Well this is a new twist

Markverhyden

Got the email below from a customer this morning while I was out and about. First blush it looks like a typical phishing expedition. Got back and took the message apart. All links are legit so I did a search and turns out ICANN has in fact been cracking the whip. For years I've been getting the "verify domain ownership" messages, often ignoring them. But now it looks like they'll actually shut down email and DNS if it's not done in a timely fashion. I've several customers with domains, as well as myself, and this is the first notification of this type I've seen.


Screen Shot 2021-04-21 at 3.13.51 PM.png
 
I would check that phone number in that email. https://www.everycaller.com/phone-number/1-866-507-1946/

But remember, IRS scams use any one of a number of spoofed numbers. This could easily be one used, but where the number itself is actually real and legitimate for a completely different purpose.

Were I to receive such a message from the domain name registrar I'm working with, I certainly wouldn't ignore it, but I would log in to their website directly, not via click-through. If it's real, I'll either get a pop-up message after logging in, have a message in their PM system for me, or both.

It's the same procedure I use with banking and credit card email messages that I believe to be legitimate.
 
Turns out it is a scam. I don't have the original email to parse the headers but everything else seemed to look good. @Porthos the number showed up as scam as well as Netsol, last link on the first page of a Google search. At the bottom, not in the screen shot I posted, is a link for tech support and that resolved properly. I decided to look at the Confirm Email Address button and it's a phishing technique I've started seeing the last few months. To get by filtering, the scammers are mapping a hyperlink to a file that is usually hosted on OneDrive or Google. That file is the code for the legitimate looking, but not real, login page. What's compelling is that the premise, suspend DNS resolution until confirmed, does appear to be legitimate.

Screen Shot 2021-04-22 at 8.07.21 AM.png
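
The lure described in the post above (a registrar-themed message whose button resolves to a page hosted on OneDrive or Google while the support link resolves properly) can be caught by comparing each link's host with the sender's claimed domain. This is an added example, not part of the original thread; the host list, `registrar.example` and the sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of file-hosting domains (the post names OneDrive and Google).
FILE_HOSTS = ("1drv.ms", "onedrive.live.com", "sharepoint.com",
              "drive.google.com", "docs.google.com", "storage.googleapis.com")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)  # domain or any subdomain

def audit_links(html_body, claimed_domain):
    """Return (link text, host, reasons) for links that leave the claimed sender's domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host or host_matches(host, claimed_domain):
            continue  # mailto:/relative links, or links that stay on the sender's domain
        reasons = ["off-domain"]
        if any(host_matches(host, d) for d in FILE_HOSTS):
            reasons.append("file-hosting")
        findings.append((text, host, reasons))
    return findings

# Constructed sample body; registrar.example and the bucket path are placeholders.
SAMPLE = ('<p>Confirm your contact details or DNS resolution will be suspended.</p>'
          '<a href="https://storage.googleapis.com/example-bucket/confirm.html">Confirm Email Address</a>'
          '<a href="https://www.registrar.example/support">Tech Support</a>')

if __name__ == "__main__":
    for finding in audit_links(SAMPLE, "registrar.example"):
        print(finding)
```

A hit on a file-hosting domain is a triage signal rather than a verdict, since legitimate senders also share documents that way; the point is that the action button leaves the claimed sender's domain while the footer link does not.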
 
The concept of "confirming" is not too new, we've had those start rolling in for our clients' domains for... I want to say, around the past 2 years. I don't think 3 years. So... based on your last email, scammers are hopping on that.
 
I haven't received one like this before, either. Having never done business with this entity I won't be responding, either:

---------
Dear user,

An automated email was sent out to you earlier in error with the subject “Your domain registration is expiring”. Please discard the erroneous message. Since your domain is set to auto renew with 382 USD.

Your domain will be removed on the expiration date 21st April 2022 as expected.

Reference ID: DL05HJ963

We apologize for any confusion this may have caused.

Let us know if you have further questions,

Regards

Matrix Squad Team

Have any questions? Call us



(85080)+67439– 6743291

-----------
Note well the "exposed" phone number above. In the actual message it's masked as (8 0 0) 6 4 9- 6 4 2 1 (including all those embedded spaces).
 
Network Solutions is working hard to get people off their email systems. Just a heads up!
Pretty obvious to be honest. Their default mbox size is just 1gb. At least that's not as bad as Earthlink, 100mb. LOL!!! They're just dragging their feet until they find someone so they can pull a Verizon.
 
Yeah, it's super obnoxious. They changed up some settings to now include the INBOX in the root path. So effed up in so many ways. I get a lot of work from it lol.
 