We got an email titled “Attention Domain Expiration” from firstname.lastname@example.org today. Read carefully, it is a solicitation, but every effort has been made to make it look like an INVOICE.
The email was sent from IP address 18.104.22.168 which is owned by Cellco Partnership DBA Verizon Wireless. The mail server that delivered the email is p3plsmtpa06-09.prod.phx3.secureserver.net (22.214.171.124) based in Phoenix, Arizona.
The email states that the hoodooguru.com domain expires on the 9th October and that we should urgently pay $75 to have it registered. The scam artists have brought forward the expiry date to 24th October so as to make you panic and send them your credit card details for immediate processing.
The email requests that you proceed to their online payment system at http://domannual.com/order/xxxxxxxxxx. This domain is owned by a “Terry Jackson” of 1565 Benedict Canyon, Beverly Hills. After some further investigation we find that the domains urlannual.com and urldomannual.com are also owned by Mr Jackson. The site is hosted by Velocity Servers on the Ethr.Net LLC network.
There are a few more interesting observations.
1) You have no idea who you are dealing with. There is no company name, phone number or contact on either the order form or the email. If you actually read the message, they are not even offering domain registration but rather “search engine registration”, whatever that is.
2) The form claims “Secure Online Payment”, yet the page is entirely unencrypted, with no SSL/https connection.
3) It proudly displays a fraudulent TRUSTe logo to make you believe the site is trusted.
4) It proudly displays a fraudulent Comodo Secured icon to make you believe the connection is encrypted and secure.
5) It proudly displays the Visa, Mastercard, American Express and Discover Network logos.
The form actually submits your details to another site, iglobalmerchantservices.com.
This is the main collection site. urlannual.com and urldomannual.com are also redirected to iglobalmerchantservices.com. This site is owned by Moniker Privacy Services, listed in Pompano Beach, Florida. The redirection takes you to an insecure page on port 80. Upon closer inspection, the site also runs an INVALID SSL certificate. This company has only one web page for their whole site. Their grammar is quite good, except that in the Retrieve Account Information section they have a field called “Last 4 of Card”. I suspect this form is used to harvest credit card details.
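The observations above (a “secure” claim and trust seals on a plain-http page, and a card form that quietly posts to a different host) can be turned into a repeatable check. The following is an added example, not code from the original post: it parses a constructed order page with the standard-library HTML parser and reports each contradiction. The page URL, host names, image alt texts and field names are placeholders made up for the demonstration, not the real scam pages.

```python
"""Flag payment forms whose behaviour contradicts their 'secure' claims."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page modelled on the kind of order form described above.
# Host names are placeholders (.test TLD), not the domains from the scam.
SAMPLE_PAGE_URL = "http://order.example.test/order/xxxxxxxxxx"
SAMPLE_HTML = """
<html><body>
<h1>Secure Online Payment</h1>
<img src="/img/truste.gif" alt="TRUSTe">
<img src="/img/comodo_secured.gif" alt="Comodo Secured">
<form action="http://collector.example.test/process.php" method="post">
  <input name="cardnumber"><input name="expiry"><input name="cvv">
  <input type="submit" value="Pay $75">
</form>
</body></html>
"""

CARD_FIELD_HINTS = ("card", "cvv", "cvc", "expiry", "ccnum")
SEAL_HINTS = ("truste", "comodo", "verisign", "norton", "mcafee")


class _FormCollector(HTMLParser):
    """Collects forms (action, method, input names), image alt texts and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.images = []
        self.text = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(a["name"].lower())
        elif tag == "img":
            self.images.append((a.get("alt") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        s = data.strip()
        if s:
            self.text.append(s.lower())


def analyse_page(page_url, html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    p = _FormCollector()
    p.feed(html)
    page = urlparse(page_url)
    claims_secure = any("secure" in t for t in p.text)
    seals = [alt for alt in p.images if any(h in alt for h in SEAL_HINTS)]
    findings = []
    # Observation 2: the page says "secure" but is not served over https.
    if claims_secure and page.scheme != "https":
        findings.append("page claims to be secure but is served over " + page.scheme)
    # Observations 3 and 4: trust seals on a page with no TLS at all.
    if seals and page.scheme != "https":
        findings.append("trust seals shown on a non-https page: " + ", ".join(seals))
    for f in p.forms:
        action = urljoin(page_url, f["action"])  # resolve relative actions
        target = urlparse(action)
        collects_card = any(any(h in name for h in CARD_FIELD_HINTS) for name in f["fields"])
        if collects_card and target.scheme != "https":
            findings.append(f"card details submitted over {target.scheme} to {action}")
        # The form's real destination differs from the site the visitor thinks they are on.
        if target.hostname and target.hostname != page.hostname:
            findings.append(f"form posts to a different host: {target.hostname} "
                            f"(page host {page.hostname})")
        if collects_card and f["method"] != "post":
            findings.append(f"card form uses {f['method'].upper()}; data would land in URLs and logs")
    return findings


if __name__ == "__main__":
    for line in analyse_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FINDING:", line)
```

Running it against the sample page yields four findings: the “secure” claim on plain http, two trust seals on a non-https page, card fields posted over http, and a form whose action host differs from the page host. A genuine checkout (https page, https action on the same host) produces none.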
The websites for these domains are hosted on Velocity Servers Inc (Aptos, California) servers at the IP address 126.96.36.199. The web hosting company is obviously unaware of what their customers are hosting, or they don’t care.
Interestingly, all these domains and others use the same name servers and share the same contact details. The cucpa.com admin is associated with monikaprivacy.net and shares the Pompano Beach, Florida office. The admin of monikaprivacy.net is associated with oversee.net at 515 S. Flower Street, Suite 4400, Los Angeles, who are all, interestingly enough, in the domain registration business.
So, you are probably asking, how is it that people are allowed to operate scams such as this?
I have let the hosting company know, so let's see if they take it down.