NNSquad - Network Neutrality Squad


[ NNSquad ] Warning: Network Solutions' Moronic Alert Email That Masquerades as a Phishing Attack

              Warning: Network Solutions' Moronic Alert Email 
                    That Masquerades as a Phishing Attack


Normally, the less said about domain registrar Network Solutions
(NSI), the better. But events this morning seem worthy of particular

Within my inbox were two messages purporting to be from Network
Solutions, one after the other. They were identical except for coded
differences in one of the embedded URLs. They demanded that I simply
"click here" to confirm my WHOIS information due to "New 
Regulations" -- they warned that if I didn't comply, I'd still own my 
domains, but my websites would stop working.

These messages had a variety of the hallmarks of malware attack
phishing. They contained an ominous warning. They demanded a click.
They contained no references to my actual NSI accounts or domains.
They had odd capitalization. And they appeared to have been worded by
an underachieving sixth grader.

Normally I would have simply deleted these apparent jokers without
much thought. But I didn't this time for one reason -- just a few days
ago, I had undergone the tortuous process to unlock two of my last
domains still with NSI, in preparation for moving them to a sane
registrar. The timing was suspicious.

So I investigated these messages in more depth. And remarkably, I
determined that they were seemingly legit.

A quick Google Search revealed extremely scarce discussion of key
strings from the emails. That can be interpreted as either good news
or bad news, depending on your point of view. But this did lead me to
an apparent NSI Facebook page where someone was currently asking about
this, and a curt reply from NSI saying that the alerts were real.

The key reply URL in the emails (at least at first glance) pointed to:


followed by a long coded string that varied with each email. Typing
this in manually led me to a register.com page that simply complained
of invalid input (keep in mind that NSI, register.com, and rcom.com
are the same domain entities). Alexa also seemed to suggest that the
URL was legitimate, though receiving a minuscule percentage of
NSI-related hits.

Inspection of message headers, particularly the key top MTA ingress
header, showed that the message did indeed gateway to my servers from

Given all this, I decided to click the links from a reasonably
isolated system. Each time, the register.com page simply noted that my
email address had been verified.

It is my supposition at this point that these two emails were probably
part of a WHOIS accuracy statistical sampling survey or something
similar, likely triggered by my actions to move two domains away from

And it is my considered opinion that the implementation of this
process qualifies as idiotic and borderline criminal in terms of gross

But then again, we're talking about Network Solutions.

So while we've now been warned, we shouldn't be at all surprised.

UPDATE: Within a few minutes of my sending a tweet with a link to this
blog posting, I received this tweet back from NSI:

   "Thx for your fdbk, Lauren! The email format has changed, but
    requirements are still the same." 
    -- and referencing a 2010 NSI blog posting about ICANN
    requirements. I've had domains since 1986, and I've never received
    a message like these before. I find it utterly bizarre that
    apparently after at least three years NSI is now (still?) using
    such an inexcusably inept and dangerous format for these
    notifications! C'mon guys, get with the program!

Disclaimer: I'm a consultant to Google. My postings are speaking only
for myself, not for them.
 - - -
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein 
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
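The two checks the post describes doing by hand (reading the topmost Received header to see which host actually handed the message to the recipient's MTA, and checking where the embedded links really point) can be scripted. The following is an added example, not code from the post or from Network Solutions. The raw message, the hostnames, the IP addresses and the set of "known registrar domains" are all constructed for the example; the real alert's URL is not reproduced on this page.

```python
"""Added example (not from the original post): header and link triage for a
suspicious registrar e-mail, in the spirit of the checks the post describes.
All hostnames, addresses and the message body below are constructed; .test is
reserved for examples and none of this is the real NSI alert.
"""
import email
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

# Constructed sample message (not the actual NSI alert quoted in the post).
RAW_MESSAGE = b"""\
Received: from mail.example-registrar.test (mail.example-registrar.test [203.0.113.10])
\tby mx.example.org (Postfix) with ESMTPS id ABC123
\tfor <owner@example.org>; Mon, 1 Apr 2013 09:00:00 -0700 (PDT)
Received: from internal.example-registrar.test (10.0.0.5)
\tby mail.example-registrar.test; Mon, 1 Apr 2013 08:59:58 -0700
From: "Support" <noreply@example-registrar.test>
To: owner@example.org
Subject: Action Required: Confirm Your WHOIS Information
Content-Type: text/plain; charset=us-ascii

Due to New Regulations you must Click Here to confirm your WHOIS details:
http://links.example-registrar.test/verify?token=0123456789abcdef
Otherwise your websites will stop working.
"""

# Same message, but the topmost Received header (the one OUR MTA wrote) records
# that the connecting peer had no reverse DNS.  The HELO name in that header is
# chosen by the sender; the parenthesised rDNS and IP are what our MTA observed.
SPOOFED_MESSAGE = RAW_MESSAGE.replace(
    b"(mail.example-registrar.test [203.0.113.10])", b"(unknown [198.51.100.7])", 1)

# Domains the registrar is known to send from and link to (assumption for this example).
REGISTRAR_DOMAINS = {"example-registrar.test", "register-example.test"}

RECEIVED_FROM = re.compile(
    r"\s*from\s+(?P<helo>\S+)"  # name the peer claimed in HELO/EHLO (forgeable)
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"  # what our MTA saw
)


def belongs_to(host: Optional[str], domains: set) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ingress_host(raw: bytes) -> Optional[str]:
    """Reverse-DNS name of the peer that delivered the message to our MTA.

    Only the topmost Received header was added by our own server; every header
    below it was written by someone else and may be fabricated.  We therefore
    use the rDNS our MTA recorded, not the HELO name, and return None when the
    MTA recorded no rDNS ("unknown").
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.match(str(received[0]))
    if not m or m.group("rdns") in (None, "unknown"):
        return None
    return m.group("rdns").lower()


def link_hosts(raw: bytes) -> list:
    """Hostnames of every http(s) URL found in the message body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return [urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body)]


def triage(raw: bytes, domains=REGISTRAR_DOMAINS) -> dict:
    """Run both checks; 'suspicious' is True if either fails.

    Passing only means the mail arrived via the registrar's own infrastructure
    and links only to its domains.  That is as far as a header/URL check goes;
    it says nothing about whether the registrar should be sending such mail.
    """
    host = ingress_host(raw)
    hosts = link_hosts(raw)
    off_domain = [h for h in hosts if not belongs_to(h, domains)]
    ingress_ok = belongs_to(host, domains)
    return {"ingress_host": host, "ingress_ok": ingress_ok,
            "link_hosts": hosts, "off_domain_links": off_domain,
            "suspicious": (not ingress_ok) or bool(off_domain)}


if __name__ == "__main__":
    for label, raw in (("sample", RAW_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, triage(raw))
```

The point of reading only the topmost Received header is the one the post relies on: that header was written by the recipient's own MTA, so the peer hostname and address it records are trustworthy, whereas every Received header beneath it, and the From: line, were supplied by whoever sent the message. The rDNS/IP in parentheses is preferred over the HELO name for the same reason. A message that passes both checks still deserves the post's other caveat, which is to open the link only from an isolated system.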
