Whois Information Fraud

02_thief

A very long time ago when the internet was young, someone had a great idea that rather than remembering 192.168.111.245 we could use a sensible name that people could remember like "email" and this was called its hostname and these were stored in text files, but that wasn't good enough and so this concept was further developed into what we now know as the Domain Name System. The Doman Name System (DNS) that we know and use today is basically the same; we have top level domains such as com, net, org, uk, us, eu, and so on, and under these registries administer the second level domains. 

An example would be gen.net.uk. In this case the top level domain uk is administered by the registry Nominet. If someone wants to view our website (this website) then upon entering it into their browser their computer will ask the top level name servers who's responsible for uk and be given Nominet. Then Nominet will be asked who's responsible for gen.net and that will be GEN, and finally GEN will be asked what's the server address for www. All this magic happens without any user involvement and takes fractions of a second. 

This article is specifically targeted at the registries, in the example above it was Nominet, but every country has at least one registry and with the expansion of top level domains into things like .email, .digital, .academy etc there's now even more registries that are not country specific.

When you register a domain name with a registry, they will require you to provide information such as the owner, their address, phone numbers, email address and the same for the administrative contact, Technical Contract and Billing Contact and this information is publicly available for anyone to access via a service commonly known as WHOIS. You can use our WHOIS tool on the GENSupport website to find out what information is available for any domain. Some registries allow certain information to be hidden for an additional fee, and others don't. Nominet for example will now allow information to be hidden even for an additional charge unless the registrant is an individual. Having all this information publicly available when there's absolutely no reason to do so presents fraudsters with a virtually unlimited target base with a perceived credibility greater than the usual daily scam emails. We'll look at one common fraud that regularly hits the HelpDesk here at GEN. 

Whois Information Fraud

Now that's sounds quite important and for companies who don't have their own dedicated IT department or who haven't outsourced there's an information vacuum that the fraudsters leverage with such scams. This particular one is quite expensive at $86 but even so I've no doubt that some smaller companies will pay it under fear of loosing something they need without fully understanding the implications. This example is just one of many such scams all with different wording and layouts but all trying to take your money for something you don't have.

Let's first look at how it got here...

Received: from reliance.gen.net.uk ([127.0.0.1])
	by localhost (reliance.gen.net.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id JRVvXwltlucK for <This email address is being protected from spambots. You need JavaScript enabled to view it.>;
	Sat,  9 Sep 2017 22:07:33 +0100 (BST)
Received: from mail.szjdyd.org (j115-58.sjc1.ethr.net [216.224.115.58])
	by reliance.gen.net.uk (Postfix) with ESMTP id 7E93D5F085
	for <This email address is being protected from spambots. You need JavaScript enabled to view it.>; Sat,  9 Sep 2017 22:07:29 +0100 (BST)
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 10 Sep 2017 05:07:26 +0800

So it originated from a host in the USA, namely j115-58.sjc1.ethr.net [216.224.115.58] which is operated by Ethr.Net LLC and all the information on this scam is taken from the WHOIS information for the domain in question, we know this because of the information in the fraudulent email. If we look at the 'Secure Online Payment Link' which in this case goes to "bit.ly/2wOlh4L" but that's just a redirector (a website who's only purpose is to direct you to a different site) which directs us to "www.whoisworks.win" and we're presented with a set of options to pay money. What is moderately entertaining is that the WHOIS information for this domain isn't obscured in any way and we see that the owner of the domain is 

Registrant Name: wu zhiying
Registrant Organization: wu zhiying
Registrant Street: cuixiangjiedao635hao
Registrant Street:
Registrant Street:
Registrant City: zhuhai
Registrant State/Province: Guangdong
Registrant Postal Code: 519000
Registrant Country: CN
Registrant Phone: +86.75638971201
Registrant Phone Ext:
Registrant Fax: +86.75638971201
Registrant Fax Ext:
Registrant Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Which could well be made up but moving on, the Payment Link from the website which doesn't even use SSL just takes us in a loop capturing card details for the fraudsters to sell or use or both. 

Until someone actually decides that making this information public is a ridiculous idea then the endless scams will continue and we're stuck with workarounds.  

Whois Privacy Options

Assuming you don't want to publicly broadcast your name, address, phone number and email then options are limited to a whois privacy service such as the one that we offer, which simply registers the domain using a subset of our details therefore directing scams to us instead of you. This means that we need to 'administer' the domain by responding to the nonsense sent by registries from time to time but we don't mind doing this for our customers and change nothing for the service. Other Providers do charge but it's generally a fairly nominal fee of around $5 per year. 

Know Your Domain & Services

When you have one or more domains then there will be an annual registration charge which will be invoiced directly to you by your registrar. If you registered through GEN, or migrated your domain here then we'll send you an invoice yearly. There are no other annual charges for the registration of your domain name.

If you have services on that domain name such as a website and email then charges for these, which are usually annual will be invoiced to you directly so know who hosts your website and provides your email services and if your even in doubt then ask them before paying anything that arrives to your inbox unexpectedly and never pay for something if your unsure. If you are a current, past or future customer of GEN then the HelpDesk is available 24/7 to answer your questions to please ask. 

 

 

Rate this blog entry:
Synology Hyperbackup and Certificates
Toyota's Touch 2 & Go Review
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Sunday, 17 December 2017

Captcha Image