Phishing Scam Alert: Domain Name Expiration Notices stealing data through phishing site

Phishing Scam

Have you received an email notification that your domain is about to expire? Most website owners have. But do you pay close attention to who it is from and the renewal fee? If not, you may be throwing money away to a scammer.

Quick Heal Security Labs has recently come across a phishing scam related to domain names. And we want to give some insights on ways to identify the scam and protect yourself from falling victim.

Security researchers say expired domains can put data at risk. Hackers use expired domains to steal credit card data or contact information. Or they may target email accounts linked to the domain to scam clients and steal company secrets.

What is Phishing?

Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords, and payment information by disguising oneself as a trustworthy entity in an electronic communication.

In other words, phishing is a type of online scam where criminals or attackers send an email that appears to be from a legitimate source or company and ask you to provide sensitive information.

There is a new phishing attack going on, which you need to be aware of a recent phishing email out there, the ‘Domain Name Expiration Scam.’ The target of this scam is to trick people with fake Domain Name Expiration to steal sensitive payment information from consumers or make payments to them.

Fig. 1 Phishing attack flow

 

We observed a phishing mail attack during our analysis. The victim received multiple phishing emails on his registered mail from different Mail IDs. In the mail, attackers mentioned “Domain Services Expiration Date.” Attackers send fake Domain services expiration notices to the user. This date is not a correct expiration date.

Fig.2 Phishing Email

 

In the above mail, shortened malicious URL is embedded which leads to a phishing attack.

https[:]//bit.ly/3l2vkND

This bitly URL redirects the user to another phishing website-

URL:  https[:]//webdomainsrvcs.com

 

Information about the above URL and their respective:

URL:  https[:]//webdomainsrvcs.com

  • IP: 105.65.125
  • Server Type: Apache
  • Country: Russia
  • City: Moscow
  • ISP: HOSTKEY B.V.
  • Organization: LLC Server v arendy (hostkey.ru)

 

Fig.3 Phishing Site

 

This redirected website asks the victim to fill in some basic information like Domain name, Email address, Phone Number, and Digital signature, as shown below.

 

   Fig.4 User Info page

 

After submitting details in the given form and clicking on submit button, it redirects to a page that will show some plans for domain renewal.

 

  Fig.5:  Domain renewal plans

 

After clicking on PAY NOW on any of the plans this page redirects the user to the payment page (PayPal).

 

    Fig.6:  Payment page

 

VT Graph

Fig.7 VT Graph

 

Here, we can see the Root node https[:]//bit.ly/3l2vkND is communicating with the malicious files.

 

How Can We Catch and Avoid Falling for these types of Phishing Scams?

  • Validate Links and Attachment: Don’t click and open any Link and attachments attached in Mail validate it, then open it.
  • Set up Auto-renewal: Use domain name auto-renewal services. So, you can ignore all renewal mails, which might be Phishing mail.
  • Use Registrar’s website: Renew your domain name through the official registrar’s website only.
  • Registration information: Use Domain privacy protection. It’s worth it.

 

IOCs:

Short URLs: These Shorten bit.ly URLs redirect to the below given malicious URLs.

  • https[:]//bit.ly/3l2vkND
  • https[:]//bit.ly/38sIQVM
  • https[:]//bit.ly/2PSyhVH
  • https[:]//bit.ly/3raUDj5
  • https[:]//bit.ly/3qDXcc6
  • https[:]//bit.ly/38tbshO
  • https[:]//bit.ly/3pNezHb

 

Malicious URLs:

  • http[:]//domainsrvcsexpiry.com/
  • https[:]//domainsrvcsexpiry.com/03/09/2021be
  • http[:]//domainsrvcsexpiry.com/03/09/2021bj/
  • https[:]//domainsrvcsexpiry.com/03/09/2021ae
  • http[:]//domainsrvcsexpiry.com/03/09/2021ab
Rahul Pawar

Rahul Pawar


No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image