A new phish frontier: Phishing of domain registrar accounts

We have started seeing a new kind of phish campaign today. Instead of the regular bank phish, or the more recent university/webmail email account phish, this new campaign targets domain registrar accounts, as per the email below:

eNom phish message

The email fakes the From address (purports to come from tech@enom.com) and ask the user to update their account due to some maintenance, in a manner similar to bank phishes. The following two subject lines were seen in the phish emails, some with additional words such as “attention”,  “warning”, or “IncidentID: #####”

Inaccurate whois information.
Maintenance at eNom

Clicking on the link will take the user to a link in the url format of www.enom.com.someotherdomain:

eNom phish domain

The fake login site is probably lifted from the real eNom login page in its entirety. Looking at the HTML source of the phish site, one would find that even the Google Analytics link was copied. The only HTML code that was not part of the real eNom page is the login box. Submitting credentials to the box would allow phishers to gain access to an eNom registrar account.

Why would phishers wants to go after registrar accounts all of a sudden? There have been much speculation, but the most likely explanation of all seems to point to the termination of the EST Domains as a registrar. EST Domains happens to be the registrar of choice for  many spammers, rogue anti-virus program writers, and malware writers. Shutting down this registrar would impede their ability to bulk reigster new domains. Hence, newly phished registrar accounts can be used to purchase new domains for malicious use until they can find someone else to partner with them. It remains to be seen if these registrar account phish campaigns will be here to stay.

As I was writing this blog entry, the phishers have switched to target registrar accounts at Network Solutions. Here is a capture of their phish email and phish domain:

Network Solutions phish email

Network Solutions phish domain

Just like the eNom phishes, the From address is a tech@ address, and the phish site seems to be a modified version of the Network Solutions login page. Given the two targets so far, it is quite possible that other registrar providers will be targeted next. So, beware of email purporting to be coming from your registrar service and don’t give spammers and malware writers a way to obtain domains for their nefarious purposes.