Fake domain emails rising and more malicious

The number and variety of “fake domain” emails are on the rise, and they are carrying more malicious payloads.

Fake ICANN “Compliance” emails

One set making the rounds are variants of fake ICANN “compliance” emails such as the one pasted below:


Dear Domain Owner,

Our system has detected that your domain: {example}.com is being used for spamming and spreading malware recently.

You can download the detailed abuse report of your domain along with date/time of incidents. Click Here <hxxp://report.icann-monitor.org/view/Domain_Abuse_Report.doc>

We have also provided detailed instruction on how to delist your domain from our blacklisting.

Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently. There is also possibility of legal action depend on severity and persistence of your abuse case.

Three Simple Steps:

1. Download your abuse report.
2. Check your domain abuse incidents along with date and time.
3. Take few simple steps for prevention and to avoid domain suspension.

Click Here to Download your Report <hXXp://report.icann-monitor.org/view/Domain_Abuse_Report.doc>

Please look into it and contact us.

Best Regards,
Domain Abuse Dept.
ICANN Inc.
Tel.: (139) 722-66-56

The domain used, icann-monitor.org, seems to be suspended by the Registrar now, but it is worth knowing that ICANN’s official domain name is icann.org, and any variations you come across are almost certainly phishes.

Obviously, that Domain_Abuse_Report.doc contains a malicious payload. As reported via VirusTotal, it downloads a plethora of trojans and malware, including some unknown ones.
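The check described above (icann.org is official, variations are not) can be automated for incoming mail. The following is an added example, not code from easyDNS or ICANN: it pulls links out of a message body, including defanged `hxxp` ones, and flags any host that carries the brand keyword without sitting under the official domain. The `OFFICIAL` map, function names and sample text are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Brand keyword -> official registrable domains. icann.org comes from the post;
# add your own registrar's domain here (assumption: you know what it is).
OFFICIAL = {"icann": {"icann.org"}}

# Matches http(s) URLs and their defanged hxxp(s) form, stopping at <, >, quotes or whitespace.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so urlsplit can parse it."""
    return re.sub(r"^h(?:tt|xx)p", "http", url, flags=re.IGNORECASE)

def is_official(host, domains):
    """True only for the official domain itself or a true subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def lookalike_links(body):
    """Return unique (host, brand) pairs whose host names the brand but is not official."""
    hits = []
    for raw in URL_RE.findall(body):
        host = (urlsplit(refang(raw)).hostname or "").lower().rstrip(".")
        for brand, domains in OFFICIAL.items():
            pair = (host, brand)
            if brand in host and not is_official(host, domains) and pair not in hits:
                hits.append(pair)
    return hits

# Constructed sample: the two links from the email quoted above plus one genuine link.
SAMPLE = (
    "Click Here <hxxp://report.icann-monitor.org/view/Domain_Abuse_Report.doc>\n"
    "Genuine site for comparison: https://www.icann.org/\n"
    "Click Here to Download your Report "
    "<hXXp://report.icann-monitor.org/view/Domain_Abuse_Report.doc>\n"
)

if __name__ == "__main__":
    for host, brand in lookalike_links(SAMPLE):
        print(f"suspicious: {host} uses '{brand}' but is not an official domain")
```

Keyword matching only catches lookalikes that spell the brand out; hosts using homoglyphs or punycode need a separate check.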

Fake “new domain registration” emails

Another one making the rounds lately, as reported via DomainGang, is a fake email purporting to “confirm” your recent domain registration.

The link points to mic.qb-i.ru (see VirusTotal report) or some other toxic domain, and according to VirusTotal it downloads all kinds of fun stuff, including a trojan and a ransomware locker.

Sorting Out Real From Fake Domain Emails

Your domain Registrar is contractually obligated to send you several types of emails, including:

  • Whois Data Reminder Program (WDRP) – at least once per year the contents of your domain’s “whois” record details must be emailed to the registrant with an eye toward double checking it for accuracy and making any required modifications. These can be safely ignored.
  • Whois Accuracy Program (WAP) – whenever you do make any updates to your domain contact details, IF your new information has not been previously confirmed under this program, the Registrant must “verify” their new contact set, most often implemented by emailing a link to the end-user that they must click. These cannot be ignored. If the new contact set is not confirmed within 15 days then the Registrar must suspend the domain.

Last summer easyDNS began GPG signing WDRP and WAP notices, which can be verified with our public key, as an incremental measure toward eventually signing all easyDNS-generated correspondence.

Preventing Disaster

In general one should be very wary about what links they click on in any emails they receive. You should have antivirus and web protection programs running on your personal computers.

On the easyDNS side of things, you should:

  • Enable 2-factor authentication
  • Turn on all event notifications
  • Put in an account ACL, even if only to limit logins to the same country you’re in

All of this can be enabled via your account security settings.
