Today I received the following message in my inbox, claiming to be from the Asian Domain Registration Service and warning me that the eset brand was in danger of being registered by a third-party. Here is the message I received, which I’ve included in its entirety, except for a few bits:
Received: from mail.umail168.cn4e.com (mail.umail168.cn4e.com [188.8.131.52]) by [...].eset.com (Postfix) with ESMTP id 83EB18000B0; Mon, 23 Jul 2012 04:26:56 +0200 (CEST)
Received: from ?????? (localhost.localdomain [127.0.0.1]) by mail.umail168.cn4e.com (Postfix) with SMTP id 4B426A2804E; Mon, 23 Jul 2012 10:26:34 +0800 (CST)
Received: from ?????? (unknown [184.108.40.206]) by mail.umail168.cn4e.com (Postfix) with ESMTPA; Mon, 23 Jul 2012 10:26:33 +0800 (CST)
From: richard zhang <firstname.lastname@example.org***>
Subject: URGENT eset Brand Registration Confirmation
Date: Mon, 23 Jul 2012 10:25:48 +0800
Content-Type: multipart/related; boundary=”—- =_NextPart_12072310232006281362145_001″
X-Mailer: DreamMail 220.127.116.11
We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on July 20,2012 that a company claimed YDai Investment Ltd were applying to register “eset” as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company’s, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for YDai Investment Ltd.Looking forward to your prompt reply.
Head of Registration Department
Tel:+86-551-3434624 || Fax:+86-551-3434924
Address:No.99 JiuHuaShan Road,Hefei,Anhui,China
If this sounds the least bit suspicious, well, there’s a reason for that.
This is a repeat of the Asian ccTLD domain registration scam which we have discussed over the years and I last blogged about back in March 2010 as The Return of Jacques Titsâ€”a scam which was at least three years old when I wrote that article.
The scam has not changed much over the years. The scammer reports that someone is attempting to register your domain name in a different part of the world using country- and region-specific top level domains. For example, ESET.CN for China, ESET.CO.JP for Japan, ESET.ASIA for the Asia Pacific region and so forth.
In this case, the scammer has made a few small changes to the content of their warning message, using a new company name Asian Domain Registration Service for their organization, a fake name for the company trying to register my domain name in Asia, and putting the address of their web site in a picture; techniques have been used by spammers for many years in order to slow detection of their messages by antispam engines. They also no longer include the actual domain names in the body of the message, perhaps realizing that many of them may now be in use, or perhaps because it creates additional work for them. The scammer’s actual web site, though, has remained largely unchanged over the years. This makes sense; aside from the image-based link included in the email, it it not referenced in detail until the time comes for the “payment” from the victim.
How does the actual scam work? By abusing the trust of the recipient. If I were to reply to the above message, Richard Zhang of the Asian Domain Registration Service (or whomever in the organization behind the scam is monitoring the mailbox) would notify me that unless I register my domain names with them for a fee, they will be given to the other party. I might even have to participate in a fake bidding war against the imaginary company trying to register my domain names. If I ask for the contact information for the company trying to register my domains, I will be told it cannot be given out for privacy reasons. And, of course, since it is a fictitious company name, I will not be able to find it by searching on it.
All in all, it’s a simple way for a scammer to take someone’s money: They don’t have to write any malicious software, hack into any systems or have any technical expertise beyond running a real domain registration business. They simply use social engineering techniques to trick you into registering domains with them that you do not need, do not use and no one else is buying, either.
The techniques to counter social engineering-based scams such as this fake Asian domain registration scam remain unchanged since I blogged about them in 2010 and reprinted, below.
By far, the most effective countermeasure against such scammy, scummy business is to educate yourself about how such scams work, and if you come across them in the future, to simply ignore them. These scammers prey on the unwitting by making their sales pitches sound like a legitimate business communication. As soon as you understand what their scam is, you can defend against them using the best means possible: The delete button.
For more reading about domain registration scams, please see the following earlier ESET Threat Blog articles:
My colleague David Harley reports seeing this scam as far back as 2004, which makes this scam eight years old, at least. It also points out the difficulty of combating social engineering, which attacks people instead of computers.
Aryeh Goretsky, MVP, ZCSE
Have you received a fake domain registration scam? If so, who was it from, and how did you respond? Please let us know in the comments, below.
Author Aryeh Goretsky, We Live Security