Fraudsters sell .ASIA, other domains via spam

.ASIA domain name scams still going strong

Today I received the following message in my inbox, claiming to be from the Asian Domain Registration Service and warning me that the eset brand was in danger of being registered by a third-party.   Here is the message I received, which I’ve included in its entirety, except for a few bits: Received: from mail.umail168.cn4e.com

Today I received the following message in my inbox, claiming to be from the Asian Domain Registration Service and warning me that the eset brand was in danger of being registered by a third-party.   Here is the message I received, which I’ve included in its entirety, except for a few bits: Received: from mail.umail168.cn4e.com

Today I received the following message in my inbox, claiming to be from the Asian Domain Registration Service and warning me that the eset brand was in danger of being registered by a third-party.   Here is the message I received, which I’ve included in its entirety, except for a few bits:

Received: from mail.umail168.cn4e.com (mail.umail168.cn4e.com [117.27.141.168]) by […].eset.com (Postfix) with ESMTP id 83EB18000B0;      Mon, 23 Jul 2012 04:26:56 +0200 (CEST)
Received: from ?????? (localhost.localdomain [127.0.0.1]) by mail.umail168.cn4e.com (Postfix) with SMTP id 4B426A2804E; Mon, 23 Jul 2012 10:26:34 +0800 (CST)
Received: from ?????? (unknown [114.97.226.112]) by mail.umail168.cn4e.com (Postfix) with ESMTPA;      Mon, 23 Jul 2012 10:26:33 +0800 (CST)
Reply-To: <richard@dcidc.a***>
From: richard zhang <richard@dcidc.a***>
To:
Subject: URGENT eset Brand Registration Confirmation
Date: Mon, 23 Jul 2012 10:25:48 +0800
Message-ID: <DreamMail__102548_82822228707@mail.dcidc.a***>
MIME-Version: 1.0
Content-Type: multipart/related; boundary=”—- =_NextPart_12072310232006281362145_001″
X-Priority: 1
X-Mailer: DreamMail 4.4.1.0
Disposition-Notification-To: <richard@dcidc.a**>
Return-Path: richard@dcidc.a***

Dear Sir/Madam,

We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on July 20,2012 that a company claimed YDai Investment Ltd were applying to register “eset” as their Net Brand and some domain names through our firm.

Now we are handling this registration, and after our initial checking, we found the name were similar to your company’s, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for YDai Investment Ltd.Looking forward to your prompt reply.

Best Regards,

Richard Zhang
Head of Registration Department
Tel:+86-551-3434624 || Fax:+86-551-3434924
Address:No.99 JiuHuaShan Road,Hefei,Anhui,China

image with address of scammer's web site

 

If this sounds the least bit suspicious, well, there’s a reason for that.

There’s no scam like an old scam.

This is a repeat of the Asian ccTLD domain registration scam which we have discussed over the years and I last blogged about back in March 2010 as The Return of Jacques Tits—a scam which was at least three years old when I wrote that article.

The scam has not changed much over the years.   The scammer reports that someone is attempting to register your domain name in a different part of the world using country- and region-specific top level domains.   For example, ESET.CN for China, ESET.CO.JP for Japan, ESET.ASIA for the Asia Pacific region and so forth. The scammer's web site

In this case, the scammer has made a few small changes to the content of their warning message, using a new company name Asian Domain Registration Service for their organization, a fake   name for the company trying to register my domain name in Asia, and putting the address of their web site in a picture; techniques have been used by spammers for many years in order to slow detection of their messages by antispam engines. They also no longer include the actual domain names in the body of the message, perhaps realizing that many of them may now be in use, or perhaps because it creates additional work for them. The scammer’s actual web site, though, has remained largely unchanged over the years. This makes sense; aside from the image-based link included in the email, it it not referenced in detail until the time comes for the “payment” from the victim.

Scam Mechanics

How does the actual scam work? By abusing the trust of the recipient.  If I were to reply to the above message, Richard Zhang of the Asian Domain Registration Service (or whomever in the organization behind the scam is monitoring the mailbox) would notify me that unless I register my domain names with them for a fee, they will be given to the other party. I might even have to participate in a fake bidding war against the imaginary company trying to register my domain names.  If I ask for the contact information for the company trying to register my domains, I will be told it cannot be given out for privacy reasons. And, of course, since it is a fictitious company name, I will not be able to find it by searching on it.

All in all, it’s a simple way for a scammer to take someone’s money: They don’t have to write any malicious software, hack into any systems or have any technical expertise beyond running a real domain registration business. They simply use social engineering techniques to trick you into registering domains with them that you do not need, do not use and no one else is buying, either.

Countering the Wily Domain Registration Scammer

The techniques to counter social engineering-based scams such as this fake Asian domain registration scam remain unchanged since I blogged about them in 2010 and reprinted, below.

  1. If, despite all of the warning signs, you feel for some reason that the message might be legitimate, open a new instance of your web browser, visit your favorite search engine, and type in the name of the domain name registrar along with keywords such as hoax, scam and spam. For example, if the domain name registrar is named “Worldwide Network Services” then you should type in “Worldwide Network Services + spam” for your search terms.
  2. The scammers behind these types of messages often make small changes to them in order to make it more difficult for anti-spam tools to detect them. If the messages did not get sent to the spam folder in your email client, be sure to flag them as spam to help better classify them in the future.
  3. Review what email addresses are made available on your web site, including old press releases and downloadable documents. It may be those addresses no longer need to be displayed, could be obfuscated better, or replaced by a contact form.
  4. You should never reply to messages sent by scammers. By replying, you let them know that not only have they found a valid email address at your company but that they can also send you additional emails and share your email address with other scammers.<br >[Source: ESET Threat Blog. The Return of Jacques Tits,     March 30, 2010.]

By far, the most effective countermeasure against such scammy, scummy business is to educate yourself about how such scams work, and if you come across them in the future, to simply ignore them.  These scammers prey on the unwitting by making their sales pitches sound like a legitimate business communication. As soon as you understand what their scam is, you can defend against them using the best means possible: The delete button.

For more reading about domain registration scams, please see the following earlier ESET Threat Blog articles:

My colleague David Harley reports seeing this scam as far back as 2004, which makes this scam eight years old, at least. It also points out the difficulty of combating social engineering, which attacks people instead of computers.

Regards,

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher


Have you received a fake domain registration scam?   If so, who was it from, and how did you respond?  Please let us know in the comments, below.

Discussion