Scams & Hacks

Sometimes we find out about scams and hacks from the media, sometimes our customers tell us, or we receive direct contact from the scammers. If you receive any correspondence regarding your domain or hosting and are not sure if it is genuine, please forward it to our Support email address. We will advise you and, if it is a scam, will post it here to make others aware of it. Some email scams can do the rounds for years, either in their original form or with slight or major changes. Always be wary – even if you think it’s genuine – and, if in doubt, ask us. (Customer names, addresses, phone numbers, domain names, and certain other information have been removed from the examples.)

Be on your guard so you don’t fall for emails like the ones shown below.  Don’t send money; don’t click links (including any unsubscribe links); just delete them (or forward them to us).

The list is in reverse order, so the most recent one we receive will be the first one to be read.  We hope it will be the newest but, as some of them do the rounds for years, it may be a rehashed old one or just an old one we haven’t come across previously.

A word of caution about genuine emails:  The domain registries have implemented new systems to ensure that contact information held for domains is current and correct.  New registrations, and changes to certain information for some existing domains, such as an email address, will trigger an email directly from the registry asking for verification within a fixed time limit (which will be shown in the email).  As you will see from the first example, this was being used to try to scam people as soon as it was introduced.  If someone has gained access to a domain illegitimately they will change the contact details to suit themselves, so asking them to verify that they have done so seems pretty pointless to us!  However, we don’t make the rules, all we can do is advise you of them and let you know that if we make a change – and know an email has been sent by the registry as a result – we will tell you.  You may also receive emails from us, either directly from our support or accounts addresses or directly from the server if your domain is due for renewal.  If you are in any doubt it has come from us please ask us.

*****

Example 9.

19th March 2019.

This one claims to be from someone working for the CIA. It isn’t, of course, and we’re sure that if they were, the CIA would like to know about them!

Case #94258731

Distribution and storage of pornographic electronic materials involving underage children.

My name is Jason Almeida and I am a technical collection officer working for Central Intelligence Agency.

It has come to my attention that your personal details including your email address (our email address was included) are listed in case #94258731.

The following details are listed in the document’s attachment:

Your personal details,

  • Home address,
  • Work address,
  • List of relatives and their contact information.

Case #94258731 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.

The data which could be used to acquire your personal information:

  • Your ISP web browsing history,
  • DNS queries history and connection logs,
  • Deep web .onion browsing and/or connection sharing,
  • Online chat-room logs,
  • Social media activity log.

The first arrests are scheduled for April 8, 2019.

Why am I contacting you ?

I read the documentation and I know you are a wealthy person who may be concerned about reputation.

I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition.

Transfer exactly $10,000 USD (ten thousand dollars – about 2.5 BTC) through Bitcoin network to this special bitcoin address:

37ibeeCE7o2hu6MLhHky1MhbX8y3VKVU7Q

You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files).

Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.

Please do not contact me. I will contact you and confirm only when I see the valid transfer.

Regards,

Jason Almeida

Technical Collection Officer

Directorate of Science and Technology

Central Intelligence Agency

*****

Example 8.

3rd October 2018.

The following email is a very nasty blackmail attempt that was brought to our attention by a customer who received it, and this week (first week of October 2018) we have received at least one per day directly to our own mailboxes. The latest, from which the post below is copied, arrived today.

Our customer’s concern was not that any such sites had been visited – they hadn’t – but the password/passphrase mentioned which, although no longer being used, had been used in the past. If you recognise the password/passphrase, and you didn’t change it after you heard about a data breach, you should change it now, before you get distracted and go and do something else. Make sure you change it on every site where you use it (if you use the same password/passphrase on multiple sites). Remember, it is safer to use a complex password or phrase and write it down than to use a simple one that is easily hackable.

You might also want to let your friends know about it in case they receive one, and please don’t feel too embarrassed to do that.  Even if you don’t visit porn sites people you know might well do so, and not only might they be more embarrassed than you, but they might also be more likely to be deceived by the email and perhaps reluctant to ask anyone about it.

Here is the email:

I do know xxxxx is your passphrase. Lets get directly to the purpose. You don’t know me and you are probably wondering why you’re getting this e-mail? No person has paid me to check about you.

actually, I setup a software on the 18+ vids (porno) web-site and there’s more, you visited this website to experience fun (you know what I mean). While you were watching video clips, your browser started operating as a Remote control Desktop with a key logger which provided me with accessibility to your display as well as webcam. Right after that, my software gathered every one of your contacts from your Messenger, FB, as well as e-mail . After that I created a double video. First part displays the video you were watching (you’ve got a good taste hehe), and second part displays the view of your web cam, yea it is you.

You actually have only 2 choices. Shall we analyze the solutions in particulars:

Very first option is to just ignore this e-mail. As a result, I am going to send your recorded material to each one of your personal contacts and thus think about regarding the awkwardness you feel. Furthermore in case you are in a romantic relationship, just how it will certainly affect?

2nd solution is to compensate me $3000. Let us name it as a donation. As a consequence, I will straight away delete your video recording. You could continue your way of life like this never took place and you would never hear back again from me.

You’ll make the payment via Bitcoin (if you don’t know this, search for “how to buy bitcoin” in Google).

BTC Address: 1Gp52BpT1FyuTayQfCFrH7EYpkthbp3ztz

[CASE sensitive, copy and paste it]

Should you are thinking about going to the law enforcement officials, well, this mail can not be traced back to me. I have covered my steps. I am not trying to ask you for money a lot, I simply prefer to be paid for.

You have one day in order to pay. I have a specific pixel in this email, and at this moment I know that you have read this email message. If I do not receive the BitCoins, I will definately send your video recording to all of your contacts including close relatives, coworkers, and so forth. Nonetheless, if I receive the payment, I’ll erase the video immediately. If you want proof, reply with Yes and I will send your video to your 15 contacts. This is a non-negotiable offer, that being said please don’t waste my personal time & yours by replying to this mail.

*****

Example 7.

The following email was forwarded to us by a customer on 26th September 2016.  It seems quite reasonable, however…   Usernames for our hosting accounts are server-generated and cannot be changed.  We would never ask you for it because we don’t need to.  Not only can we obtain it directly from the server on which you are hosted, but we also keep a separate record on the database we use to send out our hosting renewal notices.  We do not need your username or password to move your account to a new server.  We upgrade our servers regularly and send advance notification by email to the address registered within your account as your contact address, so please ensure you keep your contact information up-to-date.

Here is the email:

Help Desk

Scheduled Maintenance & Upgrade

Your account is in the process of being upgraded to a newest Windows-based servers and an enhanced online email interface inline with internet infrastructure Maintenance. The new servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile devices to enhance your usage.

To ensure that your account is not disrupted but active during and after this upgrade, you are required to kindly confirm your account by stating the details below:

* Domain\user name:

* Password:

This will prompt the upgrade of your account.

Failure to acknowledge the receipt of this notification, might result to a temporary deactivation of your account from our database. Your account shall remain active upon your confirmation of your login details.

During this maintenance window, there may be periods of interruption to email services.  This will include sending and receiving email in Outlook, on webmail, and on mobile devices. Also, if you leave your Mailbox open during the maintenance period, you may be prompted to close and reopen.

We appreciate your patience as this maintenance is performed and we do apologize for any inconveniences caused.

Sincerely,

Customer Care Team

*****

Example 6.

The following email arrived directly into our inbox on 29th November 2014 (it is a Chinese domain registered on the 20th November, so was most likely registered solely for the purpose of scamming). This has overtaken example 4 in the nastiness stakes and is currently firmly in number 1 spot. It is another search engine submission scam, but is very cleverly worded to imply that the domain registration is expiring. The unsubscribe instructions and disclaimers that state it is not an invoice, although clear here, are in pale grey in the original email to make them very difficult to see but to keep things looking legitimate.

ATTENTION: IMPORTANT NOTICE Domain SEO Service Registration Corp.
Order#: 562454
Date: 11/29/2014

EXPIRATION NOTICE
DOMAIN: domain.com
Notification Offer
EXPIRATION DATE: 12/07/2014

Bill To: (customer’s address, taken from public Whois information)

Domain Name: Registration SEO Period: Price: Term:
domain.com 12/21/2014 to 12/21/2015 $64.00 1 Year

SECURE ONLINE PAYMENT

Domain Name: domain.com
Attn: registrant’s name (in capitals)
This important expiration notification notifies you about the expiration notice of your domain registration for xxx.com search engine submission. The information in this expiration notification may contain confidential and/or legally privileged information from the notification processing department of the Domain SEO Service Registration. This information is intended only for the use of the individual(s) named above.
If you fail to complete your domain name registration domain.com search engine service by the expiration date, may result in the cancellation of this domain name notification offer notice.
PLEASE CLICK ON
SECURE ONLINE PAYMENT
TO COMPLETE YOUR PAYMENT.

Failure to complete your domain name registration domain.com search engine service process may make it difficult for customers to find you on the web.
CLICK UNDERNEATH FOR IMMEDIATE PAYMENT
PROCESS PAYMENT FOR
domain.com
SECURE ONLINE PAYMENT
ACT IMMEDIATELY
This domain registration for xxx.com search engine service notification will expire 12/07/2014.

Instructions and Unsubscribe Instructions:
You have received this message because you elected to receive special notification offers. If you no longer wish to receive our notifications, please unsubscribe here or mail us a written request to Domain SEO Service Registration Corp., 5379 Lyons Rd. 452, Coconut Creek, FL 33073. If you have multiple accounts with us, you must opt out for each one individually in order to stop receiving notifications notices. We are a search engine optimization company. We do not directly register or renew domain names. We are selling traffic generator software tools. This message is CAN-SPAM compliant. THIS IS NOT A BILL. THIS IS A NOTIFICATION OFFER. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUNT STATED UNLESS YOU ACCEPT THIS NOTIFICATION OFFER. Please do not reply to this email, as we are not able to respond to messages sent to this address.

*****

Example 5.

This email was forwarded by a customer on 4th November 2014. It is very short and simple and gives little information, is addressed to the user and doesn’t actually make sense: “Your mailbox might be close…” We assume it to be a phishing email, and that clicking the link would go to a website that asks for an email account username and password for the email address to which the message has been sent. Once they have that information they would be able to use the email account for sending spam. Our customer would normally have probably just deleted it, but the email’s arrival coincided with a problem that prevented him using his email, so he contacted us to check.

From: Email administator (the email address here was mail@mail.com)
To:
Sent: Saturday, November 01, 2014 1:10 AM
Subject: Email suspension

Dear user,

Your mailbox is almost full. (The mailbox usage is displayed in a box with a yellow usage bar in the actual email.)

Current size: 1969MB
Maximum size: 2000MB

Your mailbox might be close kindly click activate to add more MB to your mailbox.

Copyright © 2014 Email! Inc. All rights reserved. (Preceding the copyright symbol was the Yahoo! logo.)

*****

Example 4.

This email was sent to us on 8th October 2014, and we think it is a particularly nasty example of the search engine submission emails as it implies that the customer’s domain is not actually yet registered to them.  It is sent to the contact name for the domain, in this case us (fortunately) as the customer preferred it that way.   It included the registrant’s address, which is shown on the public Whois information, but rather worryingly it also included their telephone number (albeit in scientific format) which is not made public on Whois.  The email even included a picture of the supposed Mr ONeal next to his name and job title.

Subject:  Hi DOMAIN ADMIN – www.domain.com has not been completely registered.

Newly Registered Domain at: domain.com

DOMAIN ADMIN
REGISTRANT’S ADDRESS

Registrant’s Telephone Number: xxxxxxxxxxxx

Hi DOMAIN ADMIN

My name is Bernard and I will be your Account Manager for your free 2 week advertising campaign listing on 2.5 million websites. This is an exclusive to newly registered domain owners only. Click here: http://www.newlyregisterdomain.com/exclusive/free-advertising3777x.html

Did you know that 95% of people use search engines to find what they are looking for? Right now, your website cannot be located on many search engines.

We’ll help your website domain.com succeed by making your website known across the entire Internet. We will get you listed virtually everywhere. This includes Yahoo, Bing, Google, Ask, and almost every known search engine, classified network, blogs, FFA link websites, directories, e-zines, download submissions and much more.

You can redeem your free advertising here:
http://www.newlyregisterdomain.com/exclusive/free-advertisingxxxxx.html

Let me know if you have any problems.

Best Regards

Bernard Oneal
Personal Account Manager
Domain Submit

P.S

Remember, this exclusive free advertising is for a limited time and can expire at any time.

Your Exclusive Link is: http://www.newlyregisterdomain.com/exclusive/free-advertisingxxxxx.html

This email was sent from Domain Submit, 700 Commerce Dr, Suite 500, Oak Brook, IL 605

 

Unsubscribe me from this list

 

*****

Example 3.

The following email arrived directly in our inbox on 9th August 2014 – the day after we registered the domain (I guess we can’t fault them for efficiency!)  It is another search engine submission solicitation, the content of which is, as usual, complete rubbish.  They are not at anyone’s service but their own.

From: Search Registry [admin@bailz.com] (Note: the sender’s email address will vary.)

To: [Our email address]

Subject: REMINDER: Search Engine Registration for Your Domain xxx is pending

Hi DOMAIN ADMIN,

Domain Name: xxx (Account #xxxxx)
This email is being sent out to you because search registration for [xxx] is pending.
Please register these domains to search engines like Google, Bing and Yahoo ASAP to avoid late fees.

Registering for search engines would help you show up in search results and increase your online presence.

You can register your domain at: here
We sincerely appreciate your business! If you require anything, we are at your service.

Remember… If you do not register your domain with the search engines, it may not appear in the search engine listing when people are looking for you. Failure to complete your domain name search engine registration by the expiration date may make it difficult for your customers to locate you on the web. Complete your search engine registration today at: www.searchregistry.org
Sincerely,

Search Engine Registry
1787 Pennsylvania Ave NW, Suite 1025
Washington DC, 20006

You may unsubscribe here

*****

Example 2.

We received the email below from a customer on 11th June 2014. It is a very common type, and will be addressed to the domain registrant and include the domain name. It is carefully worded to imply that if the domain registrant doesn’t part with quite a lot of money to them they will suffer for it. Further reading indicates it is for search engine submission, but by using words like “registration” and “cancellation” to confuse, they imply this is something you should pay before their deadline. Please don’t be caught out, and do not attempt to unsubscribe from their emails. Ignore their “do not discard…” message and discard it, or forward it to us and then discard it.

From: Domain Services <notices@domainnotices8585.com>
To: XXX
Subject: Domain Notification: MR XXX This is your Final Notice of Domain Listing – (Domain name)

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: XXX

Complete and return by fax to:
1-716-242-0416

ATT: XXX
ADMINISTRATIVE CONTACT
ADDRESS
WWW.DOMAIN
Please ensure that your contact information is correct or make the necessary changes above

Requested Reply
JULY 7,2014

PART I: REVIEW SOLICITATION

Attn: XXX
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission. You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: XXX will expire on JULY 7,2014 Act today!

Select Term:

[ ] 1 year 07/7/2014 – 07/7/2015 $75.00
[ ] 2 year 07/7/2014 – 07/7/2016 $119.00
[ ] 5 year 07/7/2014 – 07/7/2019 $199.00
[ ] 10 year -Most Recommended- 07/7/2014 – 07/7/2024 $295.00
[ ] Lifetime (NEW!) Limited time offer – Best value! Lifetime $499.00

Today’s Date: _____________________ Signature: _____________________

Payment by Credit Card
Select the term above, then return by fax: 1-716-242-0416

(DOMAIN NAME)

——————————————————————————————-

By accepting this offer, you agree not to hold DS liable for any part. Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the DS 3501 Jack Northrop Ave. Suite #F9238 Hawthorne, CA 90250 USA, This information is intended only for the use of the individual(s) named above. There is no pre-existing relationship between DS and the domain mentioned above. This notice is not in any part associated with a continuation of services for domain registration. Search engine submission is an optional service that you can use as a part of your website optimization and alone may not increase the traffic to your site. If you do not wish to receive further updates from DS reply with Remove to unsubscribe. If you are not the intended recipient, you are hereby notified that disclosure, copying, distribution or the taking of any action in reliance on the contents for this letter is strictly prohibited.

*****

Example 1.

4th March 2014.  The following email was forwarded by a customer.  It is a phishing email, intended to gain information the hacker can use for their own ends.  We have disabled the links, but clicking “PLEASE CLICK HERE” in the original email will take you to a site the purpose of which is to obtain confidential information, in this case probably your email account password so the account can be used to send out spam.

From: EMAIL SUPPORT (mailto:verification@microsoft-email-support.com)
Sent: 04 March 2014 04:50
Subject: Action Required: Important Email Verification!

ACTION REQUIRED!

Dear Email Holder,

New Regulations from Microsoft Corporation and your email host, now require that email account holders must verify their email account information. All unverified email accounts  will be classified as “inactive”. The contents of the inactive email accounts comprising e-mails and folders will be permanently deleted, and account terminated.

To ensure your email(s) remain active, PLEASE CLICK HERE to perform a one-time automatic verification.

No further action is required after completing the simple verification process. It is however necessary that you repeat this process for all other email address(es) you may own.

If this message was found in your spam/junk folder, please move to inbox.

Thank you.

Email Support Team.

Please do not reply to this email as it would not be read.
©2014 by Microsoft Corporation. All rights reserved.

*****