January 16, 2014

Warning: Network Solutions' Moronic Alert Email That Masquerades as a Phishing Attack

Normally, the less said about domain registrar Network Solutions, (NSI) the better. But events this morning seem worthy of particular mention.

Within my inbox were two messages purporting to be from Network Solutions, one after the other. They were identical except for coded differences in one of the embedded URLs. They demanded that I simply "click here" to confirm my WHOIS information due to "New Regulations" -- they warned that if I didn't comply, I'd still own my domains, but my websites would stop working.

These messages had a variety of the hallmarks of malware attack phishing .They contained an ominous warning. They demanded a click. They contained no references to my actual NSI accounts or domains. They had odd capitalization. And they appeared to have been worded by an underachieving sixth grader.

Normally I would have simply deleted these apparent jokers without much thought. But I didn't this time for one reason -- just a few days ago, I had undergone the tortuous process to unlock two of my last domains still with NSI, in preparation for moving them to a sane registrar. The timing was suspicious.

So I investigated these messages in more depth. And remarkably, I determined that they were seemingly legit.

A quick Google Search revealed extremely scarce discussion of key strings from the emails. That can be interpreted as either good news or bad news, depending on your point of view. But this did lead me to an apparent NSI Facebook page where someone was currently asking about this, and a curt reply from NSI saying that the alerts were real.

The key reply URL in the emails (at least at first glance) pointed to:


followed by a long coded string that varied with each email. Typing this in manually led me to a register.com page that simply complained of invalid input (keep in mind that NSI, register.com, and rcom.com are the same domain entities). Alexa also seemed to suggest that the URL was legitimate, though receiving a miniscule percentage of NSI-related hits.

Inspection of message headers, particular the key top MTA ingress header, showed that the message did indeed gateway to my servers from register.com.

Given all this, I decided to click the links from a reasonably isolated system. Each time, the register.com page simply noted that my email address had been verified.

It is my supposition at this point that these two emails were probably part of a WHOIS accuracy statistical sampling survey or something similar, likely triggered by my actions to move two domains away from NSI.

And it is my considered opinion that the implementation of this process qualifies as idiotic and borderline criminal in terms of gross incompetency.

But then again, we're talking about Network Solutions.

So while we've now been warned, we shouldn't be at all surprised.

- - -

UPDATE: Within a few minutes of my sending a tweet with a link to this blog posting, I received this tweet back from NSI:

"Thx for your fdbk, Lauren! The email format has changed, but requirements are still the same."

-- and referencing a 2010 NSI blog posting about ICANN requirements. I've had domains since 1986, and I've never received a message like these before. I find it utterly bizarre that apparently after at least three years NSI is now (still?) using such an inexcusably inept and dangerous format for these notifications! C'mon guys, get with the program!

- - -
Disclaimer: I'm a consultant to Google. My postings are speaking only for myself, not for them.

Posted by Lauren at January 16, 2014 10:09 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein