Yet another domain renewal scam


Updated 2021-02-25 with response from TrustedSite.

Criminals will try almost anything to separate people from their money. Here is another example of an unsophisticated scam that some domain owners may, unfortunately, fall victim to.

In summary, website owners may receive a message like this one through the contact form on their site. I have redacted the domain name and removed hyperlinks so that nobody accidentally clicks on them:

TERMINATION OF DOMAIN <redacted>
Invoice#: 491343
Date: 17 Feb 2021
IMMEDIATE ATTENTION REGARDING YOUR DOMAIN <redacted> IS ABSOLUTLY NECESSARY
TERMINATION OF YOUR DOMAIN <redacted> WILL BE COMPLETED WITHIN 24 HOURS
Your payment for the renewal of your domain <redacted> has not received yet
We have tried to reach you by phone several times, to inform you regarding the TERMINATION of your domain <redacted>
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
IF WE DO NOT RECEIVE YOUR PAYMENT WITHIN 24 HOURS, YOUR DOMAIN <redacted> WILL BE TERMINATED!
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
YOUR IMMEDIATE ATTENTION IS ABSOLUTELY NECESSARY IN ORDER TO KEEP YOUR DOMAIN <redacted>
The submission notification <redacted> will EXPIRE WITHIN 24 HOURS after reception of this email

For your own safety, please do not visit the domain listed. But, if you did go there, here’s what you would see:

Note that the page doesn’t identify the domain. Since the links are not personalized, the scammers don’t even know which domain or fake invoice brought you to the site. But when you click on “Pay now” they are happy to take your money:

Note the presence of “McAfee SECURE”, “TRUSTe VERIFIED”, and “Norton SECURED” along with the Visa, Mastercard, Amex, and Discover logos to create a sense of legitimacy. But this entire site appears to be nothing more than a fraud.

A few quick tests suggest that this site may, in fact, be connected to a payment gateway and therefore able to actually process payments. There are also comments in the page’s source code about storing submitted information in a database.
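As an added example (not code from the original post), here is a small Python filter that scores a contact-form submission against the red flags visible in the message quoted above: termination/renewal wording, an hours-based deadline, shouting in upper case, and a bare, unpersonalized payment link that points somewhere other than the registrar you actually use. The registrar hostname is a hypothetical placeholder, and the sample message is the one from the post with the domain still redacted.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the contact-form submission quoted in the post,
# with the domain name left redacted exactly as in the post.
SAMPLE_SUBMISSION = """TERMINATION OF DOMAIN <redacted>
Invoice#: 491343
Date: 17 Feb 2021
IMMEDIATE ATTENTION REGARDING YOUR DOMAIN <redacted> IS ABSOLUTLY NECESSARY
TERMINATION OF YOUR DOMAIN <redacted> WILL BE COMPLETED WITHIN 24 HOURS
Your payment for the renewal of your domain <redacted> has not received yet
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
IF WE DO NOT RECEIVE YOUR PAYMENT WITHIN 24 HOURS, YOUR DOMAIN <redacted> WILL BE TERMINATED!
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
"""

# Assumption (hypothetical value): the registrar the site owner actually uses.
KNOWN_REGISTRARS = {"registrar.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RENEWAL_RE = re.compile(r"\b(terminat\w*|renewal|expire\w*)\b", re.I)
DEADLINE_RE = re.compile(r"\bwithin\s+\d+\s+hours?\b", re.I)

def upper_case_ratio(text):
    """Share of letters that are upper case, with URLs removed first."""
    letters = re.findall(r"[A-Za-z]", URL_RE.sub("", text))
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0

def scam_indicators(text, known_registrars=KNOWN_REGISTRARS):
    """Map each red flag from the post to True when it is present in text."""
    urls = [urlparse(u) for u in URL_RE.findall(text)]
    hosts = [u.hostname.lower() for u in urls if u.hostname]
    return {
        "renewal_or_termination_wording": bool(RENEWAL_RE.search(text)),
        "hour_deadline": bool(DEADLINE_RE.search(text)),
        # A payment link that does not point at the registrar you actually use.
        "payment_link_outside_known_registrar": any(h not in known_registrars for h in hosts),
        # Bare links with no path or query: the sender cannot know which domain or invoice.
        "unpersonalized_links": bool(urls) and all(not u.path.strip("/") and not u.query for u in urls),
        "mostly_upper_case": upper_case_ratio(text) >= 0.5,
    }

def is_probable_renewal_scam(text, known_registrars=KNOWN_REGISTRARS, threshold=3):
    """Flag the submission when at least `threshold` indicators fire."""
    return sum(scam_indicators(text, known_registrars).values()) >= threshold

if __name__ == "__main__":
    print(scam_indicators(SAMPLE_SUBMISSION), is_probable_renewal_scam(SAMPLE_SUBMISSION))
```

A genuine reminder from your own registrar typically trips only the wording indicator, since its link points at a host you know and carries a domain-specific path or query.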

According to a whois lookup at https://my.ga (the .ga TLD registrar), the domain domainregister.ga is registered to an individual named Lee SuYeon in South Korea. This information could be fake, so I have not published any additional personal information here, even though it is publicly available. SuYeon has not replied to my inquiry as of the time of publishing.

The .ga TLD is managed by Gabon Telecom SA. According to Wikipedia, they are the largest telecom company in Gabon, located on the west coast of central Africa.

Update 2020-02-19

A NortonLifeLock spokesperson responded, “NortonLifeLock is a trusted name in consumer Cyber Safety. Unfortunately, hackers and scammers want to take advantage of the trust we’ve built, and fraudulently use our name and branding to try to trick and defraud consumers. We can confirm this website is using our logo illegitimately and we are actively addressing it. We utilize a domain management tool for identification and enforcement. There has been a rise in these types of email and domain scams lately, and we encourage consumers to be wary and stay vigilant. In this instance, one red flag that something may not be right is that there are multiple cybersecurity company logos together on the page. For more tips and techniques for identifying and reporting scams involving our branding, please visit our website at https://www.nortonlifelock.com/blogs/feature-stories/fraudulent-use-nortonlifelock-brand.”

Update 2020-02-20

McAfee responded with the following information: “Though they share the McAfee name, McAfee Secure is a separate company operated by TrustedSite. We do not have any feedback regarding their logo use or policies, and we do recommend reaching out to them directly for clarification.”

I have sent a query to TrustedSite.

Update 2020-02-25

TrustedSite provided the following information: “Thank you for bringing this to our attention. To confirm, this site has not been certified by McAfee SECURE: https://www.mcafeesecure.com/verify?host=domainregister.ga. Any McAfee SECURE trustmark currently being displayed on this site is not genuine. I will be forwarding this to our management team for pursuit. Also, our McAfee SECURE Chrome extension is the easiest way to verify a site’s certification status.”

SuYeon, TRUSTe, and Gabon Telecom have not yet responded to my inquiry.

About the author

Eric Jacksch

1 comment

  • I received the exact same fraudulent email a couple of days ago from the owner of one of the domains I manage. The Gabon email address gave it away as did the language which was unusually urgent in UPPER CASE and demanded immediate attention before the reader had time to think or otherwise evaluate its message.

    The fact that a domain with this name could be registered in Gabon shows how poorly equipped poor countries are to police their registrars and staff them with incorruptible people who have an idea what they are doing.

    It’s not the first time I have received these domain renewal messages. There have been a succession over the years. I now use a single domain registrar for all domains I administer and have them all set on auto-renew till I decide, or am told, to retire one, at which point it comes off of auto-renew.
