
New Year brings old domain fraud

Publication: 
Editorial Staff
chiefofficersnet

Fraud is cyclical. Historically, frauds would lie dormant for, perhaps, five years then come back. But the cycle has become much shorter, often only two or three months. Some frauds have become perpetual, aided by e-mail that hits so many prospective targets at such a low marginal cost. Others have a few days in the light before disappearing into relative darkness for a matter of weeks, perhaps because the targets are sorted into batches, e.g. by alphabetical order. One such fraud relates to domain names. These frauds take several forms but share the same basic structure: the fraudster hints that, if you don't pay up, your domain name will stop working. Here's the anatomy of one such fraudulent mail that has reached us multiple times in the past several days.

Our comments are in italics

conversazioni-fittizie.com Final Notice

not received

what is not received?

Important
expiration notice Notice#: 897531

It means "expiry" unless it's American.

Domain service renew Date: 12.31.2018

It means "renewal", so we are on notice that the sender is not very good at English and has not paid someone to make sure the English in its standard form letters is correct. Also, the form of the date indicates American.

Domain: conversazioni-fittizie.com

To: Silkscreen Limited,

In our case, Silkscreen Limited has not been the registered owner of any domain for several years. So the "notice" is addressed to the wrong person. Incidentally, the mail was sent to an address that is not a Silkscreen address.

Domain Name:                 Status:            Price:    Term:
conversazioni-fittizie.com   Pending (Unpaid)   €86.00    1 Year

This suggests that there is an obligation. Note that it's expressed in euro, which is inconsistent with the American expressions referred to above. So far, there has been nothing to say exactly what services are purportedly provided for this amount of money, only that something expired the day before the "demand" was issued.

SECURE ONLINE
PAYMENT[Links to ---- redacted ------]

Process Payment
for conversazioni-fittizie.com
ACT IMMEDIATELY

SECURE ONLINE
PAYMENT[Links to --- redacted---]
Attn: Silkscreen Limited
This important expiration notification
notifies you about the expiration notice of your domain registration for
conversazioni-fittizie.com search engine optimization submission.

What? This nonsensical statement is supposed to represent what the demand is for but its lack of precision indicates an intent to confuse and so gain payment by either mistake or fear of missing out.

The
information in this expiration notification may contain legally privileged
information from the notification processing department of the Domain Seo
Service Registration to our search engine traffic generator.

Fake legal notices are a common practice amongst fraudsters.

We do not
register or renew domain names. We are selling traffic generator software
tools.

Ah, so this is interesting: the phraseology indicates that the writer is likely to be Indian

This information is intended for the use of the individual(s) named
above.

No individual was named

If you fail to complete your domain name registration
conversazioni-fittizie.com search engine optimization service by the
expiration date, may the dismissal of this search engine optimization
domain name notification notice.

This may be intended to be a threat but it doesn't make sense. It's pretty inept to fail to make clear the one part of the message that is intended to have maximum impact

Failure to complete your seo domain
name registration conversazioni-fittizie.com search engine optimization
service process may make it difficult for customers to find you on the
web.

The whole SEO industry has, largely, been debunked as Google, in particular, has moved away from keyword/metaterm data, which is essentially what SEO services manage

Process Payment for conversazioni-fittizie.com

Secure
Online Payment[Links to --- persistent little bugger, isn't he. The link is redacted]
This domain seo registration for
conversazioni-fittizie.com search engine service optimization notification
will expire within 9 days.

Oh, but it says up top that it expired on 31 December which is before the notice arrived. Which is it, do you think?

Instructions and Unlike Instructions from this Newsletter:
You have received this message because you elected to receive
notification.

That's a lie

If you no longer wish to receive our notifications, please Unlike here

"Unlike" - that implies an existing state of liking. No one likes fraud except fraudsters

If you have multiple accounts
with us, you must opt out for each one individually to unlike receiving
notifications.

Don't have an account. It's a fraud

We are a search engine optimization company. We do not
directly register or renew domain names.

So, it's not a domain name notification, then.

This is not a bill. You are dont
need to pay the amount unless you accept this notification.

This is a half-hearted attempt to establish that there is no fraud intended. But the essence of fraud is to mislead someone and that is the overall tenor of this message. Burying this comment in the middle of a long paragraph of pseudo-legal notices is not an effective disclaimer

This message,
which contains promotional material strictly along the guidelines of the
Can-Spam act of 2003.

Not true

We have clearly mentioned the source mail-id of this
email, also clearly mentioned our subject lines and they are in no way
misleading.

Arguably true, at least insofar as the subject line is concerned (except that the mail appeared repeatedly so it wasn't "final," was it?)

Please do not reply to this email, as we are not able to
respond to messages sent to this address.

The sender's mail is shown as at servpower.net, the same domain as the landing page for the links we have redacted.

Note: the email was in HTML format, which included auto-load components. We do not allow display of HTML elements on our e-mail systems and therefore the auto-loading elements were not visible to us. However, we can see the links in the HTML code. We do not know what they loaded. It may have been drive-by downloads of malware.

It is strongly recommended that servpower.net is blocked at firewall level to prevent both incoming and outgoing traffic in case staff inadvertently click.

Analysis

The mail appears to have been received from mail servers at 103.102.237.234, which is registered to servpower.net, a hosting company with its servers in Bangladesh. It's not quite Indian, then. It appears to be based on a mailing list hosted by Servpower.net itself. This suggests a high-level scam. Importantly, our mail analysis software reported "domain of servpower.net designates 103.102.237.234 as permitted sender." Therefore the server host might be considered at least complicit and possibly the originator of this scam spam.
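
The checks described in the note and analysis above, as an added triage example in Python (not part of the original article, and not the mail analysis software it mentions). The message is constructed from the article's description; the sender local part, URL paths and `mx.example.org` are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the article's description. The local part,
# URL paths and receiving host are placeholders, not taken from the real mail.
SAMPLE = """\
From: Domain Notice <notice@servpower.net>
Subject: conversazioni-fittizie.com Final Notice
Received-SPF: pass (mx.example.org: domain of servpower.net designates 103.102.237.234 as permitted sender) client-ip=103.102.237.234;
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://servpower.net/placeholder.gif" width="1" height="1">
<a href="http://servpower.net/placeholder-pay">SECURE ONLINE PAYMENT</a>
</body></html>
"""

class HostAudit(HTMLParser):
    """Collect hosts behind clickable links and behind auto-loading elements."""
    AUTOLOAD = {"img": "src", "iframe": "src", "script": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.links, self.autoload = set(), set()
    def handle_starttag(self, tag, attrs):
        attr = "href" if tag == "a" else self.AUTOLOAD.get(tag)
        host = urlparse(dict(attrs).get(attr) or "").hostname if attr else None
        if host:
            (self.links if tag == "a" else self.autoload).add(host.lower())

def triage(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_header = msg.get("Received-SPF", "none")
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", spf_header)
    named = re.search(r"[\w-]+(?:\.[\w-]+)+", msg.get("Subject", ""))
    audit = HostAudit()
    audit.feed(msg.get_payload())
    return {
        "spf": spf_header.split()[0].lower(),
        "client_ip": ip.group(1) if ip else None,
        # SPF pass vouches for the sender's own domain, not the one in the notice.
        "sender_is_named_domain": bool(named) and sender == named.group(0).lower(),
        "links_go_to_sender": audit.links == {sender},
        "autoload_hosts": sorted(audit.autoload),
        "block": sorted({sender} | audit.links | audit.autoload),
    }
```

An SPF `pass` combined with `sender_is_named_domain` being false is the pattern the analysis describes: the sending host is authorised by the sender's own domain, which has no connection to the domain the "notice" is about.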
