
Phishing Registrar Accounts: eNom is First Target

Criminals are now looking to use established domain names, via phishing targeted at domain registrars. This is possibly related to ICANN finally moving to stop the black hat registrars of the world.

According to the first report on the matter, sent yesterday to the Registrar Operations (reg-ops) mailing list, the attacks seem to be run by a gang of child pornography spammers. The domain names in the .biz TLD are all using fast flux technology to make the attack more difficult to mitigate.

Ironically, the email spam claims that the user’s domain, according to the subject, has “Inaccurate Whois information”.

Until eNom and other registrars get their anti-phishing services in place, I believe it is the job of the Internet security operations community to help them out by taking down these attacks.

The Registrar Operations group (reg-ops) will be watching for these and mitigating them as fast as possible, in close cooperation with the registrars and the security community.

By Gadi Evron, Security Strategist



Network Solutions just got it. Working on Gadi Evron  –  Oct 29, 2008 10:42 PM

Network Solutions just got it. Working on it.

Moniker too. Anyone cares about black hat Gadi Evron  –  Oct 29, 2008 11:01 PM

Moniker too. Anyone cares about black hat registrars?

the phisher's goals and methods in these attacks Greg Aaron  –  Oct 30, 2008 2:47 PM

Registrars have been phishing targets since 2007, and so it is important for them to have plans to react when they become phishing targets.  Registrars have been phishing targets since 2007, and phishers usually do not use “black hat” registrars when registering domain names for their own use.  So it seems unlikely to me that this is related to ICANN’s ongoing termination effort against EstDomains. 

In these attacks, the phishers’ goal is to get access to a registrant’s account via the registrar interface, and thereby gain the ability to purchase domains via the registrant account, control the DNS of the registrant’s domains, etc.

Greg, my friend. Thank you for your Gadi Evron  –  Oct 30, 2008 3:01 PM

Greg, my friend. Thank you for your comment. To further clarify your point:

Malicious activity-wise, the criminals often test their attacks before they fully unleash them. I believe that is also what happened here. Only in this case they also used the date of the ICANN information confirmation messages for their phishing spam run.

As to the why, theoretically, if a criminal uses a real domain name which for our example’s purpose, is used for an ecommerce website—suspending it due to abusive activity is going to be more problematic than normal, to say the least.
