back to article Namecheap hosted 25%+ of fake UK govt phishing sites last year – NCSC report

Domains'n'hosting outfit Namecheap harboured more than a quarter of all known phishing sites that falsely posed as UK government web presences during 2020, according to the National Cyber Security Centre today. This stat can be found in the centre's fourth annual Active Cyber Defence report, which boasts how much digital filth …

  1. GlenP Silver badge

    Not Surprised...

    ...about NameCheap.

    Friends had their domain and email hosting with them. The domain account was hijacked and spam was being sent from NameCheap's servers, despite password changes, etc. NameCheap (when they responded at all) refused to take any action and claimed it was my friends submitting the emails.

    I transferred the domain to another registrar and miraculously the spam sending stopped instantly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not Surprised...

      I hate to say that your experience is pretty identical with another not-suprised, known as "godaddy". Ever heard of them? :(

      p.s. not that it makes namecheap any less guilty just because they emulate the business model practiced by the big ones. Actually, I have a vague impression I come across this model across the board, in all fields of business:

      - customer service... are you kidding, FO, contact us on fb/twitter

      - complain on fb/twitter - are you kidding, FO, lalala, we're not listening, lalala, you're [implicitly] lying, lalala, stop trolling us, lalala, customer care is our topmost priority lalala..

      meanwhile... BIG SAVINGS on not having to solve customers' problems caused by prior savings on general business service.

      1. Doctor Syntax Silver badge

        Re: Not Surprised...

        The business model depends on customers putting up with it. If the business model depends on locking customers it it's easier to get away with. From a customer's PoV, don't rely on ISP email offerings.

  2. Pascal Monett Silver badge

    "a 28.8 per cent share of known UK government-themed phishing sites"

    Methinks that NameCheap is going to be forced to clean up their act if they don't manage to do it on their own.

    Now that they have been named and shamed by a government report, Kirkendall is not going to be bale to brush it off like an angry Twitter rant.

    If you regularly host government scam sites, there's a good change the government is going to come and have a word with you.

    1. Nick Ryan Silver badge
      Stop

      Re: "a 28.8 per cent share of known UK government-themed phishing sites"

      Not a problem at all. All the CEO of NameCheap needs to do is become a donor to the Conservative party then all of his problems will go away.

      1. Dave_uk

        Re: "a 28.8 per cent share of known UK government-themed phishing sites"

        is it just me or anyone else think of dido harding when reading that statement!

        1. Kane Silver badge
          Joke

          Re: "a 28.8 per cent share of known UK government-themed phishing sites"

          "is it just me or anyone else think of dido harding twat twat when reading that statement!"

          Twat

          Dammit!

    2. katrinab Silver badge
      Black Helicopters

      Re: "a 28.8 per cent share of known UK government-themed phishing sites"

      I wonder if the fact that they accept Bitcoin as payment has anything to do with it?

      Even if it doesn't, the powers that be might think that it does.

    3. Doctor Syntax Silver badge

      Re: "a 28.8 per cent share of known UK government-themed phishing sites"

      "there's a good change the government is going to come and have a word with you."

      As HMRC is one of the frequent sites spoofed I look forward to Namecheap, its management and board being subject to frequent and searching audits by them.

    4. Anonymous Coward
      Anonymous Coward

      Re: the government is going to come and have a word with you

      unless you happen to have a few friends in the abovementioned government, in which case, nothing.

    5. Wyrdness

      Re: "a 28.8 per cent share of known UK government-themed phishing sites"

      "a 28.8 per cent share of known UK government-themed phishing sites" leaves the question of who is responsible for the other 71.2%

    6. N2 Silver badge
      Joke

      Re: "a 28.8 per cent share of known UK government-themed phishing sites"

      If you regularly host government scam sites, there's a good change the government is going to come and have a word with you.

      For a job opportunity?

  3. katrinab Silver badge
    Flame

    It took NameCheap about 2 weeks to take down a fake Royal Mail website that I received an SMS spam for.

  4. General Purpose Bronze badge

    only a hundred thousand

    It's amazing how much hard work that "only" is doing when Namecheap say

    "only 100k of [abuse claims/reports] were actually found to be linked to abuse".

    1. Lunatic Looking For Asylum

      Re: only a hundred thousand

      1.1 million complaints, 100k linked - policy appears to be only worry if we get 10 or more complaints.

      They also said 'linked to' - they didn't say they did anything about them so I wonder how many were actually deleted.

      I use Namecheap myself - have done for almost 20 years - they were Enom resellers when I first started using them. The service has been quite good over the years though I am sick of asking them to stop sending emails out in HTML only format.

      Recently, my account has been getting locked due to failed login attempts - I suspect that Namecheap are now being bombarded with speculative logon attempts, they are now a nice big target.

      They also supported the Nominet EGM so they earned some respect there :-)

  5. Doctor Syntax Silver badge

    The one email address I have that receives frequent spam - which gets reported - is an old Hotmail address. Apart from SEO and the like service offerings* the phishing spam it receives is almost entirely pretending to be from one of the numerous Microsoft email brands. A check in the server spam folder shows that almost all other phishing spam such as advance payment scams is trapped and virtually none of the fake Microsoft mail is trapped. I'd have thought that there should be sufficient reports for NCSC to start having a quiet word with Microsoft to tighten up.

    NCSC need to have words with their own marketing department. Earlier this year the responses to reports started including links to their own puffery making them look just like phishing emails. The link in TFA to the report is non-functional with JavaScript blocked. Given the point made in the report about JavaScript framework poisoning they really should know better than to (a) depend on JavaScript so heavily on their own site and (b) send out emails pointing to it.

    * These generally get a response pretending to be a supplier questionnaire designed to suck them in before gently leading them to the conclusion that they've paid good money for a crap spam list.

    1. Lunatic Looking For Asylum
      Flame

      Tangential rant - there - I feel better :-)

      My RANT with MS is the fact that most of my mails to outllook/hotmail go to clients JUNK folders and you get no feedback from M$ as to why - at the moment I'm getting regular spam offering the services of sweet young things from outlook via what looks like some sort of injection into sharepointonline.com.

      Of course M$ won't do anything about it.

      It's in their interest to give externals a sh*t service - there's peer pressure from clients to do even more of their dirty work :-

      DId you get my email ?

      No.

      Is it in Junk ?

      Yes.

      Cool, any ideas why it went to junk ?

      No. Why don't you use outlook for you mail - we never get stuff in junk from other microsoft clients...

      Grr

      1. safffy

        Re: Tangential rant - there - I feel better :-)

        Had this happen to me, and was able to solve it by adding a SPF entry to my domain's DNS settings.

        1. Lunatic Looking For Asylum
          FAIL

          Re: Tangential rant - there - I feel better :-)

          Glad to know I'm not alone.

          I thought that playing their game would get it workiing so I went down the SPF, DKIM, DANE and TLS route and it made not a blind bit of difference. Never had a problem so far with gmail - just M$.

          It's still happening - maybe I should try something other than Exim :-)

          1. chuBb. Silver badge

            Re: Tangential rant - there - I feel better :-)

            Its fiddly to get it just so, im lucky if i manage to get 9 months of deliverability from an SMTP im stuck supporting (bloody family boxen, cus my time is obv cheaper than chucking £10 in hat a year to cover costs and improve deliverability of urgent book and bridge club business...)

      2. vtcodger Silver badge

        Re: Tangential rant - there - I feel better :-)

        at the moment I'm getting regular spam offering the services of sweet young things from outlook

        Microsoft is offering sweet young things as a service? And I thought Microsoft was completely worthless. Wrong again apparently.

        1. Anonymous Coward
          Anonymous Coward

          Re: Tangential rant - there - I feel better :-)

          An attempt at humour, one supposes?

  6. Not Entered

    Namecheap

    NameCheap are a domain registrar, and are not hosting the actual phishing/malware sites.

    The actual phishing/malware sites are probably some shmuck who has set up a Wordpress site and not secured it, then been hacked.

    Yes, NameCheap shouldn't be allowing anyone and their dog to register look-alike domains but with the volume they process it's no wonder they can't stamp it all out.

    They are also guilty of assisting spammers who register thousands of domains, then point them at a hand full of hosted IP addresses.

    This is how NameCheap get away with 'not being responsible' for content - they aren't hosting it.

    1. Victor Ludorum

      Re: Namecheap

      Not sure that's true for all of the scam sites. I got a 'Royal Mail' SMS this morning asking me to go to www.arranged-fees.com (reported it to 7726).

      The domain was registered at 09:31 this morning, I received the SMS at 10:06. Website is hosted on Namecheap's IP block. Fortunately Firefox and Chrome are already warning about it, although the site itself is still up if you want to spam them with a load of junk...

    2. adam 40 Bronze badge

      netearthone.com next

      To be fair Namecheap have processed the 10-odd reports I have sent in reasonably well, and you can submit a ticket.

      However I predict the next in the list of miscreants will be: netearthone.com.

      I tried reporting an abuse complaint with them and they have no easy way to report it.

      Also they attempt to keep the domain details secret in the whois lookup.

      They are very slow at processing reports (if they do it at all).

    3. Muppet Boss Bronze badge
      Trollface

      Re: Namecheap

      >NameCheap are a domain registrar, and are not hosting the actual phishing/malware sites.

      >The actual phishing/malware sites are probably some shmuck who has set up a Wordpress site...

      Well...

      https://www.namecheap.com/hosting/

      https://www.namecheap.com/wordpress/

      Funny enough, a week ago they even had a major hosting outage following emergency maintenance that supposedly went wrong and that they tried to hide all traces of but the Internet remembers everything. The message was basically the same, for any questions just submit the bloody ticket.

  7. Jellied Eel Silver badge

    Indecent Exposure, or well lubricated trunks.

    Curious what the flaws were in SS7. There were always risks, partly due to the way it developed and the trust model changing over time. So back in the day, it was a thing between vaguely trusted third parties, ie telcos, and it wasn't really in anyone's interests to break it. Fast forward to this century (or a bit earlier) and far more requests for SS7 interconnects, some times for no good (or possibly nefarious) reasons. Which I guess is a bit like the current pipeline problem. Back in the day, that kind of infrastructure was less exposed to the Internet, so fewer attack vectors.

  8. Kevin McMurtrie Silver badge

    Conditional content

    NameCheap is probably being fooled by a very old trick: Show different content to the abuse staff. Sometimes it's a DNS or network address trick, but more commonly it's related to the Referer header and redirects from the initial spam link. Enter with a valid URL token and you get a cookie that enables the fraud content.

    NameCheap: Those 1 million complaints are legit. You're just not that smart.

    1. Nick Ryan Silver badge

      Re: Conditional content

      Not a difficult thing to do either. The level of nasty inventiveness is pretty damn high in some of the phishing systems.

  9. Richard Tobin

    Filter by registrar

    Presumably it should be reasonably straightforward to configure a firewall to block all connections to domains registered with a particular registrar, which would be an incentive to companies like Namecheap to clean up their act.

    1. chuBb. Silver badge

      Re: Filter by registrar

      Only if your using that registrar's DNS servers, but most hide behind cloudflares dns infrastructure (or similar) so no not easily without having to maintain a massive ever growing pinhole list of allowed domains, and as others have already said they are the registrar so mainly its just running a billing system to charge for customers domains and not primarily hosting, i guess you could do a whois search per dns lookup and reject if the registrar is on your shit list, but frankly its easier to subscribe to some RBL's for this sort of thing to block at the edge, be restrictive with browser permissions, lock users down, proxy everything and actually pay someone to proactively monitor logs and spam filter reports

  10. Anonymous Coward
    Anonymous Coward

    Nationalise it ?

    What if the government had control of it's own .gov.uk registry?

    Then it could politely request (with a big stick) all UK ISPs to only accept traffic from .gov.uk that came from the Great British National DNS

    1. doublelayer Silver badge

      Re: Nationalise it ?

      It does. That's how .gov.uk works. A scammer can't impersonate a .gov.uk site, but they can register a normal something.uk address and see how many people will spot it when told to go there and enter in their tax information. You can't really do anything to prevent that from working, but you can work a lot harder to take it down later or even detect it before starting.

  11. yetanotheraoc
    Joke

    An oldie but a goodie

    "Namecheap hosted 25%+ of fake UK govt phishing sites last year"

    Namecheap: We resolve to do better.

  12. Anonymous Coward
    Anonymous Coward

    Copy and paste

    I'll just copy and paste my comment from March 10th regarding the OVH fire:

    "Now if we could just firewall off all of Arizona the world would be 99.999% spam/malware free!

    (GoDaddy and NameCheap)"

  13. Twanky
    WTF?

    The NCSC report/warning on SMS spoofing is very disappointing. A spokesbod from OfCom also commented on This Sort of Thing recently (https://www.bbc.co.uk/news/business-56934517). NCSC and OfCom issue warnings that CLI information is unreliable but don't pursue the implications:

    1. If the CLI on calls is unreliable then so is the CLI on SMS messages.

    2. If an SMS message contains a link (eg for use on a pocket computer) then that too is not trustworthy and should not be followed.

    3. If links in SMS messages are untrustworthy then surely government institutions and marketeers for reputable organisations should not send them (note me avoiding the difficult concept of reputable marketeers).

    4. If *only* untrustworthy organisations/people send links in text messages then people might eventually learn not to follow them.

    Instead we get some weak compromise message about not following links unless you were expecting them. In other words, it's probably OK as long as you trust the sender... (See point 1, above).

    Even worse than this, many organisations send shortened/obfuscated links such as bit.ly redirects for no good reason. If it's a clickable link then why not show the full URL? If it's a unique link they want the receiver to type in to the browser on another computer then a code to be entered onto their branded page would be a far better option.

    FFS! Concealing where a link is leading people should set off big red flashing warnings that it's not to be trusted.

    Banks, retailers, tax authorities, government (all levels), political parties, healthcare etc etc should *not* be sending 'clickable' links in text (SMS and e-mail) messages.

  14. LDS Silver badge

    Spamhaus thinks the same - for botnets C&C domains

    "Namecheap (again!) After years of being #1 in this Top 20, Namecheap (US) continues to be the preferred domain registrar for miscreants registering botnet C&C domains. When will this change? We don’t know. But given the long history of abuse at Namecheap, we don’t expect it to be any time soon!"

    https://www.spamhaus.org/news/article/809/spamhaus-botnet-threat-update-q1-2021

  15. Spiz

    Agrees with my experience

    I tell all my groups of friends to forward a picture of any sms/email scams like this so that I can investigate the site in a sandbox and ultimately report the domain and hosting provider.

    More often than not both are hosted by Namecheap, and no they are not very quick about taking either down, if they bother at all.

    I'd like to see more evidence of the assertation that there are too many false abuse reports to be able to handle. Something doesn't stack up there.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021