Namecheap hosted 25%+ of fake UK govt phishing sites last year – NCSC report Domains'n'hosting outfit Namecheap harboured more than a quarter of all known phishing sites that falsely posed as UK government web presences during 2020, according to the National Cyber Security Centre today. This stat can be found in the centre's fourth annual Active Cyber Defence report, which boasts how much digital filth …
...about NameCheap.
Friends had their domain and email hosting with them. The domain account was hijacked and spam was being sent from NameCheap's servers, despite password changes, etc. NameCheap (when they responded at all) refused to take any action and claimed it was my friends submitting the emails.
I transferred the domain to another registrar and miraculously the spam sending stopped instantly.
I hate to say that your experience is pretty identical with another not-suprised, known as "godaddy". Ever heard of them? :(
p.s. not that it makes namecheap any less guilty just because they emulate the business model practiced by the big ones. Actually, I have a vague impression I come across this model across the board, in all fields of business:
- customer service... are you kidding, FO, contact us on fb/twitter
- complain on fb/twitter - are you kidding, FO, lalala, we're not listening, lalala, you're [implicitly] lying, lalala, stop trolling us, lalala, customer care is our topmost priority lalala..
meanwhile... BIG SAVINGS on not having to solve customers' problems caused by prior savings on general business service.
Methinks that NameCheap is going to be forced to clean up their act if they don't manage to do it on their own.
Now that they have been named and shamed by a government report, Kirkendall is not going to be bale to brush it off like an angry Twitter rant.
If you regularly host government scam sites, there's a good change the government is going to come and have a word with you.
"there's a good change the government is going to come and have a word with you."
As HMRC is one of the frequent sites spoofed I look forward to Namecheap, its management and board being subject to frequent and searching audits by them.
1.1 million complaints, 100k linked - policy appears to be only worry if we get 10 or more complaints.
They also said 'linked to' - they didn't say they did anything about them so I wonder how many were actually deleted.
I use Namecheap myself - have done for almost 20 years - they were Enom resellers when I first started using them. The service has been quite good over the years though I am sick of asking them to stop sending emails out in HTML only format.
Recently, my account has been getting locked due to failed login attempts - I suspect that Namecheap are now being bombarded with speculative logon attempts, they are now a nice big target.
They also supported the Nominet EGM so they earned some respect there :-)
The one email address I have that receives frequent spam - which gets reported - is an old Hotmail address. Apart from SEO and the like service offerings* the phishing spam it receives is almost entirely pretending to be from one of the numerous Microsoft email brands. A check in the server spam folder shows that almost all other phishing spam such as advance payment scams is trapped and virtually none of the fake Microsoft mail is trapped. I'd have thought that there should be sufficient reports for NCSC to start having a quiet word with Microsoft to tighten up.
NCSC need to have words with their own marketing department. Earlier this year the responses to reports started including links to their own puffery making them look just like phishing emails. The link in TFA to the report is non-functional with JavaScript blocked. Given the point made in the report about JavaScript framework poisoning they really should know better than to (a) depend on JavaScript so heavily on their own site and (b) send out emails pointing to it.
* These generally get a response pretending to be a supplier questionnaire designed to suck them in before gently leading them to the conclusion that they've paid good money for a crap spam list.
My RANT with MS is the fact that most of my mails to outllook/hotmail go to clients JUNK folders and you get no feedback from M$ as to why - at the moment I'm getting regular spam offering the services of sweet young things from outlook via what looks like some sort of injection into sharepointonline.com.
Of course M$ won't do anything about it.
It's in their interest to give externals a sh*t service - there's peer pressure from clients to do even more of their dirty work :-
DId you get my email ?
No.
Is it in Junk ?
Yes.
Cool, any ideas why it went to junk ?
No. Why don't you use outlook for you mail - we never get stuff in junk from other microsoft clients...
Grr
Glad to know I'm not alone.
I thought that playing their game would get it workiing so I went down the SPF, DKIM, DANE and TLS route and it made not a blind bit of difference. Never had a problem so far with gmail - just M$.
It's still happening - maybe I should try something other than Exim :-)
Its fiddly to get it just so, im lucky if i manage to get 9 months of deliverability from an SMTP im stuck supporting (bloody family boxen, cus my time is obv cheaper than chucking £10 in hat a year to cover costs and improve deliverability of urgent book and bridge club business...)
NameCheap are a domain registrar, and are not hosting the actual phishing/malware sites.
The actual phishing/malware sites are probably some shmuck who has set up a Wordpress site and not secured it, then been hacked.
Yes, NameCheap shouldn't be allowing anyone and their dog to register look-alike domains but with the volume they process it's no wonder they can't stamp it all out.
They are also guilty of assisting spammers who register thousands of domains, then point them at a hand full of hosted IP addresses.
This is how NameCheap get away with 'not being responsible' for content - they aren't hosting it.
Not sure that's true for all of the scam sites. I got a 'Royal Mail' SMS this morning asking me to go to www.arranged-fees.com (reported it to 7726).
The domain was registered at 09:31 this morning, I received the SMS at 10:06. Website is hosted on Namecheap's IP block. Fortunately Firefox and Chrome are already warning about it, although the site itself is still up if you want to spam them with a load of junk...
To be fair Namecheap have processed the 10-odd reports I have sent in reasonably well, and you can submit a ticket.
However I predict the next in the list of miscreants will be: netearthone.com.
I tried reporting an abuse complaint with them and they have no easy way to report it.
Also they attempt to keep the domain details secret in the whois lookup.
They are very slow at processing reports (if they do it at all).
>NameCheap are a domain registrar, and are not hosting the actual phishing/malware sites.
>The actual phishing/malware sites are probably some shmuck who has set up a Wordpress site...
Well...
https://www.namecheap.com/hosting/
https://www.namecheap.com/wordpress/
Funny enough, a week ago they even had a major hosting outage following emergency maintenance that supposedly went wrong and that they tried to hide all traces of but the Internet remembers everything. The message was basically the same, for any questions just submit the bloody ticket.
Curious what the flaws were in SS7. There were always risks, partly due to the way it developed and the trust model changing over time. So back in the day, it was a thing between vaguely trusted third parties, ie telcos, and it wasn't really in anyone's interests to break it. Fast forward to this century (or a bit earlier) and far more requests for SS7 interconnects, some times for no good (or possibly nefarious) reasons. Which I guess is a bit like the current pipeline problem. Back in the day, that kind of infrastructure was less exposed to the Internet, so fewer attack vectors.
NameCheap is probably being fooled by a very old trick: Show different content to the abuse staff. Sometimes it's a DNS or network address trick, but more commonly it's related to the Referer header and redirects from the initial spam link. Enter with a valid URL token and you get a cookie that enables the fraud content.
NameCheap: Those 1 million complaints are legit. You're just not that smart.
Only if your using that registrar's DNS servers, but most hide behind cloudflares dns infrastructure (or similar) so no not easily without having to maintain a massive ever growing pinhole list of allowed domains, and as others have already said they are the registrar so mainly its just running a billing system to charge for customers domains and not primarily hosting, i guess you could do a whois search per dns lookup and reject if the registrar is on your shit list, but frankly its easier to subscribe to some RBL's for this sort of thing to block at the edge, be restrictive with browser permissions, lock users down, proxy everything and actually pay someone to proactively monitor logs and spam filter reports
It does. That's how .gov.uk works. A scammer can't impersonate a .gov.uk site, but they can register a normal something.uk address and see how many people will spot it when told to go there and enter in their tax information. You can't really do anything to prevent that from working, but you can work a lot harder to take it down later or even detect it before starting.
The NCSC report/warning on SMS spoofing is very disappointing. A spokesbod from OfCom also commented on This Sort of Thing recently (https://www.bbc.co.uk/news/business-56934517). NCSC and OfCom issue warnings that CLI information is unreliable but don't pursue the implications:
1. If the CLI on calls is unreliable then so is the CLI on SMS messages.
2. If an SMS message contains a link (eg for use on a pocket computer) then that too is not trustworthy and should not be followed.
3. If links in SMS messages are untrustworthy then surely government institutions and marketeers for reputable organisations should not send them (note me avoiding the difficult concept of reputable marketeers).
4. If *only* untrustworthy organisations/people send links in text messages then people might eventually learn not to follow them.
Instead we get some weak compromise message about not following links unless you were expecting them. In other words, it's probably OK as long as you trust the sender... (See point 1, above).
Even worse than this, many organisations send shortened/obfuscated links such as bit.ly redirects for no good reason. If it's a clickable link then why not show the full URL? If it's a unique link they want the receiver to type in to the browser on another computer then a code to be entered onto their branded page would be a far better option.
FFS! Concealing where a link is leading people should set off big red flashing warnings that it's not to be trusted.
Banks, retailers, tax authorities, government (all levels), political parties, healthcare etc etc should *not* be sending 'clickable' links in text (SMS and e-mail) messages.
"Namecheap (again!) After years of being #1 in this Top 20, Namecheap (US) continues to be the preferred domain registrar for miscreants registering botnet C&C domains. When will this change? We don’t know. But given the long history of abuse at Namecheap, we don’t expect it to be any time soon!"
https://www.spamhaus.org/news/article/809/spamhaus-botnet-threat-update-q1-2021
I tell all my groups of friends to forward a picture of any sms/email scams like this so that I can investigate the site in a sandbox and ultimately report the domain and hosting provider.
More often than not both are hosted by Namecheap, and no they are not very quick about taking either down, if they bother at all.
I'd like to see more evidence of the assertation that there are too many false abuse reports to be able to handle. Something doesn't stack up there.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
