Phishing - "Your Account Needs Updating"
On October 30th, 2008, many people who have domain names registered with Network Solutions were targeted in a large phishing scam, the point of which was to trick you into revealing your login information for the domain. (Once someone else has that information, they can change the contact info and login, and steal your domain name.)
While the email people are receiving may look somewhat legit (see below), there are a few warning signs. If you dig into the header information you would see that the email appears to be from gqnl@boardbuilders.com which wouldn't have anything to do with Network Solutions. Even more damning though, is that the link in the body of the email (don't click it!) doesn't lead you to a Network Solutions website. Some email programs will show the target address of a link somewhere when you "mouse over" the link (moving the cursor over the link but not clicking on it.) In this case, the address the link would take you to is: http://www.networksolutions.com.sys44.mobi
Most people just see the left part of the address and see "networksolutions.com" and assume it's okay, but the right side is what's important. The last two parts, in this case sys44.mobi is the actual domain name, or website that you would go to. They have set up "networksolutions.com" as a subdomain of their actual domain in order to trick you.
Dear Network Solutions Customer,
We recently notified you that the registration period for your Network Solutions domain name had expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.
Renew your domain now - http://www.networksolutions.com
You must click on the following link, enter your domain name, and confirm your contact information in order to claim these funds. If your contact information is not correct, you must enter Account Manager and make the appropriate changes prior to clicking "submit" from the confirmation screen. If you do not do this, you will be confirming inaccurate information and will not receive any payment. Checks will only be made payable and mailed to the Account Holder of record.
Sincerely,
Network Solutions® Customer Support
Rather than clicking on a link in an email, if you're concerned there may be issues with your hosting or domain name, go directly to the company's website and login to see if there are any account notices. Never trust an email to take you to the right place. Remember, any website can be duplicated and faked! You can also contact your service provider by phone if you have questions about your account status.
As of October 30th, 2008, Network Solutions has posted the following on their customer support page:
Customers who have registered domain names through Network Solutions, as well as several other domain name providers are currently a target of a large scale phishing scam. A fraudster is sending e-mails to customers asking them to log in to renew or edit their domain name registration, and providing a link to a fraudulent site designed to look like networksolutions.com and to capture customer username and password information, or other private information.
If you believe you have received an e-mail of this type and have clicked on the link, and provided your login information, we recommend the following for security purposes:
- login to your account
- review your account information for accuracy
- change your password security question and answer
- change your password
Update: Variation On The Message Format
Later in the same day, we received the following message...
Dear Network Solutions® Customer,
On Thu, 30 Oct 2008 23:16:49 -0500 we received a third party complaint of invalid domain contact information in the Whois database for this domain Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.
Please note: ICANN (the Internet Corporation for Assigned Names and Numbers) regulations state that the WHOIS Administrative Contact may initiate and approve domain name registration transfers from your Network Solutions account to other Registrars. If you are not listed as the WHOIS Administrative Contact a transfer can occur without your knowledge if Domain Protect is not enabled for the domain name registrations listed above.
To change the WHOIS Administrative Contact Information for any of your domains, please login to Account Manager:
- Log in to Account Manager at: http://www.networksolutions.com.
- Click on the "Profile & Accounts" tab in the left navigation menu to be taken to a page listing your account details.
- Click on "Accounts" and select the account you wish to edit.
- Click "View/Edit WHOIS Contacts" to make your updates.
If you believe someone requested this change without your consent, please contact Customer Service.
If you would like to order additional services or to update your account, please visit us online.
Thank you for choosing Network Solutions. We are committed to providing you with the solutions, services, and support to help you succeed online.
Sincerely,
Network Solutions® Customer Support
This one's even more official looking... it's actually very similar to an email that Network Solutions does send out. However, the link is the same type of deception, in this case pointing to: http://www.networksolutions.com.sys56.biz ...which is not a Network Solutions domain. Domains like sys56.biz are almost always owned by spammers and used for a short duration, just long enough to try to rip you off.
