KatsBits Community

Title: SCAM WARNING - auibcu.com domain renewal scam (iGlobal Merchant Services)
Post by: kat on October 11, 2012, 07:07:43 PM
Another domain renewal scam courtesy of iGlobal Merchant Services.

Pertinent Details
As usual with these scams, the entities in question trawl and farm contact details from the WHOIS database, something that's against their terms of service use, but what does that really matter, when you can pay to have domain details hidden, right? Anywho... the link in received emails holds a unique ID which takes the user to a page which looks suspiciously similar to one of PayPal's, and even if this were legit, the connection is not secure (no https://). The various logos on the page are for show only (they normally link directly back to the verification service for, you guessed it, verification purposes!).

Currently the domain, auibcu.com, is registered through moniker.com and privacy-protected; associated IP is 220.164.140.243 which routes to China - ns.chinanet.cn.net (good luck with that). The payment page IP, 173.255.206.174, routes to linode.com (name.com is the registrar - not privacy protected). Obviously, these are pretty much just the hosting services and not necessarily the culprits at the center of iGlobal Merchant Services domain renewal scam.

(https://www.katsbits.com/images/misc/auibcu_domain_scam_email.jpg)

Email notice which lists the domain name about to expire with wording which implies the message to be a legitimate way to renew. Note payment details as 'spoilered' - black out, text has to be selected to make it visible. All links route to the same page, including unsubscribe.

Quote
"Domain: BLENDERJOBS.COM

To: [whois trawled contact]

Don't miss out on this offer which includes search engine submission for BLENDERJOBS.COM for 12 months. There is no obligation to pay for this order unless you complete your payment by Oct 26, 2012. Our services provide submission and search engine ranking for domain owners. This offer for submission services is not required to renew your domain registration.

Failure to complete your search engine registration by Oct 26, 2012 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web)."

(https://www.katsbits.com/images/misc/auibcu_domain_scam_orderpage.jpg)

Payment page is similar in appearance to PayPal payment pages. Billing details are trawled from WhoIs and listed as such (displayed the same way they are shown in WhoIs). Note verification badges are dummies and do not link back to source for verification purposes.

(https://www.katsbits.com/images/misc/auibcu_domain_scam_homepage.jpg)

Connection on auibcu.com is not secure. Account retrieval requires input of credit card details (which likely returns 'contact page' even if legit).

(https://www.katsbits.com/images/misc/auibcu_domain_scam_support.jpg)

Title: Other domain-renew Scam Services
Post by: kat on March 20, 2018, 07:29:51 PM
info@marodi.org » daoisnda.website » godomainseolifter.org » Trendy Media Inc.
"Your domain katsbits.com registration is pending. Failure to complete this order by 03/13/2018 may result in the cancellation of this solicitation (making it difficult for your customers to locate you, using search engines on the web). We do not register or renew domain names."

Title: Domain Expiration Scam - info@domainqiserver.monster
Post by: kat on April 25, 2020, 08:47:23 AM
Domain Expiration Scam from [domain-to-be-renewed].kkzmlx.fun (registered through Alibaba Cloud Computing Ltd. d/b/a HiChina) via proxy domainqiserver.monster (registered through namesilo.com). Mail sender IP 134.73.28.81, though Outlook.com.

A continuation of the 'domain registration' scams where mailers send messages that scrape domain registration information from WhoIs so mail looks like a legitimate domain registration renewal notice instead of what they are, junk scams to bait-n-switch recipients into paying for "optimization submission" ("search engine optimization services") not domain renewal (which ALWAYS come from the registrar/service where the domain is registered).

Quote
[sic]Domain Name: [domain being scammed]
Attn: [domain registrant name]

This important notification notifies you about the notice of your domain [domain.*] optimization submission. The information in this email may contain legally privileged information from the notification processing department of the Registration Office for our traffic generator. We do not register or renew domain names. We are selling traffic generator tools. This information is intended for the use of the individual(s) named above.

If you fail to complete your domain name registration [domain.*] search engine optimization service by the expiration date, may the dismissal of this search engine optimization domain name notification notice.
(emphasis added).
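
The indicators described across this thread (sender and links that are not the registrar's, plain http:// links, every link including unsubscribe going to one page, and the "we do not renew" small print) can be checked mechanically. The following is an added example, not part of the original posts: the function names, indicator labels and the `.example` domains are assumptions made for illustration, and the phrases are taken from the notices quoted above.

```python
import re
from urllib.parse import urlsplit

# Phrases quoted in the scam notices in this thread.
DISCLAIMERS = ("we do not register or renew domain names",
               "not required to renew your domain registration")
SEO_TERMS = ("search engine submission", "search engine optimization",
             "optimization submission", "traffic generator")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def host_matches(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage_renewal_notice(body, sender, registrar_domain):
    """Return a sorted list of indicator names found in a 'renewal' e-mail."""
    text = " ".join(body.lower().split())  # collapse wrapping so phrases still match
    urls = [urlsplit(u.rstrip(".,;")) for u in URL_RE.findall(body)]
    found = set()
    if not host_matches(sender.rsplit("@", 1)[-1], registrar_domain):
        found.add("sender_not_registrar")
    if any(p in text for p in DISCLAIMERS):
        found.add("disclaims_renewal")
    if any(t in text for t in SEO_TERMS):
        found.add("seo_upsell")
    if any(u.scheme == "http" for u in urls):
        found.add("plain_http_link")
    if any(not host_matches(u.hostname or "", registrar_domain) for u in urls):
        found.add("link_not_registrar")
    # Every link, unsubscribe included, landing on one page.
    if len(urls) >= 2 and len({(u.hostname, u.path) for u in urls}) == 1:
        found.add("all_links_same_target")
    return sorted(found)


# Constructed sample (hypothetical domains), modelled on the quoted wording.
SAMPLE = (
    "Domain: EXAMPLE.COM\n"
    "This offer for submission services is not required to renew your\n"
    "domain registration. Includes search engine submission for 12 months.\n"
    "Pay now: http://pay.notice.example/order?id=123\n"
    "Unsubscribe: http://pay.notice.example/order?id=123\n"
)
```

Pass the domain of the registrar where the domain is actually registered as `registrar_domain`; a genuine notice from that registrar over https returns an empty list.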