The Domain Registration Renewal Scam

One of the domains we own and use received the following notification – actually through the Contact Us form on the website, CAPTCHA and all. The formatting is down to how the online form is structured; the phone number does not make sense, but the information in the body certainly draws attention.

Thanks for contacting us

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this proposal making it difficult for your customers to locate you on the web.

Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine registration so your customers can locate you on the web.

It’s a scam disguised as an invitation to pay – and it’s your fault if you pay for nothing?

I wanted to know how it works. To someone who knows little about domain registration, expiry, search optimisation and costs, it sounds worrying – after all, people don’t want their domains to stop working and that’s what they might feel when reading this message.

I embarked on the user journey they wanted me to take at whats-ip.com... almost. Loading the site with a new /?web=domain.name, I began the user journey that they defined for their victim. Naturally, I engaged with their form in the spirit one should.

Signed by me

What’s also remarkable is that the scammers have a CAPTCHA on their page, possibly to deter other scammers and people who run scripts against their site. With my signature and a completed CAPTCHA, I was able to move to the next step.

Limited time offer, copyright 2012?

My eyes are drawn to the limited time offer. The other options are really expensive and I don’t want to lose my domain, right? Lifetime, $499, what could possibly be the drawback here?

Pay now – and earn Airmiles!

Pay Now. Indeed! You will be wondering where this takes you next. I was getting one of my fake credit card numbers ready when this screen loaded for me as the next step.

Surprise!

Paypal? Paypal! I expect you, like me, are staring at the URL wondering where the odd character is.

Yes, it is Paypal

There is no odd character! The scammers are actually bringing people to Paypal so that they can pay them money. This is a double-edged sword; on the one hand, the person following the journey arrives at a service they might trust. Additionally, they may be signed into the service already, thus making this step easier. Finally, expecting a scam and getting to Paypal will make people believe the purchase is legitimate as Paypal claims to offer some payment protection.

Even a password manager will offer to complete the username/password for the site because, after all, it is Paypal.

I’ve taken the liberty of reporting this to Paypal, both because I like to stop people being scammed and because I expect quite a few to have paid money for nothing. The domain in question that was the subject of the contact form does not expire for some time; if the scammers were really clever, they’d contact me 45 or 30 days before expiry. Mind you, if they only contacted domains expiring soon, their victim pool would be shallower – so I get the approach. I would have expected email rather than a web form as the method to try to lure us in!
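The lure described in this post arrives through a contact form, uses the wording quoted above and sends the reader to a link carrying their own domain in the query string. One way to triage such submissions, as an added example that is not code from this post: the scoring weights, the hold threshold, the function names and the example.org / renewal-notice.example names are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Phrases taken from the notice quoted in this post.
PRESSURE_PHRASES = (
    "search engine registration",
    "expiration date",
    "not an invoice",
    "do not discard",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def own_domain_in_links(body, own_domain):
    """Return links whose query string carries our own domain, like /?web=domain.name."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")  # drop trailing sentence punctuation
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host == own_domain or host.endswith("." + own_domain):
            continue  # a link to our own site is not a lure
        values = [v.lower() for vs in parse_qs(parsed.query).values() for v in vs]
        if any(own_domain in v for v in values):
            hits.append(url)
    return hits


def triage(body, own_domain):
    """Score one contact-form submission; weights and threshold are assumptions."""
    own_domain = own_domain.lower()
    text = " ".join(body.lower().split())  # normalise case and whitespace
    phrases = [p for p in PRESSURE_PHRASES if p in text]
    links = own_domain_in_links(body, own_domain)
    score = len(phrases) + 2 * len(links)
    return {"score": score, "phrases": phrases, "links": links, "hold": score >= 3}


# Constructed samples: example.org is our domain, renewal-notice.example the sender's.
SCAM = (
    "Do not discard, this notice is not an invoice it is a courtesy reminder to "
    "register your domain name search engine registration.\n"
    "Complete it here: https://renewal-notice.example/?web=example.org"
)
GENUINE = "Hi, could you send a quote for hosting? Our site is https://example.org/about"

if __name__ == "__main__":
    for msg in (SCAM, GENUINE):
        print(triage(msg, "example.org"))
```

A held submission is best checked against the registrar's own record of the expiry date rather than anything stated in the message.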

Finally, what is really, really interesting is the certificate the scammers have for their site.

Thank you, Google

While I did not dig into the hosting for the site, it would have seemed normal to have a Let’s Encrypt certificate for this domain and not one from Google. This makes it harder for a normal person to work out that this is a scam.