Yet another domain renewal scam

Eric Jacksch
Feb 18, 2021

Criminals will try almost anything to separate people from their money. Here is another example of an unsophisticated scam that some domain owners may, unfortunately, fall victim to.

In summary, website owners may receive a message like this one through the contact form on their site. I have redacted the domain name and removed hyperlinks so that nobody accidentally clicks on them:

TERMINATION OF DOMAIN <redacted>
Invoice#: 491343 Date: 17 Feb 2021
IMMEDIATE ATTENTION REGARDING YOUR DOMAIN <redacted> IS ABSOLUTLY NECESSARY
TERMINATION OF YOUR DOMAIN <redacted> WILL BE COMPLETED WITHIN 24 HOURS
Your payment for the renewal of your domain <redacted> has not received yet
We have tried to reach you by phone several times, to inform you regarding the TERMINATION of your domain <redacted>
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
IF WE DO NOT RECEIVE YOUR PAYMENT WITHIN 24 HOURS, YOUR DOMAIN <redacted> WILL BE TERMINATED!
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
YOUR IMMEDIATE ATTENTION IS ABSOLUTELY NECESSARY IN ORDER TO KEEP YOUR DOMAIN <redacted>
The submission notification <redacted> will EXPIRE WITHIN 24 HOURS after reception of this email

For your own safety, please do not visit the domain listed. But, if you did go there, here’s what you would see:

Note that the page doesn't identify the domain. Since the links in the message are not personalized, the site has no way of knowing which domain or which fake invoice a visitor has come about. But when you click on "Pay now" they are happy to take your money:
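The tells in this lure (threats and a 24-hour deadline, a "CLICK HERE" payment link to a host that is not your registrar, and an invoice number that the link itself never references) can be checked mechanically on anything that arrives through a contact form. The script below is an added example, not code from the original post. It assumes you know which registrar actually bills you for the domain (the KNOWN_REGISTRARS value is a hypothetical placeholder), and it runs over a constructed copy of the lure above with example.com standing in for the redacted domain, alongside a constructed benign message.

```python
"""Heuristic triage of contact-form submissions for fake domain-renewal demands.

Added example. Keyword lists and thresholds are illustrative starting points,
not a tuned detector; adjust them to the messages your own form receives.
"""
import re
from urllib.parse import urlparse

# Hypothetical: the registrar(s) that really bill you. Replace with your own.
KNOWN_REGISTRARS = {"example-registrar.com"}

# Phrases typical of the lure: threats, deadlines, demands to pay now.
URGENCY_PATTERNS = [
    r"\bterminat(?:ion|ed)\b",
    r"\bwithin\s+24\s+hours\b",
    r"\bimmediate\s+attention\b",
    r"\bclick\s+here\b",
    r"\bsecure\s+online\s+payment\b",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
INVOICE_RE = re.compile(r"invoice\s*#?\s*:?\s*(\d+)")

# Constructed sample: the lure from the post, example.com in place of the
# redacted domain. URLs are plain text here; nothing is clickable.
LURE = """TERMINATION OF DOMAIN example.com
Invoice#: 491343 Date: 17 Feb 2021
IMMEDIATE ATTENTION REGARDING YOUR DOMAIN example.com IS ABSOLUTLY NECESSARY
TERMINATION OF YOUR DOMAIN example.com WILL BE COMPLETED WITHIN 24 HOURS
Your payment for the renewal of your domain example.com has not received yet
We have tried to reach you by phone several times, to inform you regarding the TERMINATION of your domain example.com
CLICK HERE FOR SECURE ONLINE PAYMENT: https://domainregister.ga
IF WE DO NOT RECEIVE YOUR PAYMENT WITHIN 24 HOURS, YOUR DOMAIN example.com WILL BE TERMINATED!
"""

# Constructed sample: an ordinary reader message that should pass untouched.
BENIGN = "Hi, I enjoyed your article on TLS. Is the talk you mentioned online anywhere? Thanks, Sam"


def shouting_ratio(text: str) -> float:
    """Fraction of alphabetic characters that are upper case."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def link_hosts(text: str) -> set:
    """Lower-cased hostnames of every URL in the message."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage(text: str, known_registrars=KNOWN_REGISTRARS) -> dict:
    """Return {'suspicious': bool, 'reasons': [str, ...]} for one submission."""
    reasons = []
    lowered = text.lower()

    # 1. Several urgency/payment phrases together, not just one stray word.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, lowered)]
    if len(hits) >= 2:
        reasons.append(f"{len(hits)} urgency/payment phrases")

    # 2. Mostly shouting.
    ratio = shouting_ratio(text)
    if ratio > 0.4:
        reasons.append(f"{ratio:.0%} of letters upper case")

    # 3. A payment/renewal message whose links point outside your registrar.
    hosts = link_hosts(text)
    foreign = sorted(
        h for h in hosts
        if not any(h == r or h.endswith("." + r) for r in known_registrars)
    )
    if foreign and re.search(r"\b(renewal|payment|invoice)\b", lowered):
        reasons.append("payment link to host outside your registrar: " + ", ".join(foreign))

    # 4. The link is not personalized: an invoice is cited but no URL carries it.
    invoices = INVOICE_RE.findall(lowered)
    urls = URL_RE.findall(text)
    if invoices and urls and not any(inv in u for inv in invoices for u in urls):
        reasons.append(f"invoice {invoices[0]} cited but no link references it")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(msg))
```

The fourth check is the one the screenshot above illustrates: a real billing link would carry some token tying it to the invoice it claims, and this one does not. Treat a hit as a reason to log in to your actual registrar and look at the expiry date there, not as a reason to click anything in the message.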

Note the presence of “MacAfee SECURE”, “TRUSTe VERIFIED”, and “Norton SECURED” along with the Visa, Mastercard, Amex, and Discover logos to create a sense of legitimacy. But this entire site appears to be nothing more than a fraud.

A few quick tests suggest that this site may, in fact, be connected to a payment gateway and therefore able to actually process payments. There are also comments in the page’s source code about storing submitted information in a database.

According to a whois lookup at https://my.ga (the .ga TLD registrar), the domain domainregister.ga is registered to an individual named Lee SuYeon in South Korea. This information could be fake, so I have not published any additional personal information here, even though it is publicly available. SuYeon has not replied to my inquiry as of the time of publishing.

The .ga TLD is managed by Gabon Telecom SA. According to Wikipedia, it is the largest telecom company in Gabon, on the west coast of central Africa.

I will reach out to McAfee, TRUSTe, Norton, and Gabon Telecom, and update this story when they reply.

Originally published at https://jacksch.com on February 18, 2021.

Eric Jacksch
SecurityGuy, investigator, and writer.