Why do scammers love NameCheap?
The UK is facing an epidemic of SMS fraud. Scammers know that we're all at home eagerly waiting for deliveries. So they send out phishing messages saying "Sorry we missed you" or "You need to pay a delivery fee". If you click on the link they send, you'll go to a very convincing website which looks identical to the courier's page.
Whereupon the fraudsters will ask for your bank details, credit card number, mother's maiden name, and inside leg measurement.
There are many complex reasons why this fraud proliferates. But one thing underpins these scams - a domain name and hosting. Over the last few months, the vast majority of the fraud I've seen has come from domains registered by NameCheap.
OK, but that's anecdotal evidence. Is there anything more robust?
My friends in the UK's National Cyber Security Centre have released a report looking at phishing - amongst other things. Here's what they have to say about NameCheap:
Figure 1 shows that NameCheap became the most popular host of UK government-themed phishing during 2020. By December 2020 we found that it hosted in excess of 60% of phishing in this category.
NameCheap appear to be the preferred supplier of domains and hosting to the criminal community.
OK, they can't easily control who registers domains. But I'm sure that they take reports of abuse seriously. Right?
Looking specifically at the number of campaigns hosted by NameCheap against its monthly median attack availability, we see that by mid-year the median takedown times were consistently in excess of 60 hours. This undoubtedly made NameCheap an attractive proposition to host phishing and may explain the rise in monthly hosted campaigns that followed for UK government-themed phishing.
Oh...
The problem is, these domains are designed to be "hit-and-run". The spammer sends as many phishing messages as possible, in as short a time as possible. They're expecting the domain to be taken down. Every minute counts.
The CEO of NameCheap is, unsurprisingly, defensive of his company's handling of the situation.
What can be done?
There are some proposals to restrict access to new domains - but I don't think that's effective. A spammer can register a domain, wait a month, then blast it out.
NameCheap could make it harder for people to register domains with them. They accept anonymous registration using crypto-currency. I want to live in a world where people can anonymously register web services - but I also don't want to be bombarded with spam.
Given that NameCheap want anonymous customers, and given the prices for hosting are cheap, perhaps they should be taking "good behaviour" deposits from anonymous customers? Take, say, a hundred pounds and refund it only if the account isn't suspended.
Perhaps Nominet could insist that its members take swifter action against spammers - and then remove the ability to resell domains for those that don't?
Maybe NameCheap should increase its prices so that it can afford to pay for the abuse staff that it so desperately needs?
There are no easy answers here. But NameCheap are obviously doing something to attract - and profit from - scammers. What can be done to make them take more responsibility?
Meanwhile I wonder if NameCheap counts as "bulletproof hosting" at this point?
Ian says:
A bit like IP reputation scores for spam filters, but for the domain name reseller instead.
Eric Andersen says:
It seems there are always people seeking to exploit gaps in the system and when attempts are made to close those gaps, cries of “excessive regulation!” can be heard from those same groups.
There is a synergy here between the spammers and NameCheap. Both are profiting from the exploit and you and I are paying the price.
I have no answer, I don’t know the inner workings well enough to propose one. I can only hope that someone more clever than I can find one.
Ubaldo says:
That was 4 years ago, c.2018. Today, mid-2022 I still receive upwards of 20 spam calls and 5 SMS spam texts PER DAY on my cell phone. 99.3% of the SMS spam that I receive is STILL from namecheap domain names usually registered within the prior 14-30 days, many times it's within a day!
The domain names used in the SMS spams are gibberish too, they're not even worth reg-fee. Just a bunch of letters and numbers. Isn't it clear to these highly paid attorneys what is going on? Doubt it as 6 decades on this planet have proven that degrees AND/OR high pay have zero correlation to brains.
Apparently the spammers flock to namecheap more so than any other registrar so what that tells me is they are lax on wanting to stop this whereas these spammers likely have hit brick walls at other registrars. The complete shutdown from their abuse attorney makes me wonder if namecheap is in on it or somehow receiving benefit from it.
The answer is simple, if there isn't already a TOS clause that states the domain will be deleted, immediately, upon verifiable proof of spam activities then it needs to be added to namecheap's TOS. AND THEN namecheap needs to execute on it when shown proof.
Until then I have not and will not purchase another domain name at namecheap no matter how low the cost is. I will not subsidize this abuse and the willful ignoring of it. I have moved all my 400+ domain names out of that registrar years ago. I have also posted publicly on forums this very same statement, advised people to stay away from namecheap lest they wish to support spamming and willful ignorance of spamming.
The cost of a lost customer is quite a large number.
Chris March says:
There is already the 7726 spam reporting service – yet information on what the mobile networks do with reports made to this service is scarce. (Is it just there to make people feel better?)
A common pattern I see is for scam messages to start with the company name and contain a URL; e.g. “DELIVERY COMPANY: Your parcel has an unpaid £1.45 shipping fee. Please pay this now via: not Delivery Company’s website. Your package is at risk if this fee is not paid.”
There are a small number of companies whose brands get targeted in this way – banks and delivery companies seem to be the targets at the moment. Could the mobile networks take a more active role and liaise with these companies to establish what domain name(s) they are going to use in their SMS notifications – and when they are asked to deliver messages that match known fraudulent patterns containing a brand name and a URL that don’t correspond with each other, they instead route the message to /dev/null?
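The brand/URL mismatch check suggested in the comment above, sketched as an added example (not part of the original post or its comments). The brand names, the allowlisted domains and the sample messages are all constructed, and the domains are reserved test names.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: brand name -> domains the brand has told the network it uses.
BRAND_DOMAINS = {
    "delivery company": {"deliveryco.example"},
    "example bank": {"bank.example"},
}

# Matches http(s) URLs and bare host/path tokens such as "pay.test/fee".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def hosts_in(text):
    """Return the lower-cased hostname of every URL-like token in the text."""
    hosts = []
    for token in URL_RE.findall(text):
        url = token if "://" in token else "http://" + token
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def host_allowed(host, allowed):
    """Exact match or a true subdomain; substring matching would be spoofable."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify(text):
    """Return (verdict, brand, offending_hosts) for one SMS body."""
    lowered = text.lower()
    hosts = hosts_in(text)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in lowered and hosts:
            bad = [h for h in hosts if not host_allowed(h, allowed)]
            return ("mismatch" if bad else "ok", brand, bad)
    return ("no-brand-url", None, [])


# Constructed sample messages; the domains are reserved test names.
SAMPLES = [
    "DELIVERY COMPANY: Your parcel has an unpaid £1.45 shipping fee. "
    "Please pay this now via: https://deliveryco-fees.test/pay",
    "Delivery Company: your parcel arrives today. Track: https://track.deliveryco.example/abc",
    "DELIVERY COMPANY: redelivery fee due, see deliveryco.example.parcel-fee.test/pay",
    "Hi, running late, see you at 6",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify(sms), "<-", sms[:40])
```

The third sample is the case a substring check would miss: the brand's real domain appears only as a leading label of an unrelated host.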
emails constantly for months being blocked by my server's anti-spam software. I also am not on any USA marketing lists so these spammers are using pirate email databases to spam the world. Time ICANN took action!
Kevin says:
Besides the Namecheap component, there are one or two high-volume SMS spam crime gangs with a well-established and stable infrastructure on Salesforce, Amazon, Cloudflare, and High Speed Web. Yes, they're all fully aware that they're hosting credit card phishing gangs.
SpamBuster says: