The UK is facing an epidemic of SMS fraud. Scammers know that we're all at home eagerly waiting for deliveries. So they send out phishing messages saying "Sorry we missed you" or "You need to pay a delivery fee". If you click on the link they send, you'll go to a very convincing website which looks identical to the courier's page.
Whereupon the fraudsters will ask for your bank details, credit card number, mother's maiden name, and inside leg measurement.
There are many complex reasons why this fraud proliferates. But one thing underpins these scams - a domain name and hosting. Over the last few months, the vast majority of the fraud I've seen has come from domains registered by NameCheap.
OK, but that's anecdotal evidence. Is there anything more robust?
My friends in the UK's National Cyber Security Centre have released a report looking at phishing - amongst other things. Here's what they have to say about NameCheap:
Figure 1 shows that NameCheap became the most popular host of UK government-themed phishing during 2020.By December 2020 we found that it hosted in excess of 60% of phishing in this category.
NameCheap appear to be the preferred supplier of domains and hosting to the criminal community.
OK, they can't easily control who registers domains. But I'm sure that they take reports of abuse seriously. Right?
Looking specifically at the number of campaigns hosted by NameCheap against its monthly median attack availability, we see that by mid-year the median takedown times were consistently in excess of 60 hours. This undoubtedly made NameCheap an attractive proposition to host phishing and may explain the rise in monthly hosted campaigns that followed for UK government-themed phishing.
The problem is, these domains are designed to be "hit-and-run". The spammer sends as many phishing messages as possible, in as short a time as possible. They're expecting the domain to be taken down. Every minute counts.
The CEO of NameCheap is, unsurprisingly, defensive of his company's handling of the situation.
For example, there is 1 criminal gang that we've been fighting against targeting UK delivery services and banks. You live in your own bubble and that's all you care about and are exposed to.
— Richard Kirkendall (@NamecheapCEO) April 23, 2021
More than 9 out of 10 abuse reports submitted to us are false or incorrect. We processed/investigated 1.1 million abuse claims/reports in 2020 and only 100k of them were actually found to be linked to abuse. Less than 1 percent of domains registered with us. Submit a ticket.
— Richard Kirkendall (@NamecheapCEO) March 9, 2021
There are some proposals to restrict access to new domains - but I don't think that's effective. A spammer can register a domain, wait a month, then blast it out.
NameCheap could make it harder for people to register domains with them. They accept anonymous registration using crypto-currency. I want to live in a world where people can anonymously register web services - but I also don't want to be bombarded with spam.
Given that NameCheap want anonymous customers, and given the prices for hosting are cheap, perhaps they should be taking "good behaviour" deposits from anonymous customers? Take, say, a hundred pounds and refund it only if the account isn't suspended.
Perhaps Nominet could insist that its members take swifter action against spammers - and then remove the ability to resell domains for those that don't?
Maybe NameCheap should increase its prices so that it can afford to pay for the abuse staff that it so desperately needs?
There are no easy answers here. But NameCheap are obviously doing something to attract - and profit from - scammers. What can be done to make them take more responsibility?