Why do scammers love NameCheap?

by @edent | 10 comments | Read ~1,229 times.

The UK is facing an epidemic of SMS fraud. Scammers know that we're all at home eagerly waiting for deliveries. So they send out phishing messages saying "Sorry we missed you" or "You need to pay a delivery fee". If you click on the link they send, you'll go to a very convincing website which looks identical to the courier's page.

Whereupon the fraudsters will ask for your bank details, credit card number, mother's maiden name, and inside leg measurement.

There are many complex reasons why this fraud proliferates. But one thing underpins these scams - a domain name and hosting. Over the last few months, the vast majority of the fraud I've seen has come from domains registered by NameCheap.

OK, but that's anecdotal evidence. Is there anything more robust?

My friends in the UK's National Cyber Security Centre have released a report looking at phishing - amongst other things. Here's what they have to say about NameCheap:

Figure 1 shows that NameCheap became the most popular host of UK government-themed phishing during 2020. By December 2020 we found that it hosted in excess of 60% of phishing in this category.
Graph showing rise of NameCheap.

NameCheap appear to be the preferred supplier of domains and hosting to the criminal community.

OK, they can't easily control who registers domains. But I'm sure that they take reports of abuse seriously. Right?

Looking specifically at the number of campaigns hosted by NameCheap against its monthly median attack availability, we see that by mid-year the median takedown times were consistently in excess of 60 hours. This undoubtedly made NameCheap an attractive proposition to host phishing and may explain the rise in monthly hosted campaigns that followed for UK government-themed phishing.

Oh...

The problem is, these domains are designed to be "hit-and-run". The spammer sends as many phishing messages as possible, in as short a time as possible. They're expecting the domain to be taken down. Every minute counts.

The CEO of NameCheap is, unsurprisingly, defensive of his company's handling of the situation.

What can be done?

There are some proposals to restrict access to new domains - but I don't think that's effective. A spammer can register a domain, wait a month, then blast it out.

NameCheap could make it harder for people to register domains with them. They accept anonymous registration using crypto-currency. I want to live in a world where people can anonymously register web services - but I also don't want to be bombarded with spam.

Given that NameCheap want anonymous customers, and given the prices for hosting are cheap, perhaps they should be taking "good behaviour" deposits from anonymous customers? Take, say, a hundred pounds and refund it only if the account isn't suspended.

Perhaps Nominet could insist that its members take swifter action against spammers - and then remove the ability to resell domains for those that don't?

Maybe NameCheap should increase its prices so that it can afford to pay for the abuse staff that it so desperately needs?

There are no easy answers here. But NameCheap are obviously doing something to attract - and profit from - scammers. What can be done to make them take more responsibility?


10 thoughts on “Why do scammers love NameCheap?”

  1. Nick Drage says:

    A well put summary of the issues around the current flurry of SMS spam, how easy it is to host domains and sites, and some thoughts on how to impede criminals while enabling anonymous use of services.

    Meanwhile I wonder if NameCheap counts as "bulletproof hosting" at this point?

  2. Ian says:

    It’s a bit of a whack-a-mole solution, but the mobile networks could start reverse look-up of domains in SMS messages, and if it’s supplied by [unreliable domain name seller] block the message on quality control grounds until the domain name seller cleans up its act.

    A bit like IP reputation scores for spam filters, but for the domain name reseller instead.

    1. This worries me. I don’t want my phone company “protecting” me. Perhaps I should think of the children…?

  3. Eric Andersen says:

    I have found in the recent past that SPAM text messages have contained links to domains registered with NameCheap. When I complained to NameCheap, I was told to take it up with the telecom company.

    It seems there are always people seeking to exploit gaps in the system and when attempts are made to close those gaps, cries of “excessive regulation!” can be heard from those same groups.

    There is a synergy here between the spammers and NameCheap. Both are profiting from the exploit and you and I are paying the price.

    I have no answer, I don’t know the inner workings well enough to propose one. I can only hope that someone more clever than I can find one.

  4. superkuh says:

    I am not a spammer. But I do love namecheap because I am able to lease domain names from them without ever giving them my name by paying in bitcoin. It’s unfortunate this, and other aspects, are abused but it is worth it in the end.

  5. James says:

    I wonder if a login-namecheap.com domain purchased from Namecheap with a mocking website hosted by them might get a different response...

    1. Phil says:

      It would, but not for the reason you might want. This is because it would be an abuse of their name, so they would be responding to this rather than the general impersonation of a company. Namecheap would likely expect each company to respond by taking action to protect their respective names and trademarks. This is the individualist/libertarian approach that is responsible for giving the scammers the benefit of the doubt to begin with.

  6. Chris March says:

    You’re right to call out NameCheap’s shoddy practices, but at the same time it feels like the problem of SMS fraud could be well-mitigated by the mobile networks?

    There is already the 7726 spam reporting service – yet information on what the mobile networks do with reports made to this service is scarce. (Is it just there to make people feel better?)

    A common pattern I see is for scam messages to start with the company name and contain a URL; e.g. “DELIVERY COMPANY: Your parcel has an unpaid £1.45 shipping fee. Please pay this now via: not Delivery Company’s website. Your package is at risk if this fee is not paid.”

    There are a small number of companies whose brands get targeted in this way – banks and delivery companies seem to be the targets at the moment. Could the mobile networks take a more active role and liaise with these companies to establish what domain name(s) they are going to use in their SMS notifications – and when they are asked to deliver messages that match known fraudulent patterns containing a brand name and a URL that don’t correspond with each other, they instead route the message to /dev/null?
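The check described in the comment above (a known brand prefix paired with a URL that does not belong to that brand), as an added example that is not part of the original post or its comments. The brand names, domains and sample messages are constructed, and the `BRAND_DOMAINS` table is an assumption standing in for whatever list the networks and companies would agree on.

```python
import re
from urllib.parse import urlsplit

# Constructed table: brand prefix -> domains that brand has declared for SMS links.
BRAND_DOMAINS = {
    "delivery company": {"deliveryco.example"},
    "example bank": {"examplebank.example", "exbk.example"},
}

# Matches links with or without a scheme, since SMS links are often bare hostnames.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def host_of(url):
    """Extract the lower-cased hostname from a link that may lack a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def on_declared_domain(host, domains):
    """True for an exact match or a real subdomain of a declared domain.

    A plain substring or prefix test would wrongly accept lookalikes such as
    "deliveryco.example.parcel-fee.test", so compare on label boundaries.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(sms):
    """Return 'block' when a known brand prefix is paired with an off-brand link."""
    prefix, sep, body = sms.partition(":")
    brand = prefix.strip().lower()
    if not sep or brand not in BRAND_DOMAINS:
        return "deliver"  # no claim to be a brand we hold a list for
    hosts = [host_of(m.group(0)) for m in URL_RE.finditer(body)]
    if any(not on_declared_domain(h, BRAND_DOMAINS[brand]) for h in hosts):
        return "block"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample messages.
    print(classify("DELIVERY COMPANY: Your parcel has an unpaid £1.45 shipping "
                   "fee. Pay via: https://deliveryco.example.parcel-fee.test/pay"))
    print(classify("DELIVERY COMPANY: Out for delivery. Track at "
                   "https://track.deliveryco.example/p/123"))
```

A filter like this only covers brands that have registered their domains, and a sender can sidestep it by dropping or misspelling the brand prefix, so it complements takedown rather than replacing it.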

  7. martin says:

    It seems that namescheap do not care about spammers using them as long as the registration cash keeps flowing. If they really cared they would ensure they had full contact details for their customers and inform the FBI if those customers illegally spammed or phished. I am in the UK and have been finding their customers' emails constantly for months being blocked by my servers' anti-spam software. I also am not on any USA marketing lists so these spammers are using pirate email databases to spam the world. Time ICANN took action!
