What can I do about a lookalike phishing domain being used to commit fraud?

ryan29

Established Member
Hi. This isn't a question about buying or selling, so I hope it's OK.

Is there anything I can do about a domain that was registered to impersonate an existing domain? Someone recently registered the domain of a local business that I know and is using it to (attempt to) commit fraud. The bad actor compromised one of the business's email accounts not too long ago and did the following:
  • They registered a lookalike domain. Think `example.com` instead of `examples.com`.
  • They selected a message chain with an invoice and payment instructions.
  • They replied to the message chain using the fake domain to impersonate all the users involved.
  • They asked the recipient to update bank account info for a large payment (>$100,000).
  • They set up some odd forwarding from a third domain and triggered a large volume of bounced messages that were forwarded to the impersonated business's users. This was done on a Friday. I assume the intent was to bury the users in junk mail to reduce the odds of them catching the fraud. I'm guessing the address used for this is a compromised account.
The target victim didn't get fooled and the local business was able to warn the rest of their customers, but the lookalike domain is still there as a future problem and I'm not sure how (or if) it can be taken offline.
  • The registrar (`onamae.com`) doesn't appear to be English-speaking, so I'm going to have a tough time communicating with them. I think they're in Japan, but I'm not sure.
  • I think the DNS is hosted in Lithuania (`monovm.com/`).
  • I can't figure out who hosts the email. The MX records are for `us2.mx1.mailhostbox.com`, etc., which redirects to an American company (`newfold.com/`) that owns a bunch of hosting providers.
I'm in Canada if it makes a difference.

Can I ask ICANN to do anything or do I need to ask the registrar first? Is there any point in trying to contact the DNS or email host since it's trivial for the fraudster to move the domain to new hosts if they get banned from the existing ones?

Is there anything else I should be aware of or watch out for?
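The attack described in the post above (a sender domain one character off from the real one, replying into an existing invoice thread) is something a mail gateway or log review can catch mechanically. The following is an added example, not code from the original post or from anyone in this thread: it scores each inbound From and Reply-To domain against a list of trusted domains using an edit-distance check, a homoglyph fold and a same-name-different-TLD check, and reports the lines that match. It goes slightly beyond the post by also flagging a Reply-To that points at a lookalike, a variant of the same trick. The trusted domain `examples.com`, the log format and every log line are constructed for the demonstration.

```python
"""Flag inbound mail whose From or Reply-To domain is a lookalike of a domain we trust.

Added example for this thread, not code from the original post. The trusted domain,
the log format and the log lines are all constructed for the demonstration.
"""
import re

# Assumption: examples.com is the legitimate business domain from the post and
# example.com is the lookalike the fraudster registered.
TRUSTED = {"examples.com"}

# Constructed sample log lines in a made-up "from=<> reply-to=<> subject=" format.
SAMPLE_LOG = [
    '2024-05-10 14:02:11 from=<ap@examples.com> reply-to=<> subject="Invoice 4471"',
    '2024-05-10 16:40:03 from=<ap@example.com> reply-to=<> subject="RE: Invoice 4471 - new bank details"',
    '2024-05-10 16:41:55 from=<ceo@examp1es.com> reply-to=<> subject="RE: Invoice 4471"',
    '2024-05-10 16:45:00 from=<ap@examples.co> reply-to=<> subject="RE: Invoice 4471"',
    '2024-05-10 17:00:00 from=<news@vendor-news.com> reply-to=<> subject="Newsletter"',
    '2024-05-10 17:05:00 from=<ap@examples.com> reply-to=<ap@example.com> subject="RE: Invoice 4471"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) from=<(?P<from>[^>]*)> reply-to=<(?P<rt>[^>]*)> subject="(?P<subj>[^"]*)"'
)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


# Substitutions typosquatters commonly use; folding them lets "examp1es" compare
# equal to "examples". Only used for comparison, never shown to the user.
FOLD = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def fold(label: str) -> str:
    s = label.lower()
    for src, dst in FOLD:
        s = s.replace(src, dst)
    return s


def registrable(domain: str) -> str:
    """Naive registrable part (last two labels). Fine for the .com/.co case here;
    a real deployment should use the Public Suffix List instead."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_domain(domain: str):
    """Return (verdict, reason) with verdict in {'trusted', 'lookalike', 'unrelated'}."""
    cand = registrable(domain)
    if cand in TRUSTED:
        return "trusted", "exact match"
    if "." not in cand:
        return "unrelated", "no registrable domain"
    c_label, c_tld = cand.rsplit(".", 1)
    for t in TRUSTED:
        t_label, t_tld = t.rsplit(".", 1)
        if c_label == t_label:  # same name, different TLD (examples.co vs examples.com)
            return "lookalike", f"same name as {t}, different TLD .{c_tld}"
        if fold(c_label) == fold(t_label):
            return "lookalike", f"homoglyph of {t}"
        # One edit for short names, two for long ones; short names get too many false hits.
        limit = 2 if len(t_label) >= 8 else 1
        if damerau_levenshtein(c_label, t_label) <= limit:
            return "lookalike", f"within {limit} edit(s) of {t}"
    return "unrelated", "no trusted domain nearby"


def scan(lines):
    """Return (timestamp, field, address, reason) for every line whose From or
    Reply-To domain is a lookalike of a trusted domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("from", "rt"):
            addr = m.group(field)
            if "@" not in addr:
                continue
            verdict, reason = classify_domain(addr.split("@", 1)[1])
            if verdict == "lookalike":
                hits.append((m.group("ts"), field, addr, reason))
                break
    return hits


if __name__ == "__main__":
    for ts, field, addr, reason in scan(SAMPLE_LOG):
        print(f"{ts} {field}={addr}: {reason}")
```

Run against the constructed log it flags four of the six lines: the one-character-off domain, the homoglyph, the wrong-TLD twin, and the message whose From is genuine but whose Reply-To is the lookalike. The genuine invoice and the unrelated newsletter pass. The distance threshold is the knob to tune: two edits on an eight-character label is aggressive, and a real deployment should whitelist known partner domains that happen to sit that close.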
Report it to the registrar; if communication is lacking:
https://www.gmoregistry.com/en/policy/

which is their parent company. If nothing comes from that, there's ICANN.

Don't bother with the DNS/hosting provider; judging by their location they won't do much... unless it's just DNS and they're hosted at Newfold.

...

Newfold (WEB/EIG) is huge... That (MX) domain is used by a lot of their companies. Report to them; they've got an abuse and fraud department.

Good luck!
Send so much email it is always full.