Domain name holders are currently being targeted in an aggressive malware campaign that claims their domain name has been suspended for violation of the domain registrar’s abuse policy. The messages list your domain name, your registrar, and your registrant name.
They claim that the registrar has tried repeatedly to contact you about abuse complaints but did not receive a reply. Thus, claim the emails, the registrar had ‘no choice but to suspend your domain name’.
The messages advise you to click a link to download a copy of complaints received. It also advises you to ‘contact us’ for additional information and includes an ‘Abuse Department Hotline’ phone number.
However, despite their legitimate appearance, the emails are not from any domain registrar. Instead, they are a criminal ruse designed to panic you into downloading and installing malware. If you click the link in the emails, a malicious executable file will be downloaded to your computer. If you then open this file in the hope of viewing the supposed complaints, the malware will be installed.
Once installed, the malware may download further malware that may steal personal information such as passwords and allow online criminals to access and control your computer.
This campaign is especially dangerous because it uses valid information about the domain registration and includes your full name. And, it uses spoofed email addresses to make it appear that the message really did come from your domain registrar. Even experienced users might be caught out by this attack.
Melbourne IT, one of the targeted domain registrars, has published a warning about the attack on its website.
Calling the ‘Abuse Department Hotline’ gets a ‘number not connected’ error message.
If you receive one of these emails, do not click any links or open any attachments that it contains. Do not reply to the email and do not attempt to call any phone numbers listed. If you have any concerns, contact your domain registrar directly.
Examples
Subject: Domain [domain name removed] Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the Melbourne IT Ltd Abuse Policy:
Domain Name: [Removed]
Registrar: Melbourne IT Ltd
Registrant Name: [removed]
Multiple warnings were sent by Melbourne IT Ltd Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
Melbourne IT Ltd
Spam and Abuse Department
Abuse Department Hotline: 480-195-3050
Subject: Domain [domain name removed] Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the DYNADOT LLC Abuse Policy:
Domain Name: [removed]
Registrar: DYNADOT LLC
Registrant Name: [removed]
Multiple warnings were sent by DYNADOT LLC Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here [LINK] and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
DYNADOT LLC
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
