Archive for the 'Social engineering' Category

 

eNom email scam

Nov 03, 2008 in Cyberfraud, Email scam, Social engineering

This scam is aimed at someone who has registered a domain name

It is the third I’ve received in 3 weeks. This one targets eNom clients, but I’m sure GoDaddy, Xin Net, Melbourne IT, and Netfirm might shortly be well represented.

Designed to trick novices, it will also snare net-savvy users who should know better but are asleep at the wheel, err, keyboard.

[Image: the scam email. Note the browser tool-tip at bottom-right, which reveals the real web address hidden beneath the displayed enom.com link.]

If you own only one domain name you are at greater risk, because you will naturally assume this message refers to it. "They" are threatening to take your domain name away from you because, allegedly, you have neglected to keep its contact details correct.

Domain name registrars genuinely do nag us about such issues ("invalid domain contact information") by email (ICANN’s Whois Data Reminder Policy in fact obliges them to send an annual reminder to check these details), so an email like this is not suspicious in itself. That is what makes it unlike a message from a bank: banks do not send unsolicited email inviting you to log in through the convenient link provided and tell them things about yourself.

Danger

That is the danger of this email: it invites you to visit a website, log in, and do something. Urgently!

In our example (linked to at the end of this article) the link in the email looks like a simple helpful path to the eNom website. How can that be dangerous?

The message pretends to be a plain text email, but it is really a ‘web page’ (HTML) set in that ole’ monospace font. Unlike plain text, HTML can hide things behind the text you read: the words displayed for a link and the address the link actually points to are two separate things, and only the first one is shown to you.

The innocent-looking "http://www.enom.com" hides a completely different web address: "http://www.enom.com.sys43.ru" - and that’s your clue that this message is NOT what it seems. Read the hidden address from the right: the site it really belongs to is sys43.ru, and "www.enom.com" is merely a name the scammer created inside that site. The registrar’s real address ends in enom.com; this one ends in .ru.
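The two checks just described (does the link’s visible text match where it really goes, and does the real target end in the registrar’s own domain?) can be done mechanically rather than by hovering over links. The code below is an added example written for this page; it is not the article’s own material and has nothing to do with eNom. The email in it is a constructed stand-in modelled on the scam, not the original message, and the "last two labels" rule it uses to find the registered domain is a simplification that mis-handles suffixes such as co.uk.

```python
"""Flag links in an HTML e-mail whose visible text claims one site but whose
href lands somewhere else, or outside the domain you expect."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real scam message): a "plain text" looking HTML
# body whose link text says enom.com but whose href does not.
SAMPLE_EMAIL = """\
From: support@enom.com
To: owner@example.com
Subject: Invalid domain contact information
Content-Type: text/html; charset="utf-8"

<html><body><pre>
Dear customer,
Please verify your contact details within 24 hours at
<a href="http://www.enom.com.sys43.ru/login">http://www.enom.com</a>
or your domain will be suspended.
</pre></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname, read from the right (assumed heuristic;
    a public-suffix list would be needed for co.uk-style suffixes).
    'www.enom.com.sys43.ru' -> 'sys43.ru'; 'www.enom.com' -> 'enom.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL, tolerating bare link text such as 'www.example.com'."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def suspicious_links(raw_message, expected_domain):
    """Return [(href, visible_text, [reasons])] for each link that should worry you."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    findings = []
    if body is None:                        # plain-text mail: nothing can be hidden
        return findings
    parser = LinkCollector()
    parser.feed(body.get_content())
    for href, text in parser.links:
        href_dom = registrable_domain(host_of(href))
        reasons = []
        if href_dom != expected_domain.lower():
            reasons.append(f"href really lands on {href_dom}, not {expected_domain}")
        # Does the visible text itself look like an address? If so, compare sites.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable_domain(text_host) != href_dom:
            reasons.append(f"visible text says {text_host} but href goes to {href}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "enom.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, `suspicious_links(SAMPLE_EMAIL, "enom.com")` returns one finding for the single link, with both reasons: the href lands on sys43.ru rather than enom.com, and the visible text claims enom.com. Swap the href for a genuine enom.com address and the list is empty. Note that the parser looks only at `<a>` elements and ignores the surrounding prose, which is exactly the part the scam wants you to read.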

Our detailed article explains how you can learn to determine for yourself that these never-ending emails are, indeed, fake.

I own more than 100 domains, so this sort of email grabs my attention because I am still updating contact information I know is incorrect. I got a similar scam message recently, purportedly from ICANN, the non-profit that oversees domain names on the Internet, and it made my toes curl. If that email was really from ICANN, I was seriously worried. Never having been reprimanded, I had no idea if this is what to expect when someone complains about false/faulty domain name registration details. But that email, like this eNom scam, did not specify a domain name. Odd, maybe, but entirely possible.

The ICANN email was not, happily, from ICANN. Neither was the coincident scam email from networksolutions.com, nor is the eNom message.

Which is why you are reading this: to be certain, and to learn the skills to sort this muck in the future, again and again.

Are you being scammed?

So, how do you, an Internet novice who just wants to get their work done, easily and quickly prove you are being hoaxed, or worse, scammed?

After all, this is technical stuff, domain names, and you don’t know how to deal with it confidently.

You might reply to the email, but the reply goes to whoever chose the sender and Reply-To addresses, which is the scammer, not your registrar, because they didn’t send it. You can instead go directly to the registrar’s website and open a support ticket. They will then likely ask which domain name you are talking about. Unless the helpdesk person realises you are on about a scam email, the two of you will be sidetracked for a while over details, and support will tend to shrug off your enquiry, telling you to just check the details.

We all get a dozen hoax emails like this every day, most of which are painfully, obviously stupid and easily dismissed. But you still need a method for evaluating the tough, ambiguous, genuinely deceptive message that you have no choice but to treat as real until proven false.

The generic process to determine if an email is a scam or hoax is here. It is a series of simple steps and uses the eNom email scam as an example, with illustrations showing screen shots and the hidden text behind them.

The scam is discussed on the Sophos anti-virus vendor’s website in Graham Cluley’s blog. Graham connects a few dots in the domain registrar industry, questioning the simultaneous release of targeted emails seeking to gather domain name owners’ credentials.


Missing Codecs?

Jun 18, 2008 in Codec, Social engineering

A quick mention of that most obvious-in-retrospect gotcha when wandering around seedier websites. Adult content sites willingly try this trick, but the danger inevitably spreads, as a matter of dark business, to more innocuous-seeming websites.

In other words, it’s no longer only the feral surfing habits of household males that place your computer, and the family’s integrity, at risk. The ladies and kiddies will be, and probably already are being, confronted with this dangerous choice on the Internet.

I refer to the missing "Codec."

What’s a ‘codec’?

What’s a "codec"? Software (a component used by your computer’s media player) that decodes a particular video or audio format so the player can show or play it; without the right one, a file in that format won’t play.

[Image: Windows "cannot play DVD" error dialog]

A few years ago it was a headache. Microsoft Windows Media Player and Apple QuickTime would only play every second media file one came across on music and video download or streaming sites. So they would nag you about a "missing codec" just when you expected some entertainment.

And why do you care?

You do care, don’t you?

The criminals seized on this as a marvellous opportunity for social engineering - aka, tricking you. Since the best way to infect a PC is to get the human in charge to tell it to infect itself, the crooks realised they could ask you to do their dirty work by trickery - like clicking "Yes please, install that codec so I can watch the video of Angelina and Brad with their new baby."

Clicking to install the "codec" may appear to work, or may appear to do nothing. Either way you lose. What is installed is either a compromised codec (’compromised’ = one that has extra malicious instructions written into it, code not in the original codec) or, when nothing seems to happen, malware installed directly without your knowing.

[Image: fake "missing codec" prompt, from Randy Abrams’ ESET blog]

Above is a typical screen, which you click and nothing happens. No video of Hollywood’s premier couple. You give up, but it’s too late. Something did happen and you will NEVER know - or, when it’s far too late, perhaps you will.

A Trojan was installed (right beneath your uncomprehending nose), designed to record the login and password for your banking website and quietly phone home to the bad guys once that is accomplished.

How to avoid installing codecs you think you need

You DO NOT need a codec offered by a website. A genuine "missing codec" complaint comes from your own media player, not from a web page, and the fix never involves downloading a program from the site that wants you to watch its video. If the video or sound won’t play, move on.

However, if your boss gave you a DVD containing a video that your computer won’t play because Windows Media Player genuinely means what it says when it complains of a missing codec (and this has nothing to do with a bogus web site), then you have three options:

  1. Spend all night trying to find the codec on the Internet - not recommended.
  2. "Boss, I couldn’t play it. Can I see IT for advice?" - also not recommended, speaking as an IT tech :0)
  3. Install VideoLAN’s VLC media player on your computer. It plays just about everything, codecs be damned.

PS: There’s far more to it than space permits. I’ll stop here for simplicity’s sake. Plenty of related posts down the line.
