Heads up: eNom phishing emails
A recent post at Webmaster World turned a lot of heads when it reported that an extremely large-scale phishing attack against eNom is underway.
“The emails are sent randomly to common (e.g. sales@, info@, admin@ etc), dictionary and to randomly-generated addresses, and so will mostly be received by people without enom accounts. However, the mails are quite well-crafted and might catch out the unwary.
The emails I’ve seen so far use randomised subjects like the below:
- Attention: Inaccurate whois information.
- Inaccurate whois information.
- Inaccurate whois information. [IncidentID:33631]
- Maintenance at eNom
- Maintenance at eNom – attention
- Maintenance at eNom – warning
- Maintenance at eNom.com
- Maintenance at eNom.com – attention!
- Maintenance at eNom.com – warning!
- Problem: Inaccurate whois information.
- Warning: Inaccurate whois information.
- Your domain must be deleted today!
The sender is also randomly selected from a list including:
The emails vary from merely mentioning maintenance and including an account login link, to enticing clicks by saying that your domain has been suspended unless you login and verify data. Links will take you to a non-enom site such as enom.com[0-9]+.biz which will store your logon details for later exploitation.
It’s quite well done, as there is a minimum of grammar and spelling errors, and overall is more subtle, and more consistent than most phishing attacks.
The messages themselves seem to be sent via an extremely large network of zombie PCs – I’ve seen many thousands sent to a single domain name. There are a few other footprints within the message headers, but I’ll spare you the gory tech details.
Needless to say, if you have an enom account and have clicked on a link in such a message, and entered account details, you are most likely on a list of compromised accounts somewhere. I recommend that you immediately change your login details, and contact enom to let them know you think you have been the victim of a phishing attack.”
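The link pattern described in the quoted post can be checked mechanically by a mail filter. The following is an added example, not code from the original post or from eNom. The function names and the sample message are constructed, and the check also flags other non-enom hosts that use the eNom name, which goes beyond the single `enom.com[0-9]+.biz` shape the post mentions.

```python
import re
from urllib.parse import urlsplit

LEGIT = "enom.com"  # the real registrar domain named in the post
# Shape given in the post: enom.com[0-9]+.biz, possibly under further subdomains.
CAMPAIGN_RE = re.compile(r"(^|\.)enom\.com[0-9]+\.biz$")
# Brand used as the start of a hostname label ("venom" or "enomous" do not match).
BRAND_RE = re.compile(r"(^|\.)enom(?![a-z])")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def classify_host(host):
    """Return 'legit', 'campaign', 'lookalike' or 'other' for a link hostname."""
    host = host.lower().rstrip(".")
    if host == LEGIT or host.endswith("." + LEGIT):
        return "legit"
    if CAMPAIGN_RE.search(host):
        return "campaign"   # exact shape described in the post
    if BRAND_RE.search(host):
        return "lookalike"  # eNom name on a domain that is not enom.com
    return "other"


def flag_links(body):
    """Return (url, hostname, verdict) for links that use the eNom name
    but do not point at enom.com."""
    flagged = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname  # drops port and userinfo, lowercases
        if not host:
            continue
        verdict = classify_host(host)
        if verdict in ("campaign", "lookalike"):
            flagged.append((url, host, verdict))
    return flagged


# Constructed sample message (not a captured email); hostnames are made up.
SAMPLE = """Subject: Maintenance at eNom.com - attention!
Log in to verify your data: http://www.enom.com8812.biz/login
Genuine site for comparison: https://www.enom.com/myaccount
Another non-enom host: http://enom.com.example/verify
"""

if __name__ == "__main__":
    for url, host, verdict in flag_links(SAMPLE):
        print(verdict, host, url)
```

Matching on the hostname rather than the visible link text matters here, because the campaign's hostnames begin with the genuine-looking string `enom.com`.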
Here are some of the comments on this post:
Yup — I received one of those today (“Maintenance”) … sent to a spam-trap address.
It was generated from/via Poland.
Thanks, Receptional Andy, for the heads-up! -Laker
We got one of these as well and followed the domain to the registrar onlinenic.com — after much digging we found a support email address. I just got the following response. Fairly weak. -Space2Burn