A new phishing campaign is targeting the owners of internet domains in an attempt to spread malware. The emails are presented as a notice of domain suspension, claiming that the user’s domain (registered website address) has received several complaints and that they are suspending their service. Help Net Security reports that the emails contain “the valid domain registration and the recipient's full name, which the attackers must have harvested online, via the whois query. The sender's email address is also spoofed to make it look like the sender is the domain registrar.” A whois query is a protocol used to look up the owners of an internet resource such as a website domain. Utilizing publicly available information to target users is a form of social engineering, psychologically manipulating people into performing actions or providing sensitive information by gaining their confidence. 

In this campaign, the perpetrators are utilizing publicly available domain registration details to target users and gain their trust. The emails also appear to originate from a valid domain registration company with which users have already communicated, as the emails utilize a spoofed (fake) email address to appear legitimate. Hoax-Slayer reports that these messages are attempting to spread malware through an attachment: “The messages advise you to click a link to download a copy of complaints received…If you open this file in the hope of viewing the supposed complaints, the malware will be installed.” 

A number of domain registrars have announced this scam to their user base including companies located in Australia, the United States and India, as well as Google Domains.  The subject line of the emails typically takes the form of Subject: [Domain name] Suspension Notice but as news of this campaign spreads the methodology will probably be amended to trick more users. The emails bear the hallmarks of classic phishing tactics including the implication of urgency, as they claim that “Multiple warnings were sent by [name of Registration Company]." The perpetrators have done a better job than most of posing as a trustworthy entity to coerce users into downloading their malware. The geographic scope and attention to detail in these phishing emails suggests a widespread, coordinated campaign.