First Enom Phish, now Network Solutions Phish

Yesterday we reported that in the wake of ICANN's actions against ESTDomains, a new phishing campaign against eNom had begun. eNom holds the keys to more than 9 million domains, so that was pretty big news. Today the phishers have turned their attention to Network Solutions, which is listed as the Number Three registrar by domain count with more than 6.5 million domains.



With email subjects such as:

Attention: domain is expired
Attention: domain will be expired soon.
Attention: domain will be expired tomorrow.
Attention: domains are expired.
Attention: domains will be expired tomorrow.
Please, renew your domain
Please, renew your domains
Your domain are expired at this time!
Your domain is expired today!
Your domain will be deleted soon
Your domain will be deleted today

the phisher hopes to get the attention (and the userid and password) of the legitimate owners of domains registered at Network Solutions.

The email body looks like this:

---

Dear Network Solutions Customer,

We recently notified you that the registration period for your Network Solutions domain name had expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.

Renew your domain now - http://www.networksolutions.com

You must click on the following link, enter your domain name, and confirm your contact information in order to claim these funds. If your contact information is not correct, you must enter Account Manager and make the appropriate changes prior to clicking "submit" from the confirmation screen. If you do not do this, you will be confirming inaccurate information and will not receive any payment. Checks will only be made payable and mailed to the Account Holder of record.

Sincerely,

Network Solutions® Customer Support

---

With Senders such as:

NetworkSolutions Inc
NetworkSolutions Support
NetworkSolutions Support Team
NetworkSolutions Team
networksolutions.com
networksolutions.com Tech Support

and From addresses such as:

support@networksolutions.com
customerservice@networksolutions.com
tech@networksolutions.com

and nonsense tags such as:

NSCC0+2351620824@networksolutions.com

We expect more URLs will be added, as we are still on the early side of this phishing spam campaign, but here is what we have seen so far at the UAB Spam Data Mine.

http://www.networksolutions.com.com21.asia
http://www.networksolutions.com.com42.asia
http://www.networksolutions.com.com55.asia
http://www.networksolutions.com.sys42.mobi
http://www.networksolutions.com.sys44.mobi
http://www.networksolutions.com.sys49.mobi

We've reported these domains and hope to see quick action by the registrar for them.

As with every current top spam campaign, the registration WHOIS information indicates the registrant as being "Shestakov Yuriy" AKA Alexey Vasiliev - the registrant behind all the top "Russian girls" spam domains and most of the Canadian pharmacy spam domains, who has also used email addresses "alexvasiliev1987@gmail.com" and "alexvasiliev1987@cocainmail.com" as his identity when registering domains.

Hopefully OnlineNIC will terminate these domains quickly.

As with yesterday's eNom domains - these domains are fast flux hosted on the same site as a great deal of child pornography. More details are available to law enforcement.