In this campaign, the perpetrators are using publicly available domain registration details to target users and gain their trust. The emails also appear to originate from a legitimate domain registration company with which the user has already communicated, because they use a spoofed (forged) sender address. Hoax-Slayer reports that these messages attempt to spread malware through an attachment: "The messages advise you to click a link to download a copy of complaints received...If you open this file in the hope of viewing the supposed complaints, the malware will be installed."
A number of domain registrars have warned their user base about this scam, including companies located in Australia, the United States and India, as well as Google Domains. The subject line of the emails typically takes the form "Subject: [Domain name] Suspension Notice", but as news of this campaign spreads the wording will probably be changed to trick more users. The emails bear the hallmarks of classic phishing, including a sense of urgency: they claim that "Multiple warnings were sent by [name of Registration Company]." The perpetrators have done a better job than most of posing as a trustworthy entity to coerce users into downloading their malware. The geographic scope of and attention to detail in these phishing emails suggest a widespread, coordinated campaign.
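The traits described above (a "[Domain name] Suspension Notice" subject, a forged sender, and a link or attachment carrying the payload) can be turned into a simple mailbox triage check. The following script is an added example written for this post; it is not code from Hoax-Slayer, Mirata Ltd or any registrar. The three messages, the registrar name and every domain in them are constructed placeholders, and treating a mismatch between the From domain and the Return-Path domain as a spoofing indicator is a heuristic assumed here (a production filter would rely on SPF/DKIM/DMARC results instead).

```python
"""Triage a mailbox dump for registrar "Suspension Notice" phishing lures.

Added example for this post. Sample messages, names and domains are
constructed placeholders; the From/Return-Path comparison is a heuristic.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages: one lure with a download link, one genuine
# invoice notice, and one lure delivering its payload as an attachment.
SAMPLES = [
"""From: Example Registrar <abuse@example-registrar.test>
Return-Path: <bounce@mail-blast.example.net>
Subject: example.com Suspension Notice
Content-Type: text/plain

Multiple warnings were sent by Example Registrar.
Download the complaints: http://203.0.113.5/complaints.zip
""",
"""From: Example Registrar <billing@example-registrar.test>
Return-Path: <billing@example-registrar.test>
Subject: Your invoice for example.com
Content-Type: text/plain

Your renewal invoice is available in your customer area.
""",
"""From: Example Registrar <support@example-registrar.test>
Return-Path: <noreply@other.example>
Subject: example.org suspension notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Multiple warnings were sent. See attached complaints.
--b1
Content-Type: application/zip; name="complaints.zip"
Content-Disposition: attachment; filename="complaints.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
""",
]

# "<domain> Suspension Notice", case-insensitive, as described in the post.
SUBJECT_RE = re.compile(
    r"^\s*(?P<domain>[a-z0-9.-]+\.[a-z]{2,})\s+suspension notice\s*$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Return the list of lure indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        findings.append("subject matches '<domain> Suspension Notice' lure")
    from_dom = sender_domain(msg.get("From"))
    rp_dom = sender_domain(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if URL_RE.search(text):
        findings.append("body carries a download link")
    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.append("message carries an attachment")
    return findings


def verdict(raw):
    """'lure' when the subject pattern co-occurs with any other indicator."""
    findings = analyse(raw)
    subject_hit = any(f.startswith("subject matches") for f in findings)
    return "lure" if subject_hit and len(findings) > 1 else "clean"


def scan(messages):
    """Verdict for each message, in order."""
    return [verdict(m) for m in messages]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES):
        print(f"message {i}: {verdict(raw)}")
        for f in analyse(raw):
            print(f"  - {f}")
```

The subject pattern alone is not enough to act on, since a registrar may send a genuine notice with a similar title; the verdict therefore requires the lure subject plus a sender mismatch or a payload carrier. When the campaign's wording changes, as the post expects it will, only `SUBJECT_RE` needs updating.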
Emails sent from Mirata Ltd relating to renewals, payments, account updates etc. are all displayed within your personal customer area. By logging in and clicking "Email History", you can verify whether an email has been sent from our system.
Monday, March 28, 2016