Please transfer this email to your CEO or appropriate person, thanks

The following domain name registration scam has been making rounds at least for a couple of years. Its longevity suggests that it remains effective at separating the victims from their money. The scam's email messages usually begin with the phrase:

"(It's very urgent, Please transfer this email to your CEO or appropriate person, thanks)"

The message is typically addressed to the generic title of CEO, President or Principal without specifying the person's name. It claims to come from a Chinese domain registration organization and states that some company is trying to register Asian versions of the domain name associated with the recipient's company, in TLDs such as:

.asia, .cn, .co.in, .com.cn, .com.hk, .com.tw, .hk, .in, .net.cn, .org.cn, .tw

The text urges the recipient to contact the sender to protect this domain from the alleged impostor. Here's a sample:

"After our initial checking, we have found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If you have not, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for 'Arub Asia Investment Ltd'."

The sender signs off with "Best Regards" and includes an email signature block that usually looks like this:

"Best Regards,
Charles Chen
Tel:+86-5515223114    Fax:+86-5515223113
No.1688 Taihu Road,Baohe District,Hefei,Anhui,China"
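The traits listed above (the opening phrase, the generic addressee, the claimed registrar, the run of Asian TLDs and the short deadline) are easy to turn into a mail-triage check. Here is an added Python example, not part of the diary or any ISC tooling, that scores a raw message against my own encoding of those indicators; the two sample messages are constructed and the addresses are placeholders.

```python
import re
from email import message_from_string

# Indicators from the diary: opening phrase, generic addressee, claimed registrar,
# short deadline and the list of Asian TLDs. The regexes are my own encoding of them.
INDICATORS = {
    "opening_phrase": re.compile(r"transfer this e-?mail to your ceo", re.I),
    "generic_addressee": re.compile(r"^dear\s+(ceo|president|principal)\b", re.I | re.M),
    "registrar_claim": re.compile(r"domain\s+(name\s+)?(registration|registrar)", re.I),
    "deadline": re.compile(r"within\s+\d+\s+work\s*days", re.I),
}
TLD_RE = re.compile(
    r"(?<![\w.])\.(asia|cn|co\.in|com\.cn|com\.hk|com\.tw|hk|in|net\.cn|org\.cn|tw)(?!\w)", re.I)

def message_text(raw: str) -> str:
    """Subject plus every text/plain part of an RFC 822 message."""
    msg = message_from_string(raw)
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    return msg.get("Subject", "") + "\n" + "\n".join(parts)

def score_message(raw: str) -> dict:
    """The opening phrase alone is decisive; otherwise require three indicators."""
    text = message_text(raw)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    tlds = sorted({m.group(1).lower() for m in TLD_RE.finditer(text)})
    if len(tlds) >= 3:  # a run of distinct Asian TLDs, as in the scam's list
        hits.append("asian_tld_list")
    return {"hits": hits, "tlds": tlds, "scam": "opening_phrase" in hits or len(hits) >= 3}

# Constructed sample modelled on the excerpt above; sender address is a placeholder.
SAMPLE_SCAM = """\
From: Charles Chen <charles.chen@registrar.example>
Subject: (It's very urgent, Please transfer this email to your CEO or appropriate person, thanks)

Dear CEO,
We are a domain name registration organization in China. Today we received an
application from Arub Asia Investment Ltd to register your brand under
.asia, .cn, .com.cn, .hk, .in and .tw.
If you have not authorized this, please let us know within 7 workdays.
"""

# Constructed benign renewal notice that shares some vocabulary with the scam.
SAMPLE_BENIGN = """\
From: it-support@corp.example
Subject: Renewal reminder for corp.example

Hi, our .com registration renews next month. Please confirm the billing contact.
"""
```

Running `score_message` on the two samples flags only the first; the benign notice matches no indicator because "registration" appears without "domain" and .com is not in the list.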

The text of the email message is mostly the same as it was when we saw this scam in 2010, though the sender's name, company association, domain name and address details are different.

Blogger Michael Lerner described his email interactions with the company sending such email messages in 2010, which confirmed that the scammers' goal was to convince the victim to register the domain names in question through their company. Here's an excerpt from a response to Michael's correspondence:

"If you think his registration will confuse your clients and harm your profits, we can send an application document to you and help you register these domains within our approving period. This is a better way to prevent domain name dispute"

The most recent variant we've seen asked the recipient to respond to "charles.chen@dnsip-net.com.cn". The website residing at that domain claims to belong to a "comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service, network promotion service, etc." The organization's website includes the slogan "The Better Network, The Better Solutions." Searching for this slogan reveals lots of websites with nearly identical text and similar design.

If you analysed this old, yet still widespread scam, or if you have additional details to share regarding it, please contact us.

-- Lenny Zeltser

zeltser.com
@lennyzeltser

Out of interest, I whois'd the domain dnsip-net.com.cn and got some of the results back in Chinese.
Then I ran it through Google Translate.

It seems the company that the domain is registered under is called: Shanghai Activity Adams Network Technology Co., Ltd.

With "Sponsoring Registrar" as: Guangdong era of Internet Technology Co., Ltd.

Contact email is laughably chinesedomainname AT hotmail DOT com

Romanized name of the Registrar is: Cheng Xu

.. Totally legit... not.
Anonymous
We have received numerous emails of this type and fortunately, each person who has received one has reached out asking if it seemed legit before acting on it. At least once a year we remind employees to be cautious of emails that state imminent doom. Just goes to show that awareness truly can be a very effective first-line defense.
DTraser
