Domain name phishing (also called domain phishing or registrar impersonation) is a form of phishing attack that targets domain name registrants. Like typical phishing, it relies on impersonated, fraudulent e-mails and fake web pages. The attacker assumes the identity of a domain name registrar and sends spoofed correspondence about a domain name matter to the registrar's customer, the registrant. Most registrars use e-mail for many kinds of registration-related communication, and attackers exploit this to conduct socially engineered, fraudulent correspondence with registrants. The phishing e-mails describe a domain name matter that requires or encourages the customer's immediate attention, e.g.
- Domain name renewal notices, transfer notices, or order confirmations
- Registration request confirmations
- Registration and DNS information change confirmations
- WHOIS data accuracy reminders
- Notices of domain name expiry or cancellation
- Notices related to some account management issue, etc.
The phisher can use publicly available WHOIS information, e.g. the domain's creation, update and expiration dates and its name servers, to further personalize the phishing mails sent to the targeted domain owners (a renewal notice quoting the real expiry date is far more convincing). Because the sponsoring registrar is part of the public record, the phisher can also use WHOIS data to build a list of registrants of a targeted registrar; even where registrant contact details are redacted, the registrar name, dates and name servers are normally still published. An example of a phishing email is shown below:

Like typical phishing, these mails convince the registrant to provide their domain management credentials by following a hyperlink in the fake e-mail. The link leads to a spoofed web site, also created by the attacker, that is misleadingly similar to the registrar's legitimate site; there the customer may inadvertently disclose account credentials to the attacker. Two tell-tale signs are a link whose visible text shows the registrar's real address while the href points elsewhere, and a host name that merely embeds the registrar's brand (e.g. as a subdomain or a hyphenated variant) rather than being the registrar's own registered domain.
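The following is an added example (not code from the original page) of the link check a mail filter or an alert recipient can apply to such a notice: it extracts every anchor from the HTML body, compares the link target's registered domain with an allowlist of legitimate registrar domains, flags hosts that only embed the registrar's brand name, and flags anchors whose visible text names a different domain than the one the link actually goes to. The trusted domain `registrar.example`, the sample e-mail body and the two-label "registered domain" heuristic are assumptions made for the demonstration; a production filter would use the Public Suffix List instead of the last two labels.

```python
"""Flag registrar-impersonation links in a domain renewal notice.

Added example: constructed sample data, not a real registrar's mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registrars this mailbox legitimately deals with.
TRUSTED_REGISTRAR_DOMAINS = {"registrar.example"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Assumption for the demo only;
    real code must consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the list of reasons a link looks like registrar impersonation
    (empty list means the link passed every check)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        reasons.append("plain http login link")
    dom = registered_domain(host)
    if dom not in TRUSTED_REGISTRAR_DOMAINS:
        reasons.append(f"host {host!r} is not a trusted registrar domain")
        # Lookalike: the trusted brand appears inside an untrusted host,
        # e.g. registrar.example-renewals.net or registrar.example.evil.test
        for trusted in TRUSTED_REGISTRAR_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host and dom != trusted:
                reasons.append(f"host embeds trusted brand {brand!r} (lookalike)")
    # Visible text shows a domain that differs from where the link really goes.
    m = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
    if m and registered_domain(m.group(0)) != dom:
        reasons.append(f"link text {m.group(0)!r} differs from target {host!r}")
    return reasons


def scan_email(html):
    """Map every href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample: one spoofed "renew now" link and one legitimate link.
SAMPLE_EMAIL = """<p>Dear customer, your domain example.com expires on 2024-06-01.</p>
<p><a href="http://registrar.example-renewals.net/login">https://registrar.example/renew</a></p>
<p><a href="https://registrar.example/help">Help center</a></p>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

Run on the constructed sample, the renewal link is reported four times over (plain http, untrusted registered domain, brand-embedding lookalike, and text/target mismatch) while the help-center link passes. The display-text check matters most in practice, since mail clients show the anchor text and users rarely hover to see the real target.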
The stolen credentials give the phisher unauthorized access to the domain name management account, which can then be used to conduct additional attacks, such as:
- Alter the contact information to abet domain hijacking and business disruption (with the contact address under the attacker's control, transfer confirmations and account notices go to the attacker instead of the owner)
- Modify the DNS records to abet malicious redirection or fast-flux phishing attacks, e.g. by changing the A or AAAA records and lowering their TTL values so the targets can be rotated quickly
- Alter or add mail exchanger (MX) records so that mail for the domain is delivered to the attacker or the domain can be used in spam campaigns
- Access account information that is not published (e.g. contact details redacted from public WHOIS, order history)
- Use credit or billing information associated with the account to purchase additional domains for use in attacks
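Because every one of these follow-on actions shows up in the domain's public records, the registrant's best detection control is to snapshot those records and diff them on a schedule. The block below is an added example (not code from the original page) of such a diff: it compares a baseline of registrar, name servers, registrant contact, EPP transfer lock, A records with TTLs and MX records against a newly observed snapshot and emits severity-tagged alerts for exactly the changes listed above. Both snapshots are constructed inline as the "before" and "after" of a hypothetical account takeover; a real monitor would fill them from WHOIS/RDAP and DNS queries. The 300-second TTL threshold and the severity labels are assumptions.

```python
"""Diff two snapshots of a domain's public records to spot account takeover.

Added example with constructed data; no live WHOIS or DNS lookups are made.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    registrar: str
    name_servers: frozenset        # set of NS host names
    registrant_email: str
    a_records: dict                # name -> (ip, ttl_seconds)
    mx_records: frozenset          # set of (priority, host)
    status: frozenset              # EPP status codes, e.g. clientTransferProhibited


def diff_snapshots(before, after, min_ttl=300):
    """Return a list of (severity, message) for security-relevant changes.

    min_ttl is an assumed threshold below which a lowered TTL is treated as
    a fast-flux indicator.
    """
    alerts = []
    if after.registrar != before.registrar:
        alerts.append(("critical", f"registrar changed {before.registrar!r} -> {after.registrar!r}"))
    if after.registrant_email != before.registrant_email:
        alerts.append(("critical", "registrant contact e-mail changed"))
    if after.name_servers != before.name_servers:
        alerts.append(("critical", f"name servers changed to {sorted(after.name_servers)}"))
    # A removed transfer lock is the usual prelude to a registrar transfer.
    lost = {s.lower() for s in before.status - after.status}
    if "clienttransferprohibited" in lost:
        alerts.append(("high", "clientTransferProhibited lock removed"))
    for name, (ip, ttl) in after.a_records.items():
        old = before.a_records.get(name)
        if old is None:
            alerts.append(("medium", f"new A record {name} -> {ip}"))
            continue
        if old[0] != ip:
            alerts.append(("high", f"A record {name} changed {old[0]} -> {ip}"))
        if ttl < min_ttl and ttl < old[1]:
            alerts.append(("medium", f"TTL for {name} lowered to {ttl}s (fast-flux indicator)"))
    added_mx = after.mx_records - before.mx_records
    if added_mx:
        alerts.append(("high", f"MX records added: {sorted(added_mx)}"))
    return alerts


def severity_counts(alerts):
    """Summarise alerts as {severity: count} for a dashboard or pager rule."""
    counts = {}
    for sev, _ in alerts:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed baseline for a hypothetical domain example.com.
BASELINE = Snapshot(
    registrar="Registrar Example, Inc.",
    name_servers=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
    registrant_email="admin@example.com",
    a_records={"example.com": ("192.0.2.10", 3600), "www.example.com": ("192.0.2.10", 3600)},
    mx_records=frozenset({(10, "mail.example.com")}),
    status=frozenset({"clientTransferProhibited"}),
)

# Constructed snapshot after a hypothetical takeover via phished credentials:
# contact changed, lock dropped, DNS repointed with short TTLs, MX added.
HIJACKED = Snapshot(
    registrar="Registrar Example, Inc.",
    name_servers=frozenset({"ns1.attacker-dns.invalid", "ns2.attacker-dns.invalid"}),
    registrant_email="other@mailbox.invalid",
    a_records={"example.com": ("198.51.100.7", 60), "www.example.com": ("198.51.100.7", 60)},
    mx_records=frozenset({(10, "mail.example.com"), (5, "mx.attacker-dns.invalid")}),
    status=frozenset(),
)

if __name__ == "__main__":
    for sev, msg in diff_snapshots(BASELINE, HIJACKED):
        print(f"[{sev}] {msg}")
    print(severity_counts(diff_snapshots(BASELINE, HIJACKED)))
```

The constructed takeover produces two critical alerts (contact e-mail and name servers), four high alerts (lock removed, two repointed A records, added MX) and two medium alerts (the lowered TTLs); an unchanged domain produces none. Any critical alert that the registrant did not initiate should trigger an immediate call to the registrar's abuse or support line, since registrar-side recovery is much easier before a transfer-away completes.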
The information provided herein is on an "as is" basis, without warranty of any kind.