{"id":8374,"date":"2016-03-28T18:09:39","date_gmt":"2016-03-28T22:09:39","guid":{"rendered":"http:\/\/www.ezrasf.com\/wplog\/?p=8374"},"modified":"2016-03-28T16:10:21","modified_gmt":"2016-03-28T20:10:21","slug":"phishy-corporate-communications","status":"publish","type":"post","link":"https:\/\/www.ezrasf.com\/wplog\/2016\/03\/28\/phishy-corporate-communications\/","title":{"rendered":"Phishy Corporate Communications"},"content":{"rendered":"<p>Received an email that looked phishy:<\/p>\n<blockquote><p>Greetings,<\/p>\n<p>Please read this important e-mail carefully.<\/p>\n<p>Recently you registered, transferred or modified the contact information for the following domain name:<\/p>\n<p><a href=\"http:\/\/ezrasf.com\/\" target=\"_blank\" rel=\"noreferrer\">ezrasf.com<\/a><\/p>\n<p>In order to ensure your domain name remain active, you must now click the following link and follow the instructions provided.<\/p>\n<p><a href=\"http:\/\/verify.domain.com\/registrant\/?verification_id=999999&amp;key=BFrrpxGDbb&amp;rid=999999\" target=\"_blank\" rel=\"noreferrer\">http:\/\/verify.domain.com\/registrant\/?verification_id=999999&amp;key=BFrrpxGDbb&amp;rid=999999<\/a><\/p>\n<p>Sincerely,<\/p>\n<p>Domain Registrar<\/p><\/blockquote>\n<p>The web page listed my name and email address, so the riskiness of clicking it seemed low, but ALL KLAXONS were going off in my head about this being phishing. 
I also received another email threatening to suspend my domain if I did not verify it.<\/p>\n<p>The email headers really confirmed for me this was phishing:<\/p>\n<blockquote>\n<pre>Received: from mx.registrarmail.net (mx.registrarmail.net [216.40.35.248])\n\tby myemail-mx26.g.emailprovider.com (Postfix) with ESMTP id 999AA999999DDD\n\tfor &lt;myemail@mydomain.com&gt;; Mon, 28 Mar 2016 05:43:25 -0700 (PDT)\nReceived: from cron01.endurance.prod.tucows.net (unknown [64.99.53.70])\n\tby mx1.registrarmail.net (Postfix) with SMTP id B5999999E51\n\tfor &lt;myemail@mydomain.com&gt;; Mon, 28 Mar 2016 12:43:24 +0000 (UTC)\nReceived: by cron01.endurance.prod.tucows.net (sSMTP sendmail emulation); Mon, 28 Mar 2016 08:43:24 -0400\nX-MP-Host-Origin: front04.endurance.prod.tucows.net\nMessage-Id: &lt;999999.0.28Mar2016084324-osrs-registrant_verification-999999@endurance.registrarmail.net&gt;\nDate: Mon, 28 Mar 2016 08:43:24 -0400 (EDT)\nX-OSRS-Id: osrs-registrant_verification-999999\nFrom: \"Domain Registrar\" &lt;support@registrar.com&gt;\nTo: &lt;myemail@mydomain.com&gt;\nSubject: Important: Please validate your domain name<\/pre>\n<\/blockquote>\n<p>The original sender is tucows.net? There&#8217;s no way a real company would be using such a site to send these emails. After all, that&#8217;s some lonely script kiddie in their mom&#8217;s basement BS. This had to be phishing.<\/p>\n<p>One last check. I did a dig on verify.domain.com and compared that to the www for the company. Two very different IP spaces, but crucially the nameservers have &#8220;dyn&#8221; in the name, which red-flagged it as one of those dynamic DNS services, so it could be anything anywhere. Definitely not legitimate.<\/p>\n<p>So I go to the registrar&#8217;s site to report this phishing and look at my domain&#8217;s record to see if anything really had changed. It had not, but I noticed there was a phone number I&#8217;ve not used since 2003, so I update the record.
There is a notice that they need me to verify the information. I go looking for it and see&#8230; another copy of the phishing email, sent at the time I updated the record. At this point, I suspect maybe I am completely wrong. Since the risk seems low, I do click the link and the verify button and go back to the registrar&#8217;s site to see if the warning about needing to verify my information cleared. It did. Dammit!<\/p>\n<p>Turns out the phishy email is actually from ICANN, not the registrar.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Received an email that looked phishy: Greetings, Please read this important e-mail carefully. Recently you registered, transferred or modified the contact information for the following domain name: ezrasf.com In order to ensure your domain name remain active, you must now click the following link and follow the instructions provided. http:\/\/verify.domain.com\/registrant\/?verification_id=999999&amp;key=BFrrpxGDbb&amp;rid=999999 Sincerely, Domain Registrar The web 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1198],"tags":[1123],"class_list":["post-8374","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-phishing"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1rUBW-2b4","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts\/8374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/comments?post=8374"}],"version-history":[{"count":0,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts\/8374\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/media?parent=8374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"hre
f":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/categories?post=8374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/tags?post=8374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}