Fake domain close to our domain name and sending emails to people. What can we do?
Posted by JiggityJoe1@reddit | sysadmin | 118 comments
Someone registered a domain with ourdomainHR.com and has been finding users on LinkedIn with "OpenToWork" that matches our job description and reaching out to them and scamming them with a job offer. These are people we have never had any connection with.
Going through legal and they are saying it could take months to take that down. Anything else we can do?
hifiplus@reddit
Block their domain for starters
DickNose-TurdWaffle@reddit
Go with what legal says. They say months but it's usually because they have to track down the service provider and wait on the 30-45 days notice requirement.
creamersrealm@reddit
Domain abuse contact or UDRP (Legal Route) unless you own a brand protection service. UDRP requires them acting in bad faith. If you can determine the email service they're using you can try that method as well for abuse takedowns.
OkGroup9170@reddit
This is the best process to get control of domain before it expires but it does cost about $1500 to file.
InfinityConstruct@reddit
Yeah, I've had this happen. All you can really do is report the domain to their registrar, block the domain on your end and send clients notice. At that point it's up to clients to have their email security configured correctly to check SPF/DKIM stuff.
Valkeyere@reddit
This isn't your problem, ultimately.
A company that isn't affiliated with you, using a domain that is not yours, is talking to people who aren't affiliated with you.
You are in no way responsible.
You might maybe have a moral or ethical obligation to try and help now you know, but you don't have any legal obligation here.
You can try reaching out to the registrar but that's likely to take forever and go nowhere. And if you get nowhere at least you tried.
Jarebear7272@reddit
Does your email filter have any domain age policies? I'm assuming the bad actor's domain was likely under 30/60/90 days.
serverhorror@reddit
Legal, with IT, is who takes care of this. If you don't have a legal department, consult a lawyer.
Fyunculum@reddit
Don't just contact the registrar, also report the site to the provider hosting the site, and anyone upstream of that.
Also, if you can find evidence of malware/phishing on the fake site that will usually speed things up.
HybridAthlete98@reddit
Let Legal or HR contact them, I'd advise against doing this yourself. Or at least discuss prior with legal and include them in any e-mails sent. CYA
wazza_the_rockdog@reddit
Multi pronged approach works best - if the registrar is slow to respond you may be able to get their DNS provider or email provider to take action, and achieve the same goal.
caribbeanjon@reddit
This is a problem for your Legal Department or Management. Capture the DNS Domain registration information, and forward it. If it gets fixed, it’s going to be a while. You also may want to contact LinkedIn. They can identify and close those bogus accounts.
LousyRaider@reddit
Look up the registrar for the domain to get the contact info for reporting abuse.
redbluetwo@reddit
I've never had much luck with this. Have you had it actually work? I've never even received a response.
Travisx@reddit
I’ve had luck with legitimate registrars. There are a few that are black holes.
HoustonBOFH@reddit
They are probably resellers. Contact their registrar.
theBananagodX@reddit
Just did it successfully last week. I find it helps to mention ICANN rules, specifically a URS complaint. The attacker is using your company’s likeness, trademarks, and branding without your permission and for illegal purposes.
Look up URS complaint. There are specific things you need to include to prove who you are and that this is your company’s trademarks, but it’s not that hard.
texags08@reddit
I’m 3 for 3 in getting registrations suspended
False-Ad-1437@reddit
My favorite is when they just go "We've forwarded your abuse report to the customer. Please be aware that they may reach out to you for more details."
StoneCypher@reddit
"Okay, that's great. I need your name, your badge number, and a case number for this call. Why? Well, we apparently need to take this to court to get it fixed, as you're trying to say that the scam artist should self regulate, so I need to be able to identify you to your company's lawyer."
"Yes, I'll hold."
fatoms@reddit
I found no reference in that link to a 30 minute limit on anything, which clause are you referring to?
murrayofearth@reddit
There’s nothing in the 2013 RAA that creates a "30-minute" or "half-hour" deadline for registrar action on phishing/fraud reports, nor any rule that a registrar is "at risk of losing its license" after 45 minutes...
https://www.icann.org/resources/pages/abuse-2014-01-29-en ICANN’s own materials and FAQ reiterate the 24-hour review expectation (not 30 minutes), otherwise the standard is reasonable and prompt, with enforcement happening through ICANN’s normal compliance process.
Wish this was true from the perspective of someone that has had to report these a lot but it's simply not.
StoneCypher@reddit
Well, there is, which is why I linked it, instead of the wrong link you gave
But I see you're here to insist that the thing I already successfully used doesn't exist
buddy, this is for registrar abuse, not mimicking fraud. you're in the wrong document in the wrong year talking about the wrong crime.
sure thing, slugger. it is, but, if you're not able to stop arguing, it won't be true for you, because you'll never learn what to do or how to do it.
AppleSky@reddit
Look, I also wanted to believe you. But the 24 hour timeline (for abuse reports from e.g. law enforcement) or “reasonable and prompt” standard (for other reports) is literally from the link you shared initially (sections 3.18.2 and 3.18.1, respectively).
Ctrl-F in your link has no matches for anything related to 30 minutes (the only reference to minutes at all is a 5 minute interval for RDDS probes; all references to 30 apply to days).
The link you posted also references a separate Uniform Rapid Suspension (URS) system: https://www.icann.org/en/contracted-parties/registry-operators/services/rights-protection-mechanisms-and-dispute-resolution-procedures/urs
Here too we find no faster than a 24-hour turn around to lock a domain (“Review the Rules” section 3.1, following a permitted 2-day administrative review by the URS provider in “Review the Rules” section 3.2).
Since you claim to be in the right document and year, I’d love to know where in your link is support for your 30 minute claim—I appear to be incapable of finding it. If true, it would make for good trivia at parties (though I’d prefer to see the evidence myself before sharing).
Maybe you’ve had specific dealings with a company called OpenProvider? They profess sending emails in response to complaints within 30 minutes and claim domain parking within an hour: https://www.openprovider.com/blog/handling-abuse-at-openprovider
Or maybe you didn’t share the link you meant to share?
For what it’s worth, not calling you a liar or questioning your memory; just observing that you currently have not meaningfully supported a rather surprising claim in the way you evidently intended to support it (and then responded a bit aggressively when (imo, politely) questioned about it).
gibbysmoth@reddit
A quick Google on this username shows they're pretty much hated in every community they are a part of, so it's not really worth feeding the trolls.
StoneCypher@reddit
That's nice.
No, and I'm not interested in any other wild random-assed guesses you want to make either, where you wholesale insert fiction into my mouth.
False-Ad-1437@reddit
Oooh I'm gonna quote it in my next e-mail. What section and subsection is it that says the half hour requirement?
All I could find from your link was in 3.18.2, but that referenced 24 hours.
gibbysmoth@reddit
Really be sure to ask for their badge number, too! Because every ICANN registrar employee has a unique one like a ~~Geek Squad Agent~~ Police Officer.
False-Ad-1437@reddit
I'll credit you with the idea. Thanks.
gibbysmoth@reddit
This is so hilariously inaccurate that I'm not sure if it's a bad troll or someone who has absolutely no idea what they're talking about. But either way I enjoyed it.
StoneCypher@reddit
cool story, irc moderator
gibbysmoth@reddit
👍👍👍
baube19@reddit
When I then contact their registrar's registrar for abuse / not addressing abuse it got things moving lol
mtgguy999@reddit
Take it all the way up to Al Gore!
Viharabiliben@reddit
He invented the Internet
jfoust2@reddit
Well, actually... the information superhighway series of tubes.
EVERGREEN619@reddit
Weird, I have not had any issues getting the registrar to shut down a domain. Typically I set a reminder to buy that domain if it becomes available in a year also.
baube19@reddit
Pro move right there! ☝️☝️☝️
BoltActionRifleman@reddit
Registrarception
secret_configuration@reddit
Same, never had luck with this.
tommy-turtle@reddit
I’ve had multiple abuse domains cancelled doing this - it’s my first line of attack - even with domains that don’t match ours but are clearly social engineering attacks- it’s worth a go for sure!
TheMcSebi@reddit
I did, for a domain that wasn't even concerning to me but a random steam login page scam. Reported two domains, one of them got taken down. Pretty good experience.
Lets_Go_2_Smokes@reddit
Every time I have done it I get a response in less than 24 hours and they shut it down. Provide all the proof.
StoneCypher@reddit
it works the second you say lawyer
aoteoroa@reddit
I have reported fraudulent websites three times and all three times the registrar took down the domain within 48hrs. Maybe it helps that in my case I was able to prove actual fraud that was occurring with forwarded emails, and screenshots.
Pristine_Map1303@reddit
https://www.icann.org/resources/pages/abuse-2014-01-29-en
redbluetwo@reddit
Thanks!
RookFett@reddit
I just reported a domain that was doing a typo phishing scam, and the next day the site was offline and not accessible.
Then they sent an email asking for more evidence to show they were scamming.
So guess your mileage may vary!
FLATLANDRIDER@reddit
Yes, we had this same thing happen to us earlier this year. They had actually scammed one of our customers out of a 5 figure amount by pretending to be us with a similar domain.
We contacted the domain registrar it was registered to, sent them proof of the fraudulent emails, and within 48 hours they suspended the domain. We verified that the domain shows suspended when looking it up.
We tried to buy the domain as well but they wouldn't sell it to us until it expires.
hasthisusernamegone@reddit
Guess it depends on the registrar. We had to do this a couple of months back and the domain was disabled within four hours.
TrueStoriesIpromise@reddit
I think I've done this 1 time and it was successful, I control the lookalike domain currently.
LousyRaider@reddit
I have only had to do this 2 times in my career so far and both times the domain was taken down within 24 hours.
Depending on who the registrar is, your mileage may vary.
bageloid@reddit
Yes, but we use a service for this.
Tough-Disastrous@reddit
This is the right answer. We had this happen at our company too and were eventually able to get control of the domain.
Funny-Comment-7296@reddit
Also have your lawyers send them a cease and desist. Surprisingly they don’t seem to have a clear legal obligation to pull domains used for abuse, but there seems to be an established history of them doing so when presented with evidence.
Frothyleet@reddit
The only real obligation is usually related to trademarks, and while there is an enforcement system with ICANN for that, it's slow and bureaucratic.
Funny-Comment-7296@reddit
There are a lot of variables. Big brand and big registrar? Quick results. Try impersonating Disney on GoDaddy.
Frothyleet@reddit
OK, BRB
Funny-Comment-7296@reddit
Lol I don’t recommend it. The mouse has a mean streak. And notoriously one of the strongest IP teams in the world.
cjbarone@reddit
Well, I use IPv6... I bet they only use IPv4!
StoneCypher@reddit
the icann registrar agreement of 2013 puts extremely strict limits on them.
i've had icann douse godaddy for me before, and godaddy is actual satan. you have options.
Funny-Comment-7296@reddit
From what I recall, the language is kind of ambiguous. Basically that they just have to ‘provide the means,’ which could be an abuse inbox they respond to a year later.
StoneCypher@reddit
no. they have half an hour to take down the fraudulent domain.
slapjimmy@reddit
This.
doctorevil30564@reddit
We have a similar issue going on. A "recruiter" on LinkedIn that claims to be from our company is contacting folks for a fake remote customer support position. They added a S to our domain name (example: motorcycleSparts dot com)
One of the people they contacted contacted our HR to report it and I got pulled in to work on the issue.
I located the registrar for the fake domain, and determined it was using a Google business account for the email server. I have the form pages for the registrar to report it but I need full email headers and the content of the message to put in the report. Ditto for the form to report it to Google.
I tried to walk the person who reported it through the steps to export the original message as a .eml file but they are not technical and aren't able to follow my instructions.
OutsideLookin@reddit
I contacted the registrar on a domain that replaced an “i “ in our name for an “l”. (That’s a lowercase L for clarity). The registrar revoked their domain and I bought it within a few hours. So, it can work…
jfoust2@reddit
Is that JiggetyJoe1 or JiggetyJoel?
SevaraB@reddit
Not without doing something illegal yourselves. The registrars are the ones who have to take the typosquatters’ toys away. Once the domain is down, whoever manages your portfolio of domains needs to take that one and park it. You could then do three things with the stub: black hole it, CNAME it to the correct spelling, or land it at a 301 redirect if you want to collect metrics on how frequently it’s typoed (might make good ammo to tell the branding guys they’ve got a branding problem if it’s really common).
Stephen_Dann@reddit
I have seen recommendations to register similar domains. However there are only so many you can do that are affordable from a budgeting sense. However do make sure you own some of the common domain extensions of your main domain. I've seen companies caught out because they own .com, .org, .co.uk etc and then not bought .eu when it was released.
pdp10@reddit
You have to be in an EU member state to do this, according to the rules. Unfortunately, that means that a scammer in the EU probably has more right to the domain than you do, if you have no EU presence.
Stephen_Dann@reddit
Formerly EU based so did own some, had to give them up after Brexit
LForbesIam@reddit
Do you have a Trademark on your name? That will shut it down.
pizzacake15@reddit
If this is a regular problem for your company, i'd suggest getting brand protection services. They'll monitor and take down domains/websites like these on your behalf.
stedabro@reddit
ICANN and IP infringement.
Exploding_Testicles@reddit
Block their domain and IP blocks.
Due_Peak_6428@reddit
yeah you don't understand the question silly
Exploding_Testicles@reddit
You're correct, I didn't read the assignment fully..
Aboredprogrammr@reddit
Try the registrar first. If that fails, enter a dispute with ICANN.
Here's a post from another with a similar issue: /r/cybersecurity/comments/1bhv35i
fubes2000@reddit
Lawyer.
bstevens615@reddit
I’ve had to do this a few times. Once my client had 2 E’s in the name and the hacker used 3 E’s. They had SPF, DKIM, and DMARC configured. I emailed abuse@ for the registrars and they took it down. The frustrating part is they never actually communicated with me. I just checked the misspelled name daily on MX Toolbox and one day it was no more. If I recall, it took about a week.
Good luck!
LorektheBear@reddit
Does no one use DDOS as a tool any more?
Competitive_Run_3920@reddit
I just went through something very similar. Instead of my company's domain.com the scammers registered domaiin.com and even got ahold of a few of our employees' email signatures, presumably from a vendor's breach. Then the scammers started sending financial scam emails, as our employees, to random people. Except they didn't change the phone number or email address in the email signatures so tons of random people were contacting our employees asking what the email was about.
I reported the domain and activity to the domain registrar (via whois), the company they were using for email service (via MX record) and reported it to IC3 https://complaint.ic3.gov/
It took about a week but eventually it was taken down.
Notkeen5@reddit
We use fraud watch service for this.
Jezbod@reddit
I got a site that was using our work address as the point of contact for scam holiday accommodation, made local / regional news.
I'm in the UK and reported the abuse to the hosting site abuse email and the National Cyber Security Centre (NCSC) - part of GCHQ.
It was taken down within a week.
awkwardnetadmin@reddit
While that maybe isn't as fast as one might like, it is good that they got it shut down.
Jezbod@reddit
I guess they get more than one report a day...hopefully they will find a role for "AI" in the processing of this type of thing.
SecTechPlus@reddit
+1 for engaging your local/national CERT/CSIRT, they do this routinely
Jezbod@reddit
Some of the people had not paid on credit card, so most likely lost their money. The one paying on credit card were advised to contact their bank and get a refund that way.
cyberbro256@reddit
Submit a complaint to the registrar with evidence of attempted compromise. I have had domains taken down within a day doing that.
reegz@reddit
I imagine your company has the name trademarked, if so you should be able to seize the domain. If it continues to happen you should look into a brand protect service to automatically submit takedowns.
If the registrar doesn’t play ball they get sued too.
AppIdentityGuy@reddit
Put out a message on all your social media, including your own website, explaining what is happening.
Investigate starting a trademark infringement case but that could be a long winded process.
There is not much you can do on a tech level unless they start contacting your staff directly. I would flag the domain as impersonation and quarantine all email. Keep them though as evidence and see if you can glean some info on who to go after.
awkwardnetadmin@reddit
How quickly you can shutdown a trademark infringer would really depend upon where the offending services are running. Some places may be more responsive to responding to takedown requests than others. That being said definitely give your customers/vendors notice that somebody is trying to impersonate your organization.
Detrite12@reddit
This is commonly referred to as “typosquatting” and adding “hr” or “-hr” is a common tactic. If you wanted to try and identify more there’s a free service called dnstwist that’ll try and find these close looking domains for you (A lot of paid services are just using dnstwist under the hood).
All you can do is report abuse to the domain registrar or issue a takedown request with services that have a bit more weight such as netcraft.
Can obviously block that domain in/out of your actual network and try and register similar domains yourself to avoid it in the future but I get that’s not really what you were asking.
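The affix ("hr"/"-hr"), inserted-letter, doubled-letter and i/l-swap patterns mentioned across this thread can be generated dnstwist-style and matched against sender domains from the mail gateway. This is an added example, not code from the thread or from dnstwist; `ourdomain.com` and the sample sender list are constructed, and the permutation rules cover the general form of each tactic rather than only the thread's exact cases.

```python
from typing import Dict, Iterable, Set

# Look-alike character swaps (a small subset, not dnstwist's full table)
HOMOGLYPHS = {"i": "l", "l": "i", "o": "0", "0": "o", "m": "rn", "rn": "m", "w": "vv", "vv": "w"}
# Tokens scammers bolt onto a brand name; the thread's case was "ourdomainHR.com"
AFFIXES = ("hr", "-hr", "hr-", "jobs", "careers", "recruiting")
LETTERS = "abcdefghijklmnopqrstuvwxyz"

def split_domain(domain: str):
    """'example.com' -> ('example', 'com'); multi-part TLDs like co.uk are treated naively."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def permutations(label: str) -> Set[str]:
    """Generate look-alike labels using the tactics described in the thread."""
    out: Set[str] = set()
    for a in AFFIXES:                      # ourdomain -> ourdomainhr, hr-ourdomain
        out.add(label + a)
        out.add(a + label)
    for i in range(len(label) + 1):        # inserted letter: motorcycleparts -> motorcyclesparts
        for ch in LETTERS:
            out.add(label[:i] + ch + label[i:])
    for i in range(len(label)):            # doubled letter: domain -> domaiin
        out.add(label[: i + 1] + label[i] + label[i + 1 :])
    for src, dst in HOMOGLYPHS.items():    # visual swap: i -> l
        idx = label.find(src)
        while idx != -1:
            out.add(label[:idx] + dst + label[idx + len(src) :])
            idx = label.find(src, idx + 1)
    out.discard(label)
    return out

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catch-all for variants (omitted letters, hyphens) the rules above miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain: str, our_domain: str, max_distance: int = 2):
    """Return why sender_domain resembles our_domain, or None if it does not."""
    if sender_domain.lower() == our_domain.lower():
        return None
    our_label, our_tld = split_domain(our_domain)
    s_label, s_tld = split_domain(sender_domain)
    if s_label == our_label and s_tld != our_tld:
        return "same label, different TLD"
    if s_label in permutations(our_label):
        return "matches a typosquat permutation"
    distance = levenshtein(s_label, our_label)
    if distance <= max_distance:
        return f"edit distance {distance}"
    if len(our_label) >= 6 and our_label in s_label:   # e.g. notourdomain.com
        return "contains our label"
    return None

def scan(sender_domains: Iterable[str], our_domain: str) -> Dict[str, str]:
    """Map each suspicious sender domain to the reason it was flagged."""
    return {d: r for d in sender_domains if (r := classify(d, our_domain))}

# Constructed sample of sender domains seen at a mail gateway (not real data)
SAMPLE_SENDERS = ["ourdomain.com", "ourdomainhr.com", "ourdomaln.com",
                  "ourdomaiin.com", "ourdomain.co", "our-domain.com", "gmail.com"]

if __name__ == "__main__":
    for dom, why in scan(SAMPLE_SENDERS, "ourdomain.com").items():
        print(f"{dom:18} {why}")
```

Feeding the gateway's distinct sender domains through `scan` gives a review list for a block rule or quarantine; the edit-distance fallback will also catch legitimate near-names, so treat hits as candidates, not verdicts.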
Kwantem@reddit
In addition to reporting, perhaps put a notice on your web page alerting customers.
br01t@reddit
Report abuse and block that domain in your mail server for incoming traffic
mcdithers@reddit
We had this happen, except instead of trying to scam our employees, they were attempting to scam our customers into changing the bank information for the payments they make to us.
You can report it to the F.B.I., contact the registrar for the domain, but the most important thing is to alert all employees and customers of what's happening because it's really out of your control when it comes to stopping it.
We contacted all our customers and agreed on a policy to verify any banking changes by calling known good numbers for our accounting department, not our public main line.
BlackV@reddit
block the domain, report to abuse, mark ALL external emails as EXTERNAL so users have better awareness that it's not your domain
Michichael@reddit
There are services for brand protection that basically handle takedowns for you, if you can afford it. We use Mimecast brand protection for it.
creamersrealm@reddit
They bought Segasec and use them. Really cool when I met the crew years ago.
Ihaveasmallwang@reddit
So many comments here from people who didn’t take 2 seconds to read the original post.
frozenstitches@reddit
You can block domains with transport rules
Ihaveasmallwang@reddit
You can, but that doesn’t fit this situation at all. Not even close.
coomzee@reddit
This has many TTPs of UNC3944. Check for any MFA registrations that use the same device, phone number etc. Block the domain in question, do some fuzzy searches, block any users that flag suspicious logins.
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations
shiftend@reddit
If your company's name is trademarked, you could reach out to the company that helped your company with getting that set up. We had the same kind of issue where scammers were mailing customers using a slightly different spelling of the company name, using the logo, etc. On both occasions I reached out to our contact at the company that helped with getting the company name and logo trademarked. They got those scammers' domains suspended pretty quickly.
Funny-Comment-7296@reddit
Can confirm. Married to IP lawyer. They send demand letter with big numbers on them.
Funny-Comment-7296@reddit
Any luck tracking down the owner of the site? And does the hosting provider or domain registrar do any business in your country? Your legal dept should be able to have a C&D on someone’s desk Monday morning.
F7xWr@reddit
buy it
doa70@reddit
Put a banner at the top of your website explaining you are not recruiting and have nothing to do with those emails.
CheatingPenguin@reddit
Reach out to the domain registrar, and I'd start looking into brand protection services. They're one of the few services I actually think are worth it.
timwtingle@reddit
Block the domain in your email filter.
Humble-Plankton2217@reddit
Block that domain.
muttmutt2112@reddit
Best way is to intercept all mail from that domain and tag it as SPAM on your edge mail router. Then quarantine them.
BoringLime@reddit
My company has had this fight happen a couple of times. We have always had to get in-house legal counsel involved to take them down. I don't know what they do, but we get the domain registration and have to transfer them to our registrar of choice. Just because the name is close is not enough to win a legal argument, you have to have proof they sent fake invoices and such. Basically sent stuff as if it's coming from our legal name and affiliated with our company.
Intrepid_Pear8883@reddit
ZeroFox. Proofpoint.
Don't just go to the registrar you need to get weight behind it.
hkeycurrentuser@reddit
You also get your website team to put an obvious splash across your real recruitment page advising people of the scam. Date the post and refresh the date regularly so it doesn't appear stale.
Proof-Variation7005@reddit
Alert potential targets (employees, most likely) - Block the domain in your filters and contact sender/registrar abuse department and explain what's going on
anmghstnet@reddit
Directly from the post:
h8mac4life@reddit
Look into Redsift, we have been using them for over a year and they have services to help with this.