A Phishing Scheme That Very Nearly Worked – a New Scheme Using Namecheap

Phishing for Credit Card Data – A Very Clever Twist on an Old Scheme

The Setup – A Very Convincing Email

In my inbox today, I found a warning that immediately grabbed my attention. The payment information in the account where I have my website’s domain name registered had apparently failed. The sender showed as Namecheap support, and the subject line said simply, “Your payment method isn’t valid.”

When I opened the email, it simply said:

Update it now or risk losing your products.

Hey, We couldn’t renew one or more items in your account.
That’s not a big problem — as long as you take care of it immediately.

Domain : cheapestwaytoship.net

Expired : April 10, 2021

Here’s the email:

A Quick Read – Looks OK

Looks straightforward enough. It has the Namecheap logo, and the message and tone are casual, as you might expect from a modern online service provider. And, it contained the name of a domain I own, which I wouldn’t expect anyone but my registrar to be able to connect to the registrar, and to my email address. (Note: It wasn’t actually my email address – it was a default email address for the domain that is forwarded to me.) The message actually downplays the urgency of the issue. As a domain name owner, though, you’d want to take care of this as soon as possible, to avoid possibly losing an important (and sometimes very expensive) domain name.

Although I consider myself savvy about potential online scams, I did click on the “Renew Now” button, confident that the email was, indeed, from Namecheap. When the new tab opened up, the page looked very much like the Namecheap login page. I log in to Namecheap quite often, so I remember a lot of detail about the site – and no alarms went off yet. The only odd thing was that the username field was empty, although the password field seemed to be filled in. That was enough of a tip to cause me to pop open another browser tab, and go directly to the Namecheap site myself.

Upon Further Investigation…

Checking the payment info Namecheap had on file, it actually hadn’t expired, and furthermore, the domain name wasn’t actually due for renewal yet. Only then did I think to go back and check the email itself.

Of course, there were two telltale signs that I had failed to see – the warning email had seemed so innocuous. First, looking at the email sender address, it actually read, “Namecheap Support <info@pubg-game.info>.” Oops. Obviously, not Namecheap’s email address.

Secondly, I hovered over the “Renew Now” button, and it read, “https://namelogin.bifm.fr/cheapestwaytoship.net”. Oops.

Luckily, I had woken up to the potential phishing scam before actually entering credit card information, but I think this was a pretty ingenious scam – they got the details of my domain registration right, the tone of the message was convincing, and the mockup of the fake Namecheap site was well done enough that, even though I log in there quite often, I thought it was the real site.
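The two telltale signs above (a display name that claims a brand the sender domain does not belong to, and a button whose real destination is somewhere else) can be checked mechanically. This is an added example, not part of the original post: the brand-to-domain allowlist and the function names are assumptions, and the sample message is constructed from the sender and link quoted above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand name -> domains it legitimately mails from and links to.
BRANDS = {"namecheap": {"namecheap.com"}}

# Constructed sample, built from the sender and link quoted in the post.
SAMPLE = """\
From: Namecheap Support <info@pubg-game.info>
Subject: Your payment method isn't valid
Content-Type: text/html; charset=utf-8

<p>We couldn't renew one or more items in your account.</p>
<a href="https://namelogin.bifm.fr/cheapestwaytoship.net">Renew Now</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href of every <a> tag seen in the body
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return (finding, host) pairs for a message claiming a known brand."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    for brand, domains in BRANDS.items():
        if brand not in display.lower():
            continue  # display name does not claim this brand
        sender_domain = addr.rpartition("@")[2]
        if not under(sender_domain, domains):
            findings.append(("sender-mismatch", sender_domain))
        collector = LinkCollector()
        collector.feed(msg.get_payload())
        for host in (urlsplit(h).hostname for h in collector.hrefs):
            if not under(host, domains):
                findings.append(("link-mismatch", host))
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The suffix test in `under` compares whole labels, so a host that merely starts with the brand's domain and ends in some other domain is still flagged.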

Lesson Learned (Again) – Never Click on an Email Link…

Well, I often do click on email links – I get many, many useful emails that include links to articles I’m interested in, and probably subscribed to. So, my rule is, never click on a link to an account you own, regardless of how authentic and helpful it appears to be.