... and it seems there is no one to stop him from registering new domains and setting up new websites

Jun 30, 2016 19:05 GMT  ·  By

A crook running several tech support scam operations has managed to register 135 domains, most of which are used in his criminal activities, without anybody preventing him from doing so, which shows the sad state of Web domain registrations today.

His name and email address are tied to 135 domains, as MalwareHunterTeam told Softpedia. Over 120 of these domains are registered and hosted via GoDaddy and were registered gradually over time.

The full list is available at the end of this article (text version here), but most of the domains look shady just based on their names. Really, how safe do you feel navigating to "security-update-needed-sys-filescorrupted-trojan-detected[.]info"? How about "personal-identity-theft-system-info-compromised[.]info"?

Some domains are still online with active tech support scams

While some of the domains are still online and running tech support scams and scareware, a large part are offline, either taken down or yet to feature any content. Google's Safe Browsing API detects some of the URLs, but not all.

"This is a big business," MalwareHunterTeam told Softpedia. "And no one on Earth does anything against them," it adds, reflecting on the lack of any blacklist that can prevent certain individuals with a known history from registering new domains.

"The main problem is that this man could register 100+ scam domains (the domain names are telling that they are scam) starting from the first days of April, without any problem," MalwareHunterTeam goes on to say. "It's simply crazy... And it's just one man."

MalwareHunterTeam also claims that GoDaddy, the company where most of these domains are hosted, was informed of the problem. "They got the whole list... But their abuse [department] is not really good. Sometimes nothing happens even after a week of contact."

Web registrars / hosting firms are completely overwhelmed

JamesWT, another security researcher and a member of MalwareHunterTeam, also says he submitted the same list of suspicious domains to GoDaddy, but the company still hasn't taken the domains down, something he's used to from them.

Many security researchers seem to have a problem with GoDaddy's slow abuse reporting process. For example, a researcher that goes by the name of Techhelplist on Twitter has had problems with the company when he reported a set of TeslaCrypt C&C servers last December.

An entire week had passed, and GoDaddy's abuse department still hadn't reviewed the report. If you think this has changed since December, it has not. Here's another report from ten days ago. The tech support scam in that tweet is still alive at the time of writing.

Nobody's saying that GoDaddy is protecting such activities, but its abuse department is completely overwhelmed at the moment. To be fair, there are plenty of other Web hosting firms that don't even run an abuse department, and the only way to reach them is through the national CERT teams. But there are also excellent hosting firms that kill these sites within three to seven minutes of a single tweet, without having to fill in countless forms.

User education is the secret

Since Web registrars aren't willing to stop these crooks from registering hundreds of domains, even if they have a history of abuse to their names, the only way to fight this epidemic is through the work of security researchers and by educating users about the dangers of such websites.

Malwarebytes has a good tech support scam guide that you can read. So do other security vendors, if you take the time to search their wikis or support pages.

At the start of June, the FBI's Internet Crime Complaint Center (IC3) issued a public alert regarding a surge in tech support scams. The agency reported on a series of new tricks used in these types of social engineering attacks. IC3 also reported 3,669 cases that caused victims damages of $2,268,982 in the first four months of the year alone.

Image: List of all the crook's registered domains
Image: One of the crook's active tech support scam websites