Ask HN: Namecheap is refusing to halt a novel phishing scam. Please Help
8 points by throwawaykwt01 1567 days ago
There is a relatively clever phishing scam that's active right now where the site only shows the phishing scam when it's visited by a smart phone. Visiting it from a regular desktop browser redirects to some other service. (can still be seen using dev tools)

A cursory investigation showed that Namecheap is providing both registrar and hosting services for this phishing site. I reported the offending site to namecheap but they have refused to act, likely because they haven't been able to trigger the scam.

What should I do? How do I get the attention of the security team at namecheap?

Since this is a throwaway account, I'm afraid I might trigger some spam protection if I share this url in the OP. I'll share it in the comments once this post gets some engagement.

IF YOU CAN HELP PLEASE DO. I only managed to stop one of my family members from falling victim to this scam by accident. I'm sure many have not been as lucky.

Thank you.

3 comments

Get the IP of the server the phishing site is hosted on. Look up who owns it. [1] Try to determine if they are resellers or the primary owner of the address space. Give any logs or URLs to the hosting provider. Make sure they understand that the site changes based on user-agent or network so they will have to test from a mobile device.

[1] - https://bgp.he.net/

OP says: "A cursory investigation showed that Namecheap is providing both registrar and hosting services for this phishing site." So he already contacted the host, Namecheap.
I missed that. Well then... some other options might be to gather evidence and upload it to IC3 [1], understanding they may be understaffed, or alternately discuss it on 4chan, which I will not link. CC email the people at Namecheap when conversing with IC3.

[1] - https://www.ic3.gov/

Thank you for the advice. I'm not a citizen of the US so I'm not sure if me contacting IC3 would be appropriate. I'll probably reach out to them in a couple of days if the phishing site remains up.

I posted the scam link publicly now that this post has been approved: https://news.ycombinator.com/item?id=30616831

Or alternatively, a DNS lookup + WHOIS of the IP to get the Abuse contact of the hosting provider
Already tried that without avail.

Namecheap is listed in WHOIS as the registrar. The domain's reverse DNS record points to namecheap servers. I posted the scam link publicly now that this post has been manually approved: https://news.ycombinator.com/item?id=30616831

Here is the url lightly obfuscated if anyone is interested in investigating further: https:// kuwaitpostparcel [DOT] express / KW343

You can trigger the website by using "responsive mode" in dev tools and selecting a common android device.

Please note that this site /is/ malicious. Investigate at your own risk.
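The two pieces of advice in this thread, testing the site with a phone User-Agent (the comment about looking up the address owner and testing from a mobile device, and OP's note about triggering it from responsive mode) and pulling the abuse contact for the hosting IP out of a WHOIS/RDAP record, can be scripted so that the evidence handed to a provider is reproducible. The following is an added example, not code from anyone in the thread. It assumes a placeholder target URL (not the thread's link), two hypothetical but realistic User-Agent strings, a constructed RDAP response, and that the public rdap.org redirector answers `/ip/<address>` queries; everything except `main` runs offline.

```python
"""Added example (not from the HN thread): detect User-Agent-dependent cloaking
and extract the abuse contact from an RDAP IP record. Standard library only;
network access happens only under __main__."""
import hashlib
import json
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Hypothetical but realistic User-Agent strings for a desktop and an Android browser.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/99.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/99.0 Mobile Safari/537.36")


@dataclass
class Snapshot:
    """What we keep from one fetch: HTTP status, first-hop Location (if any), body hash."""
    status: int
    location: Optional[str]
    body_sha256: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop is what we record."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> Snapshot:
    """Fetch url once with the given User-Agent, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read()
            return Snapshot(resp.status, resp.headers.get("Location"),
                            hashlib.sha256(body).hexdigest())
    except urllib.error.HTTPError as e:  # with redirects disabled, 3xx lands here too
        body = e.read()
        return Snapshot(e.code, e.headers.get("Location"),
                        hashlib.sha256(body).hexdigest())


def classify(desktop: Snapshot, mobile: Snapshot) -> str:
    """Compare the desktop and mobile fetches of the same URL.
    'redirect-cloaking': desktop is bounced elsewhere, the phone gets a page
    'differs'          : status, Location or body differ in some other way
    'same'             : no User-Agent-dependent difference observed"""
    desktop_redirects = 300 <= desktop.status < 400 and desktop.location is not None
    mobile_redirects = 300 <= mobile.status < 400 and mobile.location is not None
    if desktop_redirects and not mobile_redirects:
        return "redirect-cloaking"
    if (desktop.status, desktop.location, desktop.body_sha256) == \
       (mobile.status, mobile.location, mobile.body_sha256):
        return "same"
    return "differs"


def abuse_contacts(rdap: dict) -> list:
    """Collect e-mail addresses of entities carrying the 'abuse' role in an RDAP
    IP record, descending into nested 'entities' as RIR responses often nest them."""
    found = set()

    def walk(entities):
        for ent in entities or []:
            vcard_props = ent.get("vcardArray", [None, []])[1]
            if "abuse" in ent.get("roles", []):
                for prop in vcard_props:
                    if prop and prop[0] == "email":
                        found.add(prop[3])  # jCard property: [name, params, type, value]
            walk(ent.get("entities"))

    walk(rdap.get("entities"))
    return sorted(found)


# Constructed sample RDAP record, shaped like a registry answer; not real data.
SAMPLE_RDAP = {
    "handle": "NET-192-0-2-0-1",
    "entities": [{
        "handle": "EXAMPLE-ISP", "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example ISP"]]],
        "entities": [{
            "handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", "abuse@example.net"]]]}]}]}


def rdap_for_ip(ip: str) -> dict:
    """Query the rdap.org redirector, which forwards to the responsible RIR (assumption)."""
    with urllib.request.urlopen(f"https://rdap.org/ip/{ip}", timeout=10) as r:
        return json.load(r)


if __name__ == "__main__":
    # Placeholder target; pass the URL under investigation as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid/"
    d, m = fetch(target, DESKTOP_UA), fetch(target, MOBILE_UA)
    print("desktop:", d, "\nmobile: ", m, "\nverdict:", classify(d, m))
    ip = socket.gethostbyname(urllib.parse.urlsplit(target).hostname)
    print("hosting IP:", ip, "abuse contacts:", abuse_contacts(rdap_for_ip(ip)))
```

Run it as `python3 check.py https://<site-under-investigation>/` from a machine you are willing to expose to the page; the two `Snapshot` lines plus the verdict are exactly the reproduction detail a hosting provider's abuse desk needs, and the RDAP lookup gives the address to send it to. A result of `same` does not clear the site, since cloaking can also key on client IP or network rather than User-Agent.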

They have some management daemons listening. [1] That could be how they were compromised. Did you try emailing all the addresses listed on this page? [2]

[1] - https://www.shodan.io/host/162.0.229.161

[2] - https://bgp.he.net/ip/162.0.229.161#_whois

Call them out on Twitter, they'll reply. Be aware much of their team is in the Ukraine, so expect some potentially belated replies.
> Call them out on Twitter, they'll reply. Be aware much of their team is in the Ukraine, so expect some potentially belated replies.

That's unfortunate. That would explain why they haven't taken action yet. If that's indeed the case, then I expect more scammers to start abusing namecheap once they realize that namecheap's ability to purge abuse is degraded.

Already tried that without avail.

I posted the scam link publicly now that this post has been manually approved: https://news.ycombinator.com/item?id=30616831