Registrar Impersonation Phishing Attacks



By dk ~ May 29th, 2008, 5:59 pm. Filed under: Comments.

ICANN SSAC (Security and Stability Advisory Committee) has published an advisory SAC 028 “Registrar Impersonation Phishing Attacks” (PDF).

This Advisory describes a form of phishing attack that targets domain name registrants. The attacker impersonates a domain name registrar and sends an expected or anticipated correspondence to a registrar’s customer (a registrant) regarding a domain name related matter. Examples of expected correspondence include a notice of pending expiration of a domain name registration, a promotional email, a notice informing the registrant of an account management issue, or generally, any correspondence that requires or encourages a customer’s immediate attention. The correspondence, however, is bogus. The phisher creates a web site that is deceptively similar to the registrar’s site to induce the customer into accessing his domain management account and unwittingly disclose his account credentials to the phisher. The phisher will use the customer’s captured credentials to access the customer’s domain name portfolio, alter DNS information of domain name(s) in that account and use the domains to abet additional attacks.

What are the main risks from this kind of attack?

  1. Someone can steal your domain name after capturing your authentication credentials through a phishing site.
  2. A malicious user can change the DNS records in your domain’s profile to point to his server.
  3. Once your DNS has been changed to a server under his control, a hacker can set his MX records and read your emails.
  4. A hacker can also set his A records and change your website or completely replace it with a site of his own.
  5. A hacker can change the owner/admin and other details in your domain’s profile.
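
The record changes in items 2 to 4 show up as differences between a domain's known-good DNS records and what is currently published. The following Python is an added example, not part of the advisory or of the original post; the function names and every record value are constructed, and it assumes the observed records have already been collected with whatever DNS lookup tooling you use.

```python
# Added example: all names and record values below are constructed.
# Impact of a change per record type, following the risks listed above.
IMPACT = {
    "NS": "delegation moved to other name servers",
    "MX": "mail may be delivered to another server",
    "A": "website may be replaced or redirected",
}


def normalize(values):
    """Lower-case, collapse whitespace and drop the trailing dot."""
    return {" ".join(v.lower().split()).rstrip(".") for v in values}


def diff_records(baseline, observed):
    """Return findings for NS, MX and A record sets that differ."""
    findings = []
    for rtype in ("NS", "MX", "A"):  # NS first: it controls the others
        old = normalize(baseline.get(rtype, []))
        new = normalize(observed.get(rtype, []))
        if old != new:
            findings.append({
                "type": rtype,
                "added": sorted(new - old),
                "removed": sorted(old - new),
                "impact": IMPACT[rtype],
            })
    return findings


# Constructed sample data using documentation names and addresses.
BASELINE = {
    "NS": ["ns1.registrar-dns.example.", "ns2.registrar-dns.example."],
    "MX": ["10 mail.example.org."],
    "A": ["192.0.2.10"],
}
OBSERVED = {
    # Same name servers, different spelling: must not raise a finding.
    "NS": ["NS1.registrar-dns.example", "ns2.registrar-dns.example"],
    "MX": ["10 mx.other-host.example."],
    "A": ["198.51.100.7"],
}

if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED):
        print(f["type"], f["impact"], "+", f["added"], "-", f["removed"])
```

Changes to the owner/admin details in item 5 are not visible in DNS and would need a separate comparison of the registration data.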
