Hackers attempt to dupe NetRegistry customers

By Brett Winterford on Mar 15, 2010 12:31 PM
Filed under Security

Attackers try to open new accounts.

Scammers using a Brazilian domain name have targeted customers of large Australian domain name and hosting company NetRegistry, seeking usernames and passwords in order to launch new malware attacks.

NetRegistry, which lays claim to being Australia's largest domain name registrar and second largest web host, today warned its customers to ignore emails being sent from the domain coras.com.br with the subject line Please Update.

The offending message asks that NetRegistry subscribers provide their username and password in order to "verify a subscriber's profile" - and warns that failure to do so would "render your email address deactivated" [see full message below].

NetRegistry CEO Larry Bloch told iTnews he was not aware of any customers being affected as yet, but has his technical team monitoring services for any abnormal behaviour.

"There has been a little bit of an uptick in phishing scams targeting non-financial accounts," he said. "By that I mean that giving over your username and password won't necessarily give the hacker any financial gain, but they may use that account to upload malware on existing accounts or use it in conjunction with stolen credit card details to set up new accounts and spawn other nefarious scams," he said.

The challenge for NetRegistry is to identify compromised accounts, he said. This may become apparent, he said, should a single source (IP address) attempt to log-in to multiple accounts, which is unusual behaviour.

Bloch said NetRegistry won't be asking subscribers to update their security credentials until it is sure such a measure is absolutely necessary. "In all cases we have to find that balance between customer security and convenience," he said.

"In this case the best defence is the common sense of customers."

The phishing scam:

Subject: Please Update
From: Netregistry Account Billing support <fjbortolim@coras.com.br>
Date: Sun, 14 Mar 2010 23:18:16 +1100

Dear Netregistry Subscriber, We are currently verifying our subscribers Profile in order to increase the Efficiency of our mail features.

Due to the congestion in all Profile users and removal of all unused Account, Netregistry Will be shutting down all unused Profile,

To Join in the Recent Upgrade Taking Place at Netregistry ,You must Reply to this email by Confirming your account details below,

UserName:

Password:

Failure to do this will immediately render your email address deactivated from our database.

Thanks for using Netregistry !

We are sorry for any inconvenience.

Regards,
Netregistry Customer Care Team.