12|17|2014 11:18 am EDT

ICANN systems compromised through phishing attack

by Frank Michlick in Categories: ICANN / Policy

A number of ICANN’s staff email accounts have been compromised by a phishing attack, which led to administrative passwords for other systems being exposed as well, as Netcraft reports.

The Internet Corporation for Assigned Names and Numbers (ICANN) has fallen victim to a phishing attack which resulted in the attackers gaining administrative access to some of ICANN’s systems, including its Centralized Zone Data Service (CZDS).

In an email alert sent this morning, ICANN said it believes a spear phishing attack in November resulted in several ICANN staff members’ email credentials being compromised. The stolen passwords were then used to gain unauthorised access to multiple ICANN systems, which could have resulted in other usernames and passwords being compromised.

Although CZDS passwords are stored as salted hashes, ICANN has taken the precaution of deactivating passwords and API keys used on the compromised CZDS service. ICANN implemented some security enhancements earlier this year, which it believes limited the extent of the unauthorised access, and has implemented further measures since this attack.

Here’s the email that ICANN wrote to users of its CZDS:

ACTION REQUIRED: CZDS Security Disclosure

ICANN is investigating a recent intrusion into our systems. We believe a
“spear phishing” attack was initiated in late November 2014. It involved email
messages that were crafted to appear to come from our own domain being sent to
members of our staff. The attack resulted in the compromise of the email
credentials of several ICANN staff members.

In early December 2014 we discovered that the compromised credentials were
used to access certain ICANN systems including the Centralized Zone Data
Service (CZDS). 

You are receiving this notice because the attacker obtained administrative
access to all files in the CZDS including copies of the zone files in the
system. The information you provided as a CZDS user might have been downloaded
by the attacker. This may have included your name, postal address, email
address, fax and telephone numbers, and your username and password. Although
the passwords were stored as salted cryptographic hashes, we have deactivated
your CZDS password (and API key if applicable) as a precaution. Additional
information about the attack is included in an announcement that is posted at

In order to continue using CZDS, please visit and follow
the instructions there to request a new password. We suggest that you take
appropriate steps to protect any other online accounts for which you might
have used the same username and/or password.  

This notice was not delayed as a result of a law enforcement investigation.
Earlier this year, ICANN began a program of security enhancements in order to
strengthen information security for all ICANN systems. We believe these
enhancements helped limit the unauthorized access obtained in the attack.
Since discovering the attack, we have implemented additional security

We are providing information about this incident publicly, not just because of
our commitment to openness and transparency, but also because sharing of
cybersecurity information helps all involved to assess threats to their

If you would like further assistance or information, you may contact us by
email to or by telephone at +1-424-277-3192 or U.S.
toll-free at +1-800-401-1703.

Thank you for your attention to this. We sincerely regret any inconvenience or
concern this incident may cause you.

ICANN Registry Services


11|05|2013 10:25 am EDT

Demand Media to Spin Off Domain Registration Business into RightSide [Press Release]

by Frank Michlick in Categories: Registrars

As already predicted by Andrew over at DNW:

Demand Media Announces Key Executives and Name for Proposed Domain Services Company

Company Will Lead Expansion of Generic Top Level Domains under Rightside Brand; Taryn Naidu Selected as Incoming CEO

SANTA MONICA, Calif. – Demand Media, Inc. (NYSE: DMD), a leading media and domain services company, today announced that Taryn Naidu, who currently serves as Demand Media’s Executive Vice President of Domain Services, will become the CEO and a Director of the newly formed domain services company that is proposed to be spun off from Demand Media. Demand Media also announced that it has selected the name Rightside Group, Ltd. (“Rightside”) for the spun off domain services business.

Rightside will be a Kirkland, WA based technology and services company for the Internet domain industry. The company will advance the way consumers and businesses define and present themselves online through a comprehensive technology platform making it possible to discover, register, develop, and monetize domain names. Rightside will play a leading role in the historic launch of new generic Top Level Domains, and the name represents a new way to navigate the Internet, while establishing the new company as the one to guide users in the right direction. It’s everything to the right of the dot – and beyond.

Taryn Naidu, who has led Demand Media’s domain services business since 2011 will become Chief Executive Officer of Rightside, upon completion of the separation. Additionally, Rightside executive management will include Wayne MacLaurin as Chief Technology Officer and Rick Danis as General Counsel. David Panos will be appointed as Chairman of the Board of Directors and Shawn Colo, Demand Media’s Interim President and Chief Executive Officer, will be appointed as a Director of Rightside in connection with the separation.

“Establishing the leadership team and brand identity of the proposed new company marks an important milestone in achieving our plan to separate our business into two distinct market leaders,” said Demand Media Interim President and Chief Executive Officer Shawn Colo. “I am pleased to announce a very strong executive team led by Taryn. This team has a wealth of industry experience, has played an integral role in building the largest wholesale domain registrar and is driving the transformation of this business into one of the largest end-to-end domain name service providers in the world.”

“Rightside’s mission will be to help millions of businesses and consumers define and present themselves online. We’re able to deliver on this through our distribution network of more than 20,000 active partners, one of the leading domain services technology platforms, a large number of applications for new generic Top Level Domains (gTLDs), and a deep bench of industry talent,” said Taryn Naidu, newly designated incoming Chief Executive Officer of Rightside. “It’s an exciting time for us, as new gTLDs start going live this year and our path to becoming an independent public company as a leader in our industry progresses.”

About Rightside

Rightside plans to inspire and deliver new possibilities for consumers and businesses to define and present themselves online. The company will be a leading provider of domain name services, offering one of the industry’s most comprehensive platforms for the discovery, registration, development, and monetization of domain names. This will include 15 million names under management, the most widely used domain name reseller platform, more than 20,000 distribution partners, an award-winning retail registrar, the leading domain name auction service and an interest in more than 100 new Top Level Domain applications. Rightside will be home to some of the most admired brands in the industry, including eNom,, United TLD and NameJet (in partnership with Headquartered in Kirkland, WA, Rightside will have offices in North America and Europe. For more information please visit

About Demand Media

Demand Media, Inc. (NYSE: DMD) is a leading digital media and domain services company that informs and entertains one of the internet’s largest audiences, helps advertisers find innovative ways to engage with their customers and enables publishers, individuals and businesses to expand their online presence. Headquartered in Santa Monica, CA, Demand Media has offices in North America, South America and Europe. For more information about Demand Media, please visit

04|18|2011 05:14 pm EDT

Phishing GoDaddy WDRP Emails Going Around Once More.

by Frank Michlick in Categories: Registrars, Up to the Minute

It appears that another phishing scam is making the rounds trying to get users to reveal their GoDaddy username and password to the scammers. According to “silentg” who received the email and posted on DNForum about it, the email links users to “” (registered at Melbourne IT) instead of The email mimics a GoDaddy notice under the Whois Data Reminder Policy of ICANN (WDRP).

[via DNForum, silentg]

12|04|2009 12:50 pm EDT

McAfee calls .CM “Most Dangerous Country Domain”

by Frank Michlick in Categories: ccTLDs

By Incurable Hippie (Flickr)

With some of the recent sales of .CM (Cameroon) domains at various domain auctions, we asked what those domains were actually worth. Well, it seems their resale value just took another drop, as McAfee called .CM the “Most Dangerous Country Domain” in their latest “2009 Mapping the Mal Web” report. .CM replaces .HK (Hong Kong) in this spot, while .JP (Japan) is considered the world’s safest ccTLD and .GOV the safest non-country TLD.

“This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer,” said Mike Gallagher, chief technology officer for McAfee Labs. “Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught.”

Cameroon, a small African country that borders Nigeria, jumped to the number one spot this year with 36.7 percent of the .cm domain posing a security risk, but did not even make the list last year. Because the domain .cm is a common typo for .com, many cybercriminals set up fake typo-squatting sites that lead to malicious downloads, spyware, adware and other potentially unwanted programs.

More details can be found in McAfee’s report summary.

10|30|2008 02:51 pm EDT

Network Solutions Proactive in Fighting Recent Phishing Attack

by Adam Strong in Categories: Registrars

Emails from Network Solutions to their client base reveal that the company is taking measures to alert customers and keep them informed about the recent NSI phishing scam. It also appears that NSI is taking the necessary defensive measures to combat any unauthorized access to customer domain names resulting from the phishing attempts.

The first email sent out warned customers to be aware of the phishing attempt:

Customers who have registered domain names through Network Solutions, as well as several other domain name providers are currently a target of a large scale phishing scam. A fraudster is sending e-mails to customers asking them to log in to renew or edit their domain name registration, and providing a link to a fraudulent site designed to look like and to capture customer username and password information, or other private information. If you receive a message asking you to log in to your account, we recommend that you type directly into your browser.

In a follow-up email NSI account reps let customers know that they are filtering out access and working to monitor customer log-in attempts.

1. We have put in place additional email filtering to block this traffic.
2. We have been and continue to very closely monitor and perform customer login analysis, to assist in determining if a customer account is suspect for nefarious logins/activity (for those unfortunate customers who trusted this phony email and followed the link to login).
3. Storefront and email messaging is being prepared to notify our customer base of the email phishing activity.

We advise any Customers who did follow these phony links to our Account Manager to immediately update their user id and password.

We want you to know that we are taking every possible measure to protect our Customers from this attack and mitigate its impact. We are working very closely with the Registries as well as ISPs to detect any new domains from which these attacks are coming and shut them down.

It’s good to see NSI working to tighten up security and keep customers informed of issues like this.

10|29|2008 09:19 pm EDT

WARNING: Network Solutions Phishing Scam

by Adam Strong in Categories: Miscellaneous

Fast on the heels of the recent Enom phishing scam, another phishing attack attempting to con domain name registrants into providing their customer information is under way. Network Solutions (NSI) domain customers are the target this time. The spam email messages being sent out warn the user of their domain expiring. Current reports show that the domain name is being used and disguises itself as a site that looks identical to  As the public and internet providers become aware of the abuses, both the Enom and NSI phishing attackers are adapting to these reports by changing the domain name addresses they use. See full phishing email after the link.

10|28|2008 06:28 pm EDT

WARNING: Enom Phishing Scam

by Adam Strong in Categories: News

We have received several reports of phishing scam emails that at first glance appear to be coming from domain name registrar The emails warn of a complaint for invalid whois information and ask the user to login. Of course the link that the email directs you to is not a valid Enom domain name. The site is likely harvesting user names and passwords to access legitimate Enom accounts.

The link in the email actually takes you to the domain name .  When we attempted to visit the site McAfee put up a warning page that said

Reported Web Forgery!  This web site at has been reported as a web forgery and has been blocked based on your security preferences.

Web forgeries are designed to trick you into revealing personal or financial information by imitating sources you may trust. Entering any information on this web page may result in identity theft or other fraud.

If you do get to the site it is designed to look exactly like the enom home page. The domain is registered by a Russian at the Chinese registrar OnlineNic. A copy of the email is below.

03|20|2008 12:54 am EDT

eNom registrants target of phishing scam

by Frank Michlick in Categories: Up to the Minute

After the previous phishing attempts targeting TrafficZ customers, it appears that eNom customers are now the target of a new email scam. The best protection against these types of attacks, which try to get you to enter your username and password on a fake site, is to enter the URL directly into your browser instead of clicking links in your email.

02|28|2008 01:39 am EDT

Anti-Phishing act to outlaw Whois-Privacy?

by Frank Michlick in Categories: ICANN / Policy

For those of you who haven’t heard about it already, Sen. Ted Stevens is proposing the Anti-Phishing Consumer Protection Act of 2008 (APCPA), which is also being supported by CADNA. We were first alerted to this topic by Michael Berkens’ post on The Domains. A recent article by Larry Fischer points out these are the reasons why this act is a bad idea:

  1. There are already laws against Phishing.
  2. This act makes whois-privacy illegal.
  3. The bill would also allow businesses to take over generic domains if they match their business name.

[via The Domains, Direct Navigation, CNET]

02|11|2008 04:02 pm EDT

TrafficZ customers targeted by phishing scam

by Frank Michlick in Categories: Up to the Minute

According to an email by TrafficZ, customers of the parking company have been the target of a phishing scam. The email entitled “TrafficZ | Domain Termination Notice” states that one of [the customer’s] domains has been deleted from [their] TrafficZ account and asks them to visit within 72 hours in order for their account not to be blocked. The link in the email leads the user to instead of going to The originators of this phishing scam are attempting to capture the usernames and passwords of the misled users.