Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails

from the for-best-results,-enable-macros dept

Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Fake @ICANN Domain Abuse Notices being spammed out to domain owners, distributing malware (Dridex?) – icann-monitor[dot]org

These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp:// calling out to

The email appears to originate from somewhere legitimate, as seen in this screenshot:

But the quasi-legit URL ( was only very recently registered through eNom, which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names.

Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL:
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
Tech Email:
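
As an added example (not from the original post or from the researcher), here is how a mail gateway could flag this pattern by combining the two signals above: a sender domain that embeds the ICANN name without being icann.org, and a WHOIS creation date only days old. The 30-day threshold, the receipt time and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# WHOIS lines as quoted in the article; the empty field is kept to show handling.
WHOIS_TEXT = """\
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Tech Email:
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict; empty values become None."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip() or None
    return record

def domain_age_days(record, seen_at):
    """Days between the WHOIS creation date and when the mail was seen."""
    created = datetime.strptime(record["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    return (seen_at - created.replace(tzinfo=timezone.utc)).total_seconds() / 86400

def is_brand_lookalike(sender_domain, brand_domain):
    """True if the sender embeds the brand label but is not the brand's domain."""
    sender = sender_domain.lower().rstrip(".")
    brand = brand_domain.lower().rstrip(".")
    if sender == brand or sender.endswith("." + brand):
        return False  # the real domain or one of its subdomains
    brand_label = brand.split(".")[0]
    return any(brand_label in label for label in sender.split("."))

def triage(sender_domain, whois_text, seen_at, brand_domain, max_age_days=30):
    """Return the reasons (possibly none) to hold a message for review."""
    reasons = []
    record = parse_whois(whois_text)
    if is_brand_lookalike(sender_domain, brand_domain):
        reasons.append("lookalike of " + brand_domain)
    if record.get("Creation Date") is None:
        reasons.append("no creation date in WHOIS")
    elif domain_age_days(record, seen_at) < max_age_days:
        reasons.append("domain younger than %d days" % max_age_days)
    return reasons

# Constructed receipt time; the article does not give one.
SEEN_AT = datetime(2016, 12, 30, 12, 0, tzinfo=timezone.utc)
print(triage("icann-monitor.org", WHOIS_TEXT, SEEN_AT, "icann.org"))
```
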

Ironically, the emails containing this malware inform recipients that their domain is “being used for spamming and spreading malware.” The spam email invites site owners to download a malware-laced “report” for further instructions on how to remove their site from the blacklist, warning them they only have 24 hours to ~~fall victim to ransomware~~ respond.

The researcher is now “counting the hours (days?)” until either eNom or ICANN act in response to this spoofing/ransomware attack. Don’t hold your breath. ICANN has yet to say anything publicly about this and, as of this point, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.

Companies: icann


Comments on “Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails”

Skullduggery says:

Re: MSFT Word?

Sorry, but the internet runs on UNIX, not “Linux”.

Linux is a kernel, not an operating system.
Linux kernel based operating systems are not ready for production with the plethora of shortcomings like no real memory manager (it uses a pretend memory manager that doles out memory like congress does money), shitty filesystems that suffer from bit-rot just like Windows NTFS as well as the never-ending problem with them going read-only in the middle of operations. Add in problems with OoM-Kill causing them to hang entirely and systemd offering all kinds of hooks for malware to attach and you’ve got a mish-mash hodge-podge of garbage that isn’t any better than anything Microsoft offers.

Now, if you’d said, Solaris, HPUX, AIX, I wouldn’t have argued. Let’s face it, Linux kernel based operating systems are just toys at the current time.

Ehud Gavron (profile) says:

Re: Re: MSFT Word?

> Sorry, but the internet runs on UNIX, not “Linux”.

Sorry but the Internet runs on GNU/Linux not UNIX™. Very few people use UNIX and those include AT&T in their old DMS switching systems and some government operations. Everyone else uses some open-source variant based on either BSD Unix or Linux.

> Linux is a kernel, not an operating system.
Most people who say “I use Linux” refer to the modern-day meaning which is the “GNU/Linux ecosystem.” If you want to be a stickler and insist that Linux only refers to the kernel you might want to start capitalizing “Internet” since lower-case Internet means some random internetwork.

> Linux kernel based operating systems are not ready for production…
This, and the rest of your rant is factually wrong, technically incorrect, demonstrates a lack of understanding of how operating systems work, conflates file systems with operating systems, and in general represents a decent view of the state of the art of Linux in 1991.

> Now, if you’d said, Solaris, HPUX, AIX, I wouldn’t have argued.
Yes, you’re definitely stuck in 1991. Thanks for informing the world that if everyone said the thing you think you wouldn’t argue. Fortunately the world is not here to hear you argue nor prevent your arguments.

Argue away. You’re still wrong and 15 years behind the times.

Happy New Year.

In 2017 you’ll be 16 years behind the times. Start counting down till midnight tomorrow.

nasch (profile) says:

Re: Re: MSFT Word?

Linux kernel based operating systems are not ready for production

Google doesn’t agree.

"Linux is also the leading operating system on servers and other big iron systems such as mainframe computers and on 99.6% (including top 385) of the fastest (TOP500) supercomputers"

Sounds like Ehud is right, you haven’t updated your information about Linux in a long time.

Anonymous Coward says:

Re: MSFT Word?

It has been solved already ages ago:

Polaris is a package for Windows XP that demonstrates that we can do better at dealing with viruses than has been done so far. Polaris allows users to configure most applications so that they launch with only the rights they need to do the job the user wants done. This simple step, enforcing the Principle of Least Authority (POLA), gives so much protection from viruses that there is no need to pop up security dialog boxes or ask users to accept digital certificates. Further, there is little danger in launching email attachments, using macros in documents, or allowing scripting while browsing the web. Polaris demonstrates that we can build systems that are more secure, more functional, and easier to use.

Too bad it didn’t get sold, HP labs then offered it for free to Microsoft to include it in the next version of Windows. But apparently that never happened.

We have a new chance:

Ehud Gavron (profile) says:

Freedom of expression - until you don't like it

“…which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names. “

Yes, that’s exactly how the freedom to express oneself by registering a domain name works. Can you just imagine the horror if registrars refused to register names that “appear” to be “associated” with other entities.

It would make registrars worse than the USPTO.

I’m surprised, Tim, that you would say this, implying therein that censorship of domain name selection is a goal to which registrars should strive.

Happy New Year. (Feel free to register that as a domain name, if you like. Oh shoot, never mind, it’s taken.)


Anonymous Coward says:

Re: Freedom of expression - until you don't like it

I assume you are being deliberately obtuse and ignoring the obvious security problems with allowing domains like this to be purchased by any random person. If I am wrong however, you deserve the life of ruined computers and hacked passwords that clicking on legitimate looking emails will give you.

Ehud Gavron (profile) says:

Re: Re: Freedom of expression - until you don't like it

First, you assume incorrectly. Second there are no “security problems” in allowing people to register domains. Finally, thanks for wishing me a life of misery for expressing the idea that anyone should be able to register any domain name or speak their minds or publish their words.

I am a consultant on security, have an RFC on domain names, and don’t wish ill on people who fight for free expression nor do so anonymously.

happy new year.


Anonymous Coward says:

Re: Re: Re: Freedom of expression - until you don't like it

So if someone went around and purchased very similar domain names to all of your business domains and then goes on to spearphish your likely contacts and associates with those domains, you are still perfectly fine with that happening?
So if someone for instance registered and started sending all likely contacts notices of a malware infection as in the above article with a ransomware link to respond or for more information, you would still be perfectly ok with the idea?

Ehud Gavron (profile) says:

Re: Re: Re:2 Freedom of expression - until you don't like it

You’re hilarious. My “likely contacts and associates” aren’t stupid.

I’m perfectly ok with people registering whatever domain names they like. This is still a country where we value freedom of expression. The ends do not justify the means, and we do not support censorship.

Now go troll elsewhere. I’m off to enjoy the NY weekend. I don’t have time to answer rhetorical questions posted by people too cowardly to sign their name, too cowardly to allow speech they don’t like, and I’m sure the next “analogy” will have something worse than confused business associates, like, say the poor children we should be thinking of.

Hide under your bridge; happy new year. Be literate.


orbitalinsertion (profile) says:

Re: Re: Freedom of expression - until you don't like it

Like if ICANN-MONITOR.ORG were, say, some group against the USG officially cutting ties with ICANN or some watchdog group?

All sorts of names may be registered and there is nothing to stop that. Even domain squatting. You can try to go through ICANN or sue over trademark or just try to buy the domain from the holder. But there isn’t something that is going to stop one from registering almost any sort of name, whether used for nefarious purposes or not.

kenichi tanaka (profile) says:

Who would be dumb enough to fall for these scams? My webhost provider sends me email messages via a support ticket when my domain renewal is up. Neither ICANN nor ENOM ever sends me any messages regarding my domain. I’ve had to contact ENOM because my previous webhost refused to unlock my domain name so I could transfer and that’s the only contact I’ve had with ENOM.

Nick (profile) says:

Re: Who falls for this?

If there’s one thing I’ve learned as the official “internet guy” in my extended family, is that a LOT of people are using many many internet features that they do not really understand. Old people in particular are very trusting when it comes to scary-looking emails and website popups.

Not-so-old people are not that much better. I’ve been called by my own mother, who gets a lot of spill-over techy knowledge from when I speak to my father, still almost fell for that “Microsoft Bob” voice that hijacks your browser and pretends to be a BSOD.

Not to mention the oodles and oodles of emails like this I get for video game services. Blizzard game services seem to get targeted the most, and I like keeping a copy of some of them (wish I kept more) so I can go back and laugh. But I know that even some close friends of mine will fall for it.

Now, imagine any of the above people that were “suggested” by me to buy their own domain name for private use. They don’t host a website, simply use the domain for email purposes. And they get one of these scary emails. Most people vulnerable to the scam would use Windows and Microsoft office products. They’ll certainly find “simple, easy steps” an easy thing to do, I won’t bother my hard working son/grandson/husband with a quick call – oh crap – now I’m either out lots of data or hundreds of bucks.

Anonymous Coward says:

Why should either entity act? TechDirt has had stories in the past about domain registrars booting off domains because some random entity had a tantrum. You praise some registrars for requiring a court order to deregister domains, but you expect eNom to deregister this domain because some random people are complaining?

And why should ICANN act? Is it going to give itself some special privileges to boot off any domain that uses the name “icann”? Then what? Other entities start demanding their own special privileges too?

Frankly, the only thing that is remotely noteworthy on this is that the domain is impersonating ICANN. There are thousands of other spoofed entities and fake domains for phishing, but they don’t get special treatment or mentions.

ICANNotbelieveit'snotbutter says:

Alice: Well, I can’t believe the stuff that is not I Can’t Believe It’s Not Butter is not I Can’t Believe It’s Not Butter. And I can’t believe that both I Can’t Believe It’s Not Butter and the stuff that I can’t believe is not I Can’t Believe It’s Not Butter are both, in fact, not butter. And I believe… they both might be butter… in a cunning disguise. And, in fact, there’s a lot more butter around than we all thought there was.
