This phishing attack impersonates the domain registrar Namecheap and might be the best I’ve seen. It grabbed my attention because I’ve fought expired certificates before and they’re always a major hassle to deal with.
But wait a minute. Namecheap is my domain registrar, but I never bought any certificates from Namecheap. Why would I have expiring certificates?
And Namecheap knows the email address I use. Why email infrasupportetc? If I could go back to 1999 and correct a naming mistake, I would have never used infrasupportetc – just infrasupport. Today, infrasupportetc is just an alias for infrasupport. So, why are these guys sending notifications to that old name?
And then, look at the advertised sender. Who is skaates.com? Well, that could work. Sometimes these notifications come from different domains. And it’s root, after all. Nice touch.
I think I’ll give this one an A-. If they had used infrasupport instead of infrasupportetc, and advertised a different sender, it would be an A. Yes, I contacted Namecheap about this. If you’re from Namecheap and reading this blog post, please say thanks and leave a comment.
For more phishing samples, see my phish collection.