Security and Stability Advisory Committee (SSAC)

The SSAC is a volunteer group of specialists in the technical security field that provides advice and insight to the ICANN community and the Board.

SAC028 | Executive Summary for SSAC Advisory on Registrar Impersonation Phishing Attacks

[PDF, 101 KB]

Phishers exploit many forms of email that merchants or financial businesses send to customers. The goal of such email messages is to lure a customer to a web site that appears to be the customer's bank or merchant and cause the customer to disclose his account information. The phisher uses this information to fraudulently use the customer's credit cards or financial account, or steal the customer's identity. Domain name registrars control domain name information of behalf of their customers (registrants), and mostly correspond with registrants by email. They are thus a particularly valuable phishing target, and a registrar-impersonating phisher tries to lure a registrar's customer to a bogus copy of the registrar's customer login page, where the customer may unwittingly disclose account credentials to the attacker who can then modify or assume ownership of the customer's domain names.

The Advisory recommends ways registrars can reduce phishing threats. For example, including only the information necessary to convey the desired message in customer correspondence, the registrar can reduce the opportunities for phishers to personalize messages and thus make them more convincing. Registrars can also avoid the use of hyperlink references in email messages, provide some form of non-repudiation of origin, and educate customers of the phishing threat and consequences registrars use to minimize the exposure of their registrants to phishing risk in email correspondence and at registrar web sites.

This Advisory also recommends ways for registrants to detect and avoid falling victim to this type of phishing attack. For example, customers should avoid clicking on hyperlinks in all email correspondence, be suspicious of email correspondence from a registrar that claims an urgent response is required, and should not trust an email simply because it is personalized. The Advisory also recommends services registrants should consider when choosing a registrar.