
SAC 028 | Registrar Impersonation

[PDF, 101 KB]

Phishers exploit many forms of email that merchants or financial businesses send to customers. The goal of such email messages is to lure a customer to a web site that appears to be the customer's bank or merchant and cause the customer to disclose account information. The phisher uses this information to fraudulently use the customer's credit cards or financial accounts, or to steal the customer's identity. Domain name registrars control domain name information on behalf of their customers (registrants), and mostly correspond with registrants by email. They are thus a particularly valuable phishing target: a registrar-impersonating phisher tries to lure a registrar's customer to a bogus copy of the registrar's customer login page, where the customer may unwittingly disclose account credentials to the attacker, who can then modify or assume ownership of the customer's domain names.

The Advisory recommends ways registrars can reduce phishing threats. For example, by including only the information necessary to convey the desired message in customer correspondence, a registrar reduces the opportunities for phishers to personalize messages and thus make them more convincing. Registrars can also avoid the use of hyperlink references in email messages, provide some form of non-repudiation of origin (so that a registrant can verify that a message really came from the registrar), and educate customers about the phishing threat and its consequences. Together, these measures minimize the exposure of registrants to phishing risk in email correspondence and at registrar web sites.

This Advisory also recommends ways for registrants to detect and avoid falling victim to this type of phishing attack. For example, customers should avoid clicking on hyperlinks in all email correspondence, be suspicious of email correspondence from a registrar that claims an urgent response is required, and should not trust an email simply because it is personalized. The Advisory also recommends services registrants should consider when choosing a registrar.

Domain Name System glossary: Internationalized Domain Name (IDN)

IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet "a-z". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use digits other than the European "0-9". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed "ASCII characters" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of "Unicode characters" that provides the basis for IDNs.

The "hostname rule" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen "-". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: a domain name consists of a series of "labels" (separated by "dots"). The ASCII form of an IDN label is termed an "A-label". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a "U-label". The difference may be illustrated with the Hindi word for "test" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of "ASCII compatible encoding" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A label that only includes ASCII letters, digits, and hyphens is termed an "LDH label". Although the definitions of A-labels and LDH labels overlap, a name consisting exclusively of LDH labels is not an IDN.
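The U-label/A-label conversion described in the glossary entry above, combined with the Advisory's advice that registrants not follow hyperlinks in registrar email, as one added worked example. This is not code from SAC 028 or from ICANN; it uses Python's built-in idna codec (IDNA2003 rules, an assumption, since the page names no IDNA version) to convert labels, and then triages the hyperlinks in a constructed sample email against a hypothetical registrar domain, example-registrar.test. The sample message, the registrar domain, and the triage rules (host outside the registrar's domain, IDN host, a label that mixes scripts, or visible link text naming a different host) are all constructed here and go beyond what the page itself states.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- IDN label handling, using the glossary's terminology -------------------

LDH_LABEL = re.compile(r"^[a-z0-9-]{1,63}$")


def is_ldh_label(label: str) -> bool:
    """Hostname rule: ASCII letters, digits and hyphen only, 1-63 octets."""
    return bool(LDH_LABEL.match(label.lower()))


def to_a_label(name: str) -> str:
    """U-label(s) -> A-label(s) via Python's 'idna' codec (IDNA2003; an
    assumption of this example, IDNA2008 differs for some code points).
    Pure-ASCII labels pass through unchanged; dots separate labels."""
    return name.encode("idna").decode("ascii")


def to_u_label(name: str) -> str:
    """A-label(s) -> U-label(s); the codec re-encodes and checks the round trip."""
    return name.encode("ascii").decode("idna")


def is_idn(name: str) -> bool:
    """A name is an IDN if any label in A-label form carries the 'xn--' ACE
    prefix; a name made only of LDH labels is not."""
    return any(lbl.lower().startswith("xn--") for lbl in to_a_label(name).split("."))


def scripts_in_label(u_label: str) -> set:
    """Scripts of the letters and marks in a U-label, taken from the first word
    of each Unicode character name (e.g. LATIN, CYRILLIC, DEVANAGARI).
    Digits and the hyphen are ignored."""
    return {unicodedata.name(c).split()[0]
            for c in u_label if unicodedata.category(c)[0] in "LM"}


# --- Hyperlink triage for a registrar email ---------------------------------

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_links(html: str, registrar_domain: str) -> list:
    """Return [(href, [reasons])]; an empty reason list means the link points
    into the registrar's own domain and shows no lookalike tell. The rules are
    a check added here, not part of the Advisory."""
    parser = _LinkCollector()
    parser.feed(html)
    registrar = to_a_label(registrar_domain).lower()
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").rstrip(".")
        try:
            a_host = to_a_label(host).lower()   # wire form, as the DNS sees it
            u_host = to_u_label(a_host)         # display form, as a user sees it
        except UnicodeError as exc:
            findings.append((href, ["host fails IDNA processing: %s" % exc]))
            continue
        reasons = []
        if not (a_host == registrar or a_host.endswith("." + registrar)):
            reasons.append("host not under " + registrar_domain)
        if is_idn(a_host):
            reasons.append("IDN host, displays as " + u_host)
        for lbl in u_host.split("."):
            scripts = scripts_in_label(lbl)
            if len(scripts) > 1:
                reasons.append("label %r mixes scripts %s" % (lbl, sorted(scripts)))
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and to_a_label(shown).lower() != a_host:
            reasons.append("visible text names " + shown)
        findings.append((href, reasons))
    return findings


# Constructed sample email (not from the Advisory): one genuine link and three
# lures, including a Cyrillic 'a' (U+0430) lookalike and the glossary's A-label.
SAMPLE_EMAIL = """<p>Your domain will be suspended unless you confirm your account today.</p>
<a href="https://accounts.example-registrar.test/login">Log in</a>
<a href="https://example-registrar.test.login-check.example/">https://example-registrar.test/login</a>
<a href="https://ex\u0430mple-registrar.test/login">Log in</a>
<a href="https://xn--11b5bs1di.example/">Log in</a>
"""

if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_EMAIL, "example-registrar.test"):
        print(href, "->", reasons or "ok")
```

Run stand-alone, the script prints one line per link; only the first link comes back clean. The mixed-script rule is deliberately coarse (a whole-label script set from character names rather than a confusables table), which is enough to catch the Latin/Cyrillic substitution in the sample but will also flag legitimately bilingual labels.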