May 31, 2015

DNS hijacking, or plain host hijacking, is pretty common these days. It's a safe, low-tech attack for getting the usernames and passwords of key hosting accounts. Recently I received an email that was a 10/10 as far as phishing email quality goes. None of the usual broken English; in fact, see the screenshot. Well written, with an official disclaimer and an address to boot.

Decipher Inc phishing email screenshot

Scam phishing email

A few points on why this email is well crafted but still a scam:

1. Yes, I am a customer of Linode. How do they know?
Normally these emails are crafted using WHOIS information. However, my WHOIS record is private for the domain in question. This is where it gets interesting.
The name servers are with Linode, and it is a good guess that if the name servers are on Linode (ns*.linode.com is pretty obvious) then I am a customer of Linode. It grabs my attention.

2. This email did not go to the spam folder. Private WHOIS lists a proxy email. When they sent the email to the WHOIS contact, it reached the proxy address, which forwarded it to me. Gmail's spam filter is pretty good at picking scam emails up, but this one passed right through. If you look at the screenshot, they have taken every precaution to avoid common words like "account" that alert Gmail. Linode of course has my real email, so they would never send anything to my WHOIS proxy email. Another reason you should get private registration.

3. The database is not updated for at least 3 months. I am not using the Linode name servers for this domain anymore, and haven't been for at least the past 6 months. It would seem that the data is mined and collected.

4. Decipher Inc. This is indeed a legit company and offers surveys, like SurveyMonkey, for free. It is not as blatant as a free email sign-up, but of course it must not be hard to get: you request a free demo and they give you a test account. That's it. The email ends up looking perfectly legit.

* Google also allows you to create surveys, but you cannot add a text box for a password field, and it will prevent a form from being created with a field named "password", AFAIK.

I emailed Linode support about this. They confirm that this is happening and that they are aware of it. They claim SOA records from DNS are being used, but in my case the SOA record has no email address. I believe they use the NS record for sure to know if the domain is on Linode, and that's about it. Emails are still sent to the WHOIS contact blindly.
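To see what your own zone gives away to a sender like this, here is an added example (not code from the original post or from Linode) that reports two things from public DNS: the hosting provider inferred from NS hostnames, and the contact address encoded in the SOA RNAME. It runs on constructed sample records rather than live lookups; the suffix table is a hypothetical mapping with only the Linode entry taken from the post.

```python
# Added example: what a domain's public DNS reveals to a third party.
# Records are constructed sample data; no network lookups are made.

# Hypothetical NS-suffix -> provider table. Only the Linode entry comes
# from the post; extend it with whatever providers you care about.
PROVIDER_SUFFIXES = {
    ".linode.com": "Linode",
}


def rname_to_email(rname):
    """Turn an SOA RNAME like 'hostmaster.example.com.' into an email address.
    The first unescaped dot separates the local part from the domain;
    a backslash-escaped dot ('\\.') is a literal dot in the local part."""
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])  # escaped character, keep literally
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return None  # no domain part, so nothing usable as an address


def infer_provider(ns_records):
    """Guess the DNS/hosting provider from the NS hostnames alone."""
    for ns in ns_records:
        host = ns.lower().rstrip(".")
        for suffix, provider in PROVIDER_SUFFIXES.items():
            if host.endswith(suffix):
                return provider
    return None


def dns_exposure(ns_records, soa_rname):
    """Summarise what a sender can learn without any WHOIS data."""
    return {
        "provider": infer_provider(ns_records),
        "contact_email": rname_to_email(soa_rname),
    }


# Constructed sample: zone on Linode name servers, SOA with a generic RNAME.
SAMPLE_NS = ["ns1.linode.com.", "ns2.linode.com."]
SAMPLE_SOA_RNAME = "hostmaster.example.com."
```

If the report names your provider and a real mailbox, that is exactly the information this phishing campaign needed, so a generic role address in the SOA and a private WHOIS contact are the levers you control.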

I hope Linode will send out an informational update before they get overrun with confused newbie admins.