Namecheap vulnerability they refuse to fix: no 2FA on support portal login (crimew.gay)
188 points by ajdude on Aug 27, 2022 | hide | past | favorite | 87 comments


Casual reminder that 9/10 phishing scam domains you come across will be hosted on NameCheap and the company couldn't care less, probably too valuable as revenue. This is so well known that blackhat discussions recommend NameCheap as the registrar of choice. Maybe they exploit vulnerabilities like this one.

If the CTO or CEO or whatever C-level who comes on here to do damage control every now and then tries to disagree (probably citing how big their $3/hour Eastern European legal team is), keep in mind it's all PR junk and the proof is in the pudding. It's been years -- no action, no change. Just more scams.


Do you have some more supporting evidence for this, without me having to waltz into a blackhat forum? I'm not trying to be the "citation needed" guy, but as someone who regularly reports internet abuse to blacklists (and is sick of all the attacks that "neutral" places like Cloudflare send to my sites), I'd like to know more.

I've seen your previous 2020 HN submission on this about Namecheap hosting the domains used in SMS scams: https://news.ycombinator.com/item?id=24231307


> 2020: UK National Cyber Security Centre: Figure 1 shows that NameCheap became the most popular host of UK government-themed phishing during 2020. By December 2020 we found that it hosted in excess of 60% of phishing in this category.

https://shkspr.mobi/blog/2021/05/why-do-scammers-love-namech...

https://www.ncsc.gov.uk/files/Active-Cyber-Defence-ACD-The-F...

> 2017: As of today around 38% of the domains reported to us since we began recording on 8/23/17 are sponsored by NameCheap INC. These domains are allowed to continue to scam consumers long after they are reported. An example of this is “ecojetexpress.us” which has been reported repeatedly by both petscams.com and victims who have lost money. When victims of this scam filed an abuse report NameCheap did not “take reasonable and prompt steps to investigate”. Instead they forwarded the abuse report with the victims information to the criminal. 5 months later, ecojetexpress.us was still online scamming new victims.

https://petscams.com/news/namecheap-hurting-internet/

> Facebook sues Namecheap to unmask hackers who registered malicious domains. The social networking giant claims that Namecheap has refused to cooperate in an investigation into a series of malicious domains that have been registered through its service and which impersonated the Facebook brand.

> Some of the sample domains included the likes of instagrambusinesshelp.com, facebo0k-login.com, and whatsappdownload.site.

> Dubois said lookalike domains like these -- which abuse the Facebook brand -- are often used for phishing, fraud, and scams.

https://www.zdnet.com/article/facebook-sues-namecheap-to-unm...


Wow, thank you very much for this. I honestly wasn't aware of any of it.

And double-Wow on that first PDF published by GCHQ. (Pages 8 and 9 are specifically their data on Namecheap as the #1 phishing threat, for anyone else wanting to read it). That's astonishingly bad performance from Namecheap. The data in that PDF is very useful with my own anti-botnet research. I bet the GCHQ data will be persuasive if I do bring this up with politicians considering removing the Safe Harbour provisions for hosts.


Then again you can create heuristics that block suspicious domains registered at NameCheap, silver lining or something.

I really wish the effort put into curtailing piracy went into curtailing spam and phishing instead. Would be actually beneficial to society.


> couldn't care less

They are usually praised for how fast they take down phishing domains though


They'll take down a single domain and pretend to not know how to take down the other 300 registered on the same user's account.

The argument that NameCheap (and its supporters) provide is that this is a good thing that makes them stay because NameCheap shouldn't be policing domains or some other free speech nonsense ignoring that this is pure facilitation of crime. Ignoring that this is blatantly violating their own T&Cs and the ICANN guidelines.


So they actually do care, huh.

No, the argument is it's either this "free speech nonsense" or gestapo filtration like Apple's/Google's app review process, where the big company is the judge and the jury, and I prefer the former.


Ah yes the nazi hammer.


Not my experience. I tried their abuse email address, their abuse report form and I even made an account to contact support, but did not even receive a reply. Over 30 websites are still up. But to be fair, the websites are about selling certain pills and not about phishing.


Not in my experience either. I received phishing (physical) mail [1] pointing me to a domain that was registered with namecheap. I reported it to them in March, I followed up a few months later, and I still see the website operating today, with no response from namecheap.

The domain is even listed on the USPTO site as a scam operation [2], yet no action has been taken yet.

[1] Looks like this: https://www.uspto.gov/sites/default/files/documents/WTP%20Tr...

[2] https://www.uspto.gov/trademarks/protect/caution-misleading-...


Not OP of this post, just came across it. I'm a heavy namecheap user, and will continue to use them, but this did make me a little concerned. From the post:

> so, setting up 2fa on namecheap prevents anyone from just logging into your account if your credentials get leaked or stolen. great, they can't just manage your domains. HOWEVER, the namecheap support portal (at http://support.namecheap.com) uses the same credentials for login BUT it never asks for 2fa. if you get leaked credentials you can just sign in to the support portal. because of how badly designed it is you can even change the support email for the account with no confirmation and no info being sent out to the old email.

> how is that a big deal?

> well, you can just open domain transfer tickets from the support portal and hijack domains anyways, you can probably even pretend to not understand how anything works and ask them to change dns for you, etc...
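The flaw quoted above, as an added example that is not code from the crimew.gay post or from Namecheap: two login surfaces share one credential store; the vulnerable support portal checks only the password and changes the support email silently, while the hardened version enforces an enrolled second factor on this surface too and notifies the old address. The account, password, and TOTP secret are constructed for the demo.

```python
"""Two login surfaces sharing one credential store: the support-portal flaw
beside a hardened version.  Constructed demo (no rate limiting, no replay
protection for already-used codes)."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets
import time

@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes]       # None means the user never enrolled 2FA
    support_email: str
    notices: list = field(default_factory=list)   # stand-in for outbound mail

@dataclass
class Session:
    username: str
    mfa_verified: bool

def make_account(username, password, support_email, totp_secret=None) -> Account:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return Account(username, salt, digest, totp_secret, support_email)

def password_ok(acct: Account, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 200_000)
    return hmac.compare_digest(digest, acct.password_hash)

def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `at` (default: now)."""
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_ok(secret: bytes, code: str) -> bool:
    now = int(time.time())   # accept the current and previous step (clock drift)
    return any(hmac.compare_digest(code, totp(secret, t)) for t in (now, now - 30))

class VulnerableSupportPortal:
    """Shares credentials with the main site but never asks for the second factor."""
    def __init__(self, accounts: dict):
        self.accounts = accounts

    def login(self, username: str, password: str) -> Optional[Session]:
        acct = self.accounts.get(username)
        if acct is None or not password_ok(acct, password):
            return None
        return Session(username, mfa_verified=False)   # a leaked password is enough

    def change_support_email(self, session: Session, new_email: str) -> None:
        self.accounts[session.username].support_email = new_email   # no check, no notice

class HardenedSupportPortal(VulnerableSupportPortal):
    """Same credential store; the 2FA policy is enforced on this surface too."""
    def login(self, username, password, code: Optional[str] = None) -> Optional[Session]:
        acct = self.accounts.get(username)
        if acct is None or not password_ok(acct, password):
            return None
        if acct.totp_secret is not None:            # enrolled => the code is mandatory here
            if code is None or not totp_ok(acct.totp_secret, code):
                return None
        return Session(username, mfa_verified=acct.totp_secret is not None)

    def change_support_email(self, session, new_email) -> str:
        acct = self.accounts[session.username]
        if acct.totp_secret is not None and not session.mfa_verified:
            raise PermissionError("second factor required for account changes")
        old, acct.support_email = acct.support_email, new_email
        acct.notices.append(f"to {old}: support contact changed to {new_email}")  # tell the OLD address
        return old
```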


I only used support once many many years ago and was asked for a one time support code from the main account. So I never worried about the lack of 2factor. But now I worry…


Namecheap's support pages seem to be a completely different system to their main site. I've sometimes been unable to log into the support page even though I can get into the main site fine, and contacting support about it got nowhere. Maybe the support is outsourced?

In my experience, the support people ask for a PIN which you can only see by logging in to the main site with 2FA, so while this problem is not great, I don't think it's as bad as this article suggests.


At my company, our support portal isn’t run by the software engineering team, but by a different department. The integration is limited and doesn’t support 2FA. Changing this is very much not a priority, because we don’t want to be responsible and the point of contact for a dozen more services.


Why is NameCheap getting thrown under the bus across the board?

I've used them for 10+ years without issue. In fact, it's been stellar.

Sure, the interface is a little outdated. But does anyone honestly spend any amount of time there, other than pointing the nameservers to Cloudflare? After that, I rarely ever even log in.


I moved away from Namecheap because they threatened to deactivate one of my domains within 24 hours after receiving a fabricated abuse complaint from a reputation management company. I saw from my logs that Namecheap did not even visit the page in question. I couldn't trust Namecheap after that and moved to Porkbun. I can't say with any certainty Porkbun would handle that situation any better. But I like the fact that if they try to pull some Google-esque automated ban, I can drive to their HQ.


Why not just buy the domains directly from cloudflare then?


To avoid the "all eggs in one basket" issue with companies that have arbitrary rules and little to no support, on purpose. Same reason I don't use Stripe or Shopify or SendGrid.


I’ve had excellent experience with support from Cloudflare, Stripe, and I don’t recall ever having issues with SendGrid over the 3+ years I used them.


Cloudflare's domain management has sadly also had some questionable actions/decisions.

0: https://news.ycombinator.com/item?id=31573854

1: https://community.cloudflare.com/t/domain-not-working-after-...


I have over 20 domains with cloudflare. I have been transferring all my domains to cloudflare one by one over the years and now I am worried about getting randomly flagged like this.

Does anyone know if cloudflare has provided any justification?

Are we at HN's mercy to publicly shame them to get them to fix this if it happens to us?


There's a limited number of TLDs available on CloudFlare.


>> Why is NameCheap getting thrown under the bus across the board?

from https://en.wikipedia.org/wiki/Namecheap

'In February 2022, Namecheap announced that they would terminate services to Russian accounts due to the Russian invasion of Ukraine, citing "war crimes and human rights violations". Existing users were given a one-week grace period to move their domains. The company also announced that it would be offering free anonymous domain registration and web hosting to all protest and anti-war websites in Russia or Belarus. Namecheap at the same time said it had over 1,000 employees located in Ukraine, comprising most of its support staff, mostly in Kharkiv (which was a major location of fighting).'


Yes, I'm aware of the war going on, and that it affects politics and economics, and therefore, valuable lives. But the complaint originated with the lack of 2FA, and then went straight under the bus for completely unrelated items.

2FA is certainly a useful layer to add, but also not the be-all-and-end-all of account security.

There isn't a list of 1) secure trustworthy companies because of 2FA, and 2) everyone else is untrustworthy and dangerous. Wells Fargo doesn't even require 2FA.


Are you using Wells Fargo as an example of a trustworthy company? They're one of the scummiest large companies I know of.

https://en.m.wikipedia.org/wiki/Wells_Fargo_account_fraud_sc...


My Chase account does not require 2FA for my car payment login. That's a more reputable example.


From your comment above I assumed that you were saying that Namecheap was being criticized in other recent threads.


In which way does it cause them to be thrown under the bus in Western countries?


Don't western sanctions effectively FORCE namecheap to do this?


If the lives of 1,000 employees are threatened by a third party I think it's quite reasonable for a company not to continue offering its services to monetary supporters of this third party. Seems like a good business decision regardless of any sanctions.


I once had a domain at Namecheap show "Ownership change pending approval" to another username with a cancel link beside it and I recognized the username as someone who made offers before out of band. Never got an email or saw any kind of notification, and I've been in the game 25 years and know those extremely long domain transfer emails and read them carefully. Started transferring domains away after that.


What alternative host would you recommend?


I can heartily recommend https://inwx.com - they have exceptionally good support.


Porkbun and Cloudflare are the best and cheap


CloudFlare unfortunately still have a very limited subset of TLDs available.


What's Porkbun's support like?


I contacted them once before moving over and once after and they were good to me. I'm happy with them for domains but I wouldn't recommend them for email.


I’m quite happy with Glauca [1], they’re not quite as cheap but their DNS stuff is pretty good and they are friendly and helpful. Only downside is their website being a bit slow sometimes.

[1] https://glauca.digital




I've had a horrible experience with zone.ee (aka zone.eu) and will always caution clients against using them.

I had a client with a domain and some VPS hosted in zone.ee, and one day out of the blue with no prior communication, the client received a notice from a zone.ee employee that they had disabled a production service on a VPS, because apparently the Docker configuration of that service was causing some issues in their infrastructure, which was already quite strange.

The real scary part was that they didn't just turn off the VPS - the employee had actually backdoored into the running VPS and had manually disabled docker.service. The fact that they would do this without any communication beforehand just left me stunned and we immediately migrated away from zone.ee after that.


That sounds unfortunate. I imagine it must've been time-critical, some side-effect of Docker being virtualised? I'd guess the hands-on approach was to avoid a full service disruption that a full shutdown would've caused.

That aside, shielded VMs are very rare; most providers have the ability to see inside VMs and issue commands in them.


When switching away from DreamHost, I researched different domain registrars. I chose to try Namecheap and Dynadot, so I sent half of my domains to Namecheap, and the other half to Dynadot.

After the transfer lock period, I moved my domains from Namecheap to Dynadot. The prices were pretty much the same, but the interface was better, and Dynadot also passes on "name tasting" to the user (users can request a refund if they change their mind after buying a domain name).

I've also since used Dynadot's customer service one time, and it was good.

My only gripe with Dynadot is at the login screen: I set up 2FA, and they call it a "Google code", when you can use any other 2FA manager besides Google.


> When switching away from DreamHost

Out of curiosity, was there any particular reason you switched away from Dreamhost?


Their domain name prices are higher, and I feel like there might have been something else, but I don't remember. I still have shared hosting with them because I haven't bothered to shop around on that yet (I have more domain names than sites I host).


Thanks for the response. I have been a Dreamhost customer for about 20 years and have never had a significant problem with them. I don't find their domain name prices to be an issue, but I might be less price sensitive about that than others.


That's a pretty common problem. Nintendo also does this.


Their email service - Private Email - (which is otherwise pretty decent) also has a similar issue where they support 2FA and application passwords for the web interface, but don't enforce those rules via the IMAP/SMTP/POP/etc APIs - https://twitter.com/symbioquine/status/1362907237048479745


I’m really glad I migrated off Namecheap. Was a long time customer but when they had that massive dnssec outage and their support had no idea what it was doing, that was the last straw for me. I moved everything over to google (I know I know) and haven’t had a single second of downtime. Would love ideas for better alternatives, preferably privacy oriented.


I’ve been using gandi.net for years. They seem to care about playing by the rules and supporting privacy if their supported projects is anything to go by: https://www.gandi.net/en-US/gandi-supports


+1 for gandi.net's reputation. 10y straight of good service


> dnssec outage

DNSSEC signing happens at the nameservers run by the registry (verisign for .com, for example). Unless it was an issue with their API servers not properly calling the upstream APIs, I don't think namecheap is to blame here.

I personally think namecheap is dangerously close to being the next Godaddy, but I wouldn't hold DNSSEC issues against Namecheap or any other registrar.


It’s been a while but I recall it was a Namecheap issue.

https://ianix.com/pub/dnssec-outages/20190221-namecheap/


While this incident is certainly concerning a bigger question is which registrars can properly ward off attempts at social-engineering and other account access fraud and not sweep it under the rug. Even seemingly well intentioned companies utilize plain-text email for customer communication which is not exactly reassuring either.

MarkMonitor used to be a thing. Trusted by big companies but even the act of attempting to get information about their services has been met with difficulty. Regardless they have been acquired by an investment firm and there has been some concerns of quality-of-service because of that.


I really don't understand why people are still using this amateur site. Please don't give money to these idiots when they have better alternatives.


What are some of your favorite alternatives?


Porkbun has always been pretty solid. They support 2FA with TOTP and HOTP, the support is no bullshit email support that's reasonably fast, and the prices are quite low too.

Not affiliated, just a happy customer paying about $500 a year for a bunch of domains at Porkbun.


Thanks!


I was able to remove 2FA on one account without them verifying I'm the owner properly.


So what is a good registrar that works with lego to do dns acme?


You're paying for a more premium service, but DNSimple take security and service fairly seriously.

www.dnsimple.com

Including recently. “Secure your account with WebAuthn & FIDO2 security keys.”

You do need a subscription though: “A DNSimple subscription is required to register, transfer, or renew domain names. Domain registration, transfer, and renewal fees are not included in your subscription.“

That said I’m still currently a namecheap supporter, their backing for an open internet over the years has built my broader confidence in them, but I agree they need to be investing in pinging improvement especially when it comes to security practices.


fwiw, namecheap also supports FIDO2.


Next to Godaddy, Namecheap is one to avoid! I've actually had my DNS settings lost! And their response: 'sorry.... blah blah'




> randomly cancelling thousands of peoples domains on short notice simply due to the country they are from

Not wrong, but for more context, they made their Russian customers transfer their domains, when their Ukrainian offices started getting shelled by Russian invaders. It’s hard to stay politically neutral when your staff are literally being bombed


Choosing not to allow renewals would have been acceptable, but they straight cancelled those domains prematurely before the term of registration had ended. Basically pulling the rug out from underneath people without giving them adequate time to migrate. Allowing domains to be sniped by unscrupulous parties who put malware on them which hurt many thousands of people (mostly foreigners who had nothing to do with Russia). Totally irresponsible and criminally negligent behavior for any registrar. I hope they get sued for breaking their own contracts and causing widespread destruction via malware.


While I don't really care about the Ukraine crisis (it's just being used as a political tool here), Namecheap offices were being blown up by an invading force.

If Russia wants to have free commerce with Ukraine, including domain registration, then it shouldn't have invaded. As soon as war started, all trade requirements cease. In fact, I'm surprised it didn't become illegal immediately to have any commerce with Russia.


Where is “here” if you don’t mind me asking.


United States. Biden and Congress are just using "Ukraine Aid" as money for special interests (read corruption) and funding the military industrial complex as arms dealers.




I know every comment on HN should bring something to the discussion, but there is nothing to add here. 100% agree, US should have been sanctioned for the invasion of Iraq (and much more).


> I'm surprised it didn't become illegal immediately to have any commerce with Russia

Because you mistake Russian citizens for Russian Federation. Also someone needs that chea^W not so cheap now gas.


I get it, but this is like kicking Barron Trump (the kid) out of your home because you don’t like his father.

I get that you’re angry, I get that they’re related, but the kid doesn’t really have a say in how the father behaves. Same with Putin and most Russians.

I could be protesting in Moscow and you’re still pulling the domain from me. That’s not ok.

-

I don’t have a stake in this, I just don’t want to deal with shit if my prime minister 10k miles away is an asshole.


It wasn't how a registrar should act. But it was a completely understandable way to act, and given their emotional distress at the time, I think they deserve a fuckton of slack when judging how bad this mistake was.

I probably would have done the same thing in their shoes.

As for prime ministers being assholes affecting you, that is just the reality of global politics. I could say 'vote better' but that doesn't help much.


> It wasn't how a registrar should act.

So we agree. If you act the wrong way, I won’t give you business. It’s not a hard concept, regardless of the motivations behind it.


> without giving them adequate time to migrate

They gave them a month.

That would seem to be plenty of time to find a new registrar and transfer the domain.


They gave less than two weeks: on Feb 28 people received the letters "asking" them to GTFO by March 6, 2022.

I would just point to my comment back then: https://news.ycombinator.com/item?id=30507975

Also I would remind you what other services were cut immediately:

> Additionally, and with immediate effect, you will no longer be able to use Namecheap Hosting, EasyWP, and Private Email with a domain provided by another registrar in zones .ru, .xn--p1ai (рф), .by, .xn--90ais (бел), and .su. All websites will resolve to 403 Forbidden, however, you can contact us to assist you with your transfer to another provider.

Also I would point out the other comment in that thread: https://news.ycombinator.com/item?id=30505934 Looks like someone wasn't satisfied with the ban by country and resolved it by grepping by names/last names. Doesn't that remind you of anything?


The original date was March 6 but was extended to March 22.

https://www.theverge.com/2022/3/1/22956581/russia-ukraine-na...


You know, "gave plenty of time (1 week)" and "gave plenty of time ONLY AFTER PEOPLE ACTIVELY COMPLAINED (still less than 4 weeks)" are two different things.


>Received the same email. I'm based in Lithuania and I have a Russian first name. No Russian addresses, IPs, billing info etc (because I have never been there!). How do you even select people to target with this? It's past midnight, I'm trying to figure out my options here. How exactly do the Euros I pay you from EU contribute to the Russian aggression?

This is utterly appalling. I'm at a loss for words.


The minimum length of registration at practically all registrars is 1 year. It's practically unheard of, and against all professional standards for registrars, to cancel a person's domains prematurely. Nobody expects it and they knew that and they pulled the rug anyway because apparently they value virtue signaling more than security.


According to other comments here, their offices were being shelled by the Russians. At that point, taking action against Russians isn't virtue signalling.


> virtue signaling

Or maybe they just don't want to incur the risk of doing business with a sanctioned country.


>Choosing not to allow renewals would have been been acceptable but they straight cancelled those domains prematurely before the term of registration had ended.

As a Russian who was (and technically still is) one of their customers: this is not accurate, or at least is only true for some domains.

I've had two domains registered and managed via NC and decided to only transfer the former.

As of now the other one is still up.


> when their Ukrainian offices started getting shelled by Russian invaders.

Do you have a source for this?


I doubt it was their customers bombing them. If anything, taking money out of the country should be a good thing if they don't want to support that country.


> It’s one of those cheap bottom of the barrel vendors which of course takes shortcuts to make the price so cheap.

NameCheap is only the cheapest for _one_ TLD in terms of renewal cost (https://tld-list.com/registrars). Love that site.


Huh I guess they are just taking shortcuts to enrich themselves then - even less noble than I’d thought.


You seem knowledgeable, so, what do you think about Porkbun?


Not OP, I just took a look at Porkbun.

They appear to take security seriously. You can choose to receive emails upon each successful and/or failed login. You can view a list of recent logins to your account on the website. You can force log out all sessions. Additional authentication methods include two-factor codes, WebAuthn w/ physical keys. You can download a set of backup, one-time-use codes. You can restrict IP addresses allowed for login. They also check if your email address is present in known password leaks, and prompt you to turn on 2FA for added security.

The web interface is quick, has a simple design (Bootstrap/Foundation? for CSS), and doesn't feel flimsy.

