Who’s Behind the DomainNetworks Snail Mail Rip-off? – Krebs on Safety

Should you’ve ever owned a website title, the possibilities are good that in some unspecified time in the future you’ve obtained a snail mail letter which seems to be a invoice for a website or website-related providers. In actuality, these deceptive missives attempt to trick folks into paying for ineffective providers they by no means ordered, don’t want, and possibly won’t ever obtain. Right here’s a take a look at the newest incarnation of this rip-off — DomainNetworks — and a few clues about who could also be behind it.

The DomainNetworks mailer could reference a website that’s or was at one level registered to your title and tackle. Though the letter consists of the phrases “advertising providers” within the higher proper nook, the remainder of the missive is deceptively designed to appear to be a invoice for providers already rendered.

DomainNetworks claims that itemizing your area with their promotion providers will lead to elevated visitors to your web site. It is a doubtful declare for an organization that seems to be an entire fabrication, as we’ll see in a second.  However fortunately, the proprietors of this enterprise weren’t so troublesome to trace down.

The web site Domainnetworks[.]com says it’s a enterprise with a publish workplace field in Hendersonville, N.C., and one other tackle in Santa Fe, N.M. There are a couple of random, non-technology companies tied to the telephone quantity listed for the Hendersonville tackle, and the New Mexico tackle was utilized by a number of no-name website hosting corporations.

Nevertheless, there may be little related to those addresses and telephone numbers that get us any nearer to discovering out who’s operating Domainnetworks[.]com. And neither entity seems to be an energetic, official firm of their supposed state of residence, not less than in accordance with every state’s Secretary of State database.

The Higher Enterprise Bureau listing for DomainNetworks provides it an “F” ranking, and consists of greater than 100 critiques by folks offended at receiving considered one of these scams by way of snail mail. Helpfully, the BBB says DomainNetworks beforehand operated underneath a distinct title: US Area Authority LLC.

DomainNetworks has an “F” status with the Higher Enterprise Bureau.

Copies of snail mail rip-off letters from US Area Authority posted on-line present that this entity used the area usdomainauthority[.]com, registered in Might 2022. The Usdomainauthority mailer additionally featured a Henderson, NC tackle, albeit at a distinct publish workplace field.

Usdomainauthority[.]com is now not on-line, and the location appears to have blocked its pages from being listed by the Wayback Machine at archive.org. However looking on an extended snippet of textual content from DomainNetworks[.]com about refund requests exhibits that this textual content was discovered on only one different energetic web site, in accordance with publicwww.com, a service that indexes the HTML code of current web sites and makes it searchable.

A misleading snail mail solicitation from DomainNetwork’s earlier iteration — US Area Authority. Picture: Joerussori.com

That different web site is a website registered in January 2023 referred to as thedomainsvault[.]com, and its registration particulars are likewise hidden behind privateness providers. Thedomainsvault’s “Continuously Requested Questions” web page is kind of much like the one on the DomainNetworks web site; each start with the query of why the corporate is sending a mailer that appears like a invoice for area providers.

Thedomainsvault[.]com consists of no helpful details about the entity or individuals who function it; clicking the “Contact-us” hyperlink on the location brings up a web page with placeholder Lorem Ipsum textual content, a contact kind, and a telephone variety of 123456789.

Nevertheless, looking passive DNS records at DomainTools.com for thedomainsvault[.]com exhibits that in some unspecified time in the future whoever owns the area instructed incoming e mail to be despatched to [email protected].

The primary consequence that at the moment pops up when trying to find “ubsagency” in Google is ubsagency[.]com, which says it belongs to a Las Vegas-based Search Engine Optimization (search engine marketing) and digital advertising concern generically named each United Enterprise Service and United Enterprise Companies. UBSagency’s web site is hosted on the similar Ann Arbor, Mich. based mostly internet hosting agency (A2 Internet hosting Inc) as thedomainsvault[.]com.

UBSagency’s LinkedIn page says the corporate has places of work in Vegas, Half Moon Bay, Calif., and Renton, Wash. However as soon as once more, not one of the addresses listed for these places of work reveal any apparent clues about who runs UBSagency. And as soon as once more, none of those entities seem to exist as official companies of their claimed state of residence.

Looking on [email protected] in Constella Intelligence exhibits the tackle was used someday earlier than February 2019 to create an account underneath the title “SammySam_Alon” on the inside adorning web site Houzz.com. In January 2019, Houzz acknowledged {that a} knowledge breach uncovered account info on an undisclosed variety of clients, together with person IDs, one-way encrypted passwords, IP addresses, metropolis and ZIP codes, in addition to Fb info.

SammySam_Alon registered at Houzz utilizing an Web tackle in Huntsville, Ala. ( Constella says this tackle was related to the e-mail [email protected], which is also tied to a number of different “Sammy” accounts at totally different shops on-line.

Constella additionally says a extremely distinctive password re-used by [email protected] throughout quite a few websites was utilized in reference to only a few different e mail accounts, together with [email protected], and [email protected].

The [email protected] tackle was used to register a Twitter account for a Sam Orit Alon in 2013, whose account says they’re affiliated with the Shenhav Group. Based on DomainTools, [email protected] was answerable for registering roughly two dozen domains, together with the now-defunct unitedbusinessservice[.]com.

Constella additional finds that the tackle [email protected] was used to register an account at whmcs.com, a website hosting platform that suffered a breach of its person database a number of years again. The title on the WHMCS account was Shmuel Orit Alon, from Kidron, Israel.

UBSagency additionally has a Facebook page, or perhaps “had” is the operative phrase as a result of somebody seems to have defaced it. Loading the Fb web page for UBSagency exhibits a number of of the photographs have been overlaid or changed with a message from somebody who’s actually disenchanted with Sam Alon.

“Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D*CK,” reads one of many messages:

The present Fb profile web page for UBSagency features a brand that’s much like the DomainNetworks brand.

The emblem within the UBSagency profile photograph features a graphic of what seems to be a magnifying glass with a line that zig-zags by bullet factors inside and out of doors the circle, a singular sample that’s remarkably much like the emblem for DomainNetworks:

The logos for DomainNetworks (left) and UBSagency.

Constella additionally discovered that the identical Huntsville IP tackle utilized by Sam Alon at Houzz was related to yet one more Houzz account, this one for somebody named “Eliran.”

The UBSagency Fb web page options a number of messages from an Eliran “Dani” Benz, who’s referred to by commenters as an worker or associate with UBSagency. The final check-in on Benz’s profile is from a seashore at Rishon Letziyon in Israel earlier this yr.

Neither Mr. Alon nor Mr. Benz responded to a number of requests for remark.

It could be troublesome to imagine that anybody would pay an bill for a website title or search engine marketing service they by no means ordered. Nevertheless, there may be loads of proof that these phony payments typically get processed by administrative personnel at organizations that find yourself paying the requested quantity as a result of they assume it was owed for some providers already offered.

In 2018, KrebsOnSecurity printed How Web Savvy are Your Leaders?, which examined public information to indicate that dozens of cities, cities, college districts and even political campaigns throughout the USA bought snookered into paying these rip-off area invoices from an identical rip-off firm referred to as WebListings Inc.

In 2020, KrebsOnSecurity featured a deep dive into who was seemingly behind the WebListings rip-off, which had been sending out these snail mail rip-off letters for over a decade. That investigation revealed the rip-off’s connection to a multi-level advertising operation run out of the U.Okay., and to 2 brothers residing in Scotland.