With email subjects such as:
Attention: domain is expired
Attention: domain will be expired soon.
Attention: domain will be expired tomorrow.
Attention: domains are expired.
Attention: domains will be expired tomorrow.
Please, renew your domain
Please, renew your domains
Your domain are expired at this time!
Your domain is expired today!
Your domain will be deleted soon
Your domain will be deleted today
the phisher hopes to get the attention (and the userid and password) of the legitimate owners of domains registered at Network Solutions.
The email body looks like this:
Dear Network Solutions Customer,
We recently notified you that the registration period for your Network Solutions domain name had expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.
Renew your domain now - http://www.networksolutions.com
You must click on the following link, enter your domain name, and confirm your contact information in order to claim these funds. If your contact information is not correct, you must enter Account Manager and make the appropriate changes prior to clicking "submit" from the confirmation screen. If you do not do this, you will be confirming inaccurate information and will not receive any payment. Checks will only be made payable and mailed to the Account Holder of record.
Network Solutions® Customer Support
With Senders such as:
NetworkSolutions Support Team
networksolutions.com Tech Support
and From addresses such as:
and nonsense tags such as:
We expect more URLs will be added, as we are still on the early side of this phishing spam campaign, but here is what we have seen so far at the UAB Spam Data Mine.
We've reported these domains and hope to see quick action by the registrar for them.
As with every current top spam campaign, the registration WHOIS information indicates the registrant as being "Shestakov Yuriy" AKA Alexey Vasiliev - the registrant behind all the top "Russian girls" spam domains and most of the Canadian pharmacy spam domains, who has also used email addresses "firstname.lastname@example.org" and "email@example.com" as his identity when registering domains.
Hopefully OnlineNIC will terminate these domains quickly.
As with yesterday's eNom domains - these domains are fast flux hosted on the same site as a great deal of child pornography. More details are available to law enforcement.