Domain Spotlight:

Fake ICANN Update Email Helps Thief Steal Domains

As reported on Nametalent earlier today, respected DnForum member Tim Schoon aka Toilet-Monster had his Godaddy account hacked and emptied.  Obviously everyone wanted to know how someone could get into his account and Tim figured it out.  They got it through a fake ICANN email that lead to a fake mirror site.  Here is the email he received.

The link is masked and lead to GobDaddy instead.<<<<——–Tim points out what happened

****************************** ***********
Important ICANN Notice Regarding Your Domain Name(s)
****************************** ***********

Dear User,

it is that time of year again. ICANN(the Internet Corporation for Assigned Names and Numbers) annually requires that all accredited registrars (like ask their domain administrators/registrants to review domain name contact data, and make any changes necessary to ensure accuracy. According to our records you are the ADMINISTRATIVE CONTACT for one or more domains registered at, Inc. as of May 1st, 2010.

To review/update your Account data, simply:
+ Login to default.aspx?isc=ICANN0908a& amp;ci=8987
+ You will be taken to a landing page and asked to enter your account information
Please take a look that your account and domain information is up to date.

If, however, your domain contact information is inaccurate, you must correct it. (Under ICANN rules and the terms of your registration agreement, providing false contact information can be grounds for domain name cancellation.) To review the ICANN policy, visit: whois/wdrp-registrant-faq.htm

Should you have any questions, please email us at [email protected] or call our customer support line at (480) 505-8877.

Thanks for your attention and thank you for being a, Inc. customer.

Sincerely,, Inc. Domain Support

If you are the domain administrator of more than one domain account, you may receive this notice multiple times.

There is no better way to scam a person than to become part of a routine and getting ICANN emails is certainly a regular routine for domainers. We get them weekly and I would be that most people click blindly. Luckily for me a thief probably hacked into my account and saw all the shitty domains and figured it wasn’t worth his time moving them.

To read the thread and how it went down you can go over to DnForum

Domain Spotlight:

6 Replies to “Fake ICANN Update Email Helps Thief Steal Domains”

  1. “Luckily for me a thief probably hacked into my account and saw all the shitty domains and figured it wasn’t worth his time moving them.”

    ^ Funny Stuff! ^


    A, never click a link in an email
    B, Dear User should have been clue #1 it was a fake
    C, Hoover over any link and really know what you are looking at in the lower browser wind, if you intend to click it.
    D, If you suspect you clicked a link like this, change your passwords ASAP

  2. What took them so long?

    When that idiotic WDRP policy was instituted I surmised pretty well instantly that this would be the major takeaway: An ICANN mandated phishing attack vector against all domain holders.

    The policy solves nothing, introduces confusion and makes problems worse. Thank you ICANN. Why don’t you go do something effective for a change?

  3. Called the Godaddy account executive. All names now locked down. No push or transfers without a phone call and password.

    Before, I was changing all the contact info on all the names at the same time to reset the “60 day no transfer” policy they had in place. But it didn’t protect against internal transfers/pushes.

  4. John, how did you ‘lock down’ your Godaddy account? I called in awhile back hoping to do the same thing, and they told me that such a thing was not possible. Any help would be much appreciated!!!

  5. @Bernard

    If you have at least 300 names at Godaddy , you’ll be assigned an account executive. If not, there isn’t a whole alot you can do.

    Another option is, if you have have a limited amount of names, is to look at and their security key for domains.

  6. A simple solution to prevent accidents like this: disable html for the admin e-mail you use for your domain’s whois records. That way you will see the actual URL and not just the masked/fake one.

    I’m glad you got your names back so fast Tim. I’m sure you had some nerve wrecking moments in the middle of this one!

Comments are closed.