Saturday, July 27, 2013

Tariff DNS Scam Email - DreamHost Phishing Scam

Recently, I received an email that was supposed to have come from my hosting company. It said I needed to confirm a request for changing of a tariff plan. However, the wording was awful and it was very non-specific as to the recipient. The email I got was as follows:

Dear DreamHost client,

In your account has been created request for changing of a tariff plan. 
It is necessary confirmation of this request. 
You can do it in the section (Change tariff) Virtual Offices :


DreamHost hosting Team.

Someone who is rushing may not read the contents of this email and just click the link. This clever scammer set up a catch-all subdomain so that the link would even appear to be directing to DreamHost. The link would take you here:

At first glance, this appears to go to, but notice that it is really all part of a complex sub-domain meant to confuse the recipient. The root domain is actually:

Looking at the whois record for this domain we can find out the following information.

This domain is hosted by and resolves with domain servers to by a company with the following registration record:

XOL Holding
Beirut, Beirut xxxxx

The technical contact information for this domain is:
Nassar Center
5th Floor
Charles El-Helou Avenue, Rmeil
Beirut,  20727508

This happens to be the ISP end point, a company in Lebanon called Terra Net. This company has chosen to not disclose more information about the scammers.

So looking at the main website for, we find out some interesting information. One, that they used a company called art-promotion to build and design their site. This company happens to also be in Lebanon, so I looked up their whois and found that they were also hosted on and contact information.

Saab, Jean
Art Promotion
Nahr el Mot
Beirut, -

So I went to look closer at and found that this might be a cover site (or some poor site that got hacked). The poor design and lack of ecommerce functionality are what seem to indicate that there was more than meets the eye. You can't checkout with any of the items they sell. It's difficult to think that isn't part of the scam.

Regardless of who this phishing scam came from, be sure to take the time to read your emails before you go clicking links and signing in.
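
The subdomain trick described above can be checked mechanically. The following is an added example, not part of the original post: it reduces a link's hostname to its registrable (root) domain and flags links where the brand name appears only as subdomain decoration. The names phish.example and unrelated.example are constructed placeholders, and the short suffix set is an assumed stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; real tooling
# should load the full list instead of this hand-picked set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.lb", "co.jp"}

def registrable_domain(host):
    """Return the public suffix plus the one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_link(url, trusted_domain):
    """Classify a link against the domain the email claims to come from."""
    host = urlsplit(url).hostname or ""   # hostname is lowercased, port dropped
    root = registrable_domain(host)
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]         # "dreamhost" for "dreamhost.com"
    if root == trusted:
        verdict = "ok"
    elif brand in host:
        verdict = "lookalike"             # brand is only in the subdomain part
    else:
        verdict = "foreign"
    return {"host": host, "root": root, "verdict": verdict}

# Constructed sample links (not the URL from the email described above).
SAMPLES = [
    "https://panel.dreamhost.com/index.cgi",
    "http://panel.dreamhost.com.billing.phish.example/tariff",
    "http://dreamhost.com.phish.example.co.uk/",
    "http://unrelated.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = check_link(url, "dreamhost.com")
        print(f"{r['verdict']:9} root={r['root']:20} {url}")
```

A hostname is read right to left, so whatever sits to the left of the registrable domain is under the control of whoever owns that domain.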

