Thursday, January 30, 2014

Network Solutions Is Most Likely Not Phishing

You may have read my rant earlier this week about Network Solutions trying to trick me into allowing them to send me spam. As part of that dark pattern, Network Solutions asks me to verify my contact information, and then tries to up-sell me, and then suggests that I need to verify my contact information (but which is really a spam opt-in).

You can imagine I am primed against being asked to confirm my information by Network Solutions.

For a little extra context, since I receive a few emails a week from Network Solutions (such as this one to auto-renew, or this one for SEO, or this one to obfuscate my WHOIS info), which jumps to daily after I partake in any activity on the Network Solutions site, I typically filter them into dev/null/i-mean-it.

So I was wary when I received the following email once yesterday (the day after I renewed my domain) and once again today:

Screen shot of the offending email.
I block Outlook from downloading embedded images to prevent spammers tracking when I have opened their emails, hence the missing images.

The message within:

Dear Customer,

New Regulations now require that domain account holders confirm their email information otherwise their domain will be deactivated. If your domain is deactivated you will still own the domain but you will not be able to have a live website until you verify your contact information.

To ensure your domain(s) remain active, please click the CONFIRM button below to confirm the email address we have for you is accurate.

Note the explicit threat. Note the lack of a link to the new regulations, let alone the source of those regulations. Note the shiny red all-caps CONFIRM.

I think we've all spent enough time as family tech support to know that you aren't supposed to click links in emails. My bank tells me this, the government tells me this, it's on general support sites, and even Network Solutions has had to tell people not to click links in emails (not to mention recent news of a GoDaddy hack). Heck, robots know this — f you type don't click into the Google search box, it will auto-complete with on links in email:

Image of Google's auto-complete search box.
I know this is anecdotal, but it's a great image to make my point.

Because I am a child of the internet age, and because the support phone number in the email could point to anyone, I contacted Network Solutions on Twitter to see if this was for real:

It's like I'm texting with a 13-year-old.

Reassured the phone number in the email is a true Network Solutions number, I called and navigated the menu system. After I explained the situation and why I don't want to click the link, the representative explained that my domain will be shut down if I don't do it. He could not offer a time frame (but he hadn't seen anyone shut down because no one has waited more than two weeks). He also said he cannot do this over the phone and that I must click the link.

When I pressed for the regulation, he said it's an ICANN regulation but could not tell me where to find it. He explained that if I don't respond, eventually my domain will point to a parked page (my word), though he didn't know if it's an advertisement-laden Network Solutions page or an ICANN page.

When I got off the phone, I looked around for an ICANN regulation. The closest thing I found was in a PDF dated June 27, 2013 (page 43, under WHOIS Accuracy Program Specification):

Registrar shall implement and comply with the requirements set forth in this Specification […]

  1. […] within fifteen (15) days of (1) the registration of a Registered Name sponsored by Registrar, (2) the transfer of the sponsorship of a Registered Name to Registrar, or (3) any change in the Registered Name Holder […]
    1. Verify:
      1. the email address of the Registered Name Holder (and, if different, the Account Holder) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or
      2. the telephone number of the Registered Name Holder […]
      In either case, if Registrar does not receive an affirmative response from the Registered Name Holder, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information.

Having registered and renewed domains since July, and given that this was a renewal, the fact that I just got this for the first time does seem like the implementation has been delayed.

So by that language, yes, Network Solutions can do exactly what it is doing. Given Network Solutions' constant spam, constant final notice of deactivation messages that are not, in fact, final, and folded in with its dark patterns on the web site, I don't trust anything I get from Network Solutions as far as I can spit it. It doesn't help that I saw no notifications of this (unlinked) nameless regulation when I was in my account two days ago, so I also wasn't primed for it after I had just verified my contact information.

So what's the takeaway here? Don't do what Network Solutions does and you will have taken a big step to avoid being viewed as a spammer or phisher by your own customers.

Related

Update: February 7, 2014

The day after I posted this, Network Solutions offered some explanation on its blog: "Domain Verification Emails from Network Solutions Related to New ICANN Security Regulations." I found out about it today when Network Solutions responded to my latest related tweet:

Update: February 19, 2014

As you can see in the comments below, one user commented on the Network Solutions blog post, was acknowledged, and then Network Solutions removed the commenting feature altogether. He was able to provide me with a screen capture of the comments (and reply) from Disqus:

Screen shot of the Disqus discussion.
Screen shot of the Disqus discussion. Transcript now available.

Update: April 10, 2014

Meanwhile, after telling me to click the link in the email (see above), NetSol is telling other users not to click links in email, "to be safe." This certainly doesn't help reduce confusion.

30 comments:

  1. I feel the same way you do. I have not clicked on the big red confirm button, but I manage a couple of websites and I'm afraid that they will eventually shut me down. I was actually more afraid that it was a virus of some type that may damage my computer or worse, steal all my contact information and send them spam mail from me! I have 13,000 email addresses in my database! This is ridiculous!

    ReplyDelete
  2. If it looks like a phish, swims like a phish, and sounds like a phish, then it probably is a phish

    http://msmvps.com/blogs/spiderwebwoman/archive/2014/02/07/1968813.aspx

    ReplyDelete
  3. I got two of these 26 hours apart. The whole email smells of phish. The header shows that the email originates from rcom.com, and not networksolutions.com, and the wording in the email set off my BS-o-meter. The generic "Dear Customer", ominous "New Regulations" (with no link for verification), threat of imminent domain shutdown with no timeline, and vague instructions beyond clicking the glaring red button are all warning flags to a cautious internet user in charge of maintaining the security of any domain.

    This email was sent to the email address that is publicly listed on the WHOIS for my domain; anyone could have sent this email. NS could have included the last portion of my account number, or described the recent activity that triggered the email. Some sort of information that only I would know to verify its origin.

    If this is a legitimate email, shame on Network Solutions for such a poor implementation. I would expect an email asking me to sign in to my Network Solutions account and verify any information there. That way I can separately navigate to networksolutions.com and sign in without clicking any link in an email.

    ReplyDelete
  4. Interesting, I posted some comments suggesting the rethink their approach on this page:
    https://www.networksolutions.com/blog/2014/01/domain-verification-emails-from-network-solutions-related-to-new-icann-security-regulations/#comment-1243245230

    My comments remained online for a few days, then I received a comment reply from NetSol saying:

    "Thank you for your feedback, Tyler. Your input is important to us. You've made some valuable points and we’ll consider for future updates to the process."

    Then they promptly deleted my comments from their site and removed the feature allowing people to comment.

    ReplyDelete
    Replies
    1. I recall seeing your comment on the Network Solutions post, I believe on February 7 when I updated this post. I did not screen cap it, though. Any chance you got one?

      Delete
    2. I am also receiving these requests from NS - it is always after renewing a product OR logging into my account. I refuse to give Network Solutions any additional information - in fact, I'm sure embedded somewhere in the link they have hidden language allowing them to spam your e-mail and once again begin the barrage of telemarketing calls.

      I have also noticed that they have changed ALL of their menus (on user accounts when changing configuration / or adding mailboxes etc) to default to OPTING IN on upgraded services that will be billed automatically if you do not actively OPT OUT by contacting them via Telephone.

      I am cannot wait until the end of my agreement when I can move everything to another host.

      Delete
  5. No, I wish I had done that! I can give you a screen cap of my Disqus thread though...it's all in there. I'll send you a separate message via your contact form.

    ReplyDelete
  6. Thanks Adrian for the info. I just received one of these emails today after adding some new domains last week. This email just screams "phishing!" - cannot believe what I am seeing. After reading your blog, looks like I have no choice but to click and hope. Terrible.

    ReplyDelete
  7. I received one of these notices during the overnight and Google in its wisdom, decided it was Spam and gently placed it in my Spam folder along with 70 other messages.

    I don't know why, but I happened to notice it when I cleared my Spam folder this AM.

    I called Network Solutions and used my outside voice on a Representative, followed by a person who said she was a Supervisor. They said that it is my problem and I will need to take up the Spam folder problem with Google.

    I will be moving whatever I have to Go Daddy, as soon as possible.

    ReplyDelete
    Replies
    1. Mike, FWIW, I am not a fan of GoDaddy so I can't help my suggest you look at some other registrars as well and weigh your options. I have been looking at Hover, for example, but I haven't made a final decision on where to move my domains.

      Delete
    2. Thanks, I'll ask my Server Admin. He has more experience and may know of a better choice.

      In the meantime, I am in the process of filling out an online form with the NYS Attorney General. I can't say that it will accomplish anything other than lower my blood pressure, but if the get about 50 of these, I bet they will at least give NS a phone call. Link is here:
      http://www.ag.ny.gov/internet-bureau-online-complaint-form

      Delete
  8. Thanks for the heads up on this Adrian. The email from NetSol certainly smelt of phish to me.

    @ Mike Ellsworth

    I had a domain registered with GoDaddy years ago that expired with no notice from them. It was immediately purchased by a squatter who wanted several thousand dollars to transfer the domain back to me. I refused to pay.

    ReplyDelete
  9. A further thought. A few days ago, one of my users received an email demanding a changed password: "Dear Email User,

    In 10 days, your Network Solutions email passwords will expire, resulting in an interruption of your email service."

    I reported it to NetSol's helpdesk. I will be reporting the current phish to NetSol. Perhaps if they receive a sufficient number of helpdesk requests, they will desist.

    Just a thought. And the helpdesk requests must surely be sufficient confirmation that the domain is active to comply with the ICANN regulation.

    ReplyDelete
  10. Just got this today. Not sure what to do. So did you click the button? What happened?

    ReplyDelete
    Replies
    1. Joe, I did indeed click the button. I don't feel I had much choice. No viruses, no stolen identity, just a verification screen with a terse message that underwhelmed me given all the stress the email created.

      Delete
  11. Not only did I receive this today, I also got notice that my order of a .info domain was complete for a cost of $0. I ordered no such domain, but now I am subject to this email verification. Very shady.

    ReplyDelete
  12. Thanks so much for all the effort you put into this blog - and for all the comments. Also, thank Adrian for saying you clicked the button and nothing untoward happened. I guess that buys me some time before I figure out how to leave Network Solutions forever. Thanks! DHC

    ReplyDelete
  13. Well, I took the plunge and clicked the link after reading your post/comments and a few others. But I'd also recommend that everyone log into their NS account, hit the "contact us" link and take a few minutes to explain (politely but firmly) what you think of this behavior. Given how many alternative services there are for domain registration they really shouldn't feel like they can send this kind of crud out with impunity. If there IS a legitimate reason for something like this, the right way to do it is to ask people to go to NS and log into their accounts, not send them a link in an email that reeks of phishing.

    ReplyDelete
  14. I just received the same email and based on this blog and comments clicked that scary looking "confirm" button.

    Fingers crossed.........

    ReplyDelete
  15. To the best of my knowledge, I have not recently renewed or changed anything with any domain names I have with Network Solutions. However, I am receiving emails to click to confirm my email address. There is no information to indicate what domain this regards, or any personal information to indicate it is truly from Network Solutions. Thank you all for your posts, it helped me at least decide that I am calling them before doing anything. I will also be logging on to see if things have changed, or someone has given me a "free" domain name or something! I agree, this is very poor business practice on their part, if it is truly from them, and it should be outlawed. This type of email goes against all security basics. If this is from them, in my opinion, they should be setting a good example, not causing un-due stress and confusion, let alone using our time to handle their lack of integrity and professionalism.

    ReplyDelete
  16. I got this too, and of course after it was identified as SPAM by every SPAM engine we use. But I found it, reviewed it, researched it (which brought me here) and then called NetSol to complain. They were then able to verify me over the phone, which they said is something they have had to start doing because they've received so many complaints about this email (don't know if that's true or not). So if you don't want to give in to clicking on this email out of sheer principal alone, call them and waste their time and money (call center calls aren't cheap) and have them do the work for you. On the downside it took 3 different agents 30 minutes to do this, but that's 30 minutes out of their days wasted on this. Hopefully they see that cost (multiplied by hundreds or thousands of other calls), and the fact that I'm inclined to move my accounts away from them due to this and all the other unsolicited marketing materials I get from them, as a good enough reason to try harder to make this more legit next time.

    ReplyDelete
    Replies
    1. Handy to know (for those who don't mind blasting hold music on speakerphone for their office mates). Referenced this in a tweet today for yet someone else frustrated by the process: https://twitter.com/aardrian/status/459423118906634240

      Delete
  17. Apparently you can now complain to this address: listen@networksolutions.com

    ReplyDelete
  18. Just opened a support ticket with NS telling them that this thing looks ridiculous and is not the way to go about doing it. Even Gmail thought it was spam.

    ReplyDelete
  19. the http://whoisaccuracy-portal.networksolutions.com hostname makes the email look LESS legitimate- it looks like any othe phishing scam trying to maks an illigetimate domain.tld with an official-sounding hostname.!

    ReplyDelete
  20. I created a ticket number with Network Solutions and they said:

    With regard to your concern, please be advised that the valid e-mail address where ICANN Validation e-mails should come from is support@networksolutions.com. Please be informed that the e-mails that you have received are spoofed e-mails. Please refrain from clicking any buttons available on the e-mail.

    So, being the case, it makes you wonder if this blog is fraud and representing it in some way.

    ReplyDelete
    Replies
    1. This blog or one of the URLs referenced above?

      Delete
  21. Hi everyone I need your help. We've been with networksolutions since about 2005 and have been experiencing a lot of issues lately. Mostly that they have been forcing us or tricking us into purchasing upgrades for things we do not want. Also noticed that our email users are being prompted upgrades that would result in charging us though it doesnt state this.

    How does someone move their entire account to another service? We still have over a year with them before everything expires. Has anyone had a smooth transition with their domains to another service or does network solutions hold them ransom on you?

    ReplyDelete
    Replies
    1. Choose your Domain Name Service provider, unlock domain in NetSol, get auth key, start transfer process with new DNS provider.
      Make sure to backup all website and email accounts.
      Then get new host, point DNS to new host, restore/upload website and email.
      Fairly straight forwards. I could blog about it, as I have one more domain to transfer.

      Delete
  22. To add to the furor, I got an email telling me my .info domain is about to expire today (my .com will expire next month, and I've been getting notices about that for weeks). I thought what the hell I never asked for a .info domain! So I typed in my domain.info. Voila it forwards to my .com domain. So I assume they are now trying to trick customers into registering a .info domain as well. Needless to say I didn't click on anything to download the pics. What a bunch of a$$holes. I just called my ISP to see what was up and they confirmed that NS wants me to add .info (and apparently other get a notice for .us as well) to add to the registration fees, and what they need to do to transfer me to transfer me to their registration service. The only reason I still used them is because they were the only option 20 years ago (yikes!). So long jerks!

    ReplyDelete