Showing posts with label NetSol. Show all posts

Thursday, January 30, 2014

Network Solutions Is Most Likely Not Phishing

You may have read my rant earlier this week about Network Solutions trying to trick me into allowing them to send me spam. As part of that dark pattern, Network Solutions asks me to verify my contact information, and then tries to up-sell me, and then suggests that I need to verify my contact information (but which is really a spam opt-in).

You can imagine I am primed against being asked to confirm my information by Network Solutions.

For a little extra context, since I receive a few emails a week from Network Solutions (such as this one to auto-renew, or this one for SEO, or this one to obfuscate my WHOIS info), which jumps to daily after I partake in any activity on the Network Solutions site, I typically filter them into dev/null/i-mean-it.

So I was wary when I received the following email once yesterday (the day after I renewed my domain) and once again today:

Screen shot of the offending email.
I block Outlook from downloading embedded images to prevent spammers tracking when I have opened their emails, hence the missing images.

The message within:

Dear Customer,

New Regulations now require that domain account holders confirm their email information otherwise their domain will be deactivated. If your domain is deactivated you will still own the domain but you will not be able to have a live website until you verify your contact information.

To ensure your domain(s) remain active, please click the CONFIRM button below to confirm the email address we have for you is accurate.

Note the explicit threat. Note the lack of a link to the new regulations, let alone the source of those regulations. Note the shiny red all-caps CONFIRM.

I think we've all spent enough time as family tech support to know that you aren't supposed to click links in emails. My bank tells me this, the government tells me this, it's on general support sites, and even Network Solutions has had to tell people not to click links in emails (not to mention recent news of a GoDaddy hack). Heck, robots know this — if you type don't click into the Google search box, it will auto-complete with on links in email:

Image of Google's auto-complete search box.
I know this is anecdotal, but it's a great image to make my point.

Because I am a child of the internet age, and because the support phone number in the email could point to anyone, I contacted Network Solutions on Twitter to see if this was for real:

It's like I'm texting with a 13-year-old.

Reassured the phone number in the email is a true Network Solutions number, I called and navigated the menu system. After I explained the situation and why I don't want to click the link, the representative explained that my domain will be shut down if I don't do it. He could not offer a time frame (but he hadn't seen anyone shut down because no one has waited more than two weeks). He also said he cannot do this over the phone and that I must click the link.

When I pressed for the regulation, he said it's an ICANN regulation but could not tell me where to find it. He explained that if I don't respond, eventually my domain will point to a parked page (my word), though he didn't know if it's an advertisement-laden Network Solutions page or an ICANN page.

When I got off the phone, I looked around for an ICANN regulation. The closest thing I found was in a PDF dated June 27, 2013 (page 43, under WHOIS Accuracy Program Specification):

Registrar shall implement and comply with the requirements set forth in this Specification […]

  1. […] within fifteen (15) days of (1) the registration of a Registered Name sponsored by Registrar, (2) the transfer of the sponsorship of a Registered Name to Registrar, or (3) any change in the Registered Name Holder […]
    1. Verify:
      1. the email address of the Registered Name Holder (and, if different, the Account Holder) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or
      2. the telephone number of the Registered Name Holder […]
      In either case, if Registrar does not receive an affirmative response from the Registered Name Holder, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information.

Having registered and renewed domains since July, and given that this was a renewal, the fact that I just got this for the first time does seem like the implementation has been delayed.

So by that language, yes, Network Solutions can do exactly what it is doing. Given Network Solutions' constant spam, constant final notice of deactivation messages that are not, in fact, final, and folded in with its dark patterns on the web site, I don't trust anything I get from Network Solutions as far as I can spit it. It doesn't help that I saw no notifications of this (unlinked) nameless regulation when I was in my account two days ago, so I also wasn't primed for it after I had just verified my contact information.

So what's the takeaway here? Don't do what Network Solutions does and you will have taken a big step to avoid being viewed as a spammer or phisher by your own customers.

Update: February 7, 2014

The day after I posted this, Network Solutions offered some explanation on its blog: "Domain Verification Emails from Network Solutions Related to New ICANN Security Regulations." I found out about it today when Network Solutions responded to my latest related tweet:

Update: February 19, 2014

As you can see in the comments below, one user commented on the Network Solutions blog post, was acknowledged, and then Network Solutions removed the commenting feature altogether. He was able to provide me with a screen capture of the comments (and reply) from Disqus:

Screen shot of the Disqus discussion. Transcript now available.

Update: April 10, 2014

Meanwhile, after telling me to click the link in the email (see above), NetSol is telling other users not to click links in email, "to be safe." This certainly doesn't help reduce confusion.

Tuesday, January 28, 2014

Network Solutions and Yet More Dark Patterns

In late 2012 I related my extreme displeasure of trying to register a domain through the intentionally confusing Network Solutions ecommerce flow. In my post, Network Solutions and Dark Patterns, I used a whole lot of screen captures to show the convoluted flow that I believe Network Solutions uses to trick its customers into agreeing to add-on services (and cost).

I noticed a fresh one today as I had to go in and renew a personal domain and quickly recognized that it behooves you as the customer to read every piece of text Network Solutions puts on the screen, else you'll agree to things you did not intend. I walk through the process below (in far fewer screens than last time).

Upon Signing In

Screenshot of Network Solutions login flow.
The screen immediately after logging in, with a form asking for contact verification.

As soon as I sign in, Network Solutions wants me to verify my contact information. This makes sense to me. After all, it's hard to notify someone that his/her domain name is about to expire when he/she has changed email addresses and not updated it here.

The text is straightforward:

To ensure that you receive essential information about your account and services, please confirm the contact information that we have on record for you.

Now the First Pitch

Screenshot of Network Solutions login flow.
This screen is trying to get me to add the Private Registration service. Note the red italic style in the graphic for the word exposed.

Unsurprisingly, I am asked to buy into Network Solutions' obfuscation service. Using scary language, this is the first pitch to try to get me to add some services:

Your name, phone number, and address are listed in the public WHOIS database for your domain(s).

Apply Private Registration to your domain(s) to safeguard your personal information.

The phone book, among many other public databases, has had my information on file for years. I can skip this and its undisclosed costs.

Check Your Contact Information

This is where it goes all wrong.

Screenshot of Network Solutions login flow.
This screen is ostensibly asking me to verify my email and phone number, but a careful read shows that's not the case.

Now I am presented with a screen asking me to Check [My] Contact Information. On my first visit to this page I was just about to click the submit button when I remembered that I had already confirmed my contact information when I logged into the site. So I opted to read the opening sentence:

Please confirm the contact information for Adrian Roselli to ensure that you receive important communications about your account.

Yep, this sounds like what I already did. Time to read the small print at the bottom:

* By submitting the contact information above, you expressly consent to Web.com and its affiliates contacting you regarding your services and offering new services via the contact information you provide (including your mobile number), via an automatic telephone dialing system or pre-recorded call. You are not required to give consent in order to make a purchase with us or our affiliates and you can find additional information in our Privacy Policy. Click here to remove your consent.

I emphasized the hyperlinks above. Affiliates. Privacy Policy. Click here. That last one is key. You have to click here to remove your consent. It's carefully hidden (note the red arrow in the screen shot above) behind the awful link text click here and suggests that I am already opted in.

Screenshot of Network Solutions login flow.
I reproduce the small text on this screen below.

As I dutifully click there, the content expands to show me the following checkbox — which is unchecked:

I do not consent to Web.com and its affiliates contacting me through automated telephone dialing systems, pre-recorded calls or text messages on my mobile phone, or through pre-recorded calls on my residential line.

As I read that text I realize I am giving Network Solutions, and anyone it and Web.com deem worthy, the right to send me text messages. I note that because many people have to pay for their text messages. The robo-calls are just as annoying, of course, but I personally take umbrage with the text message approach.

Screenshot of Network Solutions login flow.
Apparently I cannot not submit information.

I check the box and, just to be on the safe side, clear my phone number before I submit the form. I get this seemingly offshore-call-center-poorly-localized error message:

Please, fill the empty fields.

Once I enter a number again I am allowed to continue and am thanked with this absurd message:

Screenshot of Network Solutions login flow.
Processing…

To be fair, that's not a dark pattern. However, waiting an additional 5-6 seconds after wasting a few minutes with this stupid process of trickery just to see an animated GIF imply that whatever is happening in the background must be so important to also affect my ability to spend my money warrants some mocking. Deep breath.

Conclusion

Network Solutions may be less evil than some other registrars (sideways glance at the despicable GoDaddy), but by all means read every piece of text and every button before you sign away your text message limits or, as in my previous post, end up paying for services you cannot cancel.

By the way, if I do accidentally give my permission, I challenge you to find where in the interface I can revoke that permission.

Friday, November 23, 2012

Network Solutions and Dark Patterns

We should be familiar with anti-patterns in user interface design — counter-intuitive or ineffective user interface techniques.

Dark patterns are user interface design patterns that intentionally try to steer users into taking actions that are in the best interest of the site owner, not the user. Sadly, users encounter these all the time. You can get a more verbose overview at the dark patterns wiki, which is from where I am stealing this phrase.

For example, do you ever notice how banner ads (typically for questionable weight loss or beauty aids) tend to vibrate every few moments, shaking just a pixel or two? This is intentional because our visual systems are trained to react to movement in our peripheral vision, like an attacking tiger (or liposuction ad).

The real problem comes when this intentional exploitation of user behavior is designed to ultimately confuse users into submission or to hand over (too much) money.

In the case of the latter, I have an example I'd like to take you through. I have used Network Solutions as my domain registrar for years, primarily because that's who I was with before ICANN opened up the registry business to others. I have stayed with Network Solutions because of the hassle of moving away from it, even though the hassle of staying has probably far outweighed it by now.

As an aside, I'd like to take this opportunity to explain that I will not use the morally bankrupt filth that is GoDaddy for a variety of reasons, not least of which is related to its absurd objectification of women, its founder's flimsily explained killing of elephants, its support of SOPA, or its status as a target to the likes of script kiddies.

Back to the meat of my post. I wanted to both register a new domain and renew an existing domain this week and found the process so overwhelming that I feel it's a great example of an ecommerce anti-pattern, a dark pattern. I'll run you through each process, both in my personal Network Solutions account and in my corporate Network Solutions account. I did this using two different browsers to avoid polluting my cookies, so I cannot say whether the differences in design elements are a function of my accounts or my browser.

For each screen capture you can click/tap/select it to see the full-size image.

Registering a Domain

My first test was to register a domain name using Firefox 16.02 and my personal account and Chrome 23.0.1271.64 with my company account.

Screen shot of Network Solutions home page in Chrome. Screen shot of Network Solutions home page in Firefox.
The Network Solutions home page in Chrome (left, company account) and Firefox (right, personal account).

As you can see, the home page is pretty straightforward. There are a few sales pitches, and the link to log in may be hard to find, but the blue button is established as a prominent way of taking action.

Immediately after logging into my personal account using Firefox I am presented with a sales pitch. Note the use of the blue button in the green box surrounded by the gray border. The option to continue without adding this product is drawn in grays below the sales pitch.

On my Account Manager page, my company account (left) is straight to business, listing domains and actions I can take. My personal account is trying to pitch me on the private registration product and also continues to establish the blue button as a means of taking action.

As I move to conduct a search for a new domain name, in both cases the .com and .net are pre-selected as options. I know I am only interested in .com, so I de-select .net as an option.

This screen is fairly straightforward — it shows me what is available, offers me more extensions from which to choose, and allows me to remove a domain entirely. The blue button allows me to add my selection to my shopping cart.

Clicking Add to Cart immediately results in this overlay for both accounts. I can add a bundle of three or five more domains, using the blue button. Or I can skip this with the far less prominent No Thanks button.

Now it starts to get a bit tricky. In both cases I am being offered an opportunity to keep my information hidden with private registration. You'll note that in both cases private registration is pre-selected and the price is listed, though far less obviously in the Chrome view. There is no language saying that I am adding this to my cart (as I have seen on previous screens), just a Continue or Next button. There isn't an obvious "no thanks" option, either.

To get past this screen without adding $10 to your order you have to read the text, which means you are being subjected to its fear-mongering language (I'm already getting spam, and telemarketers call my house, so there's no real benefit to me). Then you have to choose the radio button for the standard registration, and then press the Next button. This is a departure from previous screens where the user has been trained to look for the gray "nope" option.

The Next button without an accompanying No Thanks gray button beneath it can cause users to breeze through this page without noticing the pre-checked option.

On this screen I am hit with the hosting pitch. Far stronger for my company account, but I still get the pitch when in my personal account. You may note the price difference between the cheapest plan for my company account versus the only plan offered to my personal account. The plans may in fact be different, but at a glance it looks like Network Solutions is playing a numbers game based on my account type.

You may also note that one screen offers a button to Continue Without Adding Hosting while the other simply uses a Next button with no hosting pre-selected.

These are the kinds of clues that suggest someone has made a conscious decision about what I should see as a customer and may be intentionally using these dark patterns.

Now I am getting hit with the leftover product pitches. For my company account (still in Chrome but spanning two screen shots) I see domain forwarding, email for my new domain, and SSL options. Reading the language for each, especially the SSL, these are clearly targeted to less technical customers. However, none of the options are pre-selected and just clicking the blue Continue button gets me past this screen.

For my personal account, I get similar product pitches. No SSL option is listed, but there is forwarding, email, and a "mobile" add-on option for the email. The "none" options are pre-selected, so in this case pressing the blue View Your Shopping Cart will get you past this screen without adding any products.

The shopping cart is your last chance to make sure you haven't added anything you don't want. For this demonstration I didn't add anything along the way, so it's easy to see what I have. Oddly, the shopping cart in Chrome for my company account shows me my "savings" and pitches me on why I should register my domain for five years. The shopping cart in Firefox (personal account) does no such thing.

I bet when you clicked the all-caps blue SECURE CHECKOUT button you thought you were done with the sales pitches. Not so. Here we see the pitch to protect your domain if you forget to renew it, along with a blue Add to Cart button. At least there is a gray No Thanks, Continue button below it.

This may be a bit jarring in case you thought you were free and clear; after all, you were just in your cart, just reviewed it and are ready to pay. If you do accidentally click Add to Cart, you are not presented with your shopping cart again to verify the charges. It just takes you right to the payment screen.

Here you see the total (I did not add the expiration protection), with no cart, as Network Solutions takes your credit card details and bills you. You may also notice that the auto-renew option is pre-selected. What isn't mentioned is that Network Solutions will bill your credit card 90 days before the domain is set to expire, well before the period when many organizations make a decision to switch registrars and well before the 60 days-to-expiration window many registrars impose when they won't allow a switch.

This screen shot is not part of the order flow. If you do select auto-renew accidentally you cannot simply deselect it in your account later, you have to call Network Solutions and sit through its CSRs' protestations and sales pitches to undo it.

Renewing a Domain

Assuming you weren't tricked into auto-renewing, this next test shows renewing a domain name using Chrome 23.0.1271.64 with my company account. I tried to do this in Opera, but had no luck:

Regardless, the process will look very similar. For each screen capture you can click/tap/select it to see the full-size image.

Upon choosing my domain to renew I am promptly pitched on picking up yet more domain names.

Here is the pitch to make my already-public information private (for a fee). You may notice that this screen is different from the two analogous versions we saw above. Here the radio buttons next to the two options are replaced with a grid below, though the option to add the $10 charge is still pre-selected with the big blue Continue button cheerily prompting you to click it without paying attention.

This pitch confounds me. I am renewing my domain, which already has DNS managed elsewhere, but I am still being offered hosting. At least on this screen, unlike the previous screen, it is safe to click Continue.

The suggestion that I need a mobile site is laughable and belies the complexity involved in taking a pre-existing site and suddenly spinning up a mobile version elsewhere. However, I can safely click Continue. Someone who adds this, however, may end up spending more time and money to undo it as a result.

The shopping cart is a brief safe area, assuming I am comfortable with the five year registration period.

Once again comes an offer after I have reviewed the cart, and as I mentioned above, adding the product at this point doesn't bring you back to the cart. This screen makes it too easy to add more to your order without an easy way to verify it.

Wrap-up

Network Solutions is not the only one to make use of dark patterns. It just happens to be one that has tricked me before and has caught many of my clients as well. I simply consider the Network Solutions dark pattern order process to be low hanging fruit, an easy example of how a confusing ecommerce flow and user interface can negatively impact users, intentionally or otherwise.

Update, July 24, 2013

In a post titled The slippery slope, Harry Brignull provides even more examples of dark patterns.

Update, January 28, 2014

Not content to stop at just one stream of dark patterns, I found another one: Network Solutions and Yet More Dark Patterns