We All Work For Namecheap
So you want to start your first phishing site. First of all, you need to purchase a domain. Something that will trick unsuspecting internet users into clicking on it and submitting their credentials. Then you have to secure a good-value hosting package. Nothing too flashy, maybe a nice little shared server, hopefully for less than a fiver a month. However, your main priority is finding a host that isn’t concerned by your less-than-honorable intentions. So, what’s your best option?
Namecheap, of course.
We won’t be the first to write an article about Namecheap’s lack of passion for investigating unsavory sites, and we won’t be the last. It’s no secret that Namecheap is the platform of choice for internet criminals, and by diverting responsibility and lacking the urgency to act, they’re hurting the internet.
ICANN, But I Won’t
Namecheap offers both domain registration and hosting services. When it comes to taking down and preventing dangerous sites, it’s no surprise that the company hosting the site has more power than the registrar.
This doesn’t mean that the registrar doesn’t have a duty of care – they absolutely do, as laid out in ICANN’s Registrar Accreditation Agreement, where it states:
3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar’s website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.
This seems a little out of sync with Namecheap’s own policy that is outlined on their own site:
Some types of abuse may not be verified from our side if we only act as a registrar and the abusive content resides on third-party servers. Due to this, we will not take restrictive action in order to avoid false-positive cases. This policy particularly affects copyright/DMCA, email abuse/spam, fraud, malware/hacking activity, etc.
To expedite the resolution, we highly recommended escalating websites that are registered with Namecheap only to their respective hosting provider supporting your report with sufficient evidence. You might also decide to get in touch with the domain name holder directly by using the Whois details that are assigned to that domain name. If the Whois details are hidden by our Domain Privacy protection service, feel free to send your email to the protected email address. It will then be forwarded to the real email address of the domain holder.
To summarise – they don’t generally investigate and nor will they ever take ‘restrictive action’ if they are the registrar but not the host. They ‘highly recommend’ that you don’t tell Namecheap if a website registered by them is carrying out illegal activity – instead you should report it ‘only to their respective hosting provider’.
Better still, they also suggest contacting the domain name holder (in cases of abuse, this is basically the criminal who has created a site for illegal activity) directly – not generally the sort of person you want to be entering into a conversation with.
However, this is only if the criminal’s details aren’t protected by Namecheap’s WhoisGuard, which of course, comes free as standard on all plans.
So the bottom line is that you can register whatever domain name you want, and use it for whatever nefarious purposes you want, and Namecheap’s own policy reassures you that they won’t stop you. They likely won’t investigate, they actively encourage people not to even bother reporting it to them, and even if a domain registered through them is being used to steal tens of thousands of pounds from people, they will never take action to stop this.
And they wonder why they have a reputation for being a phisher’s best friend.
They Rely On Us
But surely, when it comes to malicious sites being hosted on their platforms, they have to take action. Right?
No reputable hosting provider would feel comfortable knowing that there are dangerous sites being hosted on their servers. Not only is this bad for business and a threat to the general public, they’re also putting their genuine customers hosting on the same servers at risk.
If an individual is running a malicious website from your server, you can’t guarantee that hacking into neighbouring sites, spreading malware and hijacking their domains isn’t also on their agenda. Namecheap have a duty to protect their customers from people like this.
Unfortunately, it seems to be a case of doing the minimum because they have to, rather than doing everything they can because they care.
We actually got into a small Twitter bust up with them about this.
@PhishStats is a Twitter account that regularly reports on websites that are confirmed to be used for phishing.
Wherever possible, they identify and alert the host in the hope that they will take action and protect internet users from these kinds of sites. Today, they happened to alert Namecheap to a URL hosted on their platform which is blatantly a phishing site. They regularly report hundreds of sites each day via Twitter, and bear in mind they aren’t paid to do this; they do it purely to help hosting companies combat phishing.
The response from Namecheap was poor to say the least. Instead of “great, thanks for your help, we’ll look into this!” PhishStats were told to submit a ticket.
A Twitter account that runs solely for the purpose of uncovering thousands upon thousands of phishing sites was told to submit an individual ticket for this one site that they’d alerted Namecheap to.
Of course, at this point PhishStats had moved onto the next set of sites they were investigating, so we took the liberty of responding:
Turns out we didn’t even need to wait for a response – Namecheap had already answered this question in a tweet they sent out in 2018.
Turns out it’s everyone’s job but theirs to combat fraudulent websites. However, they did indeed respond, but only to let us know that we need to find and provide all necessary data in order for their team to investigate properly.
Seemingly, the general public are better equipped to find out the full details than the company hosting the site. This feels like either a bad attempt at pushing the work onto other people so that they don’t have to do it themselves, or making the reporting process intentionally difficult so that no one ever has the time to submit a ticket.
If it was our site that had been spoofed, then of course, we would have no qualms submitting a ticket as we’d have a personal interest in getting the site taken down as quickly as possible. However, when a phishing database reports one of many, many sites, they should not be laden with the responsibility of raising a ticket.
So You’ve Submitted a Ticket
It’s not right, it’s not fair, and Namecheap shouldn’t make you jump through hoops to report a site. But if you do jump through these hoops, surely it’s worth it?
Apparently not.
We’ve seen reports all across the internet from people who have submitted tickets when their sites have been cloned and then used to steal financial information from people, and Namecheap did nothing.
The above happened to this guy and whilst Namecheap were happy to confirm that the site was abuse, they didn’t have any desire to remove it. Only after taking Namecheap’s worrisome advice of contacting the fraudster directly did it get removed. Not by Namecheap, but by the fraudster, as they were threatened with legal action.
Surely Namecheap have a duty of care? What is the point of having an investigation which confirms a site is fraudulent if they aren’t then going to take steps to remove it? Or are they too scared to remove these sites because they don’t want to lose the income?
We are yet to see one report of someone being happy with how Namecheap have handled a case like this – all we have come across is numerous horror stories where they fail to take any kind of responsibility, and numerous posts from people who have reported Namecheap to ICANN.
We reached out to Namecheap to ask why they don’t proactively work to tackle phishing sites on their hosting platform and why at the very least, they can’t work effectively with people who do. We’re awaiting a response.
Senior Manager Corporate Finance at North Queensland Bulk Ports Corporation
3 years ago: Oh the irony if a relative or friend of NameCheap CEO Richard Kirkendall was scammed and it transpires that the scammers were using NameCheap.
Workplace Financial Consultant at Fidelity Investments & Fit and Fine with Evelyn Rhines
3 years ago: You may think this post is biased but it’s not. Several fake websites were created with my information and several hundred people have been defrauded. They refuse to move the websites and when you file a claim via their abuse reporting email they give you a ticket and nothing is ever resolved. I have been trying to get these sites removed for over three months. I have people contacting me directly thinking I scammed them out of money. Next step attorney general. So yes some of us know what this writer wrote is true.
Digital Marketing & Lead Generation Specialist | Building & Positioning Brands Online to Create Demand & Drive Sales.
3 years ago: I think your experience with NC is quite biased. For a company that serves millions of customers daily, this is you just trying to leverage a few cases to push your own twists onto people's minds. I have had experiences with tens of registrars and hosting companies, and none of them beat NC for their customer service. So you using a handful of cases to invalidate a company that serves its customers extremely well is, quite frankly, baseless.
Experienced Customer Service Representative | Dedicated to Driving Customer Satisfaction and Resolving Issues with Efficiency | Committed to Delivering Exceptional Client Experiences
3 years ago: This is an unfair judgement of Namecheap, this criticism is not valid. They have certainly rendered services like the others like godaddy etc, I moved over 20 of my domains from godaddy to another registrar and some to namecheap, having spent almost a decade with godaddy, they fell short and failed in many ways over the last 3 years. If you want to criticize any hosting service, criticize for the quality of their services. Namecheap responds faster and customer care is 100% any day anytime. Kindly pull down this unworthy biased and nonsense of an article.
Chairman & C.E.O. at JZeal Media Group Inc.
3 years ago: We have been with namecheap for years, having various servers and domains with them, all I can say is that they are the best to work with in the industry. Before choosing them, we have tried a host of others and when we started with namecheap, our business has not been the same again.