NAMECHEAP: HOME TO PHISHING SITES

It's no secret that Namecheap has become a bulletproof host, and it's not news at this point. Thousands of people have written blogs and tweets and made videos about it. Here's another one!

 

BULLETPROOF HOSTS

Hosting, as we know it, is what powers the internet. A hosting provider is a company that leases some computing power to customers to use - usually for serving websites like this awesome blog 😏. This leased computing power is not limited to awesome blogs. They host mail servers, DNS servers, databases, web apps, malware and phishing sites...

That is where bulletproof hosts come in. Most hosting providers have strict policies that govern what can be hosted on their servers; bulletproof hosts do not. They choose to turn a blind eye to whatever is hosted on their servers and typically have few, if any, policies on what can and cannot be hosted. Naturally they are popular with cyber criminals. They host malware, botnet command and control centers, black market websites, phishing websites, etc.

On a high level, a bulletproof host has these properties:

  • Loose policies
  • Evade responsibility
  • Difficult to impossible report procedure
  • Slow to no response to reports

 

NAMECHEAP'S KEVLAR

Namecheap is both a registrar and hosting provider. A registrar is a company that registers domain names. Usually these companies also sell these domains, so much so that it's become "standard" that whoever you buy your domains from will register them as well. Since the registrar is in charge of the domain name, it naturally follows that the hosting provider will hold more weight in having phishing sites taken down - since they are the ones hosting the actual phishing content.

This is Namecheap's first line of defense to evade responsibility. ICANN clearly states that:

3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar's website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.

ICANN is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable and inter-operable. 

To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn't have one global Internet.

Back to Namecheap. The guys that govern THE INTERNET state that a registrar should deal with phishing and malware associated with domains they registered, but Namecheap thinks differently. Their policy states:

 

Some types of abuse may not be verified from our side if we only act as a registrar and the abusive content resides on third-party servers. Due to this, we will not take restrictive action in order to avoid false-positive cases. This policy particularly affects copyright/DMCA, email abuse/spam, fraud, malware/hacking activity, etc.
 
To expedite the resolution, we highly recommend escalating websites that are registered with Namecheap only to their respective hosting provider supporting your report with sufficient evidence. You might also decide to get in touch with the domain name holder directly by using the Whois details that are assigned to that domain name. If the Whois details are hidden by our Domain Privacy protection service, feel free to send your email to the protected email address. It will then be forwarded to the real email address of the domain holder.

 

Basically they are saying that as long as they're the registrar only, not providing the hosting service, they are not to be bothered with reports of phishing or malware or whatever else. They go on to suggest that we talk to THE OWNER OF THE PHISHING DOMAIN and perhaps ask them nicely to stop.

This is Namecheap's ultimate defense.

gaara's ultimate defense

 

With this shield they can hide away from taking responsibility for all sorts of nefarious actors using their services.  
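
Because of the registrar/hosting split described above, a phishing report has two possible recipients: the registrar's abuse contact (the one ICANN's 3.18.1 requires) and the hosting network's abuse contact. As an added example, not part of the original post, this Python code pulls both out of RDAP responses (the JSON successor to Whois); the responses, domain, registrar and network names below are all constructed.

```python
# Constructed RDAP responses in the RFC 9083 shape; every name and address is made up.
DOMAIN_RDAP = {
    "objectClassName": "domain", "ldhName": "login-portal.example",
    "entities": [{
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar, Inc."]]],
        "entities": [{  # the abuse contact is nested under the registrar entity
            "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", "abuse@registrar.example"]]],
        }],
    }],
}
IP_RDAP = {
    "objectClassName": "ip network", "name": "EXAMPLE-HOSTING-NET",
    "entities": [{
        "roles": ["abuse"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["email", {}, "text", "abuse@hosting.example"]]],
    }],
}

def find_entities(obj, role):
    """Yield every entity carrying `role`, including nested ones."""
    for ent in obj.get("entities", []):
        if role in ent.get("roles", []):
            yield ent
        yield from find_entities(ent, role)

def vcard_value(entity, prop):
    """First value of a jCard property such as 'fn' or 'email', else None."""
    for item in entity.get("vcardArray", ["vcard", []])[1]:
        if item[0] == prop:
            return item[3]
    return None

def report_targets(domain_rdap, ip_rdap):
    """Who should receive the report: registrar abuse desk and hosting abuse desk."""
    def emails(rdap):
        found = (vcard_value(e, "email") for e in find_entities(rdap, "abuse"))
        return sorted({m for m in found if m})
    registrar = next(find_entities(domain_rdap, "registrar"), None)
    return {
        "domain": domain_rdap.get("ldhName"),
        "registrar": vcard_value(registrar, "fn") if registrar else None,
        "registrar_abuse": emails(domain_rdap),
        "host_network": ip_rdap.get("name"),
        "host_abuse": emails(ip_rdap),
    }

print(report_targets(DOMAIN_RDAP, IP_RDAP))
```

An empty `registrar_abuse` or `host_abuse` list means the response published no abuse contact, which is worth noting in the report itself.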

 

WHAT ABOUT NAMECHEAP HOSTING?

NO! They do not care either. Whenever you submit a phishing site to them, either using their abuse email or Twitter, you are told to submit a ticket!

NameCheap Support Ticket

 

In addition to domain(s), url(s) and targeted website(s), you are REQUIRED to provide a detailed report along with attached files! You have to WORK to send a report to Namecheap. Not only that, they RELY on us to find and report malicious activity on their infrastructure - so they can properly turn a blind eye to it.

NameCheap SUS Tweet

 

Someone responded to this tweet with some domains and this is the response they got:

NameCheap Tweet Response

Yes! We are to open a ticket that will never be resolved! Like this one user:

NameCheap Does Not Respond to Tickets

 

It's clear that Namecheap has no intention of taking down phishing sites. They seem to have intentionally made the process of reporting difficult.

 

HOW FAR DOES THIS GO?

The National Cyber Security Centre (NCSC) named Namecheap the most popular host of UK government phishing sites in 2020 with a staggering 60%! 

In 2018 they let malicious actors set up all manner of phishing sites, malware delivery and command and control subdomains on other customers' websites.

Just last year Facebook sued Namecheap for refusing to cooperate in an investigation into a series of phishing domains registered through Namecheap. These domains were clearly set up by the same actors but Namecheap would neither take them down nor reveal any information about the threat actors.

Search "Namecheap phishing sites" to witness how ugly Namecheap's gotten over the years.

 

KEY TAKEAWAYS

  • Namecheap SUCKS!!!