Namecheap and its Phishing Problem

I'm sure that if you've ever been on the internet, you've run into phishing before. Maybe you got an email that said that you need to log into your Microsoft account in order to "verify its security". Maybe you got a text message that claimed to be from your bank telling you that your account has been hacked. Whatever the case is, I'm sure you've heard of phishing attacks before.

There is one domain registrar and hosting provider, Namecheap, that is very widely used by threat actors to deploy all sorts of websites, such as phishing, scams, and so much more. Let's take a look at this company, and at why they seem to care so little about phishing attacks.

Namecheap Marketplace

The first thing I looked into is the Namecheap Marketplace. If you don't know what this is, it's basically a place where you can buy and sell domains registered on Namecheap. The marketplace is mostly full of domains that people are hoping to sell. It's mostly domain squatter bots buying up thousands of domains and throwing them on the marketplace hoping somebody will buy them, but there also appear to be several threat actors on the marketplace selling their old phishing domains. Let's look into this.

Using various search terms such as "payee" and names of popular companies such as Apple and Microsoft, you can very easily find several phishing domains on the Namecheap Marketplace. Here are some examples:

Using the search term "payee"
Using the search term "apple"
Another phishing domain from the seller of "signln-apple-ld.live"
Phishing domain for Lloyds, a bank in the UK
Searching for "office365"

As you can see, there are lots of these domains ready to be bought and used by threat actors, all at a very cheap price. However, the story goes deeper.

Phishing?

We ran into a possible phishing domain sold by the user "ncsuspend". However, this is not your ordinary Namecheap Marketplace phishing listing.

For one, the domain isn't even on Namecheap. It's on a totally different provider, Sav.com. In fact, testing several of the hundreds of domains listed on this account, they don't even exist anymore, or were purged almost a year ago!

As Namecheap has stated in their various articles on their Marketplace, you can only list actively registered domains that were registered on Namecheap. So the fact that domains that are on the Marketplace are registered on different registrars, or don't even exist at all, is kinda odd.

Based on the username "ncsuspend", or what could be interpreted as "Namecheap Suspend", and the oddities of domains sold on this account, one of our members has stated that this might be a case of Namecheap reselling suspended domains on the Marketplace. We have not confirmed this yet, but if this is the case, then threat actors might even be able to recover their domains after their suspension.

But there are more issues than this. Even if the above is true, it might not even matter anyways, because of Namecheap's reactions to phishing domains, which have been proven time and time again to be careless. Let's look into this.

The Suspension Problem

Getting domains suspended for phishing on almost any other registrar is incredibly easy and incredibly quick. You just submit a report, wait a day or two at most, and the domain is gone. Sometimes, you can even detect phishing domains before the links even get to victims. And some providers are great about phishing domain removal, and take only 15 minutes to a few hours to respond to most reports.

However, Namecheap is not very good at eradicating phishing domains. There are tons of phishing domains, some of which have been sitting around for almost two weeks at this point, and are still up despite Namecheap claiming to have responded to the ticket that reported the domains.

Tweet mentioning initial report was on March 25th, 2021
Site is still active as of the time of publishing, almost two weeks later, despite Namecheap claiming in Twitter replies that they have responded to the ticket
Namecheap claiming they have responded

The worst part about this is that, on the surface, it appears to the average user that Namecheap cares about phishing. Search "very severe" on Namecheap's Twitter page and you get:

Our Legal&Abuse team is very severe to such websites.

It seems like they care if you look at stuff like their Twitter account, but if you look into it, they really do not. The fact that domains can sit for several days, or even almost two weeks, without being suspended is incredibly bad.

The fact that I can search urlscan.io for something like "page.asnname:namecheap AND task.visibility:public AND date:>now-24h AND (task.url:payee OR page.url:payee)" and get a whole wall of recent phishing results, all on Namecheap, many of which are already detected by Google Safe Browsing and other widely respected phishing detection systems as unsafe domains, goes to show how little Namecheap seems to care about the phishing problem it is facing.
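
As an added example (not part of the original article, and not urlscan.io's own code), here is one way to turn that search into a repeatable check that tracks how long each matching domain has been visible. It assumes the urlscan.io search API at /api/v1/search/ and result objects carrying task.time and page.domain; the sample results and the .example domains are constructed, and the keyword and time window are generalized into parameters.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

SEARCH_API = "https://urlscan.io/api/v1/search/"

def build_query(keyword, asn_name="namecheap", window="now-24h"):
    """Rebuild the article's query for any keyword, ASN name and time window."""
    return (f"page.asnname:{asn_name} AND task.visibility:public "
            f"AND date:>{window} AND (task.url:{keyword} OR page.url:{keyword})")

def fetch(query, size=100):
    """Run the search against urlscan.io (needs network access; not called below)."""
    url = SEARCH_API + "?" + urllib.parse.urlencode({"q": query, "size": size})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["results"]

def summarize(results, now):
    """Per page.domain: number of scans and hours since the earliest scan."""
    first_seen, counts = {}, Counter()
    for r in results:
        domain = r["page"]["domain"]
        seen = datetime.fromisoformat(r["task"]["time"].replace("Z", "+00:00"))
        counts[domain] += 1
        first_seen[domain] = min(first_seen.get(domain, seen), seen)
    rows = [(d, counts[d], round((now - first_seen[d]).total_seconds() / 3600, 1))
            for d in counts]
    return sorted(rows, key=lambda row: -row[2])  # longest-visible domain first

# Constructed sample results (reserved .example domains), shaped like the
# fields this script reads from a search response.
SAMPLE = [
    {"task": {"time": "2021-04-06T08:00:00.000Z"},
     "page": {"domain": "payee-confirm.example"}},
    {"task": {"time": "2021-04-06T20:00:00.000Z"},
     "page": {"domain": "payee-confirm.example"}},
    {"task": {"time": "2021-04-07T02:00:00.000Z"},
     "page": {"domain": "new-payee-auth.example"}},
]
NOW = datetime(2021, 4, 7, 8, 0, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    print(build_query("payee"))
    for row in summarize(SAMPLE, NOW):
        print(row)
```

Widening the window (for example "now-14d") and re-running the summary on a schedule gives a record of how long a reported domain stays reachable, which is the evidence an abuse report or follow-up needs.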

It seems that Namecheap, with its utter lack of care, and Freenom, with its free domains, are the most common domain registrars used for phishing. However, Freenom is so much better about handling phishing domains than Namecheap is. In my experience of reporting domains to Freenom, it usually takes under a day for them to respond to your request and take the domain down. With Namecheap, as this article has shown, there are phishing and scam domains, for which Namecheap provides both the hosting and the domain at a cheap cost, that have been sitting there for almost two weeks and appear to have actually scammed money from people.

Thanks for reading this long article, and I hope this gives you some insight as to how Namecheap operates when it comes to the suspension of phishing domains.

Update (May 7th, 2021): The phishing domain that I showcased in this article (polkadotlive.network) has had its hosting suspended. However, the domain is still active, and could be used for future phishing attacks on another hosting provider. Considering Namecheap hosted the site and was able to suspend the hosting, there was no reason why Namecheap would've been unable to suspend the domain too. Nonetheless, this phishing domain can still be considered active, after almost a month and a half.