NameCheap is the preferred domain hoster for cybercrime activists!

NameCheap is the domain hoster of choice for cybercrime activities
Spread financial intelligence

Ian Becket (@IanBecket) is undoubtedly one of the leading financial investigators on Twitter. He regularly reports on financial cybercrime. Most recently, Ian outlined that domain hoster NameCheap has become the darling of pishing criminals since accepting Bitcoins as payment in Sep 2020. The UK National Cyber Security Centre (NCSC) statistic provides impressive evidence. The number of UK government-themed pishing campaigns via NameCheap exploded while GoDaddy numbers remained flat.

According to NCSC, NameCheap became the most popular host of UK government-themed phishing during
2020 and hosted 60% of the domains in this specific category.

NameCheap’s popularity is noticeable among the pushing perpetrators and in the field of scam brokers and unregulated (illegal) payment processors who increasingly register their domains there. Most recently, we have noticed IGC Trades or (www.igctrades.com) Paypound (www.paypound.ltd or ChargeMoney (www.charge.mone). We do not have any statistical data at the moment, unlike NCSC, but for sure we saw a trend over the last couple of months.

Especially in crypto scams and schemes, NameCheap is currently used preferentially. Of the last ten warnings against crypto scams the UK regulator FCA issued on 16 Feb 2022, 6 have used NameCheap.

  1. We All Work For Namecheap

    Richard De Vere
    Richard De Vere
    Head of Social Engineering, Ultima Business Solutions
    12. Feb. 2021

    So you want to start your first phishing site. First of all, you need to purchase a domain. Something that will trick unsuspecting internet users into clicking on it and submitting their credentials. Then you have to secure a good-value hosting package. Nothing too flashy, maybe a nice little shared server, hopefully for less than a fiver a month. However, your main priority is finding a host that isn’t concerned by your less-than-honorable intentions. So, what’s your best option?

    Namecheap, of course.

    We won’t be the first to write an article about Namecheap’s lack of passion for investigating unsavory sites, and we won’t be the last. It’s no secret that Namecheap is the platform of choice for internet criminals, and by diverting responsibility and lacking the urgency to act, they’re hurting the internet.

    ICANN, But I Won’t

    Namecheap offers both domain registration and hosting services. When it comes to taking down and preventing dangerous sites, it’s no surprise that the company hosting the site has more power than the registrar.

    This doesn’t mean that the registrar doesn’t have a duty of care – they absolutely do, as laid out in ICANN’s Registrar Accreditation Agreement, where it states:

    3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar’s website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.

    This seems a little out of sync with Namecheap’s own policy that is outlined on their own site:

    Some types of abuse may not be verified from our side if we only act as a registrar and the abusive content resides on third-party servers. Due to this, we will not take restrictive action in order to avoid false-positive cases. This policy particularly affects copyright/DMCA, email abuse/spam, fraud, malware/hacking activity, etc.

    To expedite the resolution, we highly recommended escalating websites that are registered with Namecheap only to their respective hosting provider supporting your report with sufficient evidence. You might also decide to get in touch with the domain name holder directly by using the Whois details that are assigned to that domain name. If the Whois details are hidden by our Domain Privacy protection service, feel free to send your email to the protected email address. It will then be forwarded to the real email address of the domain holder.

    To summarise – they don’t generally investigate and nor will they ever take ‘restrictive action’ if they are the registrar but not the host. They ‘highly recommend’ that you don’t tell Namecheap if a website registered by them is carrying out illegal activity – instead you should report it ‘only to their respective hosting provider’.

    Better still, they also suggest contacting the domain name holder (in cases of abuse, this is basically the criminal who has created a site for illegal activity) directly – not generally the sort of person you want to be entering into a conversation with.

    However, this is only if the criminal’s details aren’t protected by Namecheap’s WhoisGuard, which of course, comes free as standard on all plans.

    So the bottom line is that you can register whatever domain name you want, and use it for whatever nefarious purposes you want, and Namecheap own policy reassures that they won’t stop you. They likely won’t investigate, they actively encourage people not to even bother reporting it to them, and even if a domain registered through them is being used to steal tens of thousand of pounds from people, they will never take action to stop this.

    And they wonder why they have a reputation for being a phisher’s best friend.

Leave a Reply

Your email address will not be published. Required fields are marked *