Domain Services (DomainNotifyEngine.com): A Terrible Scam
- 1 The Gist Of It
- 2 The Scam – Small Business And Website Operators Beware!
- 3 My Response To These Potential Scammers
- 4 The Lowdowns And The Nitty Gritty Details
- 5 This Is Not New; Some Links
- 6 Of Course It’s On Social Media
- 7 Giving A Potential Scam A Platform; Meet NameCheap And Moniker
- 8 Miscellanea; Security Certificates And Web Analytics
- 9 More Contact Form Submissions
NOTE: The best way to fight alleged scams is to provide potential evidence they are a scam, so if you have had any experiences with companies like this or this “company,” leave a comment below or contact me through social media (or my contact form.)
UPDATE: Name Cheap, Moniker Online Services, and the host of this alleged scam Host Key have been notified of this alleged scam. They have done NOTHING to stop it. I am confident in my opinion that any investigation into this would reveal it as a scam, as it has historically been determined. I have notified them repeatedly via social media and the proper abuse forms and I have gotten almost no response. They refuse to do anything about this alleged scam, and I can only surmise they don’t care that their services are being used to allegedly scam people. Despicable.
The Gist Of It
You do NOT have to register your domain with a “search engine registration” company to be listed on most major search engines. There is no such actual service. Search engines do NOT rely on these companies for information whatsoever (to my knowledge) as they go to great lengths to develop their own software that finds and indexes sites.
As stated, be wary of any “search engine” (not necessarily a directory) that requires you to have to pay to be listed. As well, be VERY wary of ANY site that asks for a SIGNATURE. Your mileage may vary.
For the record, this is personal advice, not legal advice, and is not intended as legal advice, business advice, nor SEO advice.
The Scam – Small Business And Website Operators Beware!
The scam is simple. I know personally of an individual who, unfortunately, was conned out of a fair amount of revenue due to this scam and (other) scammers. Subsequent (other) individual(s) came along who took advantage of the situation with knowledge of the current scam ecosystem.
The idea is this: you open a business or simply a website (it’s better for them if it’s a business and more potentially at stake). You’ve registered the domain name, you’ve set up the hosting service, and you’re good. Or you’ve paid someone else to do it, and you don’t know how it works. You wonder about social media, yellow page-like listings (if it’s a small business, particularly if you are older), and search engines. How do you get on those dang things?
Suddenly, you receive an e-mail directly at your new domain name, or more likely these days (due to anti-spam laws), you receive a notification from an online contact form (which happens to not have spam filters on it). It reads something like this (this is from one of my own sites as an example):
Name: Barbra PeakEmail: [my email] Website: https://bit.ly/36VENk5 Message: DOMAIN SERVICES EXPIRATION NOTICE FOR [my domain] Domain Notice Expiry ON: Feb 18, 2021 We have actually not received a payment from you. We've tried to call you yet were incapable to contact you. Check Out: https://bit.ly/3rzoul2 For info and to post a discretionary payment for your domain website services. Time: February 18, 2021 at 12:47 PM IP Address: 126.96.36.199 Contact Form URL: [my website] Sent by an unverified visitor to your site.
Oh, noes! What do you do!? Well, you might click on the link to see what they’re talking about. After all, you apparently owe them something! “I thought they said my domain registration would last a year,” you think to yourself. Once you click on the link, you are presented with the following:
And you get particularly nervous when this pops up on your screen:
One of two things happens at this point: you either don’t read it in your panic that your domain is going to expire, or you do read it and realize this is a domain search engine registration “service.” If you aren’t already desperately filling out the form below to save your domain from the former, the latter pushes you to wonder if this is one of those website set-up steps that you (or your contractor) forgot to do. Either way, you may be inclined to fill out the form. Before you do that, though, here is some advice:
DO NOT FILL OUT NOR SUBMIT THIS FORM!
There are several reasons for this, which I will outline below. The number one reason is that this is a bogus service in my personal opinion and experience. As far as I know, it’s not even really a service. I doubt they do anything, mostly because search engines no longer have “registrations” like in the earlier days of the internet.
Registering on Google with Search Console is literally FREE.~ Me, here on this post.
Google, for example, now has YOU register your website personally and easily with their search engine using their Search Console and Webmaster Tools. It’s literally FREE, and even if someone else did it for you, the prices they are charging are obscenely high. You don’t even HAVE to register. Search engines use what are called “spiders” to crawl the web and find sites. Eventually, it will find and index yours; it always does.
Never Sign Your Written Signature Online, Particularly To Any Random Site!
Secondly, but MOST IMPORTANTLY, giving out your information not only compromises your website security but SIGNING YOUR NAME in the box is REALLY INSECURE. If you were to sign your name in the box with the signature you use in business, this signature image could then be copied and used by anyone. It could easily end up being sold on the Dark Web, and with it, people can easily forge your signature on all sorts of bogus contracts and checks.
Although no contract ever surfaced, this is what happened to my friend. They vaguely remember signing something on the internet but couldn’t remember what exactly. When multiple scammers came calling, they often claimed they had a contract they could produce with their signature on it, and often that was enough to convince my friend to pay. After they refused to pay, the contracts also never seemed to appear. With this signature box, though, they COULD, and that’s REALLY BAD.
These e-mails/contact form submissions are fishing for people that fit this profile. They word it consistently (and if you doubt the consistency see below) in their “cold pitch” to make it sound like you are already in a contract with them or already owe them some form of compensation. Unless you got roped into paying, YOU DON’T, and if you DID get roped in, STOP PAYING and DEMAND accountability. If they’re not rendering any real services, that means they’ve scammed you. On top of that, you have the right to CANCEL any subscription at ANY time. If collectors call you, and the amounts keep changing, the terms seem loose, and they are intimidating, they are potentially breaking the law (by harassing you and scamming you), and you owe them nothing.
My Response To These Potential Scammers
I filled out their contact form with the following:
I got an e-mail from my contact form from your company that stated, "We have actually not received a payment from you." The reason you haven't received payment is that I never actually signed up for your service, and never will. This is a really offensive way of saying I haven't purchased your service and is incredibly misleading. It's so misleading, in fact, that a friend of mine who runs a business with a website thought they had to fill out and submit the corresponding form to be listed in search engines (you are fully aware they do not) and because of that ended up being scammed by multiple companies claiming they had performed "services" they had never performed. They ended up paying several of them because they thought they had to since they filled out this form. That's all this form and website is: a gateway for ignorant people to "pass through" so that others, and possibly yourself, can claim that they're owed ridiculous amounts of money for services that almost never were actually rendered. It's disgusting, deceitful, misleading, predatory, and in my opinion is either illegal somewhere in some fashion, or should be. I will be reporting these e-mails, and this website to authorities and publicizing your operation so that others are not similarly scammed.
The Lowdowns And The Nitty Gritty Details
This particular operation is running under the following domain names:
Domain Names Registered With Namecheap Inc (Report Abuse)
Domain Names Registered With Moniker Online Services LLC (Contact)
I couldn’t find an abuse reporting form on Moniker’s website, however I was able to find the following contact information regarding abuse for the company: email@example.com phone +49.68949396850. That’s an international number, but they have a toll-free number for general use (U.S. and Canada) listed on their website at (844) 760-0251.
- domainproposalnotifications.com (at one time, now ‘down’ when accessed via HTTPS – DNS not assigned any ip)
Associated Domain Names Registered With DropCatch.com [numbers] LLC (Contact)
Here’s where things start to get really strange, and a rabbit hole begins to emerge.
I will document this rabbit hole as I learn more about it. In the meantime, these are domain names that I found to be associated with this potential scam enterprise possibly. The three I list here redirect the user’s browser through various means to a various number of redirect services, many of which land you on pages that try to trick you into downloading viruses and trojans. They also log IP addresses, so if you try enough times on the same IP address, they’ll potentially become tame and redirect you to a parked domain site (thus eluding the potential that you can capture evidence.) I have not linked to them directly for that purpose. I do not recommend visiting these domain names.
As an example of the “rabbit hole,” I found that domainsrvsreg.com forwarded me to a 1redira.com (owned by trellian.com) URL, which then forwarded me to another domain (with query parameter): testpc24.legendarysystemsupgrades.work (which is also registered with Namecheap Inc). This domain name was hosted on a server with the IP address 188.8.131.52, and although difficult, I was able to track down that as being operated under the domain name ip202.ip-135-148-59.us as well as being hosted with OVHcloud (their U.S. Report Abuse form).
However, while this is ancillary support for making a case that all of this is a big scam, it’s not really on the topic of this post. I digress, so I shall return to Domain Services.
Who Are Domain Services?
All of these currently operating domain names (not with DropCatch) currently claim to be operated under the same entity name of “Domain Services” (in fact, all of the domains point to the same server IP, see below.)
If you happen to fill out the form (NOT with your own or any legitimate information) you will eventually get the following payment information screen:
As you can see their current mailing address is:
1342 Military Rd
Niagara Falls, New York 14304
It appears that “Domain Services” rents/rented a mailbox from CBI USA Mailbox Rental at this address. I have contacted them on their Facebook page about this situation. Their contact e-mail address is firstname.lastname@example.org
Here are some other articles/posts that have previously addressed this scam:
- Sircles.net posts about this very potential scam in September of 2020. A commenter notes it as “shut down” as they reported to it to the FBI and the links are broken, but as you can see this result is not the case.
- NoScams.info posts about this potential scam here.
- Ad-Scams.com posts questions the potential scam domain names here, and here.
- Lambros posts about a very similar scam, showing that one potential scammer operating under this model has already made off with approximately $585,967 in Bitcoin.
- YourWebHoster.eu published an article detailing a very similar scam as well.
- KuduWebsites posts about a very similar scam involving domain services.
- SERoundTable.com also comments on another similar scam.
I’ve decided that one way to help combat this potential scam is to make people, and the companies that are enabling it, very much aware of the problem. Here are the results of this endeavor.
When I first came across this potential scam the website was being hosted on DediPath servers. It’s NO LONGER hosted on DediPath because they did the right thing and terminated their service (or at least nulled the ip address.) HEre is a tweet showing the end result of that exchange:
Please congratulate DediPath for doing the right thing.
They quickly hopped on to another hosting service, HostKey. I also contacted them on Twitter:
And still I have yet to receive a reply. HostKey’s latest Tweet at the time of this writing is:
Yeah, they sure are. Maybe a little too safe?
But Asher, I hear you say, what about their domain name?
Well, their domain name is registered with the Namecheap company. Here is their information: Facebook, Twitter. They are also protected by WhoisGuard Inc (they don’t seem to have social media accounts.) I have also contacted Namecheap on Twitter as well:
Eventually the Tweet thread produced this result:
But are they though? This eventually happened:
I did just that. This is what I got in reply in my e-mail:
Hello, Thank you for the report. We have thoroughly investigated your allegation to the extent of our capabilities, but we were unable to validate your claim. The issue would need to be addressed through the hosting provider to see if their terms of service have been violated. We have no way to police these issues as we do not control the hosting company in this instance. You are welcome to find the contact details of the company that owns the IP address currently assigned to the domain name below: https://whois.domaintools.com/184.108.40.206 If you consider the website owner is using our services in a bad faith, please report the issue to authorities for a proper investigation to be held [ed - emphasis added]. We will assist them in any way we can. Also, if you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through the Internet Crime Complaint Center at https://complaint.ic3.gov. Please let us know in case of any questions. ------------------------ Regards, Den M. Shift Leader Legal & Abuse Department Namecheap, Inc. Ticket Details Ticket ID: ************* Department: Fraud / Phishing Type: Domains L&A Status: Abuse not confirmed Priority: High
Yeah. Well, I feel a bit like this guy about all of that:
I’m going to personally be checking out the Namecheap Terms of Service… in the meantime, that is definitely one domain name registration company I would not do business with.
Here they are on the 3rd:
Maybe having to perform emergency maintenance for a possibly avoidable crisis just overwhelmed them and they couldn’t get back to me? Maybe?
I didn’t really think so either.
Miscellanea; Security Certificates And Web Analytics
These devious individuals also employ a couple of other services to which most usually pay no attention. They serve their site over HTTPS (using Apache server software). This means that a certificate authority somewhere had to issue them a legitimate certificate, in essence, lending their name to the credibility of the site. Just who was this organization? What are the details of their Secure Socket Layers certificate? Well, their certificate reads a bit something like this:
% echo | openssl s_client -showcerts -servername webdomainserv.com -connect webdomainserv.com:443 2>/dev/null | openssl x509 -inform pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 76:ab:6b:50:9d:7a:12:ab:52:a7:67:c6:7f:aa:af:5d Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority Validity Not Before: Mar 4 00:00:00 2021 GMT Not After : Jun 2 23:59:59 2021 GMT Subject: CN=webdomainserv.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d4:ed:69:61:ef:39:ac:4b:65:79:3c:13:2e:b6: 41:db:44:92:19:d4:d2:20:b4:5a:01:59:ed:c2:1a: b0:9a:0f:be:a1:53:8c:f7:a5:93:87:ca:8e:dd:80: e5:44:42:63:ed:85:1d:1d:4f:87:31:07:14:a3:ca: ac:e4:5c:2b:f1:58:3b:af:06:ec:98:f3:0e:a0:aa: 0f:fc:0d:13:cb:e9:ef:e9:08:e0:09:8c:2c:4f:4e: 4c:c6:71:95:3a:83:ae:0a:72:e2:5a:e0:e6:26:b9: 1f:69:65:78:fa:66:e2:30:6d:b8:70:68:62:44:88: 34:71:46:f0:cc:da:4c:aa:b0:42:7c:14:d5:b6:62: 1c:a6:71:a2:03:0a:4b:aa:b4:3e:c4:3a:f4:81:a3: 14:2e:50:4f:7b:c4:e7:4d:61:56:1a:0c:c5:55:97: ef:f9:df:09:47:c1:74:d4:9a:19:bb:13:e0:3a:b2: c7:3f:6a:7a:7e:ef:f0:cd:69:67:fe:a3:0a:be:1f: a9:52:41:15:e8:a9:bc:aa:e6:98:c9:4c:37:e6:48: 58:f1:54:2c:25:60:77:07:ba:80:fa:3e:b3:e5:f9: d3:35:61:08:c2:62:9c:9d:93:6e:6c:c6:2e:93:36: 5f:7b:63:26:7c:3c:3f:6b:76:82:e3:67:52:d3:70: 9a:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:7E:03:5A:65:41:6B:A7:7E:0A:E1:B8:9D:08:EA:1D:8E:1D:6A:C7:65 X509v3 Subject Key Identifier: 15:63:BE:AF:8D:D9:8E:CF:3D:68:6D:BA:67:B5:62:CD:77:DD:EF:4E X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 220.127.116.11.4.1.6418.104.22.168.52 CPS: https://sectigo.com/CPS Policy: 22.214.171.124.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/cPanelIncCertificationAuthority.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/cPanelIncCertificationAuthority.crt OCSP - URI:http://ocsp.comodoca.com 126.96.36.199.4.1.11188.8.131.52: ......v.}>.....Uh$....R.y+..x...j.h.~".....w.,.......G0E. !..y.....N..d.+..=..f.5..V..}..B.!..f^m^.o.o..3.J..'?T......n...M^lO.=a.N/XM.....w.,.o.....F0D. 3....-.?..m..7F8v...........Ra.N. ....D...Z3..X.fq/!.V..:.....E.K. X509v3 Subject Alternative Name: DNS:webdomainserv.com, DNS:cpanel.webdomainserv.com, DNS:cpcalendars.webdomainserv.com, DNS:cpcontacts.webdomainserv.com, DNS:domainbly.com, DNS:domainnotifyengine.com, DNS:domainpaymentoptions.com, DNS:domainpaymentsolutions.com, DNS:domainsrvcsexpiry.com, DNS:electronicdomains.com, DNS:mail.domainbly.com, DNS:mail.domainnotifyengine.com, DNS:mail.domainpaymentoptions.com, DNS:mail.domainpaymentsolutions.com, DNS:mail.domainsrvcsexpiry.com, DNS:mail.electronicdomains.com, DNS:mail.saveonyourdomain.com, DNS:mail.webdomainserv.com, DNS:mail.webnoticesys.com, DNS:saveonyourdomain.com, DNS:webdisk.webdomainserv.com, DNS:webmail.webdomainserv.com, DNS:webnoticesys.com, DNS:www.domainbly.com, DNS:www.domainnotifyengine.com, DNS:www.domainpaymentoptions.com, DNS:www.domainpaymentsolutions.com, DNS:www.domainsrvcsexpiry.com, DNS:www.electronicdomains.com, DNS:www.saveonyourdomain.com, DNS:www.webdomainserv.com, DNS:www.webnoticesys.com Signature Algorithm: sha256WithRSAEncryption 83:26:11:61:e8:09:68:a3:12:37:3d:3b:1c:34:77:ba:5a:48: b6:83:fe:de:e6:a5:0e:53:41:1d:d2:b8:e7:a4:1e:de:27:2b: b9:d2:7f:c2:5b:0a:e7:ca:a1:49:38:b1:f2:06:5b:57:7b:7f: 44:49:78:f2:73:9e:69:f2:9b:4c:b0:87:ff:b4:dd:6c:86:cb: 3a:ac:ec:dd:b0:f5:27:ef:2b:8a:8a:75:56:e3:1c:70:b3:ac: 75:25:1b:52:45:df:a6:53:c2:7d:ee:47:46:0f:2b:0a:fd:84: 04:d8:c6:20:1e:f5:a7:3d:7d:c2:26:b3:67:03:d2:d0:6c:65: 5b:b6:af:66:4b:8e:1f:56:c3:e1:54:41:e8:9c:fa:a4:71:ea: a5:ee:ec:1c:5f:49:32:f8:97:d1:d6:a6:f3:68:f2:41:ff:92: 61:5c:6b:05:2a:e4:fa:a9:42:cc:2d:9f:c9:a7:99:1c:93:d4: c2:c2:9c:81:52:d4:58:d9:4f:a2:39:16:36:94:59:7c:f7:d1: 6a:10:30:f4:1c:14:80:67:69:de:de:39:9c:30:49:a9:03:d5: af:69:08:11:e5:69:d0:4d:af:38:45:3b:9e:3e:87:9b:93:94: 39:29:15:f8:f1:78:e1:1a:d4:ce:00:58:1a:da:cd:c2:da:24: 33:72:dd:a8
I wonder if their CPanel vendor knows what they’re using their software for, which of course is managing the hosting configurations for a potential scam.
I’m pretty sure though when it comes down to it, Google Analytics wouldn’t exactly be keen on being associated with this site. As of now though, as long as that Google Analytics ID is valid (the status of which I am unaware and make no claim) they are.
More Contact Form Submissions
In case you might be thinking that that form submission from my site was a one off fluke thing, here the evidence I can provide you that says otherwise. I receive quite a bit of form submission spam, which I will also publish elsewhere, but here is the SAME potential scam mechanism contacting me multiple times (practically daily):
Name: Raul Casner
Email: [my email]
Message: DOMAIN SERVICES EXPIRATION NOTICE FOR [my domain]
Domain Notice Expiry ON: Feb 21, 2021
We have actually not obtained a settlement from you.
We’ve tried to contact you yet were not able to contact you.
Check Out: https://cutt.ly/tlfHWq9
For information and also to post a discretionary payment for your domain website solutions.
Time: February 21, 2021 at 8:45 PM
IP Address: 184.108.40.206
Contact Form URL: [my website]
Sent by an unverified visitor to your site.
If you go to the website URL shortener address you’ll see this warning:
That shortened link can be problematic. It does not comply with our Terms of Service and/or his redirect (source) has been reported as a suspicious link that may lead to dangerous/suspicious content.Cuttly.com
This may be due to the URL:was reported by any black-list service
– was reported as a suspicious link
– has more than one redirect
– has been shortened more than once
– has been broken (404, etc.)
– was reported as potentially malicious / spam etc.
– has a content that we do not accept (porn, violence etc.)
– does not comply with our Terms of Service
And of course, the listed URL? https://domainnotifyengine.com/ of course.
For the record, I have never been in any kind of business relationship with this entity and never will. I do not have settlements against me, I have never agreed to any settlements, I know of no settlements. They are clearly implying I owe them a settlement, when in reality, I just haven’t purchased their “service.”
Here’s yet another contact form submission… but this time they’ve changed the domain name! I’ve listed it above as well.
Name: Tarah Cano Email: [my email] Website: https://bit.ly/2ZV3MjP Message: DOMAIN SERVICES EXPIRATION NOTICE FOR [my domain] Domain Notice Expiry ON: Feb 23, 2021 We have not gotten a settlement from you. We have actually attempted to call you yet were not able to contact you. Browse Through: https://bit.ly/3sqobJL For information and also to post a discretionary payment for your domain website service. ... Time: February 23, 2021 at 2:11 PM IP Address: 220.127.116.11 Contact Form URL: [my url] Sent by an unverified visitor to your site.
And Another One…
Name: Sebastian Brinker Email: [my e-mail] Website: https://bit.ly/2PadoF5 Message: DOMAIN SERVICES EXPIRATION NOTICE FOR [my domain] Domain Notice Expiry ON: Feb 24, 2021 We have not gotten a settlement from you. We've attempted to call you however were unable to contact you. Browse Through: https://bit.ly/3aQzgO9 For details as well as to make a discretionary payment for your domain website solutions. ... Time: February 24, 2021 at 4:31 PM IP Address: 18.104.22.168 Contact Form URL: [my url] Sent by an unverified visitor to your site.
And Another One…
Name: Johnie Niall Email: [my e-mail] Website: https://bit.ly/3aOy0uW Message: DOMAIN SERVICES EXPIRATION NOTICE FOR [my domain] Domain Notice Expiry ON: Feb 25, 2021 We have not obtained a settlement from you. We've tried to email you however were not able to contact you. Visit: https://bit.ly/2ZRKMm9 For info as well as to process a discretionary payment for your domain website service. ... Time: February 25, 2021 at 1:38 PM IP Address: 22.214.171.124 Contact Form URL: [my url] Sent by an unverified visitor to your site.
And so on and so on and so on and so on…
I have published any assorted logos, trademarks, and company names for educational and commentary purposes only and not with intent to sell, impersonate, mislead, nor commit libel. There are no advertisements nor advertising services on this page/site that incur me any income personally whatsoever. It is also important that the reader understands that the information presented here has been aggregated from various public sources that are publicly available to anyone and that it is published solely for the purpose of reference, and not for any malicious purposes or intent. I advise the reader that any kind of harassment towards individuals and companies can be considered a crime. My intent in publishing this information is to provide relevant and valuable resources for victims of this potential scam and to raise awareness about these issues, and the individuals/companies who allow it to continue.