It now appears as if this campaign doesn’t specifically target easyDNS customers or domains; it just mentions that the transaction is from easyDNS, even if the recipient is not an easyDNS customer.
We have received reports of easyDNS customers and other people receiving the following phishing email pretending to originate from Royal Bank:
Subject: ID2901: Unauthorized Charge
Date: 25 Feb 2014 06:59:29 -0600
From: Royal Bank of Canada <email@example.com>
To: [redacted]

RBC Royal Bank

Dear client ,

We recorded a payment request from ''www.easyDNS.com'' to enable the charge of $15.95/month on your account. Because the order was made from an European internet address, we put an Exception Payment on transaction id #PO008331 motivated by our Geographical Tracking System.

*THE PAYMENT IS PENDING FOR THE MOMENT.*

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Domain Registrar - www.easyDNS.com".

Remember:
* If you didn't make this payment and would like to decline the $5.95 billing to your card, please click here <hxxp://ceep.bit.edu.cn/rbcroyalbank/cgi-bin/rbaccess/secure-redirect.html> and complete the process to cancel the payment.

Thank you,
Accounts security team.
Royal Bank of Canada Website, © 1995-2014
If you click on the “click here” link you will be taken to the following URL:
which then redirects to
Which then brings up a fairly well reproduced Royal Bank online banking page.
It is interesting to note that you will only see the Royal Bank page if you click through via the first link; if you go directly to link #2 you will not see it. They are probably keying on the HTTP_REFERER, possibly to thwart abuse desks investigating complaints (i.e. “We looked and it’s gone, it must have been taken down”).
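One way an abuse desk can confirm this kind of Referer gating before concluding a page is gone, as an added example that is not part of the original post: fetch the landing URL once with no Referer and once claiming to arrive from the first hop, then compare the two responses. The URLs and the fake fetcher below are constructed stand-ins, not the live sites.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher takes (url, headers) and returns (status, body_bytes).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default fetcher using urllib; follows redirects like a browser would."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def fingerprint(status: int, body: bytes) -> str:
    """Short, comparable summary of a response: status, length, body hash."""
    return f"{status}:{len(body)}:{hashlib.sha256(body).hexdigest()[:16]}"


def referer_gate_check(url: str, referer: str, fetcher: Fetcher = http_fetch):
    """Fetch `url` bare and again with a Referer of `referer`.
    Returns (gated, bare_fingerprint, referred_fingerprint); gated is True
    when the server served something different depending on the Referer."""
    ua = {"User-Agent": "Mozilla/5.0 (abuse-desk referer check)"}
    bare = fetcher(url, dict(ua))
    referred = fetcher(url, {**ua, "Referer": referer})
    bare_fp, ref_fp = fingerprint(*bare), fingerprint(*referred)
    return bare_fp != ref_fp, bare_fp, ref_fp


def fake_gated_fetcher(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for a Referer-gated landing page (not a real site):
    only visitors arriving from the first hop get the fake bank page."""
    if headers.get("Referer", "").startswith("http://first-hop.example/"):
        return 200, b"<html>Fake bank login form</html>"
    return 404, b"Not Found"


if __name__ == "__main__":
    gated, bare_fp, ref_fp = referer_gate_check(
        "http://landing.example/", "http://first-hop.example/redirect", fake_gated_fetcher)
    print("referer-gated" if gated else "same response", bare_fp, ref_fp)
```

Swap `fake_gated_fetcher` for the default `http_fetch` to run it against a real complaint URL; a differing pair of fingerprints is the evidence to pass along with the takedown request.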
We’re not expecting to be able to do much about the first link as it’s based at some school in China, but the second one is registered via GoDaddy and we’re escalating this to their abuse desk now.
Our guess is they are harvesting domain whois records for Canadian registrars and sending emails to the contacts listed. Another reason to turn on whois privacy for your domains.