It appears that OnlineNIC, a discount bulk domain registrar that caters to domain squatters, has been attacked and their Web servers are unavailable. We had to deal with them about a year ago to transfer a domain name away from a squatter in Korea and found their customer support extremely lacking. On top of that, even after successfully transferring the domain name away from them, they seem to think that we’re still a customer so we keep receiving promotional and maintenance emails from them.
I received the following maintenance email from them this morning informing me that their servers are under attack. It is unclear whether the attack is simply a denial of service attack or if their Web servers were actually compromised. Regardless, the request that OnlineNIC has made in the following email is absolutely outrageous. After informing me that their Web servers are under attack (I didn’t trust them before and I sure don’t trust them now that I know they may have been compromised), they want me to change my proxies to one of theirs.
To quote many RISKS posters that came before me, the RISKS here are obvious…
If this request is legitimate due to a denial of service attack then I would assume that they are filtering out all traffic to their Web servers and only allowing traffic to their Web server from their proxies. In theory, I’m sure this idea made sense to someone somewhere in the OnlineNIC chain of command. Regardless, setting my proxy to one of theirs would send all my Web traffic through it…not just traffic to OnlineNIC. I really don’t think I trust OnlineNIC with logs and caching of every Web site I visit.
Since I’m a paranoid freak, I’m assuming that OnlineNIC’s Web servers were completely compromised (my theory, no way to confirm), their customer base was leaked, the attacker sent this email to all customers and the below proxies are hostile and designed specifically to log all Web traffic for OnlineNIC’s customers. I only come to this conclusion because the headers of this email are very sparse and seem forged (Received from: YOURNAME localhost.localdomain), there are typos in the email and the email asks me for my username/password.
Oh well…even if the request was legitimate, how many naive users who actually switch their proxies are going to remember to switch them back after OnlineNIC comes back online? If the proxies are no longer required, how long will OnlineNIC keep those proxies online for the “convenience” of their customers? And, are these proxies wide open for anyone to use for semi-anonymous surfing? If the request is legitimate, OnlineNIC is opening themselves up to abuse by making these proxies available.
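The indicators called out above (a single sparse Received hop from localhost.localdomain with an unfilled YOURNAME placeholder, a request for username/password, and an instruction to point the browser at a proxy given as a bare IP) can be turned into a small mail-triage check. The following is an added example, not code from the original post or from OnlineNIC; both messages in it are constructed (the proxy address 198.51.100.10 is a documentation address, not the one in the forwarded mail), and the regular expressions and the one-hop threshold are assumptions:

```python
"""Heuristic triage of a notification e-mail for the indicators the post
describes.  Added example; the two sample messages are constructed."""
import email
import ipaddress
import re
from email import policy

# Constructed sample shaped like the forwarded mail (assumed content).
SAMPLE_MESSAGE = """\
Received: from YOURNAME (localhost.localdomain [127.0.0.1])
From: "Registrar Customer Care" <support@registrar.invalid>
To: customer@example.invalid
Subject: Our WEB server has been attacked

We are sorry to inform you that our WEB server has been attacked.
If the site fails, please try to use the proxy server: 198.51.100.10:80
by changing the LAN setup in your browser.
Please kindly offer us your id, password and the whois information of
your domains and we will register them here for you.
"""

# Constructed benign notice for comparison: no proxy, no credential request.
BENIGN_MESSAGE = """\
Received: from mail.registrar.invalid (mail.registrar.invalid [203.0.113.5])
From: "Registrar Support" <support@registrar.invalid>
To: customer@example.invalid
Subject: Scheduled maintenance

Our web site will be unavailable for two hours on Sunday. No action is
required; please do not share your password with anyone.
"""

# "proxy" followed within 60 characters by a dotted-quad IP and optional port.
PROXY_RE = re.compile(
    r"proxy\b.{0,60}?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?",
    re.IGNORECASE | re.DOTALL,
)
# A verb asking the reader to hand over something, with "password" nearby.
CRED_RE = re.compile(
    r"(offer|send|provide|give)\s+(us\s+)?(your\s+)?"
    r"[^.\n]{0,40}\b(password|passwd|pass)\b",
    re.IGNORECASE,
)
# Strings that should never appear in a genuine relay chain.
FORGED_RECEIVED_MARKERS = ("localhost.localdomain", "yourname")


def parse_proxy_targets(body):
    """Return (ip, port) pairs for every proxy instruction naming a bare IP.

    Loopback addresses are skipped; any other literal address in a
    'use this proxy' sentence is treated as the indicator itself.
    """
    targets = []
    for ip_text, port in PROXY_RE.findall(body):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if not addr.is_loopback:
            targets.append((str(addr), int(port) if port else 80))
    return targets


def analyze_message(raw):
    """Return a dict of boolean findings plus a simple count as 'score'."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = {
        # At most one hop, and that hop names localhost or a template field.
        "forged_received": len(received) <= 1 and any(
            marker in str(h).lower()
            for h in received
            for marker in FORGED_RECEIVED_MARKERS
        ),
        "credential_request": CRED_RE.search(body) is not None,
        "proxy_instruction": bool(parse_proxy_targets(body)),
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, analyze_message(text))
```

Any non-zero score is worth a human look; a score of three on a message that also asks you to reconfigure the browser is the pattern the post is warning about, and the right response is to contact the sender through a channel you already trust rather than follow the instructions in the mail.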
Begin forwarded message:
We are sorry to inform you that our WEB server has been attacked by somebody. Our technicians are taking great effort in getting it solved now. Please rest assured that the problem will be solved soon.
To visit Onlinenic, would you please try it at https://www.onlinenic.com; if it still fails, please try to use the proxy server: 22.214.171.124:80 in the following way:
Go to ‘Tools’ in IE, choose ‘Internet’, it will lead you to an interface, then choose ‘Connect’, click ‘LAN setup’, then you may set up the proxy 126.96.36.199 with the port 80.
If this proxy server doesn’t work, you may try the following ones:
Plus, some of the emails sent to [email protected] may have been lost. If you haven’t got any reply from us, please write to [email protected]. Please rest assured that we will never ignore any email reaching us.
If you have domains which are supposed to be registered urgently, please kindly offer us your id, password and the detailed whois information of your domains, we will try to help you register them here.
Please rest assured that you may feel free to change your account password after the domains have been registered successfully here for you.
Your kind understanding and cooperation will be highly appreciated.
Should you have further questions, please feel free to contact us.
OnlineNIC Customer Care
Email: [email protected]