Feedback scammers attempting to extort millions from 5,000 major companies

Only you can fix this, ICANN!


Scammers are leveraging the promise of customer feedback as part of a scheme to extort US $3 million from 5,000 major companies.

This newest ruse boils down to ICANN's decision to create the .feedback top-level domain (TLD). Sure, companies can use the TLD to set up a website where they can invite users to comment on the services they provide. But that's assuming they're the first to register a .feedback domain for their brand.

To illustrate, take a look at the following image:

[Screenshot of "google.feedback"]

The above graphic is a screenshot of google.feedback. While the domain bears Google's name, the Mountain View-based tech giant had nothing to do with setting up the website. It's the work solely of scammers.

These individuals have registered .feedback domains for 5,000 major companies. Visitors to those websites can submit feedback that the victim companies can't automatically view. Indeed, many businesses probably don't know the sites even exist.

But in the event they do discover the .feedback domains, that doesn't mean the companies don't have a say in the matter. Tom Limoncelli of Everything Sysadmin clarifies that point:

"If they do discover it, they are given a choice: Pay $20/month to receive the feedback, or pay $600/year to take the web site down. Of course, there is a free option: Just let the site remain and suffer as people send their feedback and feel ignored."

Assuming every company pays, the scammers would walk away with $3 million. That's not bad considering it probably cost them at most $60,000 to register the domains at $10-$12 apiece.

But let me be clear: none of the companies should pay to have the sites taken down. Instead they should file separate complaints with the Internet Corporation for Assigned Names and Numbers (ICANN). If it receives a sufficient number of reports indicating abuse, ICANN might respond by disabling .feedback as a TLD.

That would probably be for the best.

Affected companies should also look to control the narrative by creating their own feedback channels hosted on their websites. Such a move wouldn't prevent some users from looking up their misused .feedback domains. But it would communicate the companies' willingness to receive and respond to users' feedback.

Over time, these channels could ultimately overshadow the .feedback sites even if ICANN decides not to disable the TLD.


2 Responses

  1. Pagjsp

    July 5, 2017 at 1:18 pm

    Graham – Would you advise companies to pre-register their "MyCompany.Feedback" domain name as a defensive measure? Or, should we wait and see what ICANN decides to do?

  2. furriephillips

    July 5, 2017 at 2:56 pm

    I wouldn't bank on ICANN actually doing anything. They've had their cut…

    Though this looks more promising than they have been in a long time: http://www.circleid.com/posts/icann_spam_offenders_knujon_report/
