NameSilo Abuse Reporting

On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites:

  • guildofguardianes[.]com
  • guildofguardians[.]net
  • guildofguardian[.]net
  • guildofguardians[.]cc
It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars.

As an independent researcher, my success with getting sites taken down varies.

In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report.

I can only imagine the volume of phishing reports this registrar gets, and there's some poor soul on the other end of this form having to look at the screen shots and compare the scam site to the actual site and make some decision as to whether it's a scam or not.

Then there's the problem of incentive.  What incentive does a registrar have to takedown every scam site that is reported to them.  As with many things in cyber security, it's a cost sink rather then a revenue generator.  First you have to pay someone to build the reporting mechanism.  Next you have to hire someone to perform review of submitted phishing claims.  Finally you have to say goodbye to some revenue from the scammer.  Wouldn't it be better to just go through the motions?  Provide a form that routes all submissions to /dev/null?  Respond with a generic "Sorry, there isn't enough evidence of wrong doing to take action in this case" type message?  I mean, if you are a registrar that is known to cater to scammers, and if scammers are generating a lot of return on crypto scams, the incentive to shut them down just isn't there.

If I hit a dead end with the registrar I'll take a stab at contacting the hosting company.

There's a a ray of hope though.  While MetaMask is meant to be a neutral wallet, in other words the wallet doesn't want to be liable for protecting clients and steering them clear from scammers, it may be introducing a plugin like feature so users can opt into warnings about interactions with potentially malicious sites.  The debate here is around censoring vs protecting users.  Should we be censoring transactions at all?  If I know that a wallet address or a website belongs to a known scammer, but you as a user want to interact with that entity, who am I to stop you?  However, if you ask me to protect you from malicious actors, then maybe there's an option to enable Aspin Darkfire's crypto block list via a Metamask plugin.

Taylor Monahan. the Founder & CEO of MyCrypto (MetaMask), refers to the potential feature briefly during this Bankless interview:


Hopefully this becomes a thing, and you'll be able to enable some kind of feature that will help notify you when you're about to interact with a scam wallet or website.  If that happens I'll definitely be populating a list of scam addresses to benefit the Guild of Guardians community.

Time to go back to playing whack-a-mole.  Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.








Comments

Post a Comment

Popular posts from this blog

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more