If you have ever owned a domain name, the chances are good that at some point you have received a snail mail letter which appears to be a bill for a domain or website-related services. These misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Below, Krebs takes a look at the most recent details of this scam, DomainNetworks, and some clues about who may be behind it.
The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address. Although the letter includes the words “marketing services” in the upper right corner, the rest of the missive is deceptively designed to look like a bill for services already rendered.[1]
DomainNetworks claims that listing your domain with their promotion services will result in increased traffic to your site. This is a dubious claim for a company that appears to be a complete fabrication, as we’ll see in a moment. Fortunately the proprietors of this enterprise were not so difficult to track down.
The website Domainnetworks[.]com says it is a business with a post office box in Hendersonville, NC, and another address in Santa Fe, NM. There are a few random, non-technology businesses tied to the phone number listed for the Hendersonville address, and the New Mexico address was used by several no-name web hosting companies.
However, there is little connected to these addresses and phone numbers that get us any closer to finding out who’s running Domainnetworks[.]com. And neither entity appears to be an active, official company in their supposed state of residence, at least according to each state’s Secretary of State database.
The Better Business Bureau listing for DomainNetworks gives it an “F” rating, and includes more than 100 reviews by people angry at receiving one of these scams via snail mail. The BBB says DomainNetworks previously operated under a different name: US Domain Authority LLC.
Figure 1. DomainNetworks has an “F” reputation with the Better Business Bureau.
Copies of snail mail scam letters from US Domain Authority posted online show that this entity used the domain usdomainauthority[.]com, registered in May 2022. The usdomainauthority mailer also featured a Henderson, NC address, albeit at a different post office box.
Usdomainauthority[.]com is no longer online, and the site seems to have blocked its pages from being indexed by the Wayback Machine at archive.org. But searching on a long snippet of text from DomainNetworks[.]com about refund requests shows that this text was found on just one other active website, according to publicwww.com, a service that indexes the HTML code of existing websites and makes it searchable.
Figure 2. A deceptive snail mail solicitation from DomainNetwork’s previous iteration — US Domain Authority. Image: Joerussori.com
That other website is a domain registered in January 2023 called thedomainsvault[.]com, and its registration details are likewise hidden behind privacy services. Thedomainsvault’s “Frequently Asked Questions” page is very similar to the one on the DomainNetworks website; both begin with the question of why the company is sending a mailer that looks like a bill for domain services.
Thedomainsvault[.]com includes no useful information about the entity or people who operate it; clicking the “Contact-us” link on the site brings up a page with placeholder Lorem Ipsum text, a contact form, and a phone number of 123456789.
Searching passive DNS records at DomainTools.com for thedomainsvault[.]com shows that at some point whoever owns the domain instructed incoming email to be sent to ubsagency@gmail.com.
The first result that currently pops up when searching for “ubsagency” in Google is ubsagency[.]com, which says it belongs to a Las Vegas-based Search Engine Optimization (SEO) and digital marketing concern generically named both United Business Service and United Business Services. UBSagency’s website is hosted at the same Ann Arbor, MI based hosting firm (A2 Hosting Inc) as thedomainsvault[.]com.
UBSagency’s LinkedIn page says the company has offices in Las Vegas, Half Moon Bay, CA, and Renton, WA. But once again, none of the addresses listed for these offices reveal any obvious clues about who runs UBSagency. And once again, none of these entities appear to exist as official businesses in their claimed state of residence.
Searching on ubsagency@gmail.com in Constella Intelligence shows the address was used sometime before February 2019 to create an account under the name “Sammy\Sam_Alon” at the interior decorating site Houzz.com. In January 2019, Houzz acknowledged that a data breach exposed account information on an undisclosed number of customers, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.
Sammy\Sam_Alon registered at Houzz using an Internet address in Huntsville, AL (68.35.149.206). Constella says this address was associated with the email tropicglobal@gmail.com, which also is tied to several other “Sammy” accounts at different stores online.
Constella also says a highly unique password re-used by tropicglobal@gmail.com across numerous sites was used in connection with just a few other email accounts, including shenhavgroup@gmail.com, and distributorinvoice@mail.com.
The shenhavgroup@gmail.com address was used to register a Twitter account for a Sam Orit Alon in 2013, whose account says they are affiliated with the Shenhav Group. According to DomainTools, shenhavgroup@gmail.com was responsible for registering roughly two dozen domains, including the now-defunct unitedbusinessservice[.]com.
Constella further finds that the address distributorinvoice@mail.com was used to register an account at whmcs.com, a web hosting platform that suffered a breach of its user database several years back. The name on the WHMCS account was Shmuel Orit Alon, from Kidron, Israel.
UBSagency also has a Facebook page, or maybe “had” is the operative word because someone appears to have defaced it. Loading the Facebook page for UBSagency shows several of the images have been overlaid or replaced with a message from someone who is really disappointed with Sam Alon.
“Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D*CK,” reads one of the messages:
Figure 3. The current Facebook profile page for UBSagency includes a logo that is similar to the DomainNetworks logo.
The logo in the UBSagency profile photo includes a graphic of what appears to be a magnifying glass with a line that zig-zags through bullet points inside and outside the circle, a unique pattern that is remarkably similar to the logo for DomainNetworks:
Figure 4. The logos for DomainNetworks (left) and UBSagency.
Constella also found that the same Huntsville IP address used by Sam Alon at Houzz was associated with yet another Houzz account, this one for someone named “Eliran.”
The UBSagency Facebook page features several messages from an Eliran “Dani” Benz, who is referred to by commenters as an employee or partner with UBSagency. The last check-in on Benz’s profile is from a beach at Rishon Letziyon in Israel earlier this year. Neither Mr. Alon or Mr. Benz responded to multiple requests for comment.
It may be difficult to believe that anyone would pay an invoice for a domain name or SEO service they never ordered. However, there is plenty of evidence that these phony bills often get processed by administrative personnel at organizations that end up paying the requested amount because they assume it was owed for some services already provided.
In 2018, KrebsOnSecurity published How Internet Savvy are Your Leaders?, which examined public records to show that dozens of cities, towns, school districts and even political campaigns across the US got fooled into paying these scam domain invoices from a similar scam company called WebListings Inc.
In 2020, KrebsOnSecurity featured a deep dive into who was likely behind the WebListings scam, which had been sending out these snail mail scam letters for over a decade. That investigation revealed the scam’s connection to a multi-level marketing operation run out of the UK, and to two brothers living in Scotland.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://krebsonsecurity.com/2023/07/whos-behind-the-domainnetworks-snail-mail-scam/#more-64076
Comments