
We All Work For Namecheap

Kirstan Norman Blog

So you want to start your first phishing site. First of all, you need to purchase a domain. Something that will trick unsuspecting internet users into clicking on it and submitting their credentials. Then you have to secure a good-value hosting package. Nothing too flashy, maybe a nice little shared server, hopefully for less than a fiver a month. However, your main priority is finding a host that isn’t concerned by your less-than-honorable intentions. So, what’s your best option?

Namecheap, of course.

We won’t be the first to write an article about Namecheap’s lack of passion for investigating unsavory sites, and we won’t be the last. It’s no secret that Namecheap is the platform of choice for internet criminals, and by diverting responsibility and lacking the urgency to act, they’re hurting the internet.

ICANN, But I Won’t

Namecheap offers both domain registration and hosting services. When it comes to taking down and preventing dangerous sites, it’s no surprise that the company hosting the site has more power than the registrar.

This doesn’t mean that the registrar doesn’t have a duty of care – they absolutely do, as laid out in ICANN’s Registrar Accreditation Agreement, where it states:

3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar’s website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.

This seems a little out of sync with Namecheap’s own policy that is outlined on their own site:

Some types of abuse may not be verified from our side if we only act as a registrar and the abusive content resides on third-party servers. Due to this, we will not take restrictive action in order to avoid false-positive cases. This policy particularly affects copyright/DMCA, email abuse/spam, fraud, malware/hacking activity, etc.

To expedite the resolution, we highly recommended escalating websites that are registered with Namecheap only to their respective hosting provider supporting your report with sufficient evidence. You might also decide to get in touch with the domain name holder directly by using the Whois details that are assigned to that domain name. If the Whois details are hidden by our Domain Privacy protection service, feel free to send your email to the protected email address. It will then be forwarded to the real email address of the domain holder.

To summarise – they don’t generally investigate, nor will they ever take ‘restrictive action’ if they are the registrar but not the host. They ‘highly recommend’ that you don’t tell Namecheap if a website registered by them is carrying out illegal activity – instead you should report it ‘only to their respective hosting provider’.

Better still, they also suggest contacting the domain name holder (in cases of abuse, this is basically the criminal who has created a site for illegal activity) directly – not generally the sort of person you want to be entering into a conversation with.

However, this is only if the criminal’s details aren’t protected by Namecheap’s WhoisGuard, which of course, comes free as standard on all plans.

So the bottom line is that you can register whatever domain name you want, and use it for whatever nefarious purposes you want, and Namecheap’s own policy reassures you that they won’t stop you. They likely won’t investigate, they actively encourage people not to even bother reporting it to them, and even if a domain registered through them is being used to steal tens of thousands of pounds from people, they will never take action to stop this.

And they wonder why they have a reputation for being a phisher’s best friend.

They Rely On Us

But surely, when it comes to malicious sites being hosted on their platforms, they have to take action. Right?

No reputable hosting provider would feel comfortable knowing that there are dangerous sites being hosted on their servers. Not only is this bad for business and a threat to the general public, they’re also putting their genuine customers hosting on the same servers at risk.

If an individual is running a malicious website from your server, you can’t guarantee that hacking into neighbouring sites, spreading malware and hijacking their domains isn’t also on their agenda. Namecheap have a duty to protect their customers from people like this.

Unfortunately, it seems to be a case of doing the minimum because they have to, rather than doing everything they can because they care.

We actually got into a small Twitter bust-up with them about this.

@PhishStats is a Twitter account that regularly reports on websites that are confirmed to be used for phishing.

Wherever possible, they identify and alert the host in the hope that they will take action and protect internet users from these kinds of sites.

Today, they happened to alert Namecheap to a URL hosted on their platform which is blatantly a phishing site. They regularly report hundreds of sites each day via Twitter, and bear in mind they aren’t paid to do this, they do this purely to help hosting companies combat phishing.

The response from Namecheap was poor, to say the least. Instead of “great, thanks for your help, we’ll look into this!” PhishStats were told to submit a ticket.

A Twitter account that runs solely for the purpose of uncovering thousands upon thousands of phishing sites was told to submit an individual ticket for this one site that they’d alerted Namecheap to.

Of course, at this point PhishStats had moved on to the next set of sites they were investigating, so we took the liberty of responding:

Tweet from us reading "Out of curiosity why does a researcher who has given up their time already to detect crime on YOUR infrastructure have to then report it in this fashion? Why can’t you? Why demand extra free work and place barriers to doing the right thing. Do you not have a web browser?"

Turns out we didn’t even need to wait for a response – Namecheap had already answered this question in a tweet they sent out in 2018.

Tweet from Namecheap reading "We rely on you to bring abuse and fraudulent sites to our attention. Learn more about what is considered abuse, how to report it and actions we all can take to prevent scams:"

Turns out it’s everyone’s job but theirs to combat fraudulent websites.

However, they did indeed respond, but only to let us know that we need to find and provide all necessary data in order for their team to investigate properly.

Seemingly, the general public are better equipped to find out the full details than the company hosting the site. This feels like either a bad attempt at pushing the work onto other people so that they don’t have to do it themselves, or making the reporting process intentionally difficult so that no one ever has the time to submit a ticket.

If it was our site that had been spoofed, then of course, we would have no qualms submitting a ticket as we’d have a personal interest in getting the site taken down as quickly as possible. However, when a phishing database reports one of many, many sites, they should not be laden with the responsibility of raising a ticket.

So You’ve Submitted a Ticket

It’s not right, it’s not fair, and Namecheap shouldn’t make you jump through hoops to report a site. But if you do jump through these hoops, surely it’s worth it?

Apparently not.

We’ve seen reports all across the internet from people who have submitted tickets when their sites have been cloned and then used to steal financial information from people, and Namecheap did nothing.

The above happened to this guy and whilst Namecheap were happy to confirm that the site was abuse, they didn’t have any desire to remove it. Only after taking Namecheap’s worrisome advice of contacting the fraudster directly did it get removed. Not by Namecheap, but by the fraudster, as they were threatened with legal action.

Surely Namecheap have a duty of care? What is the point of having an investigation which confirms a site is fraudulent if they aren’t then going to take steps to remove it? Or are they too scared to remove these sites because they don’t want to lose the income?

We are yet to see one report of someone being happy with how Namecheap have handled a case like this – all we have come across is numerous horror stories where they fail to take any kind of responsibility, and numerous posts from people who have reported Namecheap to ICANN.

We reached out to Namecheap to ask why they don’t proactively work to tackle phishing sites on their hosting platform and why at the very least, they can’t work effectively with people who do. We’re awaiting a response.