Shady Practices (Antera/DomaSchooner Phishing)

I’ve recently gone through the process of moving one of my domains from one domain registrant to another. There were a couple of reasons, and cost and whois privacy are part of it. I’ve switched hosting providers a number of times, and that’s not an issue, but getting different domain registrants on the same page to ensure a downtime-free transfer isn’t a clear process to me, so during this time I was particularly susceptible to notifications about the transfer.

It was then that I noticed an item in my spam account titled “Domain Expiration SEO”. Now I didn’t notice the SEO in that title at first, and was immediately concerned about the terms “Domain Expiration”. The fact that it was in my spam folder at least made me immediately cautious, but the fact that they used my full name and postal address in the “invoice” confused me.

The email had a large title saying “Final Notice, your account is pending cancellation”. The email came from “info@antera.org”, a domain with no discernible website, and links on the page directed to “domaschooner.win”. What I don’t like is that the entire premise is that you’re about to let something that you had expire. In the meantime nothing could be further from the truth.

It seems they somehow identify domains that are being transferred, grab the whois data and then generate emails, in my opinion, hoping to catch people not paying attention into paying $86 for supposed SEO software.

If you pay close attention to the email, they do note that they “…do not register or renew domain names…” and their email disclaimer states “…This is not a bill or an invoice. This is a SEO purchase offer. You are under no obligation to pay the amount stated unless you accept this purchase offer…”. So while they do a good job of telling the truth, the email’s immediate implication is something worse. So while probably not illegal, very shady.
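The indicators described in this post (a sender domain that differs from the link domain, expiry-style urgency wording, and fine print that contradicts it) can be checked mechanically when triaging mail. The following Python is an added example, not part of the original post; the sample message is constructed from the details quoted above, and the phrase lists, the `triage` and `base_domain` names, and the naive two-label domain comparison are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header values, title, price and fine print are the ones quoted in the post;
# the recipient, URL path and HTML layout are made up.
SAMPLE = """\
From: info@antera.org
To: owner@example.com
Subject: Domain Expiration SEO
Content-Type: text/html

<h1>Final Notice, your account is pending cancellation</h1>
<p>Total: $86 <a href="http://domaschooner.win/pay">Pay now</a></p>
<small>We do not register or renew domain names. This is not a bill
or an invoice. This is a SEO purchase offer.</small>
"""

# Assumed phrase lists, taken from the wording the post quotes.
URGENCY = re.compile(r"final notice|pending cancellation|domain expiration", re.I)
DISCLAIMER = re.compile(
    r"not a bill or an invoice|do not register or renew domain names|purchase offer", re.I)
HREF = re.compile(r"""href\s*=\s*["']?https?://([^/"'\s>:]+)""", re.I)

def base_domain(host):
    # Naive last-two-labels rule (assumption); production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # Decode every leaf part so base64 / quoted-printable bodies are inspected too.
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if not p.is_multipart())
    links = sorted({base_domain(h) for h in HREF.findall(body)})
    text = " ".join((msg.get("Subject", "") + " " + body).split())  # undo line wrapping
    urgency = sorted({m.lower() for m in URGENCY.findall(text)})
    disclaimer = sorted({m.lower() for m in DISCLAIMER.findall(text)})
    return {
        "sender_domain": sender,
        "foreign_link_domains": [d for d in links if d != sender],
        "urgency": urgency,
        "disclaimer": disclaimer,
        # Expiry-style alarm plus fine print denying it is a bill: the contradiction the post describes.
        "contradiction": bool(urgency and disclaimer),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
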

One thought on “Shady Practices (Antera/DomaSchooner Phishing)”

  1. Thank you for posting your experience on your blog. Hopefully others will google and see it before they click on the link, as most people don’t bother reading the fine print.

    I had googled because I was curious to see how many others might have received this particular spoofed email.

    I received the same email but the link address was to techfrigate.win instead. That domain name was registered on 12Jul2017 (exact same registration date as domaschooner.win). The scammer obviously did a bulk acquisition of many domain names that day, ready for use in other scams.

    It is clearly a phishing email that is not from Antera but using their name. Antera Software has their own full name website as .com, so the abbreviated .org website is just spoofing. Domain names using the abbreviated “Antera” have been in WIPO arbitration proceedings in the past, so you know it’s likely to be used by phishing emails in the header.

    Here is more info from GoDaddy regarding these types of phishing emails: https://www.godaddy.com/community/Managing-Domains/Email-from-Domain-SEO-Service-Registration/td-p/3143
