Is Network Solutions Crazy?
Inviting criminals to attack your customers is a Bad Idea
When I received this email a couple days ago, I was so sure it was phishing spam that I almost hit the delete key reflexively:
If you wanted to teach your kids (or your employees) what to watch out for in a “suspicious email,” this one could easily be the textbook example. It has most of the traits I have come to expect from phishing emails:
- over-the-top urgency;
- super-bad consequences for inaction;
- errors in grammar, punctuation, and capitalization;
- a demand that the reader click a link in the email;
- the lack of a secure way to respond to the request separately, by logging in to my account; and,
- no indication (name, account number, etc.) that the sender knows who I am.
Even though I was 99% sure that this was fake, domain names are serious business. If my company’s web site and email really were at risk, I felt I had a responsibility to double check. I did so via a quick Google search:
Apparently, enough people have experienced this email to move it to the top of the suggested searches. To my dismay, the top search result is a blog post from Network Solutions claiming that emails like the one I’ve received are, in fact, valid requests from them.
My first suspicion was that they had been hacked. After all, no reputable company would do this—right? However, it seems that Network Solutions actually is sending this monstrosity of an email. The second result in my search was an extremely helpful post from another customer in the same predicament, with a long history and many gory details. It is worth a read.
I took to Twitter, hoping that the company had changed their policy. Unfortunately, my exchange with @netsolcares seems to confirm that they still expect me to click the link:
Reputable companies have been trying to educate the public for decades about what’s safe to do online, and what isn’t. Clicking this type of link in an unsolicited email is not safe. Why is Network Solutions trying to undo all of that work? Even they know it isn’t safe! I really can’t imagine, but I hope they will eventually tell us.
Even worse, though, is the fact that Network Solutions has invited criminals around the world to attack their customers (including me). Implicit in their their blog post is the idea that I should trust this email. But how do they know they actually sent the email I’m asking about? There’s no way they can know for sure. Even so, they have made a blanket assurance (and threat) to their customers. Allow me to paraphrase:
All email that seems to be from Network Solutions is valid. Please click the link(s), just like the email requests. Otherwise, yes, we will indeed turn off your DNS.
Do they think we are total idiots? Anyone can now copy the text of this particular email, make a small change to the URL, and spam the world to lure people to a malicious site. How small a change?
The practice of using fake but similar-looking names is a well known phishing tactic. It was well known 19 years ago, when I worked for AOL—I registered the screen name “RawIings” in order to prevent people from impersonating me, appearing to be Rawlings. (This tactic did work, at least once. I was fortunate not to be the one impersonated, nor the one fooled.)
Even careful people can sometimes be fooled. Take this link, for example: HTTP://GOBBLEDEGOOK.NETWORKSOLUTlONS.COM/?ASDFETCETC
Did you notice the lower-case L in place of the capital I? With Medium’s serif fonts, the substitution is pretty obvious if you are watching for it. Here’s what this URL looks like pasted into Gmail:
Network Solutions does own that domain, by the way. Someone there clearly knows about this problem, but there are so many potentially confusing names that registering them all just isn’t feasible. Do you prefer netvorksolutions.com, networksollutions.com, netw0rksolutions.com, or networkso1utions.com?
I can’t remember the last time I was this angry at a vendor. Network Solutions clearly does not value the safety, security, and livelihood of their customers.
If they had apologized back in January and immediately secured their confirmation process, perhaps I could have believed that they were simply incompetent. I suppose I still hope they will send me a new email with a confirmation code, which I can then paste after logging in to my account. In the meantime they persist, obstinately compromising the security of their customers.
Unforgivable.
