Namecheap vulnerability they refuse to fix: no 2FA on support portal login(crimew.gay)
crimew.gay
Namecheap vulnerability they refuse to fix: no 2FA on support portal login
https://crimew.gay/notice/AMxFUTYtsMNtzbDzQu
98 comments
Do you have some more supporting evidence for this, without me having to waltz into a blackhat forum? I'm not trying to be the "citation needed" guy, but as someone who regularly reports internet abuse to blacklists (and is sick of all the attacks that "neutral" places like Cloudflare send to my sites), I'd like to know more.
I've seen your previous 2020 HN submission on this about Namecheap hosting the domains used in SMS scams: https://news.ycombinator.com/item?id=24231307
I've seen your previous 2020 HN submission on this about Namecheap hosting the domains used in SMS scams: https://news.ycombinator.com/item?id=24231307
> 2020: UK National Cyber Security Centre: Figure 1 shows that NameCheap became the most popular host of UK government-themed phishing during 2020. By December 2020 we found that it hosted in excess of 60% of phishing in this category.
https://shkspr.mobi/blog/2021/05/why-do-scammers-love-namech...
https://www.ncsc.gov.uk/files/Active-Cyber-Defence-ACD-The-F...
> 2017: As of today around 38% of the domains reported to us since we began recording on 8/23/17 are sponsored by NameCheap INC. These domains are allowed to continue to scam consumers long after they are reported. An example of this is “ecojetexpress.us” which has been reported repeatedly by both petscams.com and victims who have lost money. When victims of this scam filed an abuse report NameCheap did not “take reasonable and prompt steps to investigate”. Instead they forwarded the abuse report with the victims information to the criminal. 5 months later, ecojetexpress.us was still online scamming new victims.
https://petscams.com/news/namecheap-hurting-internet/
> Facebook sues Namecheap to unmask hackers who registered malicious domains. The social networking giant claims that Namecheap has refused to cooperate in an investigation into a series of malicious domains that have been registered through its service and which impersonated the Facebook brand.
> Some of the sample domains included the likes of instagrambusinesshelp.com, facebo0k-login.com, and whatsappdownload.site.
> Dubois said lookalike domains like these -- which abuse the Facebook brand -- are often used for phishing, fraud, and scams.
https://www.zdnet.com/article/facebook-sues-namecheap-to-unm...
https://shkspr.mobi/blog/2021/05/why-do-scammers-love-namech...
https://www.ncsc.gov.uk/files/Active-Cyber-Defence-ACD-The-F...
> 2017: As of today around 38% of the domains reported to us since we began recording on 8/23/17 are sponsored by NameCheap INC. These domains are allowed to continue to scam consumers long after they are reported. An example of this is “ecojetexpress.us” which has been reported repeatedly by both petscams.com and victims who have lost money. When victims of this scam filed an abuse report NameCheap did not “take reasonable and prompt steps to investigate”. Instead they forwarded the abuse report with the victims information to the criminal. 5 months later, ecojetexpress.us was still online scamming new victims.
https://petscams.com/news/namecheap-hurting-internet/
> Facebook sues Namecheap to unmask hackers who registered malicious domains. The social networking giant claims that Namecheap has refused to cooperate in an investigation into a series of malicious domains that have been registered through its service and which impersonated the Facebook brand.
> Some of the sample domains included the likes of instagrambusinesshelp.com, facebo0k-login.com, and whatsappdownload.site.
> Dubois said lookalike domains like these -- which abuse the Facebook brand -- are often used for phishing, fraud, and scams.
https://www.zdnet.com/article/facebook-sues-namecheap-to-unm...
Wow, thank you very much for this. I honestly wasn't aware of any of it.
And double-Wow on that first PDF published by GCHQ. (Pages 8 and 9 are specifically their data on Namecheap as the #1 phishing threat, for anyone else wanting to read it). That's astonishingly bad performance from Namecheap. The data in that PDF is very useful with my own anti-botnet research. I bet the GCHQ data will be persuasive if I do bring this up with politicians considering removing the Safe Harbour provisions for hosts.
And double-Wow on that first PDF published by GCHQ. (Pages 8 and 9 are specifically their data on Namecheap as the #1 phishing threat, for anyone else wanting to read it). That's astonishingly bad performance from Namecheap. The data in that PDF is very useful with my own anti-botnet research. I bet the GCHQ data will be persuasive if I do bring this up with politicians considering removing the Safe Harbour provisions for hosts.
Then again you can create heuristics that block suspicious domains registered at NameCheap, silver lining or something.
I really wish the effort put into curtailing piracy went into curtailing spam and phishing instead. Would be actually beneficial to society.
I really wish the effort put into curtailing piracy went into curtailing spam and phishing instead. Would be actually beneficial to society.
> couldn't care less
They are usually praised for how fast they take down phishing domains though
They are usually praised for how fast they take down phishing domains though
They'll take down a single domain and pretend to not know how to take down the other 300 registered on the same user's account.
The argument that NameCheap (and its supporters) provide is that this is a good thing that makes them stay because NameCheap shouldn't be policing domains or some other free speech nonsense ignoring that this is pure facilitation of crime. Ignoring that this is blatantly violating their own T&Cs and the ICANN guidelines.
The argument that NameCheap (and its supporters) provide is that this is a good thing that makes them stay because NameCheap shouldn't be policing domains or some other free speech nonsense ignoring that this is pure facilitation of crime. Ignoring that this is blatantly violating their own T&Cs and the ICANN guidelines.
So they actually do care, huh.
No, the argument is it's either this "free speech nonsense" or gestapo filtration like the Apple's/Google's app review process, where the big company is the judge and the jury, and I prefer the former.
No, the argument is it's either this "free speech nonsense" or gestapo filtration like the Apple's/Google's app review process, where the big company is the judge and the jury, and I prefer the former.
Ah yes the nazi hammer.
Not my experience. I tried their abuse email address, their abuse report form and I even made an account to contact support, but did not even receive a reply. Over 30 websites are still up. But to be fair, the websites are about selling certain pills and not about phishing.
Not in my experience either. I received phishing (physical) mail [1] pointing me to a domain that was registered with namecheap. I reported it to them in March, I followed up a few months later, and I still see the website operating today, with no response from namecheap.
The domain is even listed on the USPTO site as a scam operation [2], yet no action has been taken yet.
[1] Looks like this: https://www.uspto.gov/sites/default/files/documents/WTP%20Tr...
[2] https://www.uspto.gov/trademarks/protect/caution-misleading-...
The domain is even listed on the USPTO site as a scam operation [2], yet no action has been taken yet.
[1] Looks like this: https://www.uspto.gov/sites/default/files/documents/WTP%20Tr...
[2] https://www.uspto.gov/trademarks/protect/caution-misleading-...
[deleted]
Not OP of this post, just came across it. I'm a heavy namecheap user, and will continue to use them, but this did make me a little concerned. From the post:
> so, setting up 2fa on namecheap prevents anyone from just logging into your account if your credentials get leaked or stolen. great, they can't just manage your domains. HOWEVER, the namecheap support portal (at http://support.namecheap.com) uses the same credentials for login BUT it never asks for 2fa. if you get leaked credentials you can just sign in to the support portal. because of how badly designed it is you can even change the support email for the account with no confirmation and no info being sent out to the old email.
> how is that a big deal?
> well, you can just open domain transfer tickets from the support portal and hijack domains anyways, you can probably even pretend to not understand how anything works and ask them to change dns for you, etc...
> so, setting up 2fa on namecheap prevents anyone from just logging into your account if your credentials get leaked or stolen. great, they can't just manage your domains. HOWEVER, the namecheap support portal (at http://support.namecheap.com) uses the same credentials for login BUT it never asks for 2fa. if you get leaked credentials you can just sign in to the support portal. because of how badly designed it is you can even change the support email for the account with no confirmation and no info being sent out to the old email.
> how is that a big deal?
> well, you can just open domain transfer tickets from the support portal and hijack domains anyways, you can probably even pretend to not understand how anything works and ask them to change dns for you, etc...
I only used support once many many years ago and was asked for a one time support code from the main account. So I never worried about the lack of 2factor. But now I worry…
Namecheap's support pages seem to be a completely different system to their main site. I've sometimes been unable to log into the support page even though I can get into the main site fine, and contacting support about it got nowhere. Maybe the support is outsourced?
In my experience, the support people ask for a PIN which you can only see by logging in to the main site with 2FA, so while this problem is not great, I don't think it's as bad as this article suggests.
In my experience, the support people ask for a PIN which you can only see by logging in to the main site with 2FA, so while this problem is not great, I don't think it's as bad as this article suggests.
At my company, our support portal isn’t run by the software engineering team, but by a different department. The integration is limited and doesn’t support 2FA. Changing this is very much not a priority, because we don’t want to be responsible and the point of contact for a dozen more services.
Why is NameCheap getting thrown under the bus across the board?
I've used them for 10+ years without issue. In fact, it's been stellar.
Sure, the interface is a little outdated. But does anyone honestly spend any amount of time there, other than pointing the nameservers to Cloudflare? After that, I rarely ever even log in.
I've used them for 10+ years without issue. In fact, it's been stellar.
Sure, the interface is a little outdated. But does anyone honestly spend any amount of time there, other than pointing the nameservers to Cloudflare? After that, I rarely ever even log in.
I moved away from Namecheap because they threaten to deactivate one of my domains within 24 hours after receiving a fabricated abuse complaint from a reputation management company. I saw from my logs that Namecheap did not even visit the page in question. I couldn't trust Namecheap after that and moved to Porkbun. I can't say with any certainty Porkbun would handle that situation any better. But I like the fact that if they try to pull some Google-esque automated ban, I can drive to their HQ.
Why not just buy the domains directly from cloudflare then?
To avoid the "all eggs in one basket" issue with companies that have arbitrary rules and little to no support, on purpose. Same reason I don't use Stripe or Shopify or SendGrid.
I’ve had excellent experience with support from Cloudflare, Stripe, and I don’t recall ever having issues with SendGrid over the 3+ years I used them.
Cloudflare's domain management has sadly also had some questionable actions/decisions.
0: https://news.ycombinator.com/item?id=31573854
1: https://community.cloudflare.com/t/domain-not-working-after-...
0: https://news.ycombinator.com/item?id=31573854
1: https://community.cloudflare.com/t/domain-not-working-after-...
I have over 20 domains with cloudflare. I have been transferring all my domains to cloudflare one by one over the years and now I am worried about getting randomly flagged like this.
Does anyone know if cloudflare has provided any justification?
Are we at HN's mercy to publically shame them to get them to fix this if it's happens to us?
Does anyone know if cloudflare has provided any justification?
Are we at HN's mercy to publically shame them to get them to fix this if it's happens to us?
There's a limited number of TLDs available on CloudFlare.
[deleted]
>> Why is NameCheap getting thrown under the bus across the board?
from https://en.wikipedia.org/wiki/Namecheap
'In February 2022, Namecheap announced that they would terminate services to Russian accounts due to the Russian invasion of Ukraine, citing "war crimes and human rights violations". Existing users were given a one-week grace period to move their domains. The company also announced that it would be offering free anonymous domain registration and web hosting to all protest and anti-war websites in Russia or Belarus. Namecheap at the same time said it had over 1,000 employees located in Ukraine, comprising most of its support staff, mostly in Kharkiv (which was a major location of fighting).'
from https://en.wikipedia.org/wiki/Namecheap
'In February 2022, Namecheap announced that they would terminate services to Russian accounts due to the Russian invasion of Ukraine, citing "war crimes and human rights violations". Existing users were given a one-week grace period to move their domains. The company also announced that it would be offering free anonymous domain registration and web hosting to all protest and anti-war websites in Russia or Belarus. Namecheap at the same time said it had over 1,000 employees located in Ukraine, comprising most of its support staff, mostly in Kharkiv (which was a major location of fighting).'
Yes, I'm aware of the war going on, and that it affects politics and economics, and therefore, valuable lives. But the complaint originated with the lack of 2FA, and then went straight under the bus for completely unrelated items.
2FA is a certainly a useful layer to add, but also not the be-all-and-end-all of account security.
There isn't a list of 1) secure trustworthy companies because of 2FA, and 2) everyone else is untrustworthy and dangerous. Wells Fargo doesn't even require 2FA.
2FA is a certainly a useful layer to add, but also not the be-all-and-end-all of account security.
There isn't a list of 1) secure trustworthy companies because of 2FA, and 2) everyone else is untrustworthy and dangerous. Wells Fargo doesn't even require 2FA.
Are you using Wells Fargo as an example of a trustworthy company? They're one of the scummiest large companies I know of.
https://en.m.wikipedia.org/wiki/Wells_Fargo_account_fraud_sc...
https://en.m.wikipedia.org/wiki/Wells_Fargo_account_fraud_sc...
My Chase account does not require 2FA for my car payment login. Thats a more reputable example.
From your comment above I assumed that you were saying that Namecheap was being criticized in other recent threads.
In which way does it cause them to be thrown under the bus in Western countries?
Don't western sanctions effectively FORCE namecheap to do this?
If the lives of 1 000 employees are threatened by a third party I think it's quite reasonable for a company not to continue offer its services to monetary supporters of this third party. Seems like a good business decision regardless of any sanctions.
I once had a domain at Namecheap show "Ownership change pending approval" to another username with a cancel link beside it and I recognized the username as someone who made offers before out of band. Never got an email or saw any kind of notification, and I've been in the game 25 years and know those extremely long domain transfer emails and read them carefully. Started transferring domains away after that.
What alternative host would you recommend?
I can heartily recommend https://inwx.com - they have exceptionally good support.
Porkbun and Cloudflare are the best and cheap
I’m quite happy with Glauca [1], they’re not quite as cheap but their DNS stuff is pretty good and they are friendly and helpful. Only downside is their website being a bit slow sometimes.
[1] https://glauca.digital
[1] https://glauca.digital
fdcba(1)
When switching away from DreamHost, I researched different domain registrars. I chose to try Namecheap and Dynadot, so I sent half of my domains to Namecheap, and the other half to Dynadot.
After the transfer lock peroid, I moved my domains from Namecheap to Dynadot. The prices were pretty much the same, but the interface was better, and Dynadot also passes on "name tasting" to the user (users can request a refund if they change their mind after buying a domain name).
I've also sinced used Dynadot's customer service one time, and it was good.
My only gripe with Dynadot is at the login screen: I set up 2FA, and they call it a "Google code", when you can use any other 2FA manager besides Google.
After the transfer lock peroid, I moved my domains from Namecheap to Dynadot. The prices were pretty much the same, but the interface was better, and Dynadot also passes on "name tasting" to the user (users can request a refund if they change their mind after buying a domain name).
I've also sinced used Dynadot's customer service one time, and it was good.
My only gripe with Dynadot is at the login screen: I set up 2FA, and they call it a "Google code", when you can use any other 2FA manager besides Google.
> When switching away from DreamHost
Out of curiosity, was there any particular reason you switched away from Dreamhost?
Out of curiosity, was there any particular reason you switched away from Dreamhost?
Their domain name prices are higher, and I feel like their might have been something else, but I don't remember. I still have shared hosting with them because I haven't bothered to shop around on that yet (I have more domain names than sites I host).
Thanks for the response. I have been a Dreamhost customer for about 20 years and have never had a significant problem with them. I don't find their domain name prices to be an issue, but I might be less price sensitive about that than others.
That's a pretty common problem. Nintendo also does this.
Their email service - Private Email - (which is otherwise pretty decent) also has a similar issue where they support 2FA and application passwords for the web interface, but don't enforce those rules via the IMAP/SMTP/POP/etc APIs - https://twitter.com/symbioquine/status/1362907237048479745
I’m really glad I migrated off Namecheap. Was a long time customer but when they had that massive dnssec outage and their support had no idea what it was doing, that was the last straw for me. I moved everything over to google (I know I know) and haven’t had a single second of downtime. Would love ideas for better alternatives, preferably privacy oriented.
I’ve been using gandi.net for years. They seem to care about playing by the rules and supporting privacy if their supported projects is anything to go by: https://www.gandi.net/en-US/gandi-supports
+1 for gandi.net's reputation. 10y straght of good service
> dnssec outage
DNSSEC signing happens at the nameservers run by the registry (verisign for .com, for example). Unless it was an issue with their API servers not properly calling the upstream APIs, I don't think namecheap is to blame here.
I personally think namecheap is dangerously close to being the next Godaddy, but I wouldn't hold DNSSEC issues against Namecheap any other registrar.
DNSSEC signing happens at the nameservers run by the registry (verisign for .com, for example). Unless it was an issue with their API servers not properly calling the upstream APIs, I don't think namecheap is to blame here.
I personally think namecheap is dangerously close to being the next Godaddy, but I wouldn't hold DNSSEC issues against Namecheap any other registrar.
It’s been a while but I recall it was a Namecheap issue.
https://ianix.com/pub/dnssec-outages/20190221-namecheap/
https://ianix.com/pub/dnssec-outages/20190221-namecheap/
While this incident is certainly concerning a bigger question is which registrars can properly ward off attempts at social-engineering and other account access fraud and not sweep it under the rug. Even seemingly well intentioned companies utilize plain-text email for customer communication which is not exactly reassuring either.
MarkMonitor used to be a thing. Trusted by big companies but even the act of attempting to get information about their services has been met with difficulty. Regardless they have been acquired by an investment firm and there has been some concerns of quality-of-service because of that.
MarkMonitor used to be a thing. Trusted by big companies but even the act of attempting to get information about their services has been met with difficulty. Regardless they have been acquired by an investment firm and there has been some concerns of quality-of-service because of that.
I really don't understand why people are still using this amateur site. Please don't give money to these idiots when they have better alternatives.
What are some of your favorite alternatives?
Porkbun has always been pretty solid. They support 2FA with TOTP and HOTP, the support is no bullshit email support that's reasonably fast, and the prices are quite low too.
Not affiliated, just a happy customer paying about $500 a year for a bunch of domains at Porkbun.
Not affiliated, just a happy customer paying about $500 a year for a bunch of domains at Porkbun.
Thanks!
I was able to remove 2FA on one account without them verifying I'm the owner properly.
So what is a good registrar that works with lego to do dns acme?
Your paying for a more premium service but DNSimple take security and service fairly seriously.
www.dnsimple.com
Including recently. “Secure your account with WebAuthn & FIDO2 security keys.”
You do need a subscription though: “A DNSimple subscription is required to register, transfer, or renew domain names. Domain registration, transfer, and renewal fees are not included in your subscription.“
That said I’m still currently a namecheap supporter, their backing for an open internet over the years has built my broader confidence in them, but I agree they need to be investing in pinging improvement especially when it comes to security practices.
www.dnsimple.com
Including recently. “Secure your account with WebAuthn & FIDO2 security keys.”
You do need a subscription though: “A DNSimple subscription is required to register, transfer, or renew domain names. Domain registration, transfer, and renewal fees are not included in your subscription.“
That said I’m still currently a namecheap supporter, their backing for an open internet over the years has built my broader confidence in them, but I agree they need to be investing in pinging improvement especially when it comes to security practices.
fwiw, namecheap also supports FIDO2.
Next to Godaddy, Namecheap is one to avoid ! Ive actually had my dns settings lost ! And their response 'sorry.... blah blah'
[deleted]
If the CTO or CEO or whatever C-level comes on here to do damage control every now and then tries to disagree (probably citing how big their $3/hour Eastern European legal team is) keep in mind it's all PR junk and the proof is in the pudding. It's been years -- no action, no change. Just more scams.