China-Based Hacker Cloaking Popular Sites Exclusively With .XYZ Domains

Written by Brad Hayes:

Last week we reported on how Baseball-Reference.com was the victim of a website cloaking scam involving the much-discussed .XYZ domain extension. The scam works like this: the individual responsible simply registered Baseball-Reference.xyz, cloaked the site (serving the real site's content under the lookalike name), and presumably picked up traffic meant for the actual website.

Once a victim lands on Baseball-Reference.xyz and clicks on something, a malware warning pop-up appears telling them to call a toll-free number to remove the virus that has supposedly infected their computer. In reality this isn't necessarily malware at all, but a pop-up script that is difficult to stop even if you close the browser and reopen it (a browser that restores its previous session simply reloads the page). The scam is designed for novice computer users.

Since our report, Baseball-Reference.xyz has gone offline, and the site that triggered the pop-ups in the first place is down as well.

Interestingly, a single comment was left on our first story, taking issue with our complaint that too often these new domain extensions are used for scams rather than legitimate purposes. We have said in the past that if registrars and registries don't do more to stop this kind of behavior, it will hurt consumer trust and the eventual adoption of the new gTLDs. The commenter felt it was biased of us to report on this .XYZ story and not on scams involving other new gTLDs or .com domains.

First of all, we report on scammy behavior involving all domain extensions; see the articles linked here and here. Rest assured that we've exposed many other scams in the internet space.

Secondly, as for this individual's main gripe that we're unjustly attacking the .XYZ extension and judging it unfairly: maybe it deserves more criticism than most would think. We have serious concerns after looking more closely at the person behind this latest cloaking scam and how easily they appear to have built a scam business on 24 .XYZ domains.

It seems that the individual running the scam with Baseball-Reference.xyz is doing the same thing with a number of other sites, and every single one uses a .XYZ domain.

Here’s the entire list of sites below:

[Image: the list of .XYZ domains]

TVRage.com, a very popular website, is getting the .XYZ cloaking treatment as of today, 8/27/15.

[Screenshot: TVRage.xyz, the cloaked copy]

Here’s the actual TVRage.com website below:

[Screenshot: the real TVRage.com]

Other Sites Getting the .XYZ Domain Cloaking Treatment:

[Screenshot: LyricsBox.com]

LyricsBox.com is seen above; compare it with LyricsBox.xyz below:

[Screenshot: LyricsBox.xyz, the cloaked copy]

StockFreeImages.com below:

[Screenshot: StockFreeImages.com]

Compared to the .XYZ clone below:

[Screenshot: StockFreeImages.xyz, the cloaked copy]

AllForDIVX is being .XYZ cloaked as well:

[Screenshot: the AllForDIVX .XYZ clone]

LostFilm.xyz, cloaking Lostfilm.TV:

[Screenshot: LostFilm.xyz, the cloaked copy]

We Actually Called the Toll-Free Number Connected to the Scam:

[Screenshot: the pop-up showing the toll-free number]

We had to find out what would happen once we called, right? It turns out that the individuals behind the scam are registering mostly image, torrent, lyric and media related domains, which gives them a plausible story for how "malware" got onto the victim's computer in the first place. When you speak with the phone support rep, who is based in India, they ask whether your computer is under warranty. If it is not, they charge anywhere from $50 to $150 to "remove the malware".

If your computer is under warranty, they tell you to turn it off for 30 minutes and then restart it, after which the pop-ups should no longer be running.

Websites that flood a browser with pop-up after pop-up can usually be defeated without paying anyone. Disconnecting from the internet (for example, switching off your Wi-Fi) and then closing the tab helps when each new window has to load fresh content from the scam site, since nothing further can be fetched. It does not help when the loop is driven by a script that has already been downloaded, because that script keeps running inside the browser with no connection at all. In that case, force-quit the browser (Task Manager on Windows, Force Quit on a Mac), decline to restore the previous session when it reopens, and, if the browser offers it, tick the option to prevent the page from creating additional dialogs.

We looked up the whois record for the domain listed alongside the toll-free number we called to speak with "Troy" in India. It is registered to a Sahil Kathuria of Faridabad, India.

[Screenshot: whois record for the domain tied to the toll-free number]

It's hard to say who is actually behind this: the alleged scammer based in China who registered all of the .XYZ domains in the first place, or Sahil in India, who owns the domain associated with the phone number of the "tech company" that will stop the pop-ups for a fee. It's entirely possible that Sahil made up the registrant name and contact details on all of the .XYZ domains.

Honestly, we may never know, and to be candid, investigating that side of the story further, with people based outside the USA, isn't going to be a good use of time. Our primary concern was simply alerting consumers to this scam.

What might be a better use of our time is to ask the .XYZ registry, the registrars allowing this type of registration, and ICANN specifically what they're going to do about it. While some of these .XYZ domains are generic in nature, there's certainly no reason why anyone should have been able to register YouTube-MP3.XYZ or some of the others.
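The kind of cross-TLD check a registry, registrar or brand owner could run over new registrations to catch exactly this pattern, as an added example that is not the article's or the .XYZ registry's own tooling: it indexes the brands named in this story by their registrable label, collapses separators so that `lyrics-box` matches `lyricsbox`, and flags any newly seen name that reuses a protected label under a different TLD. The feed of observed registrations is constructed for the example, the brands' real TLDs are the ones the story gives, and the domain splitting assumes single-label TLDs (.com, .xyz, .tv); production code should consult the Public Suffix List instead.

```python
"""Flag newly registered domains that reuse a protected brand's label under another TLD.

Added example for this article; not the registry's, a registrar's, or the author's tooling.
"""
from __future__ import annotations

import re

# Brands from the article whose real domain the story gives (constructed sample list).
PROTECTED_DOMAINS = [
    "baseball-reference.com",
    "tvrage.com",
    "lyricsbox.com",
    "stockfreeimages.com",
    "lostfilm.tv",
]

# Constructed stand-in for a zone-file diff or a newly-registered-domains feed.
OBSERVED_DOMAINS = [
    "baseball-reference.xyz",
    "TVRage.xyz",               # case must not matter
    "lyrics-box.xyz",           # separator variant of lyricsbox.com
    "lostfilm.xyz",
    "www.stockfreeimages.xyz",  # subdomain labels are dropped before matching
    "tvrage.com",               # the brand's own registration: must not be flagged
    "example.xyz",              # unrelated name: no hit
    "bad domain",               # malformed feed entry: skipped, not fatal
]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld), e.g. 'www.TVRage.xyz.' -> ('tvrage', 'xyz').

    Assumption: single-label TLDs. Real tooling should consult the Public
    Suffix List so that names like example.co.uk are split correctly.
    """
    name = domain.strip().lower().rstrip(".")
    if "." not in name or not re.fullmatch(r"[a-z0-9.-]+", name):
        raise ValueError(f"not a plain ASCII domain: {domain!r}")
    rest, _, tld = name.rpartition(".")
    label = rest.rpartition(".")[2]  # keep only the label directly under the TLD
    return label, tld


def skeleton(label: str) -> str:
    """Collapse a label to its alphanumeric skeleton: 'lyrics-box' -> 'lyricsbox'."""
    return re.sub(r"[^a-z0-9]", "", label)


def find_cross_tld_lookalikes(
    protected: list[str], observed: list[str]
) -> list[tuple[str, str, str]]:
    """Return sorted (observed_name, protected_domain, reason) tuples for every hit."""
    index: dict[str, list[tuple[str, str]]] = {}
    for p in protected:
        label, tld = split_domain(p)
        index.setdefault(skeleton(label), []).append((label, tld))

    hits = []
    for o in observed:
        try:
            label, tld = split_domain(o)
        except ValueError:
            continue  # malformed feed entry; a real pipeline would log it
        name = o.strip().lower().rstrip(".")
        for plabel, ptld in index.get(skeleton(label), []):
            if label == plabel and tld == ptld:
                continue  # the brand's own domain
            if label == plabel:
                reason = "same label, different TLD"
            else:
                reason = "separator variant"
            hits.append((name, f"{plabel}.{ptld}", reason))
    return sorted(hits)


if __name__ == "__main__":
    for name, brand, reason in find_cross_tld_lookalikes(PROTECTED_DOMAINS, OBSERVED_DOMAINS):
        print(f"{name:28} looks like {brand:24} ({reason})")
```

Run against the constructed feed, the script flags the five lookalikes and leaves tvrage.com and example.xyz alone. The skeleton match is deliberately narrow (it catches hyphen and separator games, not character substitutions like rn for m); a registry-side check would also want edit-distance and homoglyph rules, but even this much would have caught every domain named in this story at registration time.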

We've said it numerous times now, and we will continue to say it: if the domain industry does not start taking better steps to prevent this type of new gTLD fraud, more and more consumers will get burned, and as a result mass user adoption will never happen.

Anyone from those organizations is welcome to comment on this, or they can email us directly here at DNSR to comment officially.

UPDATE: We received an email from the .XYZ registry letting us know that it has suspended the 23 remaining domains associated with this fraud. The sites were suspended within 90 minutes of our story posting.