Phishing has been a major security concern for the Internet community, and particularly for registries and registrars. Phishing domains are of NO legitimate use and are harmful to the business and trust of any Top-Level Domain. This week some registrars were themselves fighting phishing attacks. Yesterday, Network Solutions (NSI), one of the largest domain registrars in the industry, reported that they too were encountering phishing attacks, some of which originated from a few .asia domains. Below is a screenshot of the phishing site.
The phishing domains reported by NSI were com21.asia, com42.asia, and com55.asia. According to the WHOIS record, the names were registered by someone in Russia through a registrar in China. Obviously the phisher wants the registrant ID and password in order to access the DNS record settings, or even to issue a domain transfer-away request as if they were the genuine user. Upon receiving the alert from NSI, DotAsia immediately issued an emergency security notice to the registrant and the registrar, and meanwhile the domains were suspended (put on "hold" status) so they could not be accessed. By responding quickly at the registry level, the damage can hopefully be contained.
The phisher played it smart, too. According to an industry expert:
They're (the phishers) scraping the actual login page and adding a "base" reference so their attack site can take the code they scraped from the NSI site and use it as-is on their site. The nasty thing is that if you enter data, it actually posts to the real NSI site - looks like it's using SSL too! What they're also doing at the same time is adding a clever JavaScript command to build a request for a source URL from the phishing site itself that executes "on submit" (onsubmit="return chk()"). That URL contains the user and password as parameters. There doesn't appear to actually be a script to accept that input, but...what they're doing is just using the web server's log function to capture the needed data as part of the URL request. Pretty slick and less overhead! Running that through port-redirecting bots to their content server also solves the problem of having to off-load those files / logs to a back-end server - it's done automatically, and you have one nice, fat, happy content server log file to easily parse for user/pass combos to use to log into the registrar website.
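One defensive consequence of the design the expert describes is that the cloned page still posts the form to the registrar's own login endpoint, so the registrar's access logs record login POSTs whose Referer names the phishing domain. The following is an added example, not code from this post, from the quoted expert or from NSI, that triages combined-format access logs for that pattern; the login path, host names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two POSTs referred from .asia clones, one genuine POST,
# one GET from a clone (not a credential submission) and one POST with no Referer.
SAMPLE_LOG = """\
198.51.100.4 - - [14/Feb/2008:09:12:01 +0000] "POST /login HTTP/1.1" 302 0 "https://www.registrar.example/login" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2008:09:12:44 +0000] "POST /login HTTP/1.1" 302 0 "http://com21.asia/login.htm" "Mozilla/4.0"
203.0.113.9 - - [14/Feb/2008:09:13:02 +0000] "GET /login HTTP/1.1" 200 5120 "http://com42.asia/" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2008:09:13:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.12 - - [14/Feb/2008:09:14:30 +0000] "POST /login?lang=en HTTP/1.1" 302 0 "http://com55.asia/Login.htm" "Mozilla/4.0"
""".splitlines()


def find_offsite_login_posts(lines, login_paths, own_hosts):
    """Return (src_ip, timestamp, referer_host) for every POST to a login path
    whose Referer names a host we do not own, i.e. a form submitted from a page
    served elsewhere. A missing or empty Referer is deliberately NOT flagged:
    browsers and proxies legitimately strip it, so its absence proves nothing."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] not in login_paths:
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            continue
        host = (urlsplit(ref).hostname or "").lower()
        if host and host not in own:
            hits.append((m["ip"], m["ts"], host))
    return hits


if __name__ == "__main__":
    for ip, ts, host in find_offsite_login_posts(SAMPLE_LOG, {"/login"}, {"www.registrar.example"}):
        print(f"{ts} login POST from {ip} referred by off-site host {host}")
```

Each flagged referer host is a candidate clone to report to the registry, and the source IPs show which victims' accounts may need a forced password reset.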
The other ongoing concern is that if the phisher moves the site to other IPs or domains (what the industry calls fast-flux hosting), it becomes even harder for any single entity to respond. Cross-registry and cross-ISP mechanisms at the global level, such as the APWG, are therefore definitely useful.
As a user, you may want to make sure your registrar offers a "domain lock" feature, meaning that besides the regular account ID and password, a separate access code is required to change DNS records or to request a domain transfer.