Scammers are leveraging the promise of customer feedback as part of a scheme to extort US $3 million from 5,000 major companies.
This newest ruse boils down to ICANN’s decision to create the .feedback top-level domain (TLD). Sure, companies can use the TLD to set up a website where they can invite users to comment on the services they provide. But that’s assuming they’re the first to register a .feedback domain for their brand.
To illustrate, take a look at the following image:
The above graphic is a screenshot of google.feedback. While the domain bears Google’s name, the Mountain View-based tech giant had nothing to do with setting up the website. It’s the work solely of scammers.
These individuals have registered .feedback domains for 5,000 major companies. Visitors to those websites can submit feedback that the victim companies can’t automatically view. Indeed, many businesses probably don’t know the sites even exist.
But in the event they do discover the .feedback domains, that doesn’t mean the companies don’t have a say in the matter. Tom Limoncelli of Everything Sysadmin clarifies that point:
“If they do discover it, they are given a choice: Pay $20/month to receive the feedback, or pay $600/year to take the web site down. Of course, there is a free option: Just let the site remain and suffer as people send their feedback and feel ignored.”
Assuming every company pays, the scammers would walk away with $3 million. That’s not bad considering it probably cost them at most $60,000 to register the domains at $10-$12 apiece.
But let me be clear: none of the companies should pay to have the sites taken down. Instead they should file separate complaints with the Internet Corporation for Assigned Names and Numbers (ICANN). If it receives a sufficient number of reports indicating abuse, ICANN might respond by disabling .feedback as a TLD.
That would probably be for the best.
Affected companies should also look to control the narrative by creating their own feedback channels hosted on their websites. Such a move wouldn’t prevent some users from looking up their misused .feedback domains. But it would communicate the companies’ willingness to receive and respond to users’ feedback.
Over time, these channels could ultimately overshadow the .feedback sites even if ICANN decides not to disable the TLD.
2 comments on “Feedback scammers attempting to extort millions from 5,000 major companies”
Graham – Would you advise companies to pre-register their "MyCompany.Feedback" domain name as a defensive measure? Or, should we wait and see what ICANN decides to do?
I wouldn't bank on ICANN actually doing anything. They've had their cut…
Though this looks more promising than they have been in a long time http://www.circleid.com/posts/icann_spam_offenders_knujon_report/