Watch out for scareware emails from "1-grid" about losing your Domain

hongkongpom

For the second time I have received an email saying that they are 1-grid and that I have not renewed my Domain. I need to do it immediately or I will lose my Domain. I would love to know how they get this information. Is it leaked by 1-grid employees?
Have forwarded the email to 1-grid support.
 
@hongkongpom

Please see thread below which provides possible insight

We're seeing one of many active campaigns being sent by other hosts to our clients.

I see that there is a notice posted on their network status page about similar - perhaps let them know of these additional emails

 
Hi,

We want to address recent reports that some of our clients have received phishing emails, particularly about their domain renewals.

Rest assured, no data from our systems has been leaked or compromised. These phishing attempts are the result of scammers misusing publicly accessible domain ownership information.

While these fraudulent emails appear to come from legitimate sources, they are scams designed to steal sensitive information or payments.

What to Look For:

Phishing emails typically mimic the format and branding of legitimate domain registrars and include malicious links that redirect to fake payment pages. The modus operandi is to urge recipients to pay and renew their domains immediately to avoid suspension or expiration.

How to Identify a Phishing Email:
  1. Check if the sender’s domain matches our official domain. If not, it’s likely a phishing attempt.
  2. Be cautious of emails that create urgency or fear (e.g., “Your domain will be suspended today!”).
  3. Hover over links without clicking to inspect the URL. Official domain renewal links always come from our verified domain.
  4. Avoid clicking on links or downloading attachments from suspicious emails.
  5. Verify renewal requests by logging into your account through our official website (www.1grid.co.za) or our customer zone (1-grid.com/client).
If you are ever unsure, please contact our support team for clarification. We’re happy to help.

We take the security of your domains and information very seriously. While these phishing attempts are external and unrelated to our systems, we continuously monitor and implement measures to help protect our clients from such threats.

Stay alert. Stay safe online.

Kind regards,
The 1-grid Team
 
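The checklist in the post above (sender domain, link targets, urgency wording, verify only via the official site) can be applied mechanically before anyone clicks. The script below is an added example written for this thread, not code from 1-grid; it takes the two official domains named in the post (1grid.co.za and 1-grid.com), runs a constructed sample message through those checks and reports what fires. The sender and link hosts in the sample are invented placeholders, not real infrastructure, and the urgency phrase list is an assumption based on the wording the post quotes.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains the post names as official (www.1grid.co.za and 1-grid.com/client).
OFFICIAL_DOMAINS = ("1grid.co.za", "1-grid.com")

# Pressure phrases of the kind the post warns about (constructed list, an assumption).
URGENCY_PHRASES = ("suspended today", "immediately", "will lose your domain",
                   "final notice", "within 24 hours")

# Constructed sample, modelled on the renewal scam described in the thread.
# Sender and link hosts are invented placeholders.
SAMPLE_EMAIL = """\
From: 1-grid Billing <billing@1grid-renewals.example>
Reply-To: support@1grid-renewals.example
To: registrant@example.org
Subject: Your domain will be suspended today!
Content-Type: text/html

<p>Hi,</p>
<p>Your domain has not been renewed. Pay immediately or you will lose your domain.</p>
<p><a href="https://1-grid.com.secure-renew.example/pay?d=example.org">Renew now</a></p>
<p>Manage your domain at <a href="https://1-grid.com/client">our customer zone</a>.</p>
"""

# Constructed benign counterpart: official sender, official link, no pressure wording.
LEGIT_EMAIL = """\
From: 1-grid Billing <noreply@1-grid.com>
To: registrant@example.org
Subject: Domain renewal reminder
Content-Type: text/plain

Hi,
Your domain renewal is due next month. Log in at https://1-grid.com/client to review it.
"""


def host_is_official(host, official=OFFICIAL_DOMAINS):
    """True only if host is an official domain or a subdomain of one.
    Requiring a dot before the official suffix stops look-alikes such as
    1-grid.com.secure-renew.example from passing."""
    host = host.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in official)


def address_domain(header_value):
    """Domain part of an address header such as 'Name <user@host>' ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def extract_links(body):
    """Collect href targets and bare URLs from the body, de-duplicated, in order."""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I)
    bare = re.findall(r'https?://[^\s"\'<>]+', body)
    return list(dict.fromkeys(hrefs + bare))


def triage_email(raw):
    """Return a list of findings; an empty list means no checklist item fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Checklist item 1: sender (and Reply-To, which is where a reply would go).
    for header in ("From", "Reply-To"):
        dom = address_domain(msg.get(header))
        if dom and not host_is_official(dom):
            findings.append(f"{header} domain {dom} is not an official domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Checklist item 3: every link must resolve to the verified domain.
    for url in extract_links(text):
        host = urlparse(url).hostname or ""
        if not host_is_official(host):
            findings.append(f"link points at {host}, not an official domain: {url}")

    # Checklist item 2: manufactured urgency in subject or body.
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
    print("legit sample findings:", triage_email(LEGIT_EMAIL))
```

Run as-is it flags the sample on all three counts (both address headers, the look-alike payment link, and the pressure wording) and returns nothing for the benign message. A real legitimate mail can still fail the urgency check, so treat findings as prompts to verify through the customer zone rather than as a verdict.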
I find it concerning that Registry.net.za’s WHOIS lookup for domain names does not display registrant email addresses, as this information is redacted under the Protection of Personal Information (POPI) Act. However, 1Grid has stated that individuals are using "publicly accessible domain ownership information" to contact registrants.

Could you clarify where such "publicly accessible domain ownership information" can be accessed? Specifically, where can one locate the registrant's email address for any domain when this information is explicitly redacted under the POPI Act?

Referring to "legitimate sources" as the source seems to oversimplify the matter and raises questions about whether data may have been exposed through unauthorised means. Based on my understanding, obtaining registrant email addresses for .co.za domains would only be possible through improper channels, such as data brokers selling stolen information or unauthorized access to databases.

If the registry itself no longer discloses this information, how could the general public legitimately obtain registrant email addresses? I would appreciate clarification on how this aligns with data protection laws.

Additionally, this issue appears more significant than isolated cases of random emails. I have personally received communications regarding domains I own on email addresses that were only ever used as registrant information for these domains. These domains were registered after the POPI Act came into effect, ruling out the possibility of pre-POPI registry archives being the source.

This matter raises serious concerns about data security, and further insight into how these communications are being facilitated would be greatly appreciated.
 
While the registrant's email addresses are redacted under the POPI Act and are not accessible via Registry.net.za’s WHOIS lookup, other information, such as the registration status of a domain, remains publicly available. When we refer to “public information,” this includes information registrants voluntarily provide on their websites, such as contact forms or administrative contact emails. This means that scammers can identify domains that are actively registered and use automated tools or "guessing" techniques to craft phishing attempts.

Here’s how this often works:
1. Guessing Email Addresses
Phishers often guess standard email addresses associated with domains, such as [email protected] or [email protected]. These are widely used for domain registration or administrative purposes.

2. Catch-All Accounts
If a domain has a catch-all email configuration, where any email sent to any address on the domain is delivered, the chances of scammers reaching the registrant increase.

3. Social Engineering and Similar Techniques
Phishers sometimes pair domain registration status with other information publicly available about a business or individual to enhance the credibility of their messages.

It’s important to emphasise that no data has been exposed by our systems. The phishing emails reported are not a result of data leakage but rather of common tactics employed by cybercriminals using publicly accessible or easily guessed information.
 
Thank you for your detailed response to my concerns regarding the recent phishing attempts. However, I believe there is a conflict between your initial and subsequent statements that requires clarification.

In your first response, you stated:

“No data from our systems has been leaked or compromised. These phishing attempts are the result of scammers misusing publicly accessible domain ownership information.”
In your follow-up, you emphasized:

“The phishing emails reported are not a result of data leakage but rather of common tactics employed by cybercriminals using publicly accessible or easily guessed information.”
Here’s where the inconsistency arises:

  • None of the registrant email addresses associated with my domains are tied to the same domains I've been mailed about. (They aren't @ the same domain they contacted me regarding.)
  • Despite this, the phishing emails I’ve received specifically target the correct registrant email address for each corresponding domain. This pattern cannot be explained by guesswork, automated tools, or generic phishing techniques.
Additionally:

  • None of my registrant addresses use common aliases like admin@ or info@, which are often guessed by scammers.
  • Some phishing emails were sent to ProtonMail accounts, which are highly secure with second passwords and 2FA tokens only I have access to, making unauthorized access extremely unlikely. (Unless you are claiming they hacked every single mailbox they contact, which is highly unlikely.)
The only logical conclusion is that the scammers have access to a record of which email address is associated with each domain. This strongly suggests that the registrant email information has been exposed in some form, even if inadvertently.

While I appreciate your assurance that your systems have not been compromised, the precise targeting of registrant email addresses contradicts the notion that this is purely due to publicly accessible or guessed information.

I look forward to your thoughts on this matter, as it’s crucial to understand how these emails are being so accurately directed.
 
Out of interest, was there any identifiable information contained within the phishing emails that you received, ie first name, address etc?

Of all the emails that we have analyzed, the emails start with Hi, and no name or Dear [email protected] and the only link between contents and the email is the domain that it is being sent to.

The domains themselves vary: some are registered externally, some not; some use our name servers and others not.

We were able to track down a possible link where sites like hackertarget were obtaining lists of domains linked to authoritative DNS servers, but this has since been removed; however, the data that was already obtained prior to removal may still be getting used to send out emails.

Sites like etc.co.za may be a source of data as they list similar data on them

We have seen similar emails from multiple hosting providers so this is not isolated to @1-grid_Hosting

Update: it appears that it's the same scammers behind the fake courier company pending parcel scams.
 
You can ignore those.

If you get one that says that your webcam was hacked and that someone has videos of you fapping, then rather pay the bitcoin as requested.
 