First Email
On 16th January 2001, I received the following email via The Clear Evidence Contact Form:
From: Davis Wang <[email protected]>
Sent: Saturday, January 16, 2021 9:07 AM
To: The Clear Evidence
Subject: theclearevidence
Dear Manager,
(Please forward this to your CEO, because this is urgent. Thanks!)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On January 11, 2021, we received an application from Shanghong Holdings Ltd requested “theclearevidence” as their internet keyword and China (CN) domain names( theclearevidence.cn/ theclearevidence.com.cn/ theclearevidence.net.cn/ theclearevidence.org.cn).After checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, we send email to you and confirm whether your company have relations with this Chinese company or not?
Kind regards
Davis
—————————–
Mr.Davis Wang | Services & Operating Manager
TLDsCHINA | Headquarters | http://www [.] tldschina [.] com
8008, Tianan Building, No. 1399 Jinqiao Road, Shanghai 200120, China
T: 0086-134-8281-9147 | Tel: 0086-21-6191-8696 | Fax: 0086-21-6191-8697
———————————————————————————————————-
This email contains privileged and confidential information intended for the addressee only. If you are not the intended recipient, please destroy this email and inform the sender immediately. We appreciate you respecting the confidentiality of this information by not disclosing or using the information in this email.
—-
This message has been scanned for viruses and dangerous content, and is believed to be clean.
https://www.avg.com
Initial Cyber Security Analysis
I was obviously suspicious of this email, so I checked the following:
Domain Name Request
The name “theclearevidence” is not something a Chinese company or business would need.
SSL Certificate
The URL of this Chinese domain registrar (http://tldschina.com/) did not have an SSL certificate.
Domain Requestor
I searched for “Shanghong Holdings Ltd” but couldn’t find it on Google. It’s a Chinese company, though, so maybe it’s listed on Baidu or some other Chinese search engine.
Email Sender
I searched for Davis Wang on LinkedIn; there were many search results, but I couldn’t find him.
Email Content
The email content looked fine, but I was not aware of the term “registration of internet keyword”.
My Response to the First Email
After doing this brief security analysis, I replied to the email:
From: The Clear Evidence
Date: 2021-01-22 21:53
To: ‘Davis Wang’
Subject: RE: theclearevidence
Hi Davis
Thanks for your msg. We do not have any relations with the mentioned company in China.
The Clear Evidence
Second Email
On 25th January 2001, I received the following email:
From: Karla Ouyang <[email protected]>
Sent: Monday, January 25, 2021 3:45 PM
To: The Clear Evidence
Subject: theclearevidence
To whom it concerns,
We will register the China domain names “theclearevidence.cn”
“theclearevidence.com.cn” “theclearevidence.net.cn” “theclearevidence.org.cn” and internet keyword “theclearevidence” and have submitted our application. We are waiting for Mr.Davis Wang approval and think these CN domains and internet keyword are very important for our business. Even though Mr.Davis Wang advises us to change another name, we will persist in this name.
Best Regards
Karla Ouyang
My Response to the Second Email
The email is from a Gmail address. I couldn’t find “Karla Ouyang” on LinkedIn. The English used in the email doesn’t seem to be from a local Chinese company and there was again an emphasis on the term “internet keyword”. I did not reply to this email.
Third Email
On 27th January 2001, I received the following email:
From: [email protected] <[email protected]>
Sent: Wednesday, January 27, 2021 10:18 AM
To: The Clear Evidence
Cc: theclearevidence.org
Subject: Re: RE: theclearevidence
##- Please feedback your further request, we are trying to close this case. Thanks.-##
Dear Manager,
We have already advised them to choose another name, but they insist on this name as China domain names ( theclearevidence.cn/ theclearevidence.com.cn/ theclearevidence.net.cn/ theclearevidence.org.cn) and internet keyword. In our opinion, maybe they do the similar business as your company then register it to promote his company.
As is known to all, domain name registration based on the international
principle is opened to company and individual. Any company or individual have the right to register any domain name and internet keyword which are unregistered. Your company haven’t registered this name as China domains and internet keyword, so anyone is able to obtain them by registration. But in order to avoid this conflict, the trademark or original name owner have priority to register China domain name and internet keyword during our review period. If your company is the original owner of this name and wants to register these China domain names ( theclearevidence.cn/ theclearevidence.com.cn/
theclearevidence.net.cn/ theclearevidence.org.cn) and internet keyword to prevent anybody from using them, we can send you an application form with price list to help your company register these China domains and internet keyword during our review period.
Kind regards
Davis
Detailed Cyber Security Analysis
Now that the word “price” has been used, money is involved, so this requires a detailed cyber security analysis:
Emails Content Analysis
There are formatting, grammatical and logical mistakes in the emails, like:
- “domain names( theclearevidence.cn” – misplaced space
- “theclearevidence.org.cn).After checking” – space missing
- “Mr.Davis Wang” – No one refers to himself as “Mr.” in his email signature
- “http://www [.] tldschina [.] com” – Companies make it easy for the users (potential customers) to reach their website, they do not try to hide it from the search engines and email scanning software.
- “8008, Tianan Building, No. 1399 Jinqiao Road, Shanghai 200120, China” – Not available on Google Maps
- “This message has been scanned for viruses and dangerous content, and is believed to be clean. https://www.avg.com” – Big companies do not use the free version of AVG Antivirus to scan their emails.
- “To whom it concerns” – “may” is missing
- “we will persist in this name” – it should be “with” instead of “in”
- “promote his company” – it should be “their”
- Other grammatical mistakes…
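Because the same template is sent to many recipients, several of the indicators noted in this analysis can be checked mechanically at a mail gateway or in a shared mailbox. The following is an added example, not part of the original analysis: the indicator names, the regular expressions and the sample messages (placeholder names and addresses) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators come from the analysis above; the regexes are this example's assumptions.
BODY_INDICATORS = {
    "internet_keyword": re.compile(r"internet\s+keyword", re.I),
    "escalate_to_ceo": re.compile(r"forward\s+this\s+to\s+your\s+CEO", re.I),
    "defanged_url": re.compile(r"\w\s*\[\.\]\s*\w"),
    "payment_hook": re.compile(r"price\s+list|application\s+form", re.I),
}
CN_NAME = re.compile(r"\b([a-z0-9-]+)((?:\.(?:com|net|org))?\.cn)\b", re.I)
FREEMAIL = {"gmail.com"}  # the second email came from a Gmail address


def triage(raw: str) -> list:
    """Return the sorted names of the indicators a raw (headers + body) message matches."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = {name for name, rx in BODY_INDICATORS.items() if rx.search(body)}
    # The same name offered under three or more .cn suffixes in one message.
    suffixes = {}
    for name, suffix in CN_NAME.findall(body):
        suffixes.setdefault(name.lower(), set()).add(suffix.lower())
    if any(len(s) >= 3 for s in suffixes.values()):
        hits.add("cn_domain_bundle")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in FREEMAIL:
        hits.add("freemail_sender")
    return sorted(hits)


# Constructed sample messages (placeholder names and addresses, not the real emails).
FIRST = ("From: Sample Registrar <manager@registrar.example>\nSubject: examplecorp\n\n"
         "(Please forward this to your CEO, because this is urgent.)\n"
         "A company requested \"examplecorp\" as their internet keyword and CN domain names"
         "( examplecorp.cn/ examplecorp.com.cn/ examplecorp.net.cn/ examplecorp.org.cn).\n"
         "http://www [.] registrar [.] example\n")
APPLICANT = ("From: Sample Applicant <constructed-sample-address@gmail.com>\n\n"
             "We will register \"examplecorp.cn\" \"examplecorp.com.cn\" "
             "\"examplecorp.net.cn\" and internet keyword \"examplecorp\".\n")
FOLLOWUP = ("From: manager@registrar.example\n\n"
            "We can send you an application form with price list.\n")
RENEWAL = ("From: billing@registrar.example\n\n"
           "Your domain examplecorp.com renews next month.\n")

if __name__ == "__main__":
    for label, raw in [("first", FIRST), ("applicant", APPLICANT),
                       ("followup", FOLLOWUP), ("renewal", RENEWAL)]:
        print(label, triage(raw))
```

A single hit such as `payment_hook` is weak on its own; the combination of the `.cn` bundle, the “internet keyword” phrase and a defanged or freemail sender is what marks this template.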
Domain Name Registrar Website Analysis
- As stated previously, http://tldschina.com/ is missing an SSL certificate.
- Outdated design of the website.
- Being a Chinese domain name registrar, the website should open by default in the Chinese language, but it opens in the English language.
- The link to the Chinese version of the website doesn’t work, thus the people who developed this website and sent the above emails are not Chinese.
- The website is hosted in the USA, thus it cannot be a Chinese company.
- There is no option to signup for an account.
- “Submit a ticket” and “Sign In” pages have the same form.
- “Shopping Cart” link keeps on loading.
- Some of the images used on the website have western people instead of Chinese people.
- The minimum time period for domain registration is 10 years, whereas normally it’s 1 month to 1 year.
- Very expensive email and hosting solutions thus no current market know-how.
- As per their website, their servers are based in Hong Kong, which also doesn’t seem likely if it’s a Chinese company.
- None of the social media links given on the website works.
- The URL slugs are very unprofessional; the website seems to have been developed by a student.
- The content of the website has been copied from other valid domain name registrars in China.
- Similar Websites:
Conclusion
This is a Phishing Attack and it’s not from China.
Google Search
Search Term: “TLDsCHINA”
- Spam Scam Watch: Domain scam spammers continue
- Scam to register asian domain names
- Scam Alert: Beware Of Chinese Domain Emails | Bruceb Consulting
- Domain Name Registration Spam – Scam
- 104.149.156.114 | Psychz Networks | AbuseIPDB
Search Term: “8008, Tianan Building, No. 1399 Jinqiao Road, Shanghai 200120, China”
- Confirm: About freebsd Registration
- Domain registration scam in China | Joe Wein’s blog
- Parasites Domain blackmailing – an extreme shame for the Peoples Republic of China
- YGCHINA – China Top Level Domain Registrar
- Re: Confirm: About freebsd Registration
- [FreeBSD-users-jp 96652] freebsd
- No 1399 Jinqiao Road
- WHO?::?? WHO THISE? NOW? WHATS GING ON?
Search Term: “0086-21-6191-8696”
- Scam ?? | The Combine Forum
- “www.asianetwork.net” – it is a Fake CN and ASIA Domain Name Registration Website
- Spam e-mail? | Bugs | Pinside.com
- Confirm: About consumerblitz Registration | Consumer Blitz
- COLEMAN KESTIN & SMITH: China’s Internet Domain Services “Hijacks” US Company Names to Force them to sign with .CN
- freebsd-ports – Confirm: About freebsd Registration
- Betrug mit meinem guten Namen: Domain-Registrierung in China? – Henning Uhle
Search Term: “0086-21-6191-8697”
Search Term: “internet keyword”
- Is $140 a Reasonable Price for Buying an “Internet Keyword?” (Don’t Fall For This Scam!) | by Irina Tsumarava — Digital Consulting | Medium
- Internet keyword scam – WebCoast Web Development Sunshine Coast
- “Internet Keywords” – What is it and How do you get one? – Webmaster General forum at WebmasterWorld – By Pubcon
- They want to take my Internet Keyword | Annoying stuff I figured out (or am trying to)
- Did you get the Scam email? | BusinessBlogs Hub
- The Chinese ‘Internet Keyword Scam’ – OxGadgets
It seems this scam / fraud has been happening since 2006. It indicates that they must be earning good money.
Jibran says
Thank you for posting your analysis. We received similar email and decided to research TLDS and then came across your post. It confirms our suspicion that they are trying to defraud us.
Thank you
Nauman Khan says
Assalamualikum Jibran
Glad that it was helpful for you, thanks for your comment.
G says
This Mr.Allen Wang sent me a mail yesterday, then Karla sent me a mail today. Decided to google her email and found your website. I thought it was strange someone from a company would send me an email that sounded like a threat just because they wanted to register a name on the internet.
Anyway, thanks for the warning.
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
Tim says
I received the same thing yesterday (10 March 2021) and having Ecosia’d Karla came across your analysis, which is great.
Thanks so much for checking all that out and the info.
Is the best thing just to ignore the emails?
Cheers,
Tim
Nauman Khan says
Hi Tim
Glad that it was helpful for you, thanks for your comment.
You can also report these emails to your email service provider and the URL to their websites to your ISP. This will help in protecting more people, thanks.
Ahmad Saai says
Thank you for posting your analysis, I got same and ignore it,
but the best to share that also
Regards
Ahmad
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
Juergen Siebert says
Thanks for sharing your research. That helped me a lot.
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
Ricky Y. says
This Mr. Wong also sent me a mail today:
Please forward this to your CEO, because this is urgent. Thanks!
We have a very powerful system that this kind of email is going not open only we see the sender and what the subject is.
What a stupid guy. hhahahahahahhahahahaha
But thank you for sharing.
Kind regards,
Ricky Y.
Founder/Chief Executive Officer
Nauman Khan says
Thanks for your comment.
Alexander Fred says
Hello,
I would like to thank you for this post. I received identical messages and Googled the individual “Karla Ouyang,” and this was one of the first results to pop up. This is not even a clever scam as they’re using identical, templated messages to scam businesses. Keep up the good work. We appreciate you doing these deep digs and articles.
Cheers!
Alexander Fred
Marketing and User Success Manager
Concert Archives (www.concertarchives.org)
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
Bill Varon says
Today I received the same message from Mr Young Wang. I started my research and came across your site, which provided me with all the information I needed. Thank you for your work and guidance.
Bill Varon
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
John says
We received the same email and suspected as much. Thanks for the post, it helped us quickly confirm our suspicion without spending a lot of time on it.
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
ChrisJ says
We received a nearly identical email today. Thank you for making this post, it verified my suspicion.
Nauman Khan says
Glad that it was helpful for you, thanks for your comment.
Smead says
Received same email from Clark Lee and Karla Ouyang today. It didn’t immediately strike me that this is a fraud, at least not until the third email. I myself living in China have never heard of “buying internet keywords”, but there do exist some domain name copyright disputes so I was easily tricked into their trap. I’m really concerned if they might have registered some sort of trademark and could sue me for infringement, landing me with a hefty compensation fee, as many cases I’ve seen in China, which makes me extremely cautious. But on the bright side, I searched for Karla Ouyang and came here. Your thorough analysis helped me realize that it was totally a scam, and I shouldn’t have paid much attention to it. I must thank you for this insightful post.
Alex says
I’ve received these same email from them. Agreed to receive the application form (with pricing). I’m 100% sure this is scam, but very curious how this plays out 🙂 Will try to not forget and update you.
Geoff says
I have also received a similar email. See the attached image. Be aware that if you get a similar email it is a scam.
Iain Stirling says
And I had a similar one from Anthony Liu today.
Rgds,
Iain
Katajiro says
We received the same types of emails in the past and today. Thank you for your post. Now I’m 100% sure that the emails are a scam.