Who’s Behind the DomainNetworks Snail Mail Scam? – Krebs on Security

DomainNetworks runs a snail-mail scam that dresses up as a bill for domain-related services to pressure recipients into paying for offerings that do not exist. The investigation traces a web of front entities, domain registrations, and aliases (including Sammy Sam Alon and UBSagency) used to obscure who is behind the operation. #DomainNetworks #USDomainAuthority #TheDomainsVault #UBSagency #SammySam_Alon #ShmuelOritAlon #EliranBenz #Houzz #WebListingsInc

Keypoints

  • The DomainNetworks mailer impersonates a bill for “marketing services” but is a deceptive tactic to obtain payment for services never ordered.
  • Domainnetworks.com lists addresses in Hendersonville, NC and Santa Fe, NM, but state records show little evidence of an active, legitimate business.
  • Better Business Bureau gives DomainNetworks an F rating and ties its history to a prior entity: US Domain Authority LLC.
  • Related domains (usdomainauthority.com, thedomainsvault.com) show privacy protection and limited verifiable information, with cross-links to UBSagency and other entities.
  • Investigation traces connections between UBSagency, Sam Alon, and other personas, including Gmail-based accounts used across multiple sites and a notable Houzz data breach.
  • Historical context links to WebListings Inc and a pattern of long-running snail-mail scams involving fake domain invoices and MLM-like networks.

MITRE Techniques

  • [T1036] Masquerading – The spoofed snail-mail bill is designed to appear legitimate. ‘these snail mail letters look like a bill for domain services’
  • [T1583] Acquire Infrastructure – Domain registrations and hosting (DomainNetworks, Domainnetworks.com, usdomainauthority.com, thedomainsvault.com) are used to project credibility. ‘Domainnetworks[.]com says it is a business with a post office box in Hendersonville, N.C., and another address in Santa Fe, N.M.’
  • [T1078] Valid Accounts – Use of shared credentials across multiple sites and exploitation of breaches (Houzz data breach exposing user IDs, passwords, and other details). ‘Houzz acknowledged that a data breach exposed account information, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.’

Indicators of Compromise

  • [Domain] Domain names – domainnetworks.com, usdomainauthority.com, thedomainsvault.com, unitedbusinessservice.com
  • [IP Address] 68.35.149.206 – Huntsville, Alabama origin associated with Houzz-related accounts
  • [Email] [email protected], [email protected], [email protected], [email protected]
  • [Account/Username] SammySam_Alon, Shmuel Orit Alon, Eliran Benz – personas linked to multiple registrations and social profiles

Read more: https://krebsonsecurity.com/2023/07/whos-behind-the-domainnetworks-snail-mail-scam/?replytocom=587051