A Renovarix-branded domain renewal scam uses fake expiry warnings, public WHOIS details, and countdown timers to pressure victims into entering personal and payment information. The fraudulent flow sends users through multiple sites, including redirectors and checkout pages, while posing as a legitimate renewal service. #Renovarix #MalwarebytesBrowserGuard
Keypoints
- The scam starts with a fake domain renewal email that warns the recipient their domain is about to expire.
- Renovarix-branded pages display the victim’s domain name, registrar, and expiry date to appear legitimate.
- The site uses fabricated urgency, including countdown timers, low-price offers, and warning pop-ups.
- Clicking “Renew Now” does not renew anything; it redirects users through multiple websites instead.
- The scam collects personal information first and then requests payment details on a “Secure Checkout” page.
- The fraudulent pages are built from a recycled scam kit, as shown by leftover references to “HappyPrizes.”
- The article advises users to verify renewal only through their real registrar and to ignore urgent links in emails.
MITRE Techniques
- [T1566] Phishing – Fake domain renewal emails and professional-looking pages lure victims into clicking the renewal link (‘Renew now, it says, or your website and email could stop working.’).
- [T1583.001] Acquire Infrastructure: Domains – Multiple registered domains and redirectors host the scam flow (‘renovarix[.]org’, ‘xe54ghj[.]com’, ‘paysuccessful[.]site’).
- [T1204.001] User Execution: Malicious Link – Relies on the victim clicking the email link to start the scam process (‘Clicking Renew Now doesn’t renew your domain. Instead, it sends you through a chain of websites…’).
- [T1036] Masquerading – Pretends to be a legitimate renewal service with official-looking branding, lookup messages, and registry-style pages (‘The site, branded Renovarix, doesn’t renew domains.’).
- [T1104] Multi-Stage Channels – Funnels the victim through several pages before the payment request (‘a chain of websites that first collect your name… then eventually ask for payment details’).
- [T1119] Automated Collection – Pre-populates the victim’s details from data carried in the clicked link rather than asking for them (‘it can automatically populate your details from the link you clicked’).
Indicators of Compromise
- [Domain] Fake renewal and landing pages – renovarix[.]org, paysuccessful[.]site
- [Domain] Redirect infrastructure used in the scam flow – xe54ghj[.]com, molipy8trk[.]com
- [Domain] Final offer page – topprogressstores[.]online
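The keypoints and technique list above describe the flow as landing page, then redirectors, then a checkout page; the IoC list gives the hosts at each stage. The script below is an added example (not code from Malwarebytes or the article) that turns those domains into a matcher for web-proxy or email-link URLs and rebuilds the per-client chain so an analyst can see who went past the landing page. The log format and the log lines are constructed for the example; the matching treats any subdomain of an IoC domain as a hit, since redirectors are commonly served from arbitrary hostnames under the registered domain.

```python
"""Match URLs against the Renovarix IoC domains and rebuild each client's
path through the scam flow from proxy log lines.

Added example; the IoC list is from the article, everything else here
(log format, sample lines, function names) is an assumption."""
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Domains from the article's IoC section, kept defanged as published.
IOC_DOMAINS: Dict[str, str] = {
    "renovarix[.]org": "fake renewal / landing page",
    "paysuccessful[.]site": "checkout page",
    "xe54ghj[.]com": "redirector",
    "molipy8trk[.]com": "redirector",
    "topprogressstores[.]online": "final offer page",
}


def refang(value: str) -> str:
    """Turn defanged IoC notation ('[.]', 'hxxp') back into a matchable form."""
    return value.lower().replace("[.]", ".").replace("hxxp", "http")


def match_ioc(url: str) -> Optional[str]:
    """Return the IoC description if the URL's host is an IoC domain or a
    subdomain of it (www.renovarix.org counts, notrenovarix.org does not)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for defanged, description in IOC_DOMAINS.items():
        bad = refang(defanged)
        if host == bad or host.endswith("." + bad):
            return description
    return None


# Constructed sample proxy log (not from the article). Assumed format:
# "<ISO timestamp> <client IP> <URL> <HTTP status>", space separated.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.0.0.7 https://renovarix.org/renew?d=example.com 200
2024-05-02T09:14:31Z 10.0.0.7 https://xe54ghj.com/go?c=4412 302
2024-05-02T09:14:32Z 10.0.0.7 https://molipy8trk.com/track 302
2024-05-02T09:14:33Z 10.0.0.7 https://paysuccessful.site/secure-checkout 200
2024-05-02T09:15:10Z 10.0.0.9 https://www.example-registrar.example/renew 200
2024-05-02T09:16:45Z 10.0.0.9 https://cdn.topprogressstores.online/offer 200
"""


def parse_log(text: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (timestamp, client, url, status) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, client, url, status = line.split()
        yield timestamp, client, url, int(status)


def flag_hits(text: str) -> List[dict]:
    """Every log entry whose URL touches an IoC domain, with the stage name."""
    hits = []
    for timestamp, client, url, status in parse_log(text):
        description = match_ioc(url)
        if description:
            hits.append({"time": timestamp, "client": client, "url": url,
                         "status": status, "ioc": description})
    return hits


def redirect_chains(text: str) -> Dict[str, List[str]]:
    """Per client, the ordered IoC hosts visited. A client whose chain ends at
    the checkout host got as far as the payment form, which is the case that
    needs follow-up with the user."""
    chains: Dict[str, List[str]] = defaultdict(list)
    for hit in flag_hits(text):  # log order is assumed to be chronological
        chains[hit["client"]].append(urlparse(hit["url"]).hostname)
    return dict(chains)


if __name__ == "__main__":
    for hit in flag_hits(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["ioc"]:<28} {hit["url"]}')
    for client, chain in redirect_chains(SAMPLE_LOG).items():
        print(f"{client}: " + " -> ".join(chain))
```

Domain lists like this go stale as soon as the operators register new redirectors (T1583.001 in the table above), so treat the matcher as a first pass and pair it with content-level checks such as the leftover “HappyPrizes” string from the recycled kit when triaging pages that are not yet on the list.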