Scammers attack website owners who are clients of one of the popular Russian registrars


According to F6, the attack targets clients of one of the popular Russian registrars. The attackers use Whois services to find domains whose registration expires in the near future.

In open sources, the scammers find contact details for domain name administrators and, posing as the real registrar, send an email saying that the renewal of the domain name registration must be paid for. The email contains a QR code for quick payment of 2190 rubles through a popular payment system. However, the payment does not go to the registrar; it is made as a transfer to a mobile phone number.

For the new wave of attacks, between March and July 2025 the scammers registered at least 6 domains in the .ru, .online and .org zones that contain the registrar's brand in various combinations with the words "payments", "domainpay", "paydomain" and "payonlinehost". The attackers also mask their resources: the payment link is available only on a specific page, and an attempt to open the main page of the phishing resource redirects to the official website of the registrar. F6 emphasized:

Potentially, hundreds of thousands of website owners may be among the recipients of such phishing emails. According to statistics, in the .ru zone alone, an average of more than 15 thousand domains are renewed daily.
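The naming pattern described above (registrar brand combined with a payment keyword in the .ru, .online or .org zone) can be checked on sender and link domains at a mail gateway. The following is an added example, not code from F6 or the registrar; `BRAND` and `OFFICIAL` are placeholders because the article does not name the registrar, and the sample host names are constructed.

```python
# Added example: flag lookalike payment domains of the kind described above.
# BRAND and OFFICIAL are placeholders; the article does not name the registrar.
BRAND = "exampleregistrar"            # hypothetical brand token
OFFICIAL = {"exampleregistrar.ru"}    # hypothetical legitimate domains
KEYWORDS = ("payments", "domainpay", "paydomain", "payonlinehost")  # from the article
ZONES = ("ru", "online", "org")       # zones named in the article


def registrable(host):
    """Return (label, zone) of the registrable domain, or None.

    Assumes single-label zones, which holds for .ru, .online and .org.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def classify(host):
    """Return 'official', 'suspicious' or 'unrelated' for a host name."""
    parsed = registrable(host)
    if parsed is None:
        return "unrelated"
    label, zone = parsed
    if f"{label}.{zone}" in OFFICIAL:
        return "official"
    squashed = label.replace("-", "")   # 'brand-payments' == 'brandpayments'
    has_brand = BRAND in squashed
    has_keyword = any(k in squashed for k in KEYWORDS)
    if has_brand and has_keyword and zone in ZONES:
        return "suspicious"
    return "unrelated"


# Constructed sample: sender or link domains pulled from inbound mail.
SAMPLE = [
    "exampleregistrar.ru",
    "www.exampleregistrar.ru",
    "exampleregistrar-payments.ru",
    "paydomain-exampleregistrar.online",
    "pay.EXAMPLEREGISTRAR-domainpay.org.",
    "payments.example.org",
    "exampleregistrar-blog.ru",
]

if __name__ == "__main__":
    for host in SAMPLE:
        print(f"{classify(host):10} {host}")
```

The check works on the domain name alone because, as described above, the main page of these resources redirects to the official site, so fetching the root of a suspect domain would not reveal the payment page.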