Phishing-like emails from MediaTemple

I registered a new domain name at MediaTemple.net a week ago, and shortly afterwards, received a suspicious-looking email from sales@secureserver.net that looked like this:

Screen Shot 2014-05-21 at 5.07.05 PM

I immediately assumed it was a phishing attempt (and not a great one, since they didn’t even have MediaTemple branding, colors, logos) and spammed it. I even hovered over the “Verify” link, and it led to a securepaynet.net address — haha, yeah right.

I began to worry that someone was scanning new domain registrations and emailing all new domain owners, and that MediaTemple customers were being targeted. Since it’s a grid system, I don’t want other customers on a resource-shared system to be compromised by a botnet or something, and to take my own servers down. So I reported it to the 24hr support chat, and was assured:

Benjamin Pettersen (Tue, 5/6/2014 03:35:38 pm) – Our Abuse team will look into this report ASAP, thank you for letting us know.

I also emailed legal@mediatemple.net on Benjamin’s recommendation, forwarding the excerpted email and asking them to look into it. I received back this alarming note:

Abuse Team <abuse@mediatemple.net>
May 7

to Jeffrey 
The link is valid and not a phishing email. 

Michael M
Abuse Engineer | (mt) Media Temple
Office: 877.578.4000 | Mobile: 310.936.2418
www.mediatemple.com 
@mediatemple

Whoa! I called to confirm, and was told by Eric that indeed, such emails are sent “by ICANN” and have been sent because of a partnership with ICANN to meet new regulations they put in place as of January 1st. GoDaddy and other domain registrars have to do something similar.

Now, MediaTemple has a Knowledge Base article about this, which displays the email and says:

If your domain was registered on or after February 17, 2014, you will see the following message, sent from “sales@secureserver.net.”

However, no warning or notice from MediaTemple is sent before the email arrives, so it’s up to the customer to dig this article out — not to mention that the link in the email goes to the even more suspicious securepaynet.net. By the way — if you go to securepaynet.net, you see this:

Screen Shot 2014-05-21 at 5.19.37 PM

Nice, MediaTemple. https://www.securepay.com does not inspire much more confidence that I’m not being scammed.

I’m a longtime MT customer and have always been super happy with and dedicated to their services. But if they’re making it a policy of encouraging customers to click on mysterious links with no prior proof that they’re actually from MT, then they’re encouraging people to be victims of phishing attacks.

Worse yet, that they have dismissed my concerns three times and assured me that this way of doing things was “vetted by their legal team” and their security team — well, that’s really concerning. I’m not only concerned as a MT customer, but was just trying to be a good samaritan and report a possible oversight.

A solution would be pretty straightforward. An email — or a notice at the moment you register a domain — clearly explaining that you’ll be receiving the verification email from a 3rd party address, which will link to a securepay.net address, would be confidence inspiring. A real solution would be making the email come directly from an @mediatemple.net address.

This shouldn’t be a big deal to fix. Please, MediaTemple! Get serious about it!