Published on June 25, 2026
Fake Domain Renewal Emails Used to Harvest Personal and Payment Information
Severity
Medium
Detail
Researchers have identified a phishing scam targeting website owners through fraudulent domain renewal notifications. The campaign uses emails claiming that a recipient’s domain name is about to expire and warns that failure to renew could result in website and email service disruption.
The emails direct recipients to a website branded as Renovarix, which presents itself as a domain renewal service. The site displays information about the target’s domain and creates a sense of urgency to convince victims to proceed through a fake renewal process. Instead of renewing domains, the operation is designed to collect personal information and payment details.
How?
The scam begins with an email that claims a domain name is approaching its expiration date and requires immediate renewal. While some messages are basic in appearance, others use professional branding, reference numbers, and business addresses to appear legitimate. In several observed cases, the emails were sent from ordinary Gmail accounts despite claiming to represent a professional company.
When a recipient clicks the embedded link, they are redirected to a website that performs what appears to be a live domain lookup. The page displays information such as the domain name, registrar, and expiration date while presenting messages indicating that registry records are being retrieved. Although some information may originate from publicly available WHOIS or RDAP records, other displayed details, such as a “Registry ID,” are generated locally within the victim’s browser to create the appearance of legitimacy.
The website then applies multiple pressure tactics. Victims are shown warnings that their domain will expire within a few days regardless of the actual expiration date. Additional countdown timers advertise limited-time renewal pricing and pop-up messages warn users that their domain is at risk if they leave the page.
Selecting the renewal option does not initiate a legitimate domain renewal process. Instead, victims are redirected through affiliate marketing links to pages requesting personal information, including names, addresses, telephone numbers, and email addresses. Additional pages subsequently request payment information. Some versions of the scam display fake renewal confirmations and fabricated transaction details despite no actual renewal taking place.
Impact
The primary objective of the campaign is the collection of personal information and payment card details. Victims who submit their information may be exposed to future fraudulent activity, including follow-up scams conducted through email or telephone contact.
Individuals who provide payment card information may be at risk of unauthorized transactions. The article notes that scammers may conduct small test transactions before attempting larger fraudulent charges.
Recommendation
Organizations and website owners should avoid clicking links contained in unsolicited domain renewal emails. Domain renewal status should always be verified directly through the registrar’s official website by using trusted bookmarks or manually entering the registrar’s address.
Recipients should verify the sender of any renewal notice and treat emails originating from free email services or unknown providers as suspicious. Urgent warnings, countdown timers and limited-time offers should be viewed as indicators of potential fraud rather than reasons to act immediately.
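One way to automate the checks recommended above, as an added example that is not part of the original advisory: it parses a constructed renewal notice and a constructed RDAP record (RFC 9083 shape) and flags a free-mail sender, links outside the registrar's domain, urgency wording, and a claimed expiry that disagrees with the registry. The free-mail list, `registrar.example`, the sample data and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed, not exhaustive
URGENCY = re.compile(r"\b(immediately|final notice|act now|expires? (?:in|within))\b", re.I)
NOW = datetime(2026, 6, 25, tzinfo=timezone.utc)  # constructed receipt time

# Constructed RDAP domain object (RFC 9083 shape), as fetched from the registry.
RDAP = {"ldhName": "example.com",
        "events": [{"eventAction": "expiration", "eventDate": "2027-03-14T00:00:00Z"}]}

# Constructed renewal notice modelled on the lures described above.
EMAIL = """\
From: "Domain Services Dept" <renewals.desk@gmail.com>
Subject: Final notice: example.com expires in 3 days

Your domain example.com expires in 3 days. Renew immediately:
https://renewal-notice.example/renew?d=example.com
"""

def rdap_expiry(rdap):
    """Return the expiration event of an RDAP domain object as an aware datetime."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def triage(raw, rdap, registrar_hosts, now=NOW):
    """List the advisory's warning signs found in one renewal notice."""
    msg = message_from_string(raw)
    text = f"{msg['Subject']} {msg.get_payload()}"
    findings = []
    if parseaddr(msg["From"])[1].rpartition("@")[2].lower() in FREEMAIL:
        findings.append("freemail-sender")
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    trusted = lambda h: any(h == r or h.endswith("." + r) for r in registrar_hosts)
    if any(h and not trusted(h) for h in hosts):
        findings.append("link-not-registrar")
    if URGENCY.search(text):
        findings.append("urgency-language")
    claim = re.search(r"expires? (?:in|within) (\d+) days?", text, re.I)
    expiry = rdap_expiry(rdap)
    # Flag a claimed expiry more than a week away from the registry record.
    if claim and expiry and abs(expiry - now - timedelta(days=int(claim.group(1)))) > timedelta(days=7):
        findings.append("expiry-mismatch")
    return findings
```

Calling `triage(EMAIL, RDAP, {"registrar.example"})` on the sample returns all four findings; in practice the RDAP object would be fetched for the domain named in the notice and `registrar_hosts` set to the registrar's own domains.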
Individuals who have submitted personal information should remain alert for follow-up scams and avoid trusting unsolicited communications referencing their domain registration or renewal activity. Those who have entered payment card details should enable transaction alerts, closely monitor account activity, and contact their bank or card issuer immediately to discuss protective measures, including possible card replacement.
Conclusion
This phishing campaign demonstrates how threat actors exploit concerns about domain expiration to collect personal and financial information. By combining publicly available domain registration data with convincing branding, fabricated urgency, and fake renewal processes, the scammers create a credible-looking experience designed to deceive website owners into disclosing sensitive information. Organizations and individuals should verify all renewal requests directly with their registrar and remain cautious of unsolicited renewal notices.
Indicator of Compromise (IOC)
- renovarix[.]org — fake domain renewal page
- xe54ghj[.]com — redirector
- paysuccessful[.]site — personal-data capture page
- molipy8trk[.]com — redirector
- topprogressstores[.]online — final offer landing
Source
