Namecheap harbours phishing websites

The hosting you choose is important. It is the foundation of your website and you need it to be fast, reliable, cost-effective and capable of dealing with issues quickly. Hosting companies that allow copyright infringement or do nothing when phishing sites are reported not only fail their duties under jurisdictional law, they also hurt the reputation of the websites they host via contagion and are most likely cutting even more corners in other ways you don’t see.

So here’s a case study from a client whose site was copied in its entirety and hosted at Namecheap under a similar URL. First here is the definition of Phishing: 

 

Phishing Definition 

A website that is copied in its entirety, including content and design is intended to confuse visitors into thinking they have landed on the legitimate website. The intention is to inject malicious code, ask for personal information or grab login details.  

Next, we have Namecheap’s Terms of Service (TOS), where the Accepted Use Policy clearly states that those who have a website undertake:

not to use Namecheap services to host any website, other content, links or advertisements of websites that: infringe any copyright, trademark, patent, trade secret, or other proprietary rights of any third party information; contain nudity, pornography or other content deemed adult related; profess hatred for particular social, ethnical, religious or other group; contain viruses, Trojan horses, worms, time bombs, corrupted files, or any other similar software or programs that may damage the operation of a computer or a person's property; contain warez; contain any kind of proxy server or other traffic relaying programs; promote money making schemes, multi-level marketing or similar activities; contain lottery, gambling, casino; contain torrent trackers, torrent Portals or similar software; violent or encouraging violence.

 

Source: Namecheap Terms of Service (TOS) 

So far so good. Most reputable web hosting companies will have this. Usually, when a site has been copied in its entirety, all that’s required is a quick email to the hosting company showing the site and providing the URL of the original, and the infringing site is quickly taken offline.

Namecheap have a process: 

 

Namecheap Takedown Process

Source: Namecheap

They appear to be sticklers, so that inspires confidence, right? I have a client who experienced just this issue with them. I have anonymized the data because of an NDA agreement but the communications between myself and Namecheap on the subject do not benefit from the same privilege. So, here’s what happened:

First Contact: I reached out to chat first on their website as this is something that might be really quick to resolve, especially since even a cursory look at the source code of the page of the website being hosted by Namecheap would have revealed that it had been copied from the [REDACTED] website:  

Namecheap Phishing Site Source Code

The first chat was pleasant enough: 

Namecheap Chat about Phishing Site

So on the basis of that first chat I went ahead and sent the same message as above to Legal and received the acknowledgement: 

Namecheap Acknowledgement Response

Now the reply to the Ticket I raised with legal came back a few hours later with the following message: 

Namecheap First Reply 

Notice that essentially it says the website is not owned by them (I never said it was) and they pretty much cannot do anything on the IP infringement issue (their TOS mean nothing). I did not see that message, however, as it went into a spam folder from which it wasn’t fished out until the saga was over.

So thinking that they were still processing everything I contacted them via chat again, nine hours later:

 

Namecheap Chat 2

The chats are pleasant enough. They are probably the worst paid and at the front line so taking it out on them is never the right thing to do. They were also the only ones who used their full name, not that it matters but it’s an additional oddity in a hosting company that is busy redefining “odd”.

Given that I basically had to threaten them with going public in order to get a response they now came back with this (and it was within the one hour limit promised): 

Namecheap Legal Message

Notice that the same message that had originally produced a “we don’t own the website, nothing much we can do” response (which I had still not seen at that moment) now gives us, via Ksenia, a “use our form and we will start the process” message. Obviously the informality of my first message was insufficient to produce a response. As a legal representative of Namecheap, Ksenia sent me to the part of their website where the format details resided, via a link which produced this:

Namecheap 404

 

So here’s what we have so far: 

  1. Namecheap chat did not know the process for a Takedown of an infringing website.
  2. Namecheap refused to do anything about it in the first instance.
  3. When challenged they responded with legalese and used a link to a form on their website that does not exist.

I got past that and sent in a message that dotted all the “I”s and crossed all the “T”s of a DMCA takedown. When you are playing a stalling game as a company, annoying those you correspond with does not help their patience. After more than a day had passed since the original message was sent to Namecheap, I contacted chat yet again:

Namecheap Chat 3

The promised response came within an hour (companies that respond only when threatened with public exposure should simply not be in business): 

Namecheap Legal Message 2

 

In the meantime the Namecheap Twitter support was busy redefining Phishing:

Namecheap Twitter Chat 1

Namecheap Twitter Chat 2

So, Phishing really is not what we think it is, and an entire website being copied is not enough evidence for a site Takedown. Namecheap are blazing new ground.

Within three more hours the owner of the domain name that had copied my client’s website had removed it all and placed the content of another site (also scraped) on the exact same domain! 

The reason I could tell is that the same scraped message citing source and the fact that it had been copied was in the source code of the home page. My message to Namecheap on that, via Twitter and also to their legal representative via email produced no response or result. Must have been the lack of form-filing and DMCA procedure again. 

Namecheap, throughout this process proved that:

  1. They did not know what they were doing
  2. They had zero interest in safeguarding anyone’s IP rights
  3. They had to be threatened to respond
  4. They had to be cajoled into taking action
  5. They were interested only in my stopping harassing them rather than their solving a persistent problem

As a hosting company Namecheap operates under the Electronic Communications and Transactions Act, 2002, which clearly states in section 75 that: 

(1) A service provider that provides a service that consists of the storage of data provided by a recipient of the service, is not liable for damages arising from data stored at the request of the recipient of the service, as long as the service provider—
(a) does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of a third party; or
(b) is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent; and
(c) upon receipt of a take-down notification referred to in section 77, acts expeditiously to remove or to disable access to the data.

Source: Electronic Communications and Transactions Act, 2002

Namecheap ought to go back to school. They violated all three edicts of the section and certainly did nothing themselves “expeditiously to remove or to disable access to the data”.

On its “About Us” page Namecheap certainly says the right things: 

The internet lives on computers and servers, but there's no net without people. People like you, people like us.

But Enron also stood for "Respect, Integrity, Communication and Excellence." When companies post on their websites things that should mean something and make them mean nothing, they steal a little bit of our humanity and hollow out a little bit of ourselves.

As a web hosting company, use them at your peril. If you have to deal with them for a DMCA or IP infringement case, they will give you the runaround because they are simply not interested. Right now, their behavior makes them a phishing site haven, and their website content makes them hypocrites, at best.
