A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

  UNDERSTANDING DOMAIN NAME RULES

Topics below: Domain Name Rules, Domain Name Tricks, Defense, The Limits of Defense, Real life domain name scams, Final Exam

Fake websites are an extremely common scam. To identify the fakes, you need to understand these rules for domain names.

Some domain names are: google.com, columbia.edu, irs.gov and, for this website, DefensiveComputingChecklist.com. Many scam website names look legit to someone who does not know the rules. And there are lots of rules; scams target people who don't know them.

  THE RULES

  DOMAIN NAME TRICKS

Bad guys abuse everything there is to abuse, when it comes to domain names.

  DEFENSE

The best defense comes from looking up who actually owns a domain.

Companies that register domains are called "Registrars" and they are required to make information about domains public. This database is referred to as "Whois" and, in the Whois system, the domain owner is referred to as the "Registrant." Some Registrars offering a Whois lookup are: Namecheap, Gandi, pair Domains, eNom and Tucows Domains. DomainTools also offers a Whois lookup.

If an honest company owns the domain, you should see the company name listed as the Registrant. Scammers will hide their name behind one of many different services that exist just for this purpose. That said, a domain owner may not want their contact information public. If you look up this domain (DefensiveComputingChecklist.com) for example, you will not find my home address. While people may want to hide, legitimate companies have no reason to do so. Note that this cloaking is not perfect; law enforcement can always knock on the door of a registrar to see who paid for a domain.

Someone I know needed the Whois system to see if they were being scammed. They use TD Bank whose website is tdbank.com. But they got a text message that claimed to be from the bank, telling them to go to td.com. Is td.com really TD Bank or is it a scam? Whois to the rescue :-)

Another thing to look for in the Whois report is the date that the domain was first registered. Scam domains tend to be new; legitimate domains tend to be old. A domain registered in the last few days is pretty much guaranteed to be a scam. Other useful information provided by Whois is a technical contact, an administrative contact, the name of the Registrar and, for techies, the authoritative DNS servers.
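As an added example (not part of the original page), here is a small Python script that applies the two Whois checks just described, the age of the domain and whether the Registrant is hidden, to Whois text. The two Whois records it reads are constructed placeholders, not real lookups, and the "Key: Value" field names are an assumption about the layout most registrars print; a real run would feed in the output of a whois tool instead.

```python
from datetime import datetime, timezone

# Two CONSTRUCTED Whois responses in the "Key: Value" layout most registrars
# print. Neither is a real lookup result; the domains are placeholders.
SAMPLE_WHOIS_SCAM = """\
Domain Name: BANK-LOGIN-SUPPORT06A.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2022-11-19T14:03:00Z
Updated Date: 2022-11-19T14:03:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Proxy Service (constructed)
Admin Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

SAMPLE_WHOIS_LEGIT = """\
Domain Name: EXAMPLE-BANK.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 1996-03-04T00:00:00Z
Registrant Organization: Example Bank Holdings, Inc.
Admin Email: hostmaster@example-bank.example
Name Server: NS1.EXAMPLE-BANK.EXAMPLE
"""

# Words that usually mean the Registrant is hiding behind a proxy service.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "withheld")

# Fixed "today" so the age arithmetic is reproducible (the page's last update).
AS_OF = datetime(2022, 11, 22, tzinfo=timezone.utc)


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; repeated keys become lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def assess_whois(text, now=AS_OF, max_age_days=30):
    """Apply the article's checks: how old is the domain, and who owns it?"""
    f = parse_whois(text)
    findings = []
    created = None
    if "creation date" in f:
        created = datetime.fromisoformat(f["creation date"][0].replace("Z", "+00:00"))
        age_days = (now - created).days
        if age_days <= max_age_days:
            findings.append(f"registered only {age_days} days ago")
    else:
        findings.append("no creation date shown")
    registrant = " ".join(f.get("registrant organization", []) + f.get("registrant name", [])).lower()
    if not registrant or any(m in registrant for m in PRIVACY_MARKERS):
        findings.append("registrant hidden behind a privacy service")
    return {
        "domain": f.get("domain name", ["?"])[0].lower(),
        "registrar": f.get("registrar", ["?"])[0],
        "created": created,
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WHOIS_SCAM, SAMPLE_WHOIS_LEGIT):
        r = assess_whois(sample)
        print(r["domain"], "->", "SUSPICIOUS" if r["suspicious"] else "looks established", r["findings"])
```

The 30-day threshold is an arbitrary choice; the article's point is that a domain created days before a message arrived is a near-certain scam, while a named company and a creation date years in the past are what an honest owner looks like.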

Another defense is a search engine. Searching for the company or software you want should turn up the real website rather than a scam site. That said, be careful of ads. Bad guys often purchase ads that show up above the search results as a way to lure victims to their scam websites.

  THE LIMITS OF DEFENSE

Sometimes, bad things happen on good domains.

This August 2022 story by Brian Krebs, PayPal Phishing Scam Uses Invoices Sent Via PayPal, tells how a compromised or fraudulent PayPal Business account was used by bad guys to send emails and invoices that could not look any more realistic. The scam emails were actually being sent by PayPal. The scam invoices that the emails linked to were hosted on the real PayPal website. Yet they were fraudulent. The scam part of the emails was the phone number to call to dispute the phony charge in the phony invoice. In one case, the only tip-off to the scam was when the bad guys tried to install remote control software on the victim's computer.

This August 2021 article (Phishing campaign uses UPS.com XSS vuln to distribute malware) by Lawrence Abrams of Bleeping Computer describes a phishing email that pretends to be from UPS, the package delivery company. The malicious link in the email message points to the real ups.com website. The link abuses a bug in the website to download a malicious Word document.

  REAL LIFE DOMAIN NAME SCAMS

November 2022: In this article, How social media scammers buy time to steal your 2FA codes, Paul Ducklin dissects a scam targeting Facebook users. Part of the scam involves domain names in the format facebook-help-nnnnnn. The bad guys claimed that the digits nnnnnn were a unique identifier for the victim.

November 2022: A Brian Krebs article mentioned ushank.com which was created to scam U.S. Bank customers.

October 2022: Typosquat campaign mimics 27 brands to push Windows, Android malware by Bill Toulas of Bleeping Computer. Quoting: "A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss." Some examples: tocrproject.com pretended to be torproject.com. I have downloaded Notepad++ many times from notepad-plus-plus.org. Bad guys are trying to scam people using notepads-plus-plus.org. The Brave browser is at brave.com. Bad guys created braves-browsers.org.
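The typosquatting patterns quoted above (an inserted or swapped letter, an extra "s", a digit standing in for a letter, "rn" passing for "m") are simple enough to check mechanically. The following Python is an added example, not code from this page or from Bleeping Computer; the brand list and the table of confusable characters are assumptions, and the edit-distance threshold is an arbitrary choice.

```python
# Brand domains to protect (an ASSUMED list, taken from the names in this
# article). The comparison is made against the first label of each.
BRAND_DOMAINS = {
    "torproject.org", "notepad-plus-plus.org", "brave.com",
    "instagram.com", "facebook.com", "microsoft.com",
}

# A small, ASSUMED subset of look-alike character substitutions.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(token):
    """Undo the common digit-for-letter and rn-for-m substitutions."""
    token = token.lower()
    for fake, real in CONFUSABLES.items():
        token = token.replace(fake, real)
    return token


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, brand_domains=BRAND_DOMAINS, max_distance=2):
    """Return (brand, reason) if host resembles a protected brand, else None."""
    host = host.lower().strip().rstrip(".")
    for brand_domain in brand_domains:
        if host == brand_domain or host.endswith("." + brand_domain):
            return None  # the genuine site, or one of its own subdomains
    brands = sorted(bd.split(".")[0] for bd in brand_domains)
    labels = host.split(".")[:-1]  # the TLD itself carries no brand signal
    tokens = []
    for label in labels:
        parts = label.split("-")
        if len(parts) > 1:
            tokens.extend(parts)  # hyphenated pieces first, e.g. "facbook" in facbook-login
        tokens.append(label)
    for token in tokens:
        norm = normalize(token)
        for brand in brands:
            if norm == brand:
                if token == brand:
                    return brand, "brand name used as a label of another domain"
                return brand, "confusable characters"
            if brand in norm:
                return brand, "brand name embedded in a longer label"
            if len(norm) >= 5:
                d = edit_distance(norm, brand)
                if d <= max_distance:
                    return brand, f"{d} edit(s) away from the brand name"
    return None


if __name__ == "__main__":
    for host in ("tocrproject.com", "notepads-plus-plus.org", "braves-browsers.org",
                 "instagrarn.ai", "facebo0k-login.com", "brave.com", "login.microsoft.com"):
        print(f"{host:28} {lookalike_of(host)}")
```

Three rules do the work: normalize confusable characters before comparing, look for the brand name used as or inside a label of some other domain, and allow at most a couple of edits for the swapped or inserted letters the quoted campaign used. The genuine domain and its own subdomains are excused first, since every rule would otherwise flag them too.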

In August 2022, I got this scam text message pretending to be from Citibank and using the scam domain citi-online-supported06a.com.

In August 2022, Cloudflare blogged about their experience with a scam domain name (The mechanics of a sophisticated phishing scam and how we stopped it). They use Okta's identity and access management services, and the scam domain that employees received text messages to visit was cloudflare-okta.com, which really looks legit. Cloudflare is very serious about shutting down scam domains. They monitor new domain registrations looking for those that contain their name, and they attempt to have them shut down ASAP. In this case, however, the domain had been registered less than 40 minutes before the scam text messages were sent.

In July 2022, we learned that bad guys are abusing IPFS, a somewhat rare file system where data is retrieved based on its content rather than its location. Since IPFS locations had, up until then, been considered safe, this gets around systems that look for bad domains. See Decentralized IPFS networks forming the 'hotbed of phishing' from The Register. Among the IPFS domains used in phishing emails were: cloudflare-ipfs.com, ipfs.infura-ipfs.io, googleweblight.com, ipfs.filebase.io, nftstorage.link and ipfs.fleek.co.

In May 2022, we learned this: U.S. DoD tricked into paying $23.5 million to phishing actor (from Bleeping Computer by Bill Toulas). Part of the scam involved domain names. Quoting: "... conspirators registered the domain dia-mil.com, which is very similar to the legitimate dla.mil, and used it to send phishing emails." The bad guys were pretending to be from the Defense Logistics Agency.

In December 2021, many outlets wrote about a TV newscaster in India who was scammed into quitting her job, providing tons of personal information and almost moving to Boston for a non-existent job at Harvard. This is from the New York Times: The Harvard Job Offer No One at Harvard Ever Heard Of. The bad guys used the domain HarvardCareer.com as part of the scam. This was a large scam; several journalists and media personalities in India were targeted. Despite being alerted to the scam, Harvard University did nothing. I write this months after the scam and Harvard still has not bothered to take ownership of HarvardCareer.com.

In November 2021, Brian Krebs wrote about scams focused on un-delivered packages that used the returns-fedex.com domain.

In October 2021, Brian Krebs wrote about a scam that used coinbase.com.password-reset.com to scam coinbase.com users.

Security firm Proofpoint registered some look-alike domain names to use in training their customers about common scams. Among the domains were facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org. Facebook learned about this and went after the registrar to get ownership of the domains transferred to Facebook. See Proofpoint drops lawsuit, transfers phishing domains to Facebook (August 2021).

In October 2020, I was searching for a specific Chromebook and one of the top search results was the website consumes.report. It is a scam (see screen shot), pretending to be Consumer Reports. Their real domain name is consumerreports.org.

This August 2020 article about phone based scams includes these actual scam domain names: bofaticket.com, helpdesk-att.com and vzw-employee.com. In discussing these particular scams, the author, Brian Krebs says: ...domains used for these pages often invoke the company's name, followed or preceded by hyphenated terms such as 'vpn,' 'ticket,' 'employee,' or 'portal.'

In April 2020 bad guys hacked into a Sophos firewall device and downloaded malware from sophosfirewallupdate.com which did not belong to Sophos.

In March 2020, Facebook sued domain registrar Namecheap for registering domains designed to trick people. Some cited examples: instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. In Oct. 2019, Facebook sued another registrar, OnlineNIC for registering domains such as www-facebook-login.com and facebook-mails.com.

For years, Microsoft has been disgraceful in how they handle their subdomains and, as a result, bad guys have been hijacking some of them. The domains cited as being miserably managed are microsoft.com, skype.com, office.com, msn.com, windows.com and xbox.com. Microsoft has been told about this many times, yet the problems linger. This is easily addressed; Microsoft is simply incompetent. It is fairly easy for bad guys to steal the vulnerable subdomains. Victims visiting something.office.com, for example, can be easily tricked into entering passwords that go directly to the bad guys. Recent accounts in the news from March 2020 are here and here. Two subdomains that researchers hijacked to demonstrate the problem were mybrowser.microsoft.com and identityhelp.microsoft.com. A video shows that the bad guys even got an SSL certificate for the subdomain they hijacked. This also made news in February 2020.

In Feb. 2020, I saw this scam text message on a phone. The domain citiunlocknow.com does not belong to Citibank.

In Nov. 2019, we learned of a fake payment service platform (PSP). Many small websites, rather than take credit cards directly, transfer their customers to a secure website run by a large ecommerce company such as Mastercard. An Australian company had their website hacked and instead of customers being transferred to the legitimate mastercard.com.au, they were sent to the scam site payment-mastercard.com.

This October 2019 article, Fake Tor Browser steals Bitcoin from Dark Web users notes that the scam domains tor-browser.org and torproect.org were used to lure victims. The real Tor website is torproject.org.

A September 2019 article about stolen iPhones included this scam, directed at someone whose iPhone had been stolen: "Your missing iPhone has been found by the police nearby and handed over to the Apple related department ... Please click apple-ios-id-gps.us/us and login to the Apple ID management system."

A June 2019 scam combined two methods. Pretending to be from British retailer Argos (argos.co.uk), bad guys at gknu.com sent phishing emails trying to get victims to go to
www.argos.co.uk.theninja.gknu.com/
www.argos.co.uk/account-login/

Note: this looks more convincing when viewed as a single string, but I broke it up into two lines for page display reasons.

In April 2019, Brian Krebs wrote about a service called Land Lords that creates Airbnb scams. A key piece of these scams is domains that look like airbnb.com but are not. The scam domain in the article was airbnb.longterm-airbnb.co.uk. It looked exactly like the real Airbnb website and requested victims to sign in. The fake site forwarded the legit Airbnb credentials to the real Airbnb, but only after recording them. Other domains used to scam Airbnb were: airbnb.longterm-airbnb.co.uk, airbnb.request-online.com and airbnb-invoice.com. For another defense against this scam see the topic below on verified website identities.

When, also in April 2019, Krebs wrote about Wipro being hacked by phishing/scam email messages, the phony domain name he cited was
securemail.wipro.com.internal-message.app
Who even knew that a legitimate domain name can end in dot app? The bad guys loved using their internal-message.app domain so much they also may have used
securemail.capgemini.com.internal-message.app to scam employees of CapGemini.
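The common thread in these scams (coinbase.com.password-reset.com, www.argos.co.uk.theninja.gknu.com, airbnb.longterm-airbnb.co.uk, securemail.wipro.com.internal-message.app) is that only the right-hand end of a host name says who owns it; everything to the left of the registered domain is chosen freely by that owner. The Python below is an added example, not from the original page, that extracts that registered part of a link and compares it to the brand's own domain. Its built-in list of public suffixes is an assumed subset that covers the examples on this page; a real tool should load the full Public Suffix List from publicsuffix.org.

```python
from urllib.parse import urlsplit

# A small, ASSUMED subset of the Public Suffix List (publicsuffix.org). A real
# tool should load the full list; these entries cover the examples on this page.
PUBLIC_SUFFIXES = {"com", "org", "net", "app", "us", "mil", "uk", "co.uk", "au", "com.au"}


def hostname_of(url_or_host):
    """Pull the host out of a URL (or bare host), lower-cased, without a trailing dot."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s  # urlsplit only recognises a host after a scheme
    return (urlsplit(s).hostname or "").rstrip(".").lower()


def registrable_domain(url_or_host):
    """The part of the host that somebody actually registered: the public suffix
    plus one more label. Everything to its left was chosen by that registrant."""
    labels = hostname_of(url_or_host).split(".")
    for n in (2, 1):  # try the longer suffix (co.uk) before the shorter (uk)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)  # unknown suffix: treat the whole host as registered


def same_owner(link, brand_domain):
    """True only if the link lands on the brand's own registered domain."""
    return registrable_domain(link) == registrable_domain(brand_domain)


if __name__ == "__main__":
    # Links quoted on this page, paired with the site each one pretends to be.
    cases = [
        ("coinbase.com.password-reset.com", "coinbase.com"),
        ("https://www.argos.co.uk.theninja.gknu.com/www.argos.co.uk/account-login/", "argos.co.uk"),
        ("securemail.wipro.com.internal-message.app", "wipro.com"),
        ("airbnb.longterm-airbnb.co.uk", "airbnb.com"),
        ("security2017.equifax.com", "equifax.com"),
    ]
    for link, brand in cases:
        verdict = "genuine" if same_owner(link, brand) else "NOT " + brand
        print(f"{registrable_domain(link):28} {verdict}  <- {link}")
```

Note that the brand name appearing anywhere in the link counts for nothing; the Argos link contains argos.co.uk twice and still resolves to gknu.com, while security2017.equifax.com, the name Equifax should have used, correctly comes back as equifax.com.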

The squidblacklist.org site maintains lists of bad domains. Their DNS Malicious Zone file has thousands of malicious domains, some of which are clearly designed to fool people. Just looking for Microsoft related domains turns up: accountsmicrosoft.com, microsoft.com-windows-cleaner-pc.live, drives-microsoft.com, livemicrosoftsupports.com, loginmicrosoftsonline.com, login.microsoftonline.com.atomysales.com, microsoft-0ffice365.com, microsoft365drive.com and microsoftcustomercares.com.

Arguably the biggest domain name screw-up ever was by Equifax in 2017. I say this not because they were hacked, but because of their reaction. The Equifax domain is equifax.com. To post their response to the hacking incident, they created a new website: equifaxsecurity2017.com. They should have named their response website something like security2017.equifax.com or equifax.com/security2017. A techie exposed Equifax for the fools they are by registering a scam website, securityequifax2017.com. In the ultimate irony, the official Equifax Twitter account sent people to the scam site. You can't make this stuff up. And, now that you have read this far, you know more about domain names than the techies at Equifax.

  FINAL EXAM

Think you've got it? You can test yourself at the OpenDNS Phishing Quiz. It shows you 14 website screen shots, each asking for information, and you have to judge if they are real or a scam/phishing.

Created: February 26, 2020
Last Updated: November 22, 2022
Website by Michael Horowitz (@defensivecomput)
Copyright 2019 - 2022