Scammers registering date-based domain names
Yesterday, January 2nd, my wife received a billing alert from her phone provider.
Luckily, she's not with EE - because it's a pretty convincing text. That domain name is specifically designed to include the day's date.
If you're stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be? A quick look at the URl shows a trusted domain at the start - followed by today's date.
It starts with https:// - that means it's secure, right? Is .info even recognisable as Top Level Domain?
Scammers know these domains get blocked pretty quickly - so there's no point registering a generic name like billing-pdf.biz only to have it burned within a day. By the time I'd fired up a VM to inspect it, major browsers were already blocking the site as suspicious.
Is there any way to stop this? No, not really. Domain names are cheap - you can buy a new .info for a couple of quid. The https:// certificate was freely provided by Let's Encrypt. The site was probably hosted somewhere cheap, and whose support staff are asleep when abuse reports come in from the UK.
And that's the price we pay for anyone being able to buy their own domain and run their own secure site.
Money and technical expertise used to be strong barriers to prevent people from registering scam domains. But those days are long gone. There are no technical gatekeepers to keep us safe. We have to rely on our own wits.
Best of: What I blogged about in 2020
| Reply to original comment on twitter.com
| Reply to original comment on twitter.com
| Reply to original comment on twitter.com
Sergey Salnikov says:
| Reply to original comment on twitter.com
David McBride says:
Markus Laker says:
Andrew McGlashan says:
Browsers are removing https now or soon and sites will be expected to be secure by default, but again, that doesn’t stop the bad guys due to how cheap domain names are and how simple it is to get legit certs for it from LE.
gerard says:
they want to make the web a more secure place right ?
Is that conform to their goal ?
It's not as if they are purely neutral, they are already blacklisting the political enemies of USA.
So why are they aiding and abetting criminals ? If ICANN too is aiding and
abetting criminals by throwing around 2 cents registries that have absolutely no
diligence, ICANN stated goal has never been to make the web a better place.
A very simple policy for Let'sEncrypt could be to base domain acceptance on % of domains used for spam (something that is already tabulated by entities external to them). If it's over 10%, one strike. If it happens TWO times in a row, two strikes. Three strikes and you are out!
And yes, .info domain is in this shame list. Spam and scam are going together.
https://www.spamhaus.org/statistics/tlds/
Let's Encrypt should work really and effectively for a better Internet.
Jeremy says:
The identification part is really very secondary as this article pointed out. Many people seems to mistake the only use for SSL for identification which is very weird.
And any other SSL provider also issues certs automatically, no human involved.
If the scammers can afford $10 on a domain for a day, they can afford $7 for a ssl certificate, too.
SSL is not the main issue here. If I make a website like http://billing.paypal.com.updatenow.co
What do you think people will fall into trape? It’s not SSL enabled but still convincing.
Robert Stonehouse says:
https://uk.co.ee/
https://info.billing-update-jan02.uk.co.ee/
but obviously that is not going to happen
I wonder if something could be auto-detected and flagged in the address bar UI.
Say if the prefix for a domain matches in the top-1000 sites for a TLD (given that the sites people are most likely to want to spoof are popular). This could be done in the same way that the unsafe sites lists is sent to chrome browsers so that it is all browser side.
uk.co.ee-billing-update-jan-02- I suspect that would food the same number of people. Especially as a small screen device is liable only to show the first 15 characters.| Reply to original comment on www.digitalinformationworld.com
Scammer's Internet Domain Uses the Date to Mask Phishing Attack said on :
| Reply to original comment on
Looked legitimate at first glance especially if you're expecting a package from abroad.
@blog It's really much much simpler than that, in this particular case at least. *Any* message which asks you to "update your info" is a scam - there's no need to worry about the detail.
@edent says:
The problem is, that ignores all the hundreds of messages which are genuine. It's all very well smugly saying that you know a secret way to never getting fooled, but the real world isn't like that.
@blog I have never ever received a genuine message asking me to "update my info". Has anyone?
@edent says:
Yes. When I change credit cards, or close bank accounts, or things like that. Just because things don't happen to you, doesn't mean they don't happen. Evidently lots of people do get messages like this or spammers wouldn't bother trying to replicate them.
But, regardless, your suggestion that people simply just be as clever as you isn't really a long-term solution.
@TimWardCam @blog Yes. I have.