Scammers registering date-based domain names

by @edent | 19 comments | Read ~27,468 times.

Yesterday, January 2nd, my wife received a billing alert from her phone provider.
An SMS saying there's a problem with your phone bill.

Luckily, she's not with EE - because it's a pretty convincing text. That domain name is specifically designed to include the day's date.

If you're stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be? A quick look at the URL shows a trusted domain at the start - followed by today's date.

It starts with https:// - that means it's secure, right? Is .info even recognisable as a Top Level Domain?

Scammers know these domains get blocked pretty quickly - so there's no point registering a generic name like billing-pdf.biz only to have it burned within a day. By the time I'd fired up a VM to inspect it, major browsers were already blocking the site as suspicious.

Is there any way to stop this? No, not really. Domain names are cheap - you can buy a new .info for a couple of quid. The https:// certificate was freely provided by Let's Encrypt. The site was probably hosted somewhere cheap, whose support staff are asleep when abuse reports come in from the UK.

And that's the price we pay for anyone being able to buy their own domain and run their own secure site.

Money and technical expertise used to be strong barriers to prevent people from registering scam domains. But those days are long gone. There are no technical gatekeepers to keep us safe. We have to rely on our own wits.
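The check a reader can apply by hand is easy to automate. As an added example (not from the original post), here is a small defender-side heuristic in Python that takes a URL apart the way the post describes: it finds the registrable domain (the end of the name, which is what the scammer actually bought), looks for a known brand embedded above it, and looks for a date token in the labels. The brand list and the tiny public-suffix table are assumptions, and the sample URLs are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed brand watch list (assumption; a real deployment loads its own or a top-sites feed).
KNOWN_BRANDS = {"ee.co.uk", "o2.co.uk", "paypal.com"}
# Tiny stand-in for the Public Suffix List, enough for the sample inputs (assumption).
PUBLIC_SUFFIXES = {"co.uk", "uk", "com", "info", "biz", "co", "org"}
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Date tokens as a scammer writes them into a label: jan02, 2019-01-02, 02012019.
DATE_TOKEN = re.compile(
    rf"(?:{MONTHS})[-_]?\d{{1,2}}(?![0-9])"
    rf"|(?<![0-9])\d{{4}}[-_]?\d{{2}}[-_]?\d{{2}}(?![0-9])"
    rf"|(?<![0-9])\d{{2}}[-_]?\d{{2}}[-_]?\d{{4}}(?![0-9])",
    re.I,
)

def registrable_domain(host: str) -> str:
    """The label just above the public suffix: what was actually bought, at the END of the name."""
    labels = host.lower().strip(".").split(".")
    for i in range(1, len(labels)):          # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()

def impersonated_brand(host: str) -> Optional[str]:
    """A known brand embedded in the hostname (dots or hyphens between its labels)
    while the registrable domain belongs to someone else."""
    host = host.lower()
    if registrable_domain(host) in KNOWN_BRANDS:
        return None                          # it really is the brand's own domain
    for brand in KNOWN_BRANDS:
        pat = r"(?<![a-z0-9])" + "[.-]".join(map(re.escape, brand.split("."))) + r"(?![a-z0-9])"
        if re.search(pat, host):
            return brand
    return None

def classify(url: str) -> dict:
    """Heuristic verdict for one URL of the kind shown in the post's SMS."""
    host = (urlsplit(url).hostname or "").lower()
    brand = impersonated_brand(host)
    m = DATE_TOKEN.search(host)
    return {
        "registrable": registrable_domain(host),
        "impersonates": brand,
        "date_token": m.group(0) if m else None,
        # Either signal alone earns a warning; both together match the scam exactly.
        "suspicious": brand is not None or m is not None,
    }
```

The same brand pattern also catches the hyphenated variant (brand-dash-date) rather than only the dotted one, since the separator between the brand's labels may be a dot or a hyphen.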

19 thoughts on “Scammers registering date-based domain names”

  1. I had something really similar regarding an O2 bill yesterday. Not date based but still decent until I properly read the domain name


  2. Thank goodness for URLs and a pox on all tools that hide them



  3. Also what's with the trend for hiding the scheme? That's pretty key information IMO



    1. Sergey Salnikov says:

      Hiding the scheme would reduce the common prefix of this URL and legitimate ones. That would probably make scam detection a bit easier, but I wouldn't count on a big difference.

  4. David McBride says:

    Automated monitoring of CT logs for such patterns is likely to be productive, if you can get the bad domains flagged as hostile quickly enough.

  5. Markus Laker says:

    Hi, Terence. Did you mean to hand out your wife’s mobile phone number? Suggest clipping that photo.

    1. @edent says:

      The displayed phone number is the sender's number.

      1. Possibly spoofed using some innocent soul's real number?

        1. @edent says:

          More likely to be a PAYG SIM - based on previous experience.

  6. Andrew McGlashan says:

    Too many “experts” on the TV and radio shows are simply telling people to look for the lock; which, as you point out and those of us in the game know, is easy and cheap for bad guys to “get the lock”…

    Browsers are removing https now or soon and sites will be expected to be secure by default, but again, that doesn’t stop the bad guys due to how cheap domain names are and how simple it is to get legit certs for it from LE.

  7. gerard says:

    Maybe it's time to call out Let's Encrypt?
    They want to make the web a more secure place, right?
    Does that conform to their goal?
    It's not as if they are purely neutral, they are already blacklisting the political enemies of the USA.
    So why are they aiding and abetting criminals? If ICANN too is aiding and abetting criminals by throwing around 2-cent registries that have absolutely no diligence, ICANN's stated goal has never been to make the web a better place.
    A very simple policy for Let's Encrypt could be to base domain acceptance on the % of domains used for spam (something that is already tabulated by entities external to them). If it's over 10%, one strike. If it happens TWO times in a row, two strikes. Three strikes and you are out!
    And yes, the .info domain is in this shame list. Spam and scam go together.
    https://www.spamhaus.org/statistics/tlds/
    Let's Encrypt should work really and effectively for a better Internet.

    1. Jeremy says:

      The main purpose of SSL was always encryption, so that your data isn't sent in the clear over the internet. And letsencrypt is a superhero for making this service available to everyone for free. So what do you want to call them out for?

      The identification part is really very secondary, as this article pointed out. Many people seem to mistake the only use for SSL for identification, which is very weird.

  8. Znuff says:

    Let's Encrypt has nothing to do with it. cPanel also offers free, automated DV certs.

    And any other SSL provider also issues certs automatically, no human involved.

    If the scammers can afford $10 on a domain for a day, they can afford $7 for an SSL certificate, too.

    1. Mahedi says:

      That’s right, Znuff!
      SSL is not the main issue here. If I make a website like http://billing.paypal.com.updatenow.co
      do you think people will fall into the trap? It’s not SSL enabled but still convincing.

  9. Robert Stonehouse says:

    If domain names were presented in major-to-minor order when read left-to-right, this would become a very obvious difference:

    https://uk.co.ee/
    https://info.billing-update-jan02.uk.co.ee/

    but obviously that is not going to happen.

    I wonder if something could be auto-detected and flagged in the address bar UI.
    Say, if the prefix of a domain matches one of the top-1000 sites for a TLD (given that the sites people are most likely to want to spoof are popular). This could be done in the same way that the unsafe sites list is sent to Chrome browsers, so that it is all browser side.

    1. @edent says:

      Even if we could create a new naming scheme, I don't think it would work. I could register uk.co.ee-billing-update-jan-02 - I suspect that would fool the same number of people. Especially as a small screen device is liable only to show the first 15 characters.

Mentions

  • A phishing attack masked behind a date in the domain – Are we even safe anymore? / Digital Information World
  • ProXap
  • Bipolar Express
