Domain Resale Market Is Phisher Heaven

Posted by CmdrTaco on Wed Nov 01, 2006 10:33 AM
from the big-shock-here dept.
Krishna Dagli writes "Finnish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."
  • Not going to happen (Score:3, Interesting)

    by plover (150551) * on Wednesday November 01 2006, @10:36AM (#16673353) Homepage Journal
    Does anyone really think a domain registrar has any incentive to stop phishers? "Oh, sure, you want us to cut our potential sales just because a typo-squatter might be phishing?" I wonder how much of their revenue comes from selling the actual names vs how much comes from the spelling error names?

    Anyway, I wouldn't count on the registrars changing their business model just because there are stupid people out there.

    • Even if a domain registrar were to change their business model to prevent this, it would only take one unscrupulous registrar to sell the domain names. ICANN could force policy on the registrars and yank the license of anybody caught selling near-miss domain names, but the blanket policy they'd have to introduce would both miss a lot of phishing-oriented names and keep people from getting some valid names.

      A more market-oriented approach would be to have the individual registrars establish policies. Then ha
  • Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.

    Also, are these domain names coming up for sale because the banks don't want them any more or because their subscription lapsed? I would have thought they'd automatically renew.
    • Replying to myself, sorry.

      Obviously it's impossible to register every typo-variation of your real domain name, so that kinda answers my original question.

      However, I remember back in 1999 or so I visited vodaphone.com, which brought up a nice friendly page explaining how thousands of their customers misspelled "vodafone", so they decided to register that domain name to correct the confusion, which I thought was rather nice.

    • Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.

      That's the wrong question, but you're close. Banks have a responsibility to authenticate themselves to users before users are allowed to make transactions. Right now that authentication is supposed to be done by the user looking at the website and recognizing the name. This is, and will always be a terrible form of authentication.

      I've said it before, but banks should be
    • Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.

      I wouldn't agree. In the UK I'm sure there's been instances of crooks taking over an empty shop, fitting it out like a real bank and conning people into depositing money there. There was certainly a case where a gang used a stolen ATM to grab card numbers and PINs. Where does the responsibility lie? With the consumer, or the bank?

      To extend the tiresome analogy: if I to

  • Click Farms (Score:4, Insightful)

    by prothid (302906) <slashdot&unfit,org> on Wednesday November 01 2006, @10:43AM (#16673465) Homepage
    People that want these domains run click farms. They make their money by showing ads based on the site the person meant to visit, from Google or whomever. It doesn't make sense for a phisher to pay big money for these domains when they can phish just as well with ksajdfxdvos.com.
  • I don't understand why there's not a domain like `.tm` (for example) where you'd need a trademark or some other legal device before you could register it. Some sort of search could be performed before the domains were approved and allowed to be used. If such a system were monitored properly - publicly aired before approval so people could stop any abuses that got past the legal bit - then wouldn't it go some way - if not perhaps the whole way - towards stopping that sort of phishing?
        • You'd still have the Budweiser problem, in that there are two Budweiser beers, one out of the Czech Republic and one out of St. Louis, MO. They both can legally use the name Budweiser (in certain markets) since originally their markets did not overlap at all. Who would legally get the domain name?

          And what about common names like Yellow? Would it go to Yellow Cab? Yellow Pages? Yellow Roadway? All of them at some point used Yellow as their "name".

          Trademarks can be used in multiple places for multiple reasons
  • According to a Netcraft report [netcraft.com], 3,659 "look-alike" domains (names designed to confuse the recipient into believing they belonged to the bank) were used in phishing attacks in 2005. A lot of these used visual tricks (substituting the number 1 for the letter l, for example) to present a plausible URL. Anti-phishing services are getting better at blocking these sites, but they continue to feature in a large number of scams.
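The look-alike tricks this post describes (hyphen insertion, digit-for-letter swaps such as 1 for l, a brand name padded with extra words, a single inserted letter as in bankofameriuca.com) can be flagged mechanically on the defender's side. The following is an added example, not code from the thread, F-Secure or Netcraft; the list of legitimate domains, the homoglyph table and the distance threshold are assumptions chosen for illustration.

```python
"""Flag look-alike domains against a small list of legitimate brand domains.

Constructed defensive example. LEGIT_DOMAINS, HOMOGLYPHS and the edit-distance
threshold are assumptions, not data from the article.
"""

# Digits and symbols phishers swap for visually similar letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

# Assumed list of domains the bank actually owns (second-level label is the brand).
LEGIT_DOMAINS = ("chase.com", "citibank.com", "bankofamerica.com", "paypal.com")
BRANDS = tuple(d.rsplit(".", 1)[0] for d in LEGIT_DOMAINS)


def normalize(domain: str) -> str:
    """Lower-case, strip www. and the TLD, drop hyphens, undo homoglyph swaps."""
    label = domain.lower().removeprefix("www.").rsplit(".", 1)[0]
    label = label.replace("-", "").replace(".", "")
    # "rn" rendered in a proportional font looks like "m"; fold it too.
    return label.replace("rn", "m").translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (brand, reason) when the domain imitates a brand, else None."""
    if domain.lower().removeprefix("www.") in LEGIT_DOMAINS:
        return None  # the bank's own domain is not a look-alike
    label = normalize(domain)
    for brand in BRANDS:
        if label == brand:
            return brand, "hyphen/homoglyph variant"      # citi-bank, paypa1
        if levenshtein(label, brand) <= 1:
            return brand, "single-character typo"         # bankofameriuca
        # Only long brands are checked as prefix/suffix to limit false positives.
        if len(brand) >= 5 and (label.startswith(brand) or label.endswith(brand)):
            return brand, "brand embedded with extra words"  # chasebank-online
    return None


if __name__ == "__main__":
    # Constructed sample: the three domains from the story plus two benign ones.
    for d in ("chasebank-online.com", "citi-bank.com", "bankofameriuca.com",
              "paypa1.com", "filmlist.com", "ksajdfxdvos.com"):
        print(f"{d:24} -> {classify(d)}")
```

Real deployments would run this over newly registered or resold domain feeds and feed hits to a takedown or blocklist process; the prefix/suffix rule in particular needs tuning against a large benign sample before it is trusted.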
  • A banking tld would solve the problem. All owners would have to be official banks or similar financial organisations. The registrars would charge a little bit extra and check that the applicants really are banks.

     
      • Only if the banks continue to maintain their existing .com domains rather than allowing them to lapse after 3-5 years.
  • Cybersquatters... (Score:3, Interesting)

    by GreyPoopon (411036) <`gpoopon' `at' `gmail.com'> on Wednesday November 01 2006, @10:53AM (#16673605)
    Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?
    One other possibility. Cybersquatting...the online equivalent of extortion. Anyway, the practice of registering these "typo" domains shouldn't be illegal. But they should be an automatic trigger for a detailed investigation by the justice department. It's like criminals hanging a sign on their front door announcing their intentions to commit a crime. The DoJ should be loving it....
  • If these sites do wind up phishing sites, at least sedo.com will know who owns them. So what you do is to contact the Internet Crime Complaint Center. [ic3.gov] Give them the address of the phishing site - and be sure to let them know that sedo.com sold them the domain, so they'll have the customer contact info.

  • Sedo.com says
    "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."

    Sounds like the approach many companies take when they find wrongdoing.

    Like when I called the SBC datacenter in Texas and asked them if this was their IP address, and if they were hosting the website for Paypal.com. "yes, it is" and "no", the guy said. "well, you are now" I replied. He wanted to know what I expected him to do about it.
    • I think a better question is, what have they done now these particular domains have been pointed out to them?

      There's a difference between "we don't proactively do XXX" and "we don't do XXX after we find out about it".

      The other examples you give are the latter.
  • by deblau (68023) <slashdot.25.flickboy@spamgourmet.com> on Wednesday November 01 2006, @10:58AM (#16673689) Journal
    "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."
    Yeah, let's see how impossible it is when Paypal, Visa, Chase, Citibank, and BofA sue you for trademark infringement and unfair competition, with hundreds of other companies waiting in the wings.
  • Maybe they are tired of the shitty service banks today give you and want to put up a website explaining it?

    Just because *you* can't think of a good reason doesn't mean there isn't one. That one took me about three seconds. Try harder.

    Acy
  • It could be as 'innocent' as popup ads for those that mistype a URL.

    It doesn't automatically have to be something with illegal intent.
  • So let's say that a squatter has a domain that I REALLY want (for a customer, etc) for a legitimate use. Should I bite the bullet and feed the troll? Or find an alternative?

    I guess personally I wonder if domain names matter so much anymore. It seems that the days of just going to "CompanyName.com" are over. Instead you google it, click through on an ad, type in from an email or business card, etc. So why not use "CompanyName2.com" or something.

    It doesn't look pretty, unfortunately. To me, "CompanyName
    • If it's a registered company you want it for, file a domain dispute with ICANN and get it taken off them - I've seen this done multiple times and it's a *lot* cheaper than paying the squatter (who usually just caves in and gives it up.. they have thousands of these things and aren't prepared to fight).
  • Another reason you might buy these sites is that you hate the company.

    If you are trying to put criticism about citi-bank, then you buy www.citi-bank.com and put up your sob story about how citi-bank foreclosed on your mortgage, and auctioned it off for 1/2 what it was worth and gave you nothing back, despite the fact that you offered to buy the home from them at 3/4 of its current value.

    • What's interesting is that most banks and major corporations will now spend the money to register the "sucks" version of their domain in all major TLDs, but don't take the same step with domains that would be useful for phishing. Domains are cheap enough ($3 to $9 a year, depending upon your registrar) that it wouldn't take a lot of bucks to register these variations and point them at their .com. The problem is that the phishers and typosquatters thought of this before the banks did. These folks who are sel
      • Re: (Score:2, Interesting)

        Forwarding misspelled domains to your .com is a HORRIBLE idea. Here's why:
        Let's say you are citibank, you own citibank.com, and you forward citybank.com. You're "setting the expectation" that a forward will happen, in the customer's mind. When they go to city-bank.com, and it looks the same, to them, as citybank or citibank (but it's actually phisher owned), they're sunk.

        What NEEDS to happen instead, if registering alternate spellings or typos is part of a security strategy, you need to inform the custo
  • With ssl, shouldn't this kind of thing be a non-issue? If a cybersquatted site doesn't have a legitimate certificate, I won't be able to log in to the https server without being presented with a window telling me who published the cert. I wouldn't log in to a bank http server; I would only use https. I would never continue to log in if the cert was self published in Nigeria or something like that. Am I missing something? It doesn't seem like the url has any purpose in terms of authentication at all.
    • Re: (Score:3, Insightful)

      I don't think the phishers care if they don't get to steal your identity, as long as the 99% of web users who don't know what SSL is can still be fooled. So yes, you're missing something.
      • Plus it's fairly easy to get a certificate if you own the domain in question.

        Case in point: 2 years ago I needed a new certificate.. went to a cert. dealer, filled in the name/address of my company and used the company email address. I got the certificate in under 2 hours.

        No proof was required, just the existence of the domain and presumably they checked the whois. My address is unrelated to the company (which is just a virtual office with the trading address at the accountants) and I paid with my own cr
  • What if a competing bank wants to buy up all its competitors' bank domain name look-alikes? When you mistype the name, you get a site that gives you a low APR credit card or low cost stock trading options or free checking from a site that's obviously not your bank; it's an ad.
  • First, put more effort into explaining the threat to Joe Sixpack and Jane Champagne. Banks have already started to do this themselves but it would be nice to see more "public service"-type announcements. Right now there are just too many people who don't understand the dangers, which makes it possible for Internet scams to succeed at a fairly high rate. Your average user apparently doesn't understand even the basics of how this stuff happens, so we need to work to explain how the Internets get through the s
  • domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. "Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?", F-Secure asks."

    I and all the other proud citizens of Ameriuca resent this craven implication.
  • by zecg (521666) on Wednesday November 01 2006, @12:57PM (#16675699)
    Don't knock it, I've been a loyal customer of the Bank of Ameriuca for three days. They've given me life insurance dirt cheap, some very fine investment tips (a hot new web 2.0 company guaranteed to soar like an eagle in a week!) and offered free hosting for some homemade porn I've made. Also, I seem to have scored an elephant desktop friend which knows about free screensavers. It was about time banks realized that they have to offer more diverse services for our money.
  • I don't know how clueless these people are but mis-spellings and mis-typings get you page hits and ads viewed. That's why the pages of those sites are usually filled with ads.
    • The Bank of Ameriuca is one of the most highly respected banks in the Untied States of Ameriuca. You should trust all your money with them .. but wait just a few seconds for my sedo.com session to refresh ... there you go. Happy Banking!
    • Bank Of Americuca is a sperm bank. Deposits are always welcome.
    • Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft. Based on your logic, I should legally be able to dress up like George Bush, talk like George Bush, and try to persuade others to do my bidding ... as long as I tell them my name is George C. Bush. Or, I should be able to open a company called Wallmart with their same colors, logos, products, bad jingle music, etc., right?
      • Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft. Based on your logic, I should legally be able to dress up like George Bush, talk like George Bush, and try to persuade others to do my bidding ... as long as I tell them my name is George C. Bush. Or, I should be able to open a company called Wallmart with their same colors, logos, products, bad jingle music, etc., right?

        Um, you can Dress like GWB, Talk like GWB, and try to persuade people to do

      • Re: (Score:3, Insightful)

        Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft.


        Copyright law, ok.
        Patent law, ok.

        Restrictions on identity theft, no.
        Identity can lose its intrinsic value when copied. That's not cool.

        The issue with domain ownership is that regulating domains could be bad for the internet itself, because it would impose more regulation, and we all know that regulation is bad for the net, even if deregulation has its drawbacks.
    • Well, let no one say your /. name is fraudulent.
    • Re: (Score:3, Informative)

      I'm not sure I agree. There are 4 reasons someone other than Bank of America might purchase bankofameriuca.com:

      1. They're phishing.
      2. They're typo-squatting in the hope of selling it to Bank of America.
      3. They're link farming/click farming hoping for lots of typo hits.
      4. Their name happens to be Banko F. Ameriuca. ;)

      In all cases there's no legal compulsion for Sedo to keep the domain out of any one person's hands. It's got nothing much to do with them. However, there is an ethical obligation on the part of
      • Aside from the, hmm, 2 people in the country who think there is a "u" in America, it would appear that that particular domain isn't being used for fat-fingered folks (u is nowhere near either c or a on the keyboard -- you have to go out of your way to hit it), so it is probably being used for phishing. The hope is that someone is less than cautious in reading it and doesn't recognize the inserted letter. Let's say someone decides to match up the first six letters of the domain exactly and then inserts one
      • 5. Parody site.
        6. A website outlining grievances.
    • I hope you're being satirical, although I do see potential for registrars to abuse their power, and limit close-names that are wanted for satirical purposes for instance like whitehouse.org
    • KUDOs, not only one of your best bad analogies but a first post to boot and pertains to the topic, I'm AWE STRUCK
    • Re: (Score:2, Insightful)

      Cost effective? Domains cost like $10 a pop... I think if domain names prove to be a source of identity theft, companies will happily buy domain lookalikes rather than pay people to investigate fraud or suffer the losses...
    • Now not clicking links in my emails is adding to water pollution? Eeek! Off to go click all of those links!
    • if people stop clicking on links in their emails!

      But it SAID that I needed to update my Windows Firewall in order to access my account again. They told me I can go to their website, login, go to the FAQ section, and follow the directions in section 4.3

      Or I can just click this link for convenience.
    • twista says:
      Good old advertising. People visit the domain mistakenly, whether through Google ads, mistyping, or whatnot, and see ads. These ads are targeted towards financial topics. People click them, owner makes money. No real scam, just advertising dollars coming in.


      Yep, it works like this:

      1.) Register bankofspamerica.com
      2.) Get hits from fat-fingered clueless n00bs.
      3.) Profit!