Domain Resale Market Is Phisher Heaven
Krishna Dagli writes "Finish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."
Anyway, I wouldn't count on the registrars changing their business model just because there are stupid people out there.
John
get their stories on www.419eater.com
i live on an alternate planet
Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.
Also, are these domain names coming up for sale because the banks don't want them any more or because their subscription lapsed? I would have thought they'd automatically renew.
Argh.
...or an advertising company waiting for somebody to mis-type a URL and then get buried under a mountain of advertisements?
oo
I'll have to go check out bankofameriuca.com? Is Bank Of Americuca a good bank?
It's too early in the morning for any bad spelling jokes.
Don't you hate glorious self-promotion? Visit my Blog
Fishing can single-handedly become a thing of the past if people stop clicking on links in their emails!
Oh, I don't know, maybe social commentary, satire, to voice a complaint. Who cares?
Just punish the ones actually using the sites to scam.
People that want these domains run click farms. They make their money by showing ads based on the site the person meant to visit, from Google or whomever. It doesn't make sense for a phisher to pay big money for these domains when they can phish just as well with ksajdfxdvos.com.
Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft. Based on your logic, I should legally be able to dress up like George Bush, talk like George Bush, and try to persuade others to do my bidding ... as long as I tell them my name is George C. Bush. Or, I should be able to open a company called Wallmart with their same colors, logos, products, bad jingle music, etc., right?
Crack - Free with every butt and set of boobs
I don't understand why there's not a domain like `.tm` (for example) where you'd need a trademark or some other legal device before you could register it. Some sort of search could be performed before the domains were approved and allowed to be used. If such a system were monitored properly - publicly aired before approval so people could stop any abuses that got past the legal bit - then wouldn't it go some way - if not perhaps the whole way - towards stopping that sort of phishing?
With a post like that, I'm starting to think you're a phisher yourself ;)
Some sites register a lot of variations, google for one. The amount of times I've typed Gogle or gooogl and hundreds of other variations. The problem is, it's not very cost effective and there's obviously going to be too many variations. I mean, what if you accidentally type a variation which the company hasn't actually registered itself? One that a phisher has registered. If they make the site appear convincing you can't possibly tell which variations are fine and which aren't! People just need to pay more attention to what they're typing.
There's no place like 127.0.0.1
Well, let no one say your /. name is fraudulent.
Apology to Ubuntu forum.
Where are the bad analogies? I specifically seek your posts to bring me some joy in an otherwise mind numbing weekday.
You're right! I never thought of it that way. I suppose that it would be wrong of you to, you know, dress up like George Bush, talk like George Bush, or (heaven forbid) try to persuade others. Gosh, we need to regulate that sort of thing so that people aren't duped into believing that YOU are George Bush!
According to a Netcraft report, 3,659 "look-alike" domains (names designed to confuse the recipient into believing they belonged to the bank) were used in phishing attacks in 2005. A lot of these used visual tricks (substituting the number 1 for the letter l, for example) to present a plausible URL. Anti-phishing services are getting better at blocking these sites, but they continue to feature in a large number of scams.
RichM
Data Center Knowledge
A banking tld would solve the problem. All owners would have to be official banks or similar financial organisations. The registrars would charge a little bit extra and check that the applicants really are banks.
Deleted
Registrars are not going to look and say "Hey, that name looks fishy..." they are going to say "okay, and your credit card number is...." People need to pay attention to what they are clicking on, especially in email. Granted I've mistyped a name here and there (common we are all human, right?) but if people stopped clicking on the misspellings, the scammers would just have to go find another way to get their "messages" out...
"Is all that we see or seem But a dream within a dream?" -Poe
Why was this modded "Troll"? The intro claimed that the domains "obviously belong to banks"; how is this obvious? To whom is it obvious? Not the banks, it would appear.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
If these sites do wind up phishing sites, at least sedo.com will know who owns them. So what you do is to contact the Internet Crime Complaint Center. Give them the address of the phishing site - and be sure to let them know that sedo.com sold them the domain, so they'll have the customer contact info.
Weaselmancer
ridiculous.
Sedo.com says
"We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."
Sounds like the approach many companies take when they find wrongdoing.
Like when I called the SBC datacenter in Texas and asked them if this was their IP address, and if they were hosting the website for Paypal.com. "yes, it is" and "no", the guy said. "well, you are now" I replied. He wanted to know what I expected him to do about it.
Or when an internet company is found to be hosting a spammer sending 45 million spam messages about VlhAGRA or VleAGRA, and when told ask "what do you want us to do about it?".
You are either part of the solution or part of the problem.
Those kinds of lax companies who are not good net neighbors and take little or no responsibility for acting in an ethical manner get listed in SPEWS. Then they whine and complain about THAT.
I for one don't want their internet connection to have routing to ME.
SEDO needs to get some integrity.
What do you care the reasons behind my wanting www.bankofameriva.com are? Just because your small mind can't think of anything more creative than "phishing scams", it doesn't mean that the world should be warped to fit your small-mindedness.
People who want to regulate the sale of "near miss" domain names are no better than fundamental christians or muslims who want to impose their version of Sharia law on the entire world.
Come on, man, I *know* you can troll better than that. I've seen you do better on here. You have to tone it down or it's too obvious and it defeats the purpose.
Get rid of the flames and replace it with a couple of paragraphs about the slippery slope of the erosion of personal freedoms and a person's 1st Amendment right to speech. Couple that with a little slightly anarchist rhetoric regarding the distributed nature and inherent inability to regulate the internet, and you'll have yourself a masterful troll. If you want some bonus points, link it with attacks on our freedoms from the oppressive capitalist banking infrastructure. Cross reference with info about banks recording our personal information for a straw man and the win.
If you want to push the envelope of detectability, do a little "First they came for the phishers, but I wasn't a phisher..." thing.
You can do it. I know you can!
I'm not sure I agree. There are 4 reasons someone other than Bank of America might purchase bankofameriuca.com:
;)
1. They're phishing.
2. They're typo-squatting in the hope of selling it to Bank of America.
3. They're link farming/click farming hoping for lots of typo hits.
4. Their name happens to be Banko F. Ameriuca.
In all cases there's no legal compulsion for Sedo to keep the domain out of any one person's hands. It's got nothing much to do with them. However, there is an ethical obligation on the part of Bank of America. They should be looking after their customers and making it difficult for phishers to try and sting them. Bank of America should have bought up all likely typos of their primary domain. If I had an account with them I would consider moving it. If they're willing to risk people losing out to phishing attacks to save the few dollars a domain costs to keep then they must be doing pretty damn badly, or they must not care much about my custom.
http://twitter.com/onion2k
This post expresses my opinion, not that of my employer. And yes, IAAL.
Go ahead, do it.
First off half the population will ignore you even if you were GWB.
Of the rest anybody with half a brain will ignore you; and anybody who doesn't deserves what they get.
Um, you can Dress like GWB, Talk like GWB, and try to persuade people to do your bidding (as though you were George W Bush), as long as you don't tell them you are GWB. If you are George Bush (any variation thereof), then you can do everything but say you are the president of the US. Even there there is a huge series of loopholes - parody, hyperbole, etc. Which would allow you to be legally covered if anyone complained.
Now the Wallmart issue is different since that falls under trademark.
Maybe they are tired of the shitty service banks today give you and want to put up a website explaining it?
Just because *you* can't think of a good reason doesn't mean there isn't one. That one took me about three seconds. Try harder.
Acy
-- Too lazy to get a lower UID.
I think a better question is, what have they done now these particular domains have been pointed out to them?
There's a difference between "we don't proactively do XXX" and "we don't do XXX after we find out about it".
The other examples you give are the latter.
Instead of focusing on the registrar, one could target registries and appeal for some action. But like the grandparent said, it's all about the Benjamins. VeriSign (.com/.net operator) loves the PPC and domain after market. It means they get their $6 times hundreds of millions.
Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.
That's the wrong question, but you're close. Banks have a responsibility to authenticate themselves to users before users are allowed to make transactions. Right now that authentication is supposed to be done by the user looking at the website and recognizing the name. This is, and will always be a terrible form of authentication.
I've said it before, but banks should be using some kind of physical authentication device that contains cryptographic keys that the device won't release until it confirms it's communicating with the bank. The password would only unlock the device so it can authenticate the user, and the bank.
Of course banks won't do this until there's an incentive to do so, and right now there isn't. Make banks responsible for losses from phishing attacks, and they'll implement something like this before the legislation becomes active.
AccountKiller
It could be as 'innocent' as popup ads for those that mistype a URL.
It doesn't automatically have to be something with illegal intent.
---- Booth was a patriot ----
So let's say that a squatter has a domain that I REALLY want (for a customer, etc) for a legitimate use. Should I bite the bullet and feed the troll? Or find an alternative?
I guess personally I wonder if domain names matter so much anymore. It seems that the days of just going to "CompanyName.com" are over. Instead you google it, click through on an ad, type in from an email or business card, etc. So why not use "CompanyName2.com" or something.
It doesn't look pretty, unfortunately. To me, "CompanyName.biz" makes the company look like someone shady.
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
Aside from the, hmm, 2 people in the country who think there is a "u" in America, it would appear that that particular domain isn't being used for fat-fingered folks (u is nowhere near either c or a on the keyboard -- you have to go out of your way to hit it), so it is probably being used for phishing. The hope is that someone is less than cautious in reading it and doesn't recognize the inserted letter. Let's say someone decides to match up the first six letters of the domain exactly and then inserts one letter at an arbitrary point elsewhere. To combat this, bank of america would have to buy over *twenty tril1ion* domains which are equally as likely as bankofamericua.com (26 letters to insert, 8 positions to insert them at, 26^8 = lots). And that would only defend against *one* particular style of typo-squatting. If you combine the "insert a random letter" trick with "replace the I in America with a 1", then that is another twenty trillion domains you have to buy.
P.S. Slashdotters who think you are immune because you are always a careful reader -- how many of you caught the phisher-style substitution I made in this post? Your brain is hard-wired to ignore the sort of slight differences that your computer is wired to treat as very serious.
Help poke pirates in the eyepatch, arr.
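Added example, not part of any comment in the thread: the look-alike tricks described in the Netcraft comment and in the comment above (an inserted letter, a digit standing in for a letter, an extra hyphen, a brand name with a keyword attached) can be checked mechanically against a list of protected domains, instead of trying to pre-register every variant. The function names, the confusable-character map and the use of bankofamerica.com and chase.com as the protected domains are assumptions of this sketch.

```python
"""Flag domains that resemble a protected brand domain (added example)."""

# Constructed confusable map: folds the digit/letter swaps the thread mentions
# (1 for l, 1 for i) plus 0 for o into one canonical character.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})
MIN_BRAND_LEN = 4  # assumption: shorter brand labels over-match as substrings


def label(domain):
    """Return the label left of the TLD; assumes a single-label TLD like .com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def classify(candidate, brand):
    """Return why candidate resembles brand, or None if no rule matches."""
    cand, ref = label(candidate), label(brand)
    if cand == ref:
        return "exact"
    if cand.translate(CONFUSABLE) == ref.translate(CONFUSABLE):
        return "homoglyph"      # e.g. 1 in place of i or l
    if cand.replace("-", "") == ref.replace("-", ""):
        return "separator"      # hyphen added or removed
    if edit_distance(cand, ref) == 1:
        return "one-edit"       # one letter inserted, dropped or swapped out
    if len(ref) >= MIN_BRAND_LEN and ref in cand:
        return "embeds-brand"   # brand name with extra words attached
    return None


def scan(candidates, brands):
    """Map each flagged candidate to (brand, reason); clean names are omitted."""
    hits = {}
    for cand in candidates:
        for brand in brands:
            reason = classify(cand, brand)
            if reason and reason != "exact":
                hits[cand] = (brand, reason)
                break
    return hits


# Protected domains (assumed) and a watch list built from names quoted in the
# thread; bankofamer1ca.com is constructed for the digit-swap case.
BRANDS = ["bankofamerica.com", "citibank.com", "chase.com"]
SAMPLE = ["bankofameriuca.com", "bankofameriva.com", "bankofamer1ca.com",
          "citi-bank.com", "chasebank-online.com", "filmlist.com",
          "ksajdfxdvos.com", "bankofamerica.com"]

if __name__ == "__main__":
    for name, (brand, reason) in scan(SAMPLE, BRANDS).items():
        print(f"{name:24} resembles {brand:20} ({reason})")
```

A random name such as ksajdfxdvos.com passes every rule, which is the limit of this kind of check: it only covers names chosen to look like the brand.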
If you are trying to put criticism about citi-bank, then you buy www.citi-bank.com and put up your sob story about how citi-bank foreclosed on your mortgage, and auctioned it off for 1/2 what it was worth and gave you nothing back, despite the fact that you offered to buy the home from them at 3/4 of its current value.
excitingthingstodo.blogspot.com
I hope you're being satirical, although I do see potential for registrars to abuse their power, and limit close-names that are wanted for satirical purposes for instance like whitehouse.org
Oh You POS
What's interesting is that most banks and major corporations will now spend the money to register the "sucks" version of their domain in all major TLDs, but don't take the same step with domains that would be useful for phishing. Domains are cheap enough ($3 to $9 a year, depending upon your registrar) that it wouldn't take a lot of bucks to register these variations and point them at their .com. The problem is that the phishers and typosquatters thought of this before the banks did. These folks who are selling the names on Sedo aren't selling for $9, and that changes the economics of a defense based on pre-emptive domain registration.
RichM
Data Center Knowledge
With ssl, shouldn't this kind of thing be a non-issue? If a cyber squatted site doesn't have a legitimate certificate, I won't be able to log in to the https server without being presented with a window telling me who published the cert. I wouldn't log in to a bank http server; I would only use https. I would never continue to log in if the cert was self published in Nigeria or something like that. Am I missing something? It doesn't seem like the url has any purpose in terms of authentication at all. Evil frauds can buy microsoft.com*, citibank.com and even google.com for all I care.
;-)
*some would say evil frauds already own microsoft.com
------ Take away the right to say fuck and you take away the right to say fuck the government.
Now that was funny.
"Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?", F-Secure asks."
Because domain sitters might want to earn from naive customers reaching these sites and clicking on contextual ads?
--
I refuse to answer that question on the grounds that I don't know the answer.
Good thing I'm using IE7.
I saw Will Ferrell do this on SNL. Nobody arrested him!
I don't know what kind of crazy keyboard you're using, but on mine, the "i" and the "u" are right next to each other.
http://www.mwbrooks.com/dvorak/layout.html
Why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer?", F-Secure asks.
Good old advertising. People visit the domain mistakenly, whether through Google ads, mistyping, or whatnot, and see ads. These ads are targeted towards financial topics. People click them, owner makes money. No real scam, just advertising dollars coming in.
(Of course, phishing is another possibility, but it's not the only one.)
That can't possibly be right, all Netcraft does is to confirm when something is dying.
What if a competing bank wants to buy up all its competitors' banks domain names look-a-likes? When you mistype the name, you get a site that gives you a low APR credit card or low cost stock trading options or free checking from a site that's obviously not your bank; is an ad.
Sedo told TechWeb that it had a process for pulling domain names but because of the sheer volume of domains on sale through its site it relied on trademark holders to notify it of potential problems. "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales." ®
He then proceeded to kill a grizzled bear with his bare hands...
or what comes between r and s.
plus cos was 30 bucks
damn ebay
It's spelled Finnish.
c++;
Anyone notice the /. subject refers to Phishing Heaven whereas the original theregister article uses the word Haven?
I might need to buy that BoA domain. I'm closing my accounts with BoA because--well it's too long of a story to get into but it involves them signing me up for credit cards I have not confirmed or even received and when I complained about it I got an email back threatening to report me to security for referring to their website as a webshite. So yes, I am interested in that typo domain, not for phishing or link farming, but as the first wave of my legitimate war on BoA. I think I'll probably go for something more like bankofamerica-NoStandards though.
First, put more effort into explaining the threat to Joe Sixpack and Jane Champagne. Banks have already started to do this themselves but it would be nice to see more "public service"-type announcements. Right now there are just too many people who don't understand the dangers, which makes it possible for Internet scams to succeed at a fairly high rate. Your average user apparently doesn't understand even the basics of how this stuff happens, so we need to work to explain how the Internets get through the series of pipes that contains them.
And sure, go after phishers legally. Hunt 'em down and send them off to prison with a hefty fine that confiscates all their ill-gotten gains. Publicize these prosecutions and make sure that the word gets out that law enforcement is actively working to catch these guys. Currently, phishing is a low-risk, high profit undertaking. Change the risk to benefit ratio and you'll make (some) progress. Banks have deep pockets, so I'd expect to see them start doing this type of investigation, similar to how the insurance industry does fraud investigations in cooperation with the police.
The economic side is to charge more for domains and eliminate the "grace period" when you can get a full refund of the registration fee. Right now, with domains costing $10, you've got phishers, domain "tasting", and a lot of other unsavory stuff going on. This is especially true since registrars allow you to change your mind after a couple of days. If you upped the price and made the grace period 6 hours, it would be less cost-effective to have "bankofamericana" for a day or two. It would also cut down on the ad farms, since (again) it's less cost effective to use an expensive domain for that.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Mine doesn't have a null key either.
Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft.
Copyright law, ok.
Patent law, ok.
Restrictions on identity theft, no.
Identity can lose its intrinsic value when copied. That's not cool.
The issue with domain ownership is that regulating domains could be bad for the internet itself, because it would impose more regulation, and we all know that regulation is bad for the net, even if deregulation has its drawbacks.
It's just like everything else out there...
I recall when I was young and one of the gum ball machines was broken at the local convenience store... what did I do? I found a weakness and after 10 minutes of exploitation, was 100 gum balls richer!
Invent a service and you'll have exploits. Yin and yang.
Of course people will Phish with domains that are remotely similar to the bank names... then again, people are phishing with crap domains that mean nothing, IE: smash my keyboard randomly and register it.
So really, in the end, who cares about this subject? It's irrelevant.
domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. "Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?", F-Secure asks."
I and all the other proud citizens of Ameriuca resent this craven implication.
It Is the Nature of Information to Transgress Artificial Boundaries
5. Parody site.
6. A website outlining grievances.
Don't knock it, I've been a loyal customer of the Bank of Ameriuca for three days. They've given me life insurance dirt cheap, some very fine investment tips (a hot new web 2.0 company guaranteed to soar like an eagle in a week!) and offered free hosting for some homemade porn I've made. Also, I seem to have scored an elephant desktop friend which knows about free screensavers. It was about time banks realized that they have to offer more diverse services for our money.
Parent should not be rated troll, he does bring up a good point. There are legitimate reasons for buying these domain names, for example if you are a company Bank of AmeRiva or perhaps you are making a website to critique the business practices of Bank of America.
...from all the light given-off by the flaming trolls in this thread.
They sure stirred-up the hornet's nest with this one.
So, the question seems to be: Where does the accountability lie in fraudulent domains?
There's the school of origination; the domain-registrar is wrong for selling it.
You might as well arrest the gun-shop owners for allowing shootings to happen.
Then the camp that believes the TLD is most telling. (e.g., dot-com vs. dot-biz)
Gimme a break, the TLD breakout was back in 2000; companies have been using dot-biz for more than five years, some are even very well-established. Try again.
Some say the institutions being mocked are the culpable party.
You have to admit, allowing yourself to be imitated so convincingly could be construed as neglect.
Others still would point the finger at the ISP that allows phishers/crackers to operate in the first place.
Yeah, but if you're in the car-rental business, how can you tell if your customer intends to run someone over? Would you *not* accept their money if you did? Could you prove it in court if the barred customer tries to sue you?
The idea that the presence of SSL indicates a reliable source.
Best idea of the bunch, however there's still a risk in "mixed content" pages. The newest IE release either restricts the appearance of these types of pages, or just doesn't show them at all. (Firefox, too) Webdomos, take this to heart; if it isn't coming through SSL, it won't be on the page.
I, for one, prefer a common-sense approach...
eBusiness Owners/Administrators: Protect your identity! Get a consultant and invest in the most-likely alternates for your own domain, and KEEP them. (auto-renewal) It will pay off in the long run. Why take the risk?
Domain Registrars: Verify your customers and their business model. Taking an easy payment is one thing, but when you're found out as the enabler of a scam that swindles thousands from your potential customers, what's it really worth?
'Net Service Providers: Log activity and keep those logs! Detailed records and reliable backups are the difference between being a reputable dealer or a "usual suspect". Though you may be able to buy good press, you can't buy-off bad press.
Consumers/Citizens/All of us: Fer crissake, pay attention! [SLAP!] You don't get the luxury of "undo" from a virus or trojan. Simply connecting to the Internet presents a risk, and it will never be completely secure.
Consider this paradigm. Every "click" is a choice. Choose wisely.
This post © Copyrite Duggeek, all rights reversed.
KUDOs, not only one of your best bad analogies but a first post to boot and pertains to the topic, I'm AWE STRUCK
Apocalypse Cancelled, Sorry, No Ticket Refunds
Perhaps we should regulate against George Bush being George Bush? Seems that would be a more effective solution, to a lot of things.
I don't know how clueless these people are but mis-spellings and mis-typings get you page hits and ads viewed. That's why the pages of those sites are usually filled with ads.
As said, their verification system is very poor. They once accepted MyWay.com for sale. http://convergence.in/blog/2006/10/11/sedo-lists-mywaycom-for-sale-on-its-website/
You're certainly living up to your username; I think that's the worst analogy I've seen you come up with so far.
It's official. Most of you are morons.
You get $0-5 for an application, and $10-$60 for an approved client.
...
Even though many banks and programs (almost all of them) prohibit using trademark domains and even keywords (on bidding services like Google ads), many people get domains like that and promote through type-ins
so it is not just phishers, but fishy advertisers that want those domains....
ps: yes I used to promote credit cards, and student loans, No I never used domains like that and never spammed.
So, while Norton and McAfee have little else to do than bitch about the kernel lock-down in Vista, the makers of that delightful little AV program F-Prot are out actually, you know, looking into security issues?
Rich!