Slashdot Mirror


Domain Resale Market Is Phisher Heaven

Krishna Dagli writes "Finnish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."

4 of 120 comments

  1. Not going to happen by plover · · Score: 2, Interesting
    Does anyone really think a domain registrar has any incentive to stop phishers? "Oh, sure, you want us to cut our potential sales just because a typo-squatter might be phishing?" I wonder how much of their revenue comes from selling the actual names vs how much comes from the spelling error names?

    Anyway, I wouldn't count on the registrars changing their business model just because there are stupid people out there.

    --
    John
  2. Obvious Problem by Threni · · Score: 2, Interesting

    I don't understand why there's not a domain like `.tm` (for example) where you'd need a trademark or some other legal device before you could register it. Some sort of search could be performed before the domains were approved and allowed to be used. If such a system were monitored properly - publicly aired before approval so people could stop any abuses that got past the legal bit - then wouldn't it go some way - if not perhaps the whole way - towards stopping that sort of phishing?

  3. Cybersquatters... by GreyPoopon · · Score: 2, Interesting
    Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?
    One other possibility. Cybersquatting...the online equivalent of extortion. Anyway, the practice of registering these "typo" domains shouldn't be illegal. But they should be an automatic trigger for a detailed investigation by the justice department. It's like criminals hanging a sign on their front door announcing their intentions to commit a crime. The DoJ should be loving it....
    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  4. Re:The economics of pre-emptive domain grabs by jargon82 · · Score: 2, Interesting

    Forwarding misspelled domains to your .com is a HORRIBLE idea. Here's why:
    Let's say you are citibank, you own citibank.com, and you forward citybank.com. You're "setting the expectation" that a forward will happen, in the customer's mind. When they go to city-bank.com, and it looks the same, to them, as citybank or citibank (but it's actually phisher owned), they're sunk.

    What NEEDS to happen instead, if registering alternate spellings or typos is part of a security strategy, is that you inform the customer on that page with an informative message. "You appear to be looking for citibank.com. To prevent phishing, citibank has registered this and several other names. Please type 'citibank.com' into your browser address bar to continue."

    Why no click through link? What's to keep the phisher from making a fake "bad domain name page" linking to their site? Then they've got you hook, line, and sinker...
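
A sketch of the kind of pre-approval search raised in comment 2, run over the domain names quoted in the story and in comment 4. This is an added example, not code from Slashdot, F-Secure or Sedo; the `PROTECTED` list, the `screen` function and the distance threshold are assumptions made for illustration.

```python
import re

# Assumed marks and their owners' real domains (constructed for this example).
PROTECTED = {"chase": "chase.com", "citibank": "citibank.com",
             "bankofamerica": "bankofamerica.com"}

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)        # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def screen(domain):
    """Return (mark, reason) when a name should be held for review, else None.

    Expects a registrable name such as "citi-bank.com" (no host prefix).
    """
    domain = domain.lower().strip(".")
    if domain in PROTECTED.values():
        return None                                 # the mark owner's own name
    name = domain.rsplit(".", 1)[0]                 # drop the TLD
    tokens = [t for t in re.split(r"[^a-z0-9]+", name) if t]
    squashed = "".join(tokens)                      # citi-bank -> citibank
    for mark in PROTECTED:
        if squashed == mark:
            return mark, "separator variant"
        if any(t.startswith(mark) for t in tokens):
            return mark, "mark used as prefix"
        dist = edit_distance(squashed, mark)
        if dist <= len(mark) // 6:                  # longer marks tolerate more typos
            return mark, f"edit distance {dist}"
    return None

if __name__ == "__main__":
    # Names quoted in the story and comments above, plus the real citibank.com.
    for d in ["filmlist.com", "chasebank-online.com", "citi-bank.com",
              "bankofameriuca.com", "citybank.com", "citibank.com"]:
        print(f"{d:24} {screen(d)}")
```

A hit only means the name goes to a human reviewer; short marks such as "chase" get no typo tolerance here because one-letter neighbours of a five-letter word are mostly ordinary words.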