Slashdot Mirror


Domain Resale Market Is Phisher Heaven

Krishna Dagli writes "Finnish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."

14 of 120 comments

  1. Not going to happen by plover · · Score: 2, Interesting
    Does anyone really think a domain registrar has any incentive to stop phishers? "Oh, sure, you want us to cut our potential sales just because a typo-squatter might be phishing?" I wonder how much of their revenue comes from selling the actual names vs how much comes from the spelling error names?

    Anyway, I wouldn't count on the registrars changing their business model just because there are stupid people out there.

    --
    John
  2. Click Farms by prothid · · Score: 4, Insightful

    People that want these domains run click farms. They make their money by showing ads based on the site the person meant to visit, from Google or whomever. It doesn't make sense for a phisher to pay big money for these domains when they can phish just as well with ksajdfxdvos.com.

  3. Obvious Problem by Threni · · Score: 2, Interesting

    I don't understand why there's not a domain like `.tm` (for example) where you'd need a trademark or some other legal device before you could register it. Some sort of search could be performed before the domains were approved and allowed to be used. If such a system were monitored properly - publicly aired before approval so people could stop any abuses that got past the legal bit - then wouldn't it go some way - if not perhaps the whole way - towards stopping that sort of phishing?

    1. Re:Obvious Problem by Threni · · Score: 2, Informative

      > You'd still have the Budweiser problem, in that there are two Budweiser beers, one out of Czech Republic and one out of St. Louis,
      > MO. They both can legally use the name Budweiser (in certain markets) since originally their markets did not overlap at all. Who
      > would legally get the domain name?

      They'd both be legal in their own countries. If I'm in the Czech Republic I could still use the guaranteed safe-from-phishing Budweiser.us.tm, in addition to the local Budweiser.cz.tm. It's not about `there can be only one` - just that as long as you could trust the people doing the certification in a given country, you could trust all the .tm domains there.

      >And what about common names like Yellow? Would it go to Yellow Cab? Yellow Pages? Yellow Roadway? All of them at some point used
      >Yellow as their "name".

      I'm not suggesting a mapping of `yellow` to one domain. Yellow cab could get "yellowcab.uk.tm", Yellow pages could get "yellowpages.uk.tm" etc, assuming they owned those trademarks.

      >Trademarks can be used in multiple places for multiple reasons. The sorting out over multiple jurisdictions would be a nightmare. It
      >already is just for the trademarks.

      As I've said, it'd be per jurisdiction.

  4. Cybersquatters... by GreyPoopon · · Score: 2, Interesting
    Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?
    One other possibility. Cybersquatting...the online equivalent of extortion. Anyway, the practice of registering these "typo" domains shouldn't be illegal. But they should be an automatic trigger for a detailed investigation by the justice department. It's like criminals hanging a sign on their front door announcing their intentions to commit a crime. The DoJ should be loving it....
    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  5. Re:Who are you? The fucking thought police? by onion2k · · Score: 2, Informative

    I'm not sure I agree. There are 4 reasons someone other than Bank of America might purchase bankofameriuca.com:

    1. They're phishing.
    2. They're typo-squatting in the hope of selling it to Bank of America.
    3. They're link farming/click farming hoping for lots of typo hits.
    4. Their name happens to be Banko F. Ameriuca. ;)

    In all cases there's no legal compulsion for Sedo to keep the domain out of any one person's hands. It's got nothing much to do with them. However, there is an ethical obligation on the part of Bank of America. They should be looking after their customers and making it difficult for phishers to try and sting them. Bank of America should have bought up all likely typos of their primary domain. If I had an account with them I would consider moving it. If they're willing to risk people losing out to phishing attacks to save the few dollars a domain costs to keep then they must be doing pretty damn badly, or they must not care much about my custom.

  6. FTFA by deblau · · Score: 2
    "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."
    Yeah, let's see how impossible it is when Paypal, Visa, Chase, Citibank, and BofA sue you for trademark infringement and unfair competition, with hundreds of other companies waiting in the wings.
    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.
  7. How many "likely" typos are there? by patio11 · · Score: 2, Insightful

    Aside from the, hmm, 2 people in the country who think there is a "u" in America, it would appear that that particular domain isn't being used for fat-fingered folks (u is nowhere near either c or a on the keyboard -- you have to go out of your way to hit it), so it is probably being used for phishing. The hope is that someone is less than cautious in reading it and doesn't recognize the inserted letter. Let's say someone decides to match up the first six letters of the domain exactly and then inserts one letter at an arbitrary point elsewhere. To combat this, bank of america would have to buy over *twenty tril1ion* domains which are equally as likely as bankofamericua.com (26 letters to insert, 8 positions to insert them at, 26^8 = lots). And that would only defend against *one* particular style of typo-squatting. If you combine the "insert a random letter" trick with "replace the I in America with a 1", then that is another twenty trillion domains you have to buy.

    P.S. Slashdotters who think you are immune because you are always a careful reader -- how many of you caught the phisher-style substitution I made in this post? Your brain is hard-wired to ignore the sort of slight differences that your computer is wired to treat as very serious.

  8. Re:maybe I'm stating the obvious but... by chroot_james · · Score: 2, Insightful

    Cost effective? Domains cost like $10 a pop... I think if domain names prove to be a source of identity theft, companies will happily buy domain lookalikes rather than pay people to investigate fraud or suffer the losses...

    --
    Reality is nothing but a collective hunch.
  9. "i" and "u" by XanC · · Score: 2, Insightful

    I don't know what kind of crazy keyboard you're using, but on mine, the "i" and the "u" are right next to each other.

    http://www.mwbrooks.com/dvorak/layout.html
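The typo classes argued over in comments 7 and 9 (a letter inserted into the name, a phisher-style digit substitution such as the one hidden in that post, and adjacent-key slips that differ between QWERTY and Dvorak) can be enumerated mechanically so a defender can check which look-alikes of a brand are already registered. The following is an added example and is not code from the thread, from F-Secure or from Sedo; the keyboard rows and the homoglyph table are constructed for the example, and only letters in the same row are treated as adjacent, which is a simplification.

```python
"""Enumerate look-alike domain labels for a brand name.

Added example for this thread, not code from any party mentioned in it.
Keyboard rows and homoglyph pairs below are constructed for the example.
"""
import string

LETTERS = string.ascii_lowercase

# Letter rows of the two layouts mentioned in the thread (punctuation keys
# omitted).  Only same-row neighbours count as adjacent: a simplification.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
DVORAK_ROWS = ["pyfgcrl", "aoeuidhtns", "qjkxbmwvz"]

# Visually confusable substitutions a skimming reader tends not to notice
# (the "tril1ion" trick).  Constructed table, not exhaustive.
HOMOGLYPHS = {
    "i": "1l", "l": "1i", "o": "0", "e": "3", "a": "4", "s": "5",
    "m": "rn", "w": "vv",
}


def neighbours(rows):
    """Map each letter to the letters immediately left and right of it."""
    table = {}
    for row in rows:
        for i, ch in enumerate(row):
            table[ch] = row[max(0, i - 1):i] + row[i + 1:i + 2]
    return table


def insertions(label):
    """Every label with one extra letter at any position (comment 7's model)."""
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in LETTERS}


def omissions(label):
    """Every label with one letter dropped."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label):
    """Every label with two neighbouring letters swapped."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def replacements(label, table):
    """Every label with one letter replaced by an alternative from table."""
    out = set()
    for i, ch in enumerate(label):
        for alt in table.get(ch, ""):
            out.add(label[:i] + alt + label[i + 1:])
    return out


def candidates(domain, rows=QWERTY_ROWS):
    """All single-edit look-alikes of domain, as sorted host names.

    The original domain is excluded.  Pass DVORAK_ROWS to model the
    adjacency comment 9 describes.
    """
    label, _, tld = domain.lower().partition(".")
    variants = set()
    variants |= insertions(label)
    variants |= omissions(label)
    variants |= transpositions(label)
    variants |= replacements(label, neighbours(rows))
    variants |= replacements(label, HOMOGLYPHS)
    variants.discard(label)
    return sorted(v + "." + tld for v in variants)


if __name__ == "__main__":
    for name in candidates("bankofamerica.com")[:10]:
        print(name)
    print(len(candidates("bankofamerica.com")), "single-edit variants")
```

The output is a candidate list to feed to DNS or WHOIS lookups; the set is a few hundred names per brand for single edits, so the registered subset is what deserves attention. Anything already resolving to a host that serves a copy of the brand's login page is a phishing lead rather than a click farm.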

  10. Re:wtf? by geoffspear · · Score: 2, Insightful

    I don't think the phishers care if they don't get to steal your identity, as long as the 99% of web users who don't know what SSL is can still be fooled. So yes, you're missing something.

    --
    Don't blame me; I'm never given mod points.
  11. Re:Who are you? The fucking thought police? by orasio · · Score: 2, Insightful

    Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft.


    Copyright law, ok.
    Patent law, ok.

    Restrictions on identity theft, no.
    Identity can lose its intrinsic value when copied. That's not cool.

    The issue with domain ownership is that regulating domains could be bad for the internet itself, because it would impose more regulation, and we all know that regulation is bad for the net, even if deregulation has its drawbacks.

  12. Bank of Ameriuca by zecg · · Score: 2, Funny

    Don't knock it, I've been a loyal customer of the Bank of Ameriuca for three days. They've given me life insurance dirt cheap, some very fine investment tips (a hot new web 2.0 company guaranteed to soar like an eagle in a week!) and offered free hosting for some homemade porn I've made. Also, I seem to have scored an elephant desktop friend which knows about free screensavers. It was about time banks realized that they have to offer more diverse services for our money.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  13. Re:The economics of pre-emptive domain grabs by jargon82 · · Score: 2, Interesting

    Forwarding misspelled domains to your .com is a HORRIBLE idea. Here's why:
    Let's say you are citibank, you own citibank.com, and you forward citybank.com. You're "setting the expectation" that a forward will happen, in the customer's mind. When they go to city-bank.com, and it looks the same, to them, as citybank or citibank (but it's actually phisher owned), they're sunk.

    What NEEDS to happen instead, if registering alternate spellings or typos is part of a security strategy, is that you inform the customer on that page with an informative message. "You appear to be looking for citibank.com. To prevent fishing, citibank has registered this and several other names. Please type 'citibank.com' into your browser address bar to continue."

    Why no click through link? What's to keep the fisher from making a fake "bad domain name page" linking to their site? Then they've got you hook, line, and sinker...