UNDERSTANDING DOMAIN NAME RULES
Topics below: Domain Name Rules, Domain Name Tricks, Defense, The Limits of Defense, Real life domain name scams, Final Exam
What is a domain? Let's start with examples of domains: google.com, columbia.edu, redcross.org, mullvad.net and irs.gov. When a person or organization wants their own presence on the Internet, they need to purchase a domain. There are hundreds of companies, called registrars, that sell domains. The cost varies drastically but many are about $20/year (US). Personally, I own three domains: the one for this website, DefensiveComputingChecklist.com, my personal site, michaelhorowitz.com and RouterSecurity.org.
This page exists because fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names.
On a desktop operating system (Windows, macOS, Linux), the domain name appears in the address bar of a web browser surrounded by slashes (/). More specifically, the two slashes after either HTTP or HTTPS indicate the start of the domain name (yes, and any sub-domains, this is just an intro) and the next slash indicates the end. For example, in the text below
https://michaelhorowitz.com/about.php
The domain name starts with the "m" in michaelhorowitz and ends with the "m" in com.
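Added example, not code from the original page: a small Python helper that applies the rule just described (the host sits between the "//" and the next "/") and then picks out the part of that host that was actually bought from a registrar, which is what a scammer cannot fake. The short two-label suffix list is a constructed stand-in for the full Public Suffix List.

```python
"""Pull the host out of a URL, then report the registered domain within it.
Every label to the left of the registered domain is a subdomain that the
registrant can name however they like (e.g. www.irs.gov.tax-popular.com)."""
from urllib.parse import urlsplit

# Constructed partial list of suffixes that take two labels (co.uk, com.au ...).
# The real Public Suffix List is far longer; this is only for illustration.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "org.uk", "gov.uk", "ac.uk"}


def host_of(url: str) -> str:
    """Return the host part of a URL, lower-cased, without port or user info."""
    if "://" not in url:
        url = "http://" + url          # bare hosts, as they appear in text messages
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """The part of the host that came from a registrar: the last label (the TLD)
    plus the label before it, or one more label when the ending is a known
    two-label suffix such as co.uk."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def looks_like(host: str, brand_domain: str) -> bool:
    """Coarse check: the brand's name appears somewhere in the host, yet the
    registered domain is not the brand's own (coinbase.com.password-reset.com)."""
    real = registered_domain(brand_domain)
    brand = real.split(".")[0]
    return brand in host and registered_domain(host) != real


if __name__ == "__main__":
    for link in ("https://michaelhorowitz.com/about.php",
                 "www.irs.gov.tax-popular.com",
                 "coinbase.com.password-reset.com",
                 "www.argos.co.uk.theninja.gknu.com/www.argos.co.uk/account-login/"):
        h = host_of(link)
        print(f"{link}\n  host: {h}\n  registered domain: {registered_domain(h)}")
```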
Browsers in mobile operating systems (iOS and Android) have so little space that they often cut parts out. For example, on iOS 17, Safari displays only the domain name, omitting both the page name (about.php in the above) and the leading HTTP/HTTPS, colon and slashes. Firefox on iOS 17 displays the domain name and the page name (as much as will fit) but also omits the leading HTTP/HTTPS, colon and slashes.
Note: To see the full address in Safari on iOS, just click/press on the domain name (screen shot) in the address bar.
THE RULES
Off topic: The security of each sub-domain is a free agent. That is, one subdomain may implement SSL/TLS security well and another subdomain may implement it quite poorly. You can test the security of a domain or a subdomain at the Qualys SSL Server Test. Old people in the US care about Social Security. While the website is www.ssa.gov, the section where you log in to your account is secure.ssa.gov. Years back, I blogged about how the "secure" sub-domain was not very secure. Now it is.
FYI: Microsoft is sloppy with their sub-domains which has led to some being stolen every now and then. On Jan. 12, 2021, Maik Morgenstern tweeted that he took ownership of covid19testing.microsoft.com thanks to Microsoft being incompetent.
apple.talk, apple.org, apple.gov, apple.fail, apple.us, apple.cn, apple.jobs, apple.app, apple.me, apple.site, apple.edu, apple.biz, apple.name, apple.io, apple.store, apple.tech, apple.net, apple.top, apple.movie, apple.tv, apple.theater
DOMAIN NAME TRICKS
Bad guys abuse everything there is to abuse, when it comes to domain names.
EXAMPLE: One malicious domain in the above article is www.xn--meripris-mx0doj.com, which translates to a look-alike of www.ameriprise.com. In November 2022, I tested current versions of four web browsers (in Windows) to see how they would display this. As you can see here, only Firefox offered a visual clue of the scam. Chrome, Edge and Brave assist the bad guys by displaying a speck of dust below the a and e.
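Added example, not from the original page: Python code that decodes the "xn--" (punycode) form of a host name into what the address bar renders, then strips the accents to reveal which plain-ASCII brand name it imitates. Only Latin look-alikes built from accents and combining marks are handled; a Cyrillic letter standing in for a Latin one would need a separate confusables table.

```python
"""Decode punycode labels and flag Latin-script homographs of a known brand."""
import unicodedata


def to_unicode_host(ascii_host: str) -> str:
    """Decode every xn-- label of a host with Python's punycode codec."""
    out = []
    for label in ascii_host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def skeleton(text: str) -> str:
    """Remove accents: NFKD splits 'a with dot below' into 'a' plus a combining
    mark, and the combining mark is then dropped. Other scripts pass through."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def homograph_of(ascii_host: str, brand_host: str):
    """Return (rendered, flagged). rendered is what the browser shows; flagged is
    True when that rendering is not plain ASCII but its skeleton equals the brand."""
    rendered = to_unicode_host(ascii_host)
    flagged = (not rendered.isascii()) and skeleton(rendered) == brand_host.lower()
    return rendered, flagged


if __name__ == "__main__":
    shown, bad = homograph_of("www.xn--meripris-mx0doj.com", "www.ameriprise.com")
    print(f"address bar shows: {shown}")
    print(f"skeleton:          {skeleton(shown)}")
    print(f"homograph of ameriprise.com: {bad}")
```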
DEFENSE
The best defense comes from looking up who actually owns a domain. I know of two ways to do this.
The fast, simple approach is Google. If you have heard of a company but don't know their domain name, then do a Google search for the company name. For example, if you Google "coinbase", you will see that the first search result is www.coinbase.com, the legitimate domain. Just be sure that you are looking at the search results and not ads, as there have been scam ads that send victims to coinbases.org, which is a malicious clone of coinbase.com.
The more technical approach to research a domain name is to look at information from the Registrar.
Companies that register domains are called "Registrars" and they are required to make information about domains public. This database is referred to as "Whois" and, in the Whois system, the domain owner is referred to as the "Registrant." Some Registrars offering a Whois lookup are: Namecheap, Gandi, pair Domains, eNom and Tucows Domains. DomainTools also offers a Whois lookup.
If an honest company owns the domain, you should see the company name listed as the Registrant. Scammers will hide their name behind one of many different services that exist just for this purpose. That said, a domain owner may not want their contact information public. If you look up this domain (DefensiveComputingChecklist.com) for example, you will not find my home address. While people may want to hide, legitimate companies have no reason to do so. Note that this cloaking is not perfect; law enforcement can always knock on the door of a registrar to see who paid for a domain.
Someone I know needed the Whois system to see if they were being scammed. They use TD Bank whose website is tdbank.com. But they got a text message that claimed to be from the bank, telling them to go to td.com. Is td.com really TD Bank or is it a scam? Whois to the rescue :-)
Another thing to look for in the Whois report is the date that the domain was first registered. Scam domains tend to be new, legitimate domains tend to be old. A domain registered in the last few days is pretty much guaranteed to be a scam. Other useful information provided by Whois is a technical contact, an administrative contact, the name of the Registrar and, for techies, the authoritative DNS servers.
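Added example, not from the original page: a Python reader for the fields the two paragraphs above say to check in a Whois record (Registrant, Registrar, Creation Date), which computes the domain's age and notes a privacy-shielded registrant. The record is constructed for the example, the 30-day "new domain" threshold is an assumption, and real Whois output varies by registrar, so the parser is tolerant about spacing and case.

```python
"""Parse the key fields of a Whois record and flag a freshly registered domain."""
from datetime import date, datetime
import re

# Constructed sample in the common "Key: value" layout; not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOOKALIKE-BANK.COM
Registrar: Example Registrar, Inc.
Creation Date: 2025-01-20T14:02:11Z
Registrant Organization: Privacy service (REDACTED FOR PRIVACY)
Registrant Country: US
Name Server: NS1.EXAMPLE.NET
"""

FIELDS = ("Domain Name", "Registrar", "Creation Date", "Registrant Organization")
NEW_THRESHOLD_DAYS = 30          # assumption: anything younger is treated as "new"


def parse_whois(text: str) -> dict:
    """Return the first value seen for each field in FIELDS; keys are case-insensitive."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key = m.group(1).strip().title()
        if key in FIELDS and key not in found:
            found[key] = m.group(2)
    return found


def domain_age_days(record: dict, today_iso: str) -> int:
    """Days between the Creation Date and today (passed in, so results are repeatable)."""
    created = datetime.fromisoformat(record["Creation Date"].replace("Z", "+00:00"))
    return (date.fromisoformat(today_iso) - created.date()).days


def assess(text: str, today_iso: str) -> dict:
    """Summarise what the page says to look at: age, newness, and a hidden registrant."""
    record = parse_whois(text)
    age = domain_age_days(record, today_iso)
    registrant = record.get("Registrant Organization", "").lower()
    return {
        "registrar": record.get("Registrar", ""),
        "age_days": age,
        "is_new": age < NEW_THRESHOLD_DAYS,
        "registrant_hidden": "privacy" in registrant or "redacted" in registrant,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS, "2025-01-23"))
```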
Another defense is a search engine. Searching for the company or software you want should turn up the real website rather than a scam site. That said, be careful of ads. Bad guys have often purchased ads that show up before the search results as a way to lure victims to their scam websites.
Finally, some domains are more likely to be scams than others. Yes, this is judging a book by its cover. From this article: Why Phishers Love New TLDs Like .shop, .top and .xyz by Brian Krebs (December 3, 2024).
THE LIMITS OF DEFENSE
Sometimes, bad things happen on good domains.
This August 2022 story by Brian Krebs, PayPal Phishing Scam Uses Invoices Sent Via PayPal, tells how a compromised or fraudulent PayPal Business account was used by bad guys to send emails and invoices that could not look any more realistic. The scam emails were actually being sent by PayPal. The scam invoices that the emails linked to were hosted on the real PayPal website. Yet, fraudulent. The scam part of the emails was the phone number to call to dispute the phony charge in the phony invoice. In one case, the only tip-off to the scam was when the bad guys tried to install remote control software on the victim's computer.
This August 2021 article (Phishing campaign uses UPS.com XSS vuln to distribute malware) by Lawrence Abrams of Bleeping Computer describes a phishing email that pretends to be from UPS, the package delivery company. The malicious link in the email message points to the real ups.com website. The link abuses a bug in the website to download a malicious Word document.
REAL LIFE DOMAIN NAME SCAMS
January 21, 2025: Don't fall for the IRS scam by Susan Bradley for AskWoody.com. A scam text message pretends to be from the IRS and sends victims to www.irs.gov.tax-popular.com.
December 18, 2024: Brian Krebs wrote How to Lose a Fortune with Just One Bad Click about someone who lost control of their Gmail/Google account. In part, the victim was scammed by an email message sent from google.com. So, it must be legit? Nope. The article references this December 2023 article by Graham Cluley: Google Forms Used in Call-Back Phishing Scam. Suffice it to say that the Google Forms system can be abused by bad guys to send victims scam emails that really come from google.com. As I write this, it has been over a year and Google has not fixed this problem.
October 25, 2024: Amazon seizes domains used in rogue Remote Desktop campaign to steal data by Bill Toulas of Bleeping Computer. Quoting: "Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data ... APT29, also known as 'Cozy Bear' and 'Midnight Blizzard,' is a Russian state-sponsored cyber-espionage group linked to Russia's Foreign Intelligence Service (SVR)." The scam domains were made to appear as AWS (Amazon Web Services) domains. Among the many scam domains: us-east-1-aws.mfa-gov.cloud, awsplatform.online, aws-data.cloud, md-gov.cloud, s3-proofpoint.cloud, s3-knowbe4.cloud and s3-spacex.cloud.
October 9, 2023: Phishers Spoof USPS, 12 Other National Postal Services by Brian Krebs. About a common scam where victims get an SMS text message claiming to have been sent by the US Postal Service, saying there was a problem with a package and a link to fix it. Some of the scam domains cited in the article: usps.informedtrck.com, usps.receivepost.com, postreceive.com, usps.trckpackages.com, trackingusps.infortrck.com, tackingpos.com, usa-usps.shop and many more.
November 2022: In this article, How social media scammers buy time to steal your 2FA codes, Paul Ducklin dissects a scam targeting Facebook users. Part of the scam involves domain names in the format facebook-help-nnnnnn. The bad guys claimed that the digits nnnnnn were a unique identifier for the victim.
November 2022: A Brian Krebs article mentioned ushank.com which was created to scam U.S. Bank customers.
October 2022: Typosquat campaign mimics 27 brands to push Windows, Android malware by Bill Toulas of Bleeping Computer. Quoting: "A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss." Some examples: tocrproject.com pretended to be torproject.com. I have downloaded Notepad++ many times from notepad-plus-plus.org. Bad guys are trying to scam people using notepads-plus-plus.org. The Brave browser is at brave.com. Bad guys created braves-browsers.org.
In August 2022, I got this scam text message pretending to be from Citibank and using the scam domain citi-online-supported06a.com.
In August 2022, Cloudflare blogged about their experience with a scam domain name (The mechanics of a sophisticated phishing scam and how we stopped it). They use Okta's identity and access management services and the scam domain that employees received text messages to visit was cloudflare-okta.com which really looks legit. Cloudflare is very serious about shutting down scam domains. They monitor new domain registrations looking for those that contain their name, and they attempt to have them shut down ASAP. In this case, however, the domain had been registered less than 40 minutes before the scam text messages were sent.
In July 2022, we learned that bad guys are abusing IPFS, a somewhat rare file system where data is retrieved based on its content rather than its location. Since IPFS locations had, until then, been considered safe, this gets around systems that look for bad domains. See Decentralized IPFS networks forming the 'hotbed of phishing' from The Register. Among the IPFS domains used in phishing emails were: cloudflare-ipfs.com, ipfs.infura-ipfs.io, googleweblight.com, ipfs.filebase.io, nftstorage.link and ipfs.fleek.co.
In May 2022, we learned this: U.S. DoD tricked into paying $23.5 million to phishing actor (from Bleeping Computer by Bill Toulas). Part of the scam involved domain names. Quoting: "... conspirators registered the domain dia-mil.com, which is very similar to the legitimate dla.mil, and used it to send phishing emails." The bad guys were pretending to be from the Defense Logistics Agency.
In December 2021, many outlets wrote about a TV newscaster in India who was scammed into quitting her job, providing tons of personal information and almost moving to Boston for a nonexistent job at Harvard. This is from the New York Times: The Harvard Job Offer No One at Harvard Ever Heard Of. The bad guys used the domain HarvardCareer.com as part of the scam. This was a large scam; several journalists and media personalities in India were targeted. Despite being alerted to the scam, Harvard University did nothing. I write this months after the scam and Harvard still has not bothered to take ownership of HarvardCareer.com.
In November 2021, Brian Krebs wrote about scams focused on un-delivered packages that used the returns-fedex.com domain.
In October 2021, Brian Krebs wrote about a scam that used coinbase.com.password-reset.com to scam coinbase.com users.
Security firm Proofpoint registered some look-alike domain names to use in training their customers about common scams. Among the domains were facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org. Facebook learned about this and went after the registrar to get ownership of the domains transferred to Facebook. See Proofpoint drops lawsuit, transfers phishing domains to Facebook (August 2021).
In October 2020, I was searching for a specific Chromebook and one of the top search results was the website consumes.report. It is a scam (see screen shot), pretending to be Consumer Reports. Their real domain name is consumerreports.org.
This August 2020 article about phone based scams includes these actual scam domain names: bofaticket.com, helpdesk-att.com and vzw-employee.com. In discussing these particular scams, the author, Brian Krebs, says: ...domains used for these pages often invoke the company's name, followed or preceded by hyphenated terms such as 'vpn,' 'ticket,' 'employee,' or 'portal.'
In April 2020 bad guys hacked into a Sophos firewall device and downloaded malware from sophosfirewallupdate.com which did not belong to Sophos.
In March 2020, Facebook sued domain registrar Namecheap for registering domains designed to trick people. Some cited examples: instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. In Oct. 2019, Facebook sued another registrar, OnlineNIC for registering domains such as www-facebook-login.com and facebook-mails.com.
For years, Microsoft has been disgraceful in how they handle their subdomains and, as a result, bad guys have been hijacking some of them. The domains cited as being miserably managed are microsoft.com, skype.com, office.com, msn.com, windows.com and xbox.com. Microsoft has been told about this many times, yet the problems linger. This is easily addressed; Microsoft is simply incompetent. It is fairly easy for bad guys to steal the vulnerable subdomains. Victims visiting something.office.com, for example, can be easily tricked into entering passwords that go directly to the bad guys. Recent accounts in the news from March 2020 are here and here. Two subdomains that researchers hijacked to demonstrate the problem were mybrowser.microsoft.com and identityhelp.microsoft.com. A video shows that the bad guys even got an SSL certificate for the subdomain they hijacked. This also made news in February 2020.
In Feb. 2020, I saw this scam text message on a phone. The domain citiunlocknow.com does not belong to Citibank.
In Nov. 2019, we learned of a fake payment service platform (PSP). Many small websites, rather than take credit cards directly, transfer their customers to a secure website run by a large ecommerce company such as Mastercard. An Australian company had their website hacked and, instead of customers being transferred to the legitimate mastercard.com.au, they were sent to the scam site payment-mastercard.com.
This October 2019 article, Fake Tor Browser steals Bitcoin from Dark Web users notes that the scam domains tor-browser.org and torproect.org were used to lure victims. The real Tor website is torproject.org.
A September 2019 article about stolen iPhones included this scam, directed at someone whose iPhone had been stolen: "Your missing iPhone has been found by the police nearby and handed over to the Apple related department ... Please click apple-ios-id-gps.us/us and login to the Apple ID management system."
A June 2019 scam combined two methods. Pretending to be from British retailer Argos (argos.co.uk), bad guys at gknu.com sent phishing emails trying to get victims to go to
www.argos.co.uk.theninja.gknu.com/
www.argos.co.uk/account-login/
Note: this looks more convincing when viewed as a single string, but I broke it up into two lines for page display reasons.
In April 2019, Brian Krebs wrote about a service called Land Lords that creates Airbnb scams. A key piece of these scams is domains that look like airbnb.com but are not. The scam domain in the article was airbnb.longterm-airbnb.co.uk. It looked exactly like the real Airbnb website and requested victims to sign in. The fake site forwarded the legit Airbnb credentials to the real Airbnb, but only after recording them. Other domains used to scam Airbnb were: airbnb.longterm-airbnb.co.uk, airbnb.request-online.com and airbnb-invoice.com. For another defense against this scam see the topic below on verified website identities.
When, also in April 2019, Krebs wrote about Wipro being hacked by phishing/scam email messages, the phony domain name he cited was
securemail.wipro.com.internal-message.app
Who even knew that a legitimate domain name can end in dot app? The bad guys loved using their internal-message.app domain so much they also may have used
securemail.capgemini.com.internal-message.app to scam employees of CapGemini.
The squidblacklist.org site maintains lists of bad domains. Their DNS Malicious Zone file has thousands of malicious domains, some of which are clearly designed to fool people. Just looking for Microsoft related domains turns up: accountsmicrosoft.com, microsoft.com-windows-cleaner-pc.live, drives-microsoft.com, livemicrosoftsupports.com, loginmicrosoftsonline.com, login.microsoftonline.com.atomysales.com, microsoft-0ffice365.com, microsoft365drive.com and microsoftcustomercares.com.
Arguably the biggest domain name screw-up ever was by Equifax in 2017. I say this not because they were hacked, but because of their reaction. The Equifax domain is equifax.com. To post their response to the hacking incident, they created a new website: equifaxsecurity2017.com. They should have named their response website something like security2017.equifax.com or equifax.com/security2017. A techie exposed Equifax for the fools they are by registering a scam website, securityequifax2017.com. In the ultimate irony, the official Equifax Twitter account sent people to the scam site. You can't make this stuff up. And, now that you have read this far, you know more about domain names than the techies at Equifax.
FINAL EXAM
Think you've got it? You can test yourself at the OpenDNS Phishing Quiz. It shows you 14 website screen shots, each asking for information, and you have to judge if they are real or a scam/phishing.
This page was created February 26, 2020 and last updated January 23, 2025.
Website by Michael Horowitz @defensivecomput