A Defensive Computing Checklist    by Michael Horowitz
<--Back to the Main Defensive Computing Page

UNDERSTANDING DOMAIN NAME RULES     (Topic last updated: November 17, 2021)

Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names.

Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules and scams targeted at people that don't know the rules.

  REAL LIFE DOMAIN NAME SCAMS

In November 2021, Brian Krebs wrote about scams focused on un-delivered packages that used the returns-fedex.com domain.

In October 2021, Brian Krebs wrote about a scam that used coinbase.com.password-reset.com to scam coinbase.com users.

Security firm Proofpoint registered some look-alike domain names to use in training their customers about common scams. Among the domains were facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org. Facebook learned about this and went after the registrar to get ownership of the domains transferred to Facebook. See Proofpoint drops lawsuit, transfers phishing domains to Facebook (August 2021)

In October 2020, I was searching for a specific Chromebook and one of the top search results was the website consumes.report. It is a scam (see screen shot), pretending to be Consumer Reports. Their real domain name is consumerreports.org.

This August 2020 article about phone based scams includes these actual scam domain names: bofaticket.com, helpdesk-att.com and vzw-employee.com. In discussing these particular scams, the author, Brian Krebs says: ...domains used for these pages often invoke the company's name, followed or preceded by hyphenated terms such as 'vpn,' 'ticket,' 'employee,' or 'portal.'

In April 2020 bad guys hacked into a Sophos firewall device and downloaded malware from sophosfirewallupdate.com which did not belong to Sophos.

In March 2020, Facebook sued domain registrar Namecheap for registering domains designed to trick people. Some cited examples: instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. In Oct. 2019, Facebook sued another registrar, OnlineNIC for registering domains such as www-facebook-login.com and facebook-mails.com.

For years, Microsoft has been disgraceful in how they handle their subdomains and, as a result, bad guys have been hijacking some of them. The domains cited as being miserably managed are microsoft.com, skype.com, office.com, msn.com, windows.com and xbox.com. Microsoft has been told about this many times, yet the problems linger. This is easily addressed, Microsoft is simply incompetent. It is fairly easy for bad guys to steal the vulnerable subdomains. Victims visiting something.office.com, for example, can be easily tricked into entering passwords that go directly to the bad guys. Recent accounts in the news from March 2020 are here and here. Two subdomains that researchers hijacked to demonstrate the problem were mybrowser.microsoft.com and identityhelp.microsoft.com. A video shows that the bad guys even got an SSL certificate for the subdomain they hijacked. This also made news in February 2020.

In Feb. 2020, I saw this scam text message on a phone. The domain citiunlocknow.com does not belong to Citibank.

In Nov. 2019, we learned of a fake payment service platform (PSP). Many small websites, rather than take credit cards directly, transfer their customers to a secure website run by a large ecommerce company such as Mastercard. An Australian company had their website hacked and instead of customers being transfered to the legitimate mastercard.com.au, they were sent to the scam site payment-mastercard.com.

This October 2019 article, Fake Tor Browser steals Bitcoin from Dark Web users notes that the scam domains tor-browser.org and torproect.org were used to lure victims. The real Tor website is torproject.org.

When, also in April 2019, Krebs wrote about Wipro being hacked by phishing/scam email messages, the phony domain name he cited was
securemail.wipro.com.internal-message.app
Who even knew that a legitimate domain name can end in dot app? The bad guys loved using their internal-message.app domain so much they also may have used
securemail.capgemini.com.internal-message.app to scam employees of CapGemini.

A September 2019 article about stolen iPhones included this scam, directed at someone whose iPhone had been stolen: "Your missing iPhone has been found by the police nearby and handed over to the Apple related department ... Please click apple-ios-id-gps.us/us and login to the Apple ID management system."

A June 2019 scam combined two methods. Pretending to be from British retailer Argos (argos.co.uk), bad guys at gknu.com sent phishing emails trying to get victims to go to
www.argos.co.uk.theninja.gknu.com/www.argos.co.uk/account-login/

The squidblacklist.org site maintains lists of bad domains. Their DNS Malicious Zone file has thousands of malicious domains, some of which are clearly designed to fool people. Just looking for Microsoft related domains turns up: accountsmicrosoft.com, microsoft.com-windows-cleaner-pc.live, drives-microsoft.com, livemicrosoftsupports.com, loginmicrosoftsonline.com, login.microsoftonline.com.atomysales.com, microsoft-0ffice365.com, microsoft365drive.com and microsoftcustomercares.com.

Arguably the biggest domain name screw-up ever, was by Equifax in 2017. I say this not because they were hacked, but because of their reaction. The Equifax domain is equifax.com. To post their response to the hacking incident, they created a new website: equifaxsecurity2017.com. They should have named their response website something like security2017.equifax.com or equifax.com/security2017. A techie exposed Equifax for the fools they are by registering a scam website securityequifax2017.com. In the ultimate irony, the official Equifax twitter account, sent people to the scam site. You can't make this stuff up. And, now that you have read this far, you know more about domain names than the techies at Equifax.

IN CONCLUSION

Think you've got it? You can test yourself at the OpenDNS Phishing Quiz. It shows you 14 website screen shots, each asking for information, and you have to judge if they are real or a scam/phishing.

And now, really bad news. This August 2021 article (Phishing campaign uses UPS.com XSS vuln to distribute malware) by Lawrence Abrams of Bleeping Computer describes a phishing email that pretends to be from UPS, the package delivery company. The malicious link in the email message points to the real ups.com website. The link abuses a bug in the website to download a malicious Word document.

Finally, some good news about domain names. You may be able to see who owns a domain. Companies that register domains are called "Registrars" and they are required to make information about domains public. This database is referred to as "Whois" and, in the Whois system, the domain owner is referred to as the "Registrant." Some Registrars offering a Whois lookup are: Namecheap, Gandi, pair Domains, eNom and Tucows Domains. DomainTools also offers a Whois lookup.

Some one I know needed this to see if they were being scammed. They use TD Bank whose website is tdbank.com. But they got a text message that claimed to be from the bank, telling them to go to td.com. Is td.com really TD Bank or is it a scam? Whois to the rescue :-)
Other useful information provided by Whois, is a technical contact, an administrative contact, the name of the Registrar and, for techies, the authoritative DNS servers. That said, a domain owner may not want their contact information public. If you look up this domain (DefensiveComputingChecklist.com) for example, you will not find my home address. While people may want to hide, legitimate companies have no reason to do so. Needless to say, a bad guys hide their identity. However, law enforcement can always knock on the door of a registrar to see who paid for a domain.

 4,603 views of the Domain rules since February 26, 2020
Last Updated
November 17, 2021
Total
Page Views

 260,249
Page Views
Today

  2
Previous
Website View

7.3 minutes ago
Website by
Michael Horowitz
@defensivecomput
top
<--Back to the Main Defensive Computing Page
Copyright 2019 - 2021