Domain Resale Market Is Phisher Heaven 120
Krishna Dagli writes "Finish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."
Not going to happen (Score:3, Interesting)
Anyway, I wouldn't count on the registrars changing their business model just because there are stupid people out there.
Re: (Score:2)
A more market-oriented approach would be to have the individual registrars establish policies. Then ha
Not registrar, registry? (Score:1)
Re: (Score:1)
Re: (Score:1)
--
Duh
Re: (Score:1)
Buyers interested to.. (Score:1)
Responsibility? (Score:2)
Also, are these domain names coming up for sale because the banks don't want them any more or because their subscription lapsed? I would have thought they'd automatically renew.
Re: (Score:2)
Obviously it's impossible to register every typo-variation of your real domain name, so that kinda answers my original question.
However, I remember back in 1999 or so I visited vodaphone.com, which brought up a nice friendly page explaining how thousands of their customers misspelled "vodafone", so they decided to register that domain name to correct the confusion, which I thought was rather nice.
Wrong question... (Score:2)
Here's a thought - do banks have a responsibility to register domain names related to themeselves? I think one could make that argument.
That's the wrong question, but you're close. Banks have a responsibility to authenticate themselves to users before users are allowed to make transactions. Right now that authentication is supposed to be done by the user looking at the website and recognizing the name. This is, and will always be a terrible form of authentication.
I've said it before, but banks should be
Re: (Score:2)
I wouldn't agree. In the UK I'm sure there's been instances of crooks taking over an empty shop, fitting it out like a real bank and conning people into depositing money there. There was certainly a case where a gang used a stolen ATM to grab card numbers and PINs. Where does the responsibility lie? With the consumer, or the bank?
To extend the tiresome analogy: if I to
Re: (Score:1)
Exactly, and the crook is the guy who does the phishing, not the registrar who sold the domain name. Think about this: You go into a liquor store and pick up a bottle of Everclear (90% alcohol). At the counter, the clerk says "Oh, I won't sell you that. It's too dangerous!" Your response would be "What? You have it, I want it, and it's legal to buy! Don't tell me I can't have it!" - Right? Yes. we resellers are suspicious of people who buy these names. Bu
why would anyone buy these domains? (Score:1)
Re: (Score:1)
That's a domain I've never heard of.... (Score:1)
It's too early in the morning for any bad spelling jokes.
Re: (Score:2)
Re: (Score:1)
I is next to U on the qwerty. People make typos. That's, er, kind of the whole point.
Re: (Score:2)
Typo-squatting a Phisers dream come true (Score:1)
How to stop phishing. (Score:1)
Re: (Score:2)
Re: (Score:2)
But it SAID that I needed to update my Windows Firewall in order to access my account again. They told me I can go to their website, login, go to the FAQ section, and follow the directions in section 4.3
Or I can just click this link for convenience.
Re: (Score:1)
Some nice Nigerian man offered me lots of money once too. It was quick and painless, just had to click on one link.
Unfortunately my stupid bank screwed up everything and ended up giving him the money instead. I felt terrible not being able to help him. To make things worse, I think the bad guys he was running away from ended up catching him, I never got a response from him again :(
Who cares why? (Score:1)
Oh, I don't know, maybe social commentary, satire, to voice a complaint. Who cares?
Just punish the ones actually using the sites to scam.
Click Farms (Score:4, Insightful)
Re: (Score:1)
Who would pay the big bucks to get his super-phishing domain cancelled?
Seems like one more groundless scare from F-Secure. A company that has been known to cry wolf [msn.com] regularly [techdirt.com] (especially when it create a market for their products [techdirt.com])
Obvious Problem (Score:2, Interesting)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
I'm in the UK. I was thinking about something a little more accountable to me than that.
Re: (Score:1)
Companies were started and trademarks were registered in countries where it is cheap to do so, with names like 'a-b-c', just to be able to register domain names like abc.eu.
Re: (Score:2)
Re: (Score:2)
Also, trademarks need not always be registered, meaning that people who might have a legitimately enforceable trademark or trademark-like right could not get a do
Re: (Score:1)
> (trademark, company name, brand,
>
> But it would propably not work here
>* it requires worldwide cooperation
No it doesn't. Cahoot, to use an example of a UK based online bank, would register Cahoot.tm (for example) and that's that.
>* it wouldn't prevent "phishing" using malformed domains from legacy TLD
I don't understand that. I'm not an expert on domai
Re: (Score:2)
And what about common names like Yellow? Would it go to Yellow Cab? Yellow Pages? Yellow Roadway? All of them at some point used Yellow as their "name".
Trademarks can be used in multiple places for multiple reasons
Re: (Score:2, Informative)
> MO. They both can legally use the name Budwiser (in certian markets) since originally thier markets did not overlap at all. Who
> would legally get the domain name?
They'd both be legal in their own countries. If I'm in the Czech Republic I could still use the guaranteed safe-from-phishing Budwiser.us.tm, in addition to the local Budwiser.cz.tm. It's not about `there c
maybe I'm stating the obvious but... (Score:1)
Re: (Score:2, Insightful)
3,600 Look-alike domains used in attacks in 2005 (Score:2)
A banking TLD (Score:2)
Re: (Score:2)
What and have registrars cut their income? (Score:1)
Cybersquatters... (Score:3, Interesting)
Turn it around then (Score:2)
If these sites do wind up phishing sites, at least sedo.com will know who owns them. So what you do is to contact the Internet Crime Complaint Center. [ic3.gov] Give them the address of the phishing site - and be sure to let them know that sedo.com sold them the domain, so they'll have the customer contact info.
Absurdity of the SEDO.com statement (Score:2)
"We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."
Sounds like the approach many companies take when they find wrongdoing.
Like when I called the SBC datacenter in Texas and asked them if this was their IP address, and if they were hosting the website for Paypal.com. "yes, it is" and "no", the guy said. "well, you are now" I replied. He wanted to know what I expected him to do about it.
Are those really comparable? (Score:2)
There's a difference between "we don't proactively do XXX" and "we don't do XXX after we find out about it".
The other examples you give are the latter.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You can (and I do occasionally) fix this by null-routing them on your gateway :)
FTFA (Score:3)
Re: (Score:1)
Do they think we're idiots or something? They are proactively registering the darn things to resell, and then the two-faced morons turn around and say they ca
To put up a complaint website? (Score:2)
Just because *you* can't think of a good reason doesn't mean there isn't one. That one took me about three seconds. Try harder.
Acy
It doesnt have to be a phisher (Score:2)
It doesnt automaticaly have to be something with illegal intent.
Question (Slightly OT) (Score:2)
I guess personally I wonder if domain names matter so much anymore. It seems that the days of just going to "CompanyName.com" are over. Instead you google it, click through on an ad, type in from an email or business card, etc. So why not use "CompanyName2.com" or something.
It doesn't look pretty, unfortunately. To me, "CompanyName
Re: (Score:2)
Also critic site (Score:2)
If you are trying to put criticism about citi-bank, then you buy www.citi-bank.com and put up your sob story about how citi-bank forclosed on your mortgage, and auctioned it off for 1/2 what it was worth and gave you nothing back, despite the fact that you offered to buy the home from them at 3/4 of it's current value.
The economics of pre-emptive domain grabs (Score:2)
Re: (Score:2, Interesting)
Lets say you are citibank, you own citibank.com, and your forward citybank.com. Your "setting the expectation" that a forward will happen, in the customers mind. When they go to city-bank.com, and it looks the same, to them, as citybank or citibank (but it's actually phisher owned), they're sunk.
What NEEDS to happen instead, if registering alternate spellings or typos is part of a security strategy, you need to inform the custo
wtf? (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Case in point: 2 years ago I needed a new certificate.. went to a cert. dealer, filled in the name/address of my company and used the company email address. I got the certificate in under 2 hours.
No proof was required, just the existence of the domain and presumably they checked the whois. My address is unrelated to the company (which is just a virtual office with the trading address at the accountants) and I paid with my own cr
Why would anybody want to buy these domains? (Score:1)
Because domain sitters might want to earn from naive customers reaching these sites and clicking on contexual ads?
Why? (Score:1)
Good old advertising. People visit the domain mistakenly, whether through Google ads, mistyping, or whatnot, and see ads. These ads are targeted towards financial topics. People click them, owner makes money. No real scam, just advertising dollars coming in.
(Of course, phishing is another possibility, but it's not the only one.)
Re: (Score:2)
Yep, it works like this:
1.) Register bankofspamerica.com
2.) Get hits from fat-fingered clueless n00bs.
3.) Profit!
Legitimate Use (Score:2)
Jeremiah Johnson (Score:1)
He then proceeded to kill a grizzled bear with his bare hands...
Spelign (Score:1)
Typo? (Score:1)
actually (Score:1)
Re: (Score:2)
Scary. I could well understand why this might have you all nervous. ;)
The answer is educational, legal, and economic (Score:2)
Just like anything else... (Score:1)
I recall when I was young and one of the gum ball machines was broken at the local convenience store... what did I do? I found a weakness and after 10 minutes of exploitation, was 100 gum balls richer!
Invent a service and you'll have exploits. Yin and yang.
Of course people will Phish with domains that are remotely similar to the bank names... then again, people are phisihing with crap domains that mean nothing, IE: smash my keyboard randomly and registe
God BLESS Ameriuca (Score:2)
I and all the other proud citizens of Ameriuca resent this craven implication.
Bank of Ameriuca (Score:3, Funny)
I could comfotably read a book... (Score:1)
...from all the light given-off by the flaming trolls in this thread.
They sure stirred-up the hornet's nest with this one.
So, the question seems to be: Where does the accountability lie in fraudulent domains?
There's the school of origination; the domain-registrar is wrong for selling it.
You might as well arrest the gun-shop owners for allowing shootings to happen.
Then the camp that believes the TLD is most telling. (e.g., dot-com vs. dot-biz)
Gimme a break, the TLD breakout was back in 2000;
Ad Revenue genius! (Score:2)
Sedo once wanted to sell MyWay.Com :-) (Score:1)
credit card promotion (Score:2)
Even though many banks and programs (almost all of them) prohibit using trademark domains and even keywords (on bidding services like Google ads), many people get domains like that and promote through type-ins
so it is not just phishers, but fishy advertisers that want those domains....
ps: yes I used to promote credit cards, and student loans, No I never used domains like that and never spammed.
F-Secure? (Score:2)
Rich!
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Um, you can Dress like GWB, Talk like GWB, and try to persuade people to do
Re: (Score:3, Insightful)
Copyright law, ok.
Patent law, ok.
Restrictions on identity theft, no.
Identity can lose its intrinsec value when copied. That's not cool.
The issue with domain ownership is that regulating domains could be bad for the internet itself, because it would impose more regulation, and we all know tat regulation is bad for the net, even if deregulation has its drawbacks.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
What do you care the reasons behind my wanting www.bankofameriva.com are? Just because your small mind can't think of anything more creative than "phishing scams", it doesn't mean that the world should be warped to fit your small-mindedness.
People who want to regulate the sale of "near miss" domain names are no better than fundamental christians or muslims who want to impose their version of Sharia law on the entire world.
Come on, man, I *know* you can troll better than that. I've seen you do better on
Re: (Score:3, Informative)
1. They're phishing.
2. They're typo-squatting in the hope of selling it to Bank of America.
3. They're link farming/click farming hoping for lots of typo hits.
4. Their name happens to be Banko F. Ameriuca.
In all cases there's no legal compulsion for Sedo to keep the domain out of any one person's hands. It's got nothing much to do with them. However, there is an ethical obligation on the part of
How many "likely" typos are there? (Score:3, Insightful)
"i" and "u" (Score:3, Insightful)
I don't know what kind of crazy keyboard you're using, but on mine, the "i" and the "u" are right next to each other.
http://www.mwbrooks.com/dvorak/layout.html [mwbrooks.com]
Mine doesny even have a ewe (Score:1)
plus cos was 30 bucks
damn ebay
Between r and s... (Score:2)
Re: (Score:1)
Please disreguard the above nulls they mean nothing.
Re: (Score:1)
Re: (Score:2)
6. A website outlining grievances.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)