
Domain Resale Market Is Phisher Heaven

Posted by CmdrTaco
from the big-shock-here dept.
Krishna Dagli writes "Finish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."
  • Not going to happen (Score:3, Interesting)

    by plover (150551) * on Wednesday November 01, 2006 @11:36AM (#16673353) Homepage Journal
    Does anyone really think a domain registrar has any incentive to stop phishers? "Oh, sure, you want us to cut our potential sales just because a typo-squatter might be phishing?" I wonder how much of their revenue comes from selling the actual names vs how much comes from the spelling error names?

    Anyway, I wouldn't count on the registrars changing their business model just because there are stupid people out there.

    • by jfengel (409917)
      Even if a domain registrar were to change their business model to prevent this, it would only take one unscrupulous registrar to sell the domain names. ICANN could force policy on the registrars and yank the license of anybody caught selling near-miss domain names, but the blanket policy they'd have to introduce would both miss a lot of phishing-oriented names and keep people from getting some valid names.

      A more market-oriented approach would be to have the individual registrars establish policies. Then ha
      • Instead of focusing on the registrar, one could target registries and appeal for some action. But like the grandparent said, it's all about the Benjamins. VeriSign (.com/.net operator) loves the PPC and domain after market. It means they get their $6 times hundreds of millions.
    • The way I see it: Domain names are cheap. Companies seeking to protect their online identity will do so commercially. There is only a certain amount of financial gain, bankofamerica-online.com, for example, could reap a phisher, this is the top limit of buying these sites. If, when buying a domain name, it was by-default necessary to register/restrict all permutations on these names, the cost for individual domain names would increase (for example, www.idahoexpat.com requires effective purchase of www.id
    • by nasta (598787)
      Well, ICANN really should create a .bank domain, and only allow banks to register within it. Maybe folks would learn that banks only use the .bank domain and not anything else.

      --
      Duh
    • by Pinkfud (781828)
      I run a small domain reseller business called Net With Us. (No link because I don't want my poor little shop Slashdotted). That puts me in position to comment on this. The domain search engine we resellers use comes up with those look-alike names automatically when you do a search for availability. There's no practical way to block that and still have the functionality. There's also no legal/moral way to refuse the sale of a name that's available. You want buckinghampalaceonline.co.uk? If it's available, I'
  • get their stories on www.419eater.com
  • Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.

    Also, are these domain names coming up for sale because the banks don't want them any more or because their subscription lapsed? I would have thought they'd automatically renew.
    • Replying to myself, sorry.

      Obviously it's impossible to register every typo-variation of your real domain name, so that kinda answers my original question.

      However, I remember back in 1999 or so I visited vodaphone.com, which brought up a nice friendly page explaining how thousands of their customers misspelled "vodafone", so they decided to register that domain name to correct the confusion, which I thought was rather nice.

    • Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.

      That's the wrong question, but you're close. Banks have a responsibility to authenticate themselves to users before users are allowed to make transactions. Right now that authentication is supposed to be done by the user looking at the website and recognizing the name. This is, and will always be a terrible form of authentication.

      I've said it before, but banks should be
    • Here's a thought - do banks have a responsibility to register domain names related to themselves? I think one could make that argument.

      I wouldn't agree. In the UK I'm sure there's been instances of crooks taking over an empty shop, fitting it out like a real bank and conning people into depositing money there. There was certainly a case where a gang used a stolen ATM to grab card numbers and PINs. Where does the responsibility lie? With the consumer, or the bank?

      To extend the tiresome analogy: if I to

      • by Pinkfud (781828)
        But the ultimate responsibility lies with the crook

        Exactly, and the crook is the guy who does the phishing, not the registrar who sold the domain name. Think about this: You go into a liquor store and pick up a bottle of Everclear (90% alcohol). At the counter, the clerk says "Oh, I won't sell you that. It's too dangerous!" Your response would be "What? You have it, I want it, and it's legal to buy! Don't tell me I can't have it!" - Right? Yes. we resellers are suspicious of people who buy these names. Bu

  • ...or an advertising company waiting for somebody to mis-type a URL and then get buried under a mountain of advertisements?
  • I'll have to go check out bankofameriuca.com? Is Bank Of Americuca a good bank?

    It's too early in the morning for any bad spelling jokes.
    • by plover (150551) *
      The Bank of Ameriuca is one of the most highly respected banks in the Untied States of Ameriuca. You should trust all your money with them .. but wait just a few seconds for my sedo.com session to refresh ... there you go. Happy Banking!
    • Are you a total idiot or trolling?

      I is next to U on the qwerty. People make typos. That's, er, kind of the whole point.

    • by creimer (824291)
      Bank Of Americuca is a sperm bank. Deposits are always welcome.
  • Any reputable domain reseller shouldn't allow the sale of common misspellings of major corporations. Any reseller with half a brain should be able to tell that www.mispelledcreditcard.com domain bought by any other party other than the owner of the correct domain name as something Phisy (sorry couldn't help myself).

    end transmission
  • Fishing can single-handedly become a thing of the past if people stop clicking on links in their emails!
    • Now not clicking links in my emails is adding to water pollution? Eeek! Off to go click all of those links!
    • if people stop clicking on links in their emails!

      But it SAID that I needed to update my Windows Firewall in order to access my account again. They told me I can go to their website, login, go to the FAQ section, and follow the directions in section 4.3

      Or I can just click this link for convenience.
      • Some nice Nigerian man offered me lots of money once too. It was quick and painless, just had to click on one link.

        Unfortunately my stupid bank screwed up everything and ended up giving him the money instead. I felt terrible not being able to help him. To make things worse, I think the bad guys he was running away from ended up catching him, I never got a response from him again :(

  • "Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?"

    Oh, I don't know, maybe social commentary, satire, to voice a complaint. Who cares?

    Just punish the ones actually using the sites to scam.

  • Click Farms (Score:4, Insightful)

    by prothid (302906) <slashdot@un[ ].org ['fit' in gap]> on Wednesday November 01, 2006 @11:43AM (#16673465) Homepage
    People that want these domains run click farms. They make their money by showing ads based on the site the person meant to visit, from Google or whomever. It doesn't make sense for a phisher to pay big money for these domains when they can phish just as well with ksajdfxdvos.com.
  • Obvious Problem (Score:2, Interesting)

    by Threni (635302)
    I don't understand why there's not a domain like `.tm` (for example) where you'd need a trademark or some other legal device before you could register it. Some sort of search could be performed before the domains were approved and allowed to be used. If such a system were monitored properly - publicly aired before approval so people could stop any abuses that got past the legal bit - then wouldn't it go some way - if not perhaps the whole way - towards stopping that sort of phishing?
    • Because that would make too much sense for The Internet
    • by kibbylow (257730)
      That's a great idea! We could get the US patent office to monitor it!
      • by Threni (635302)
        > That's a great idea! We could get the US patent office to monitor it!

        I'm in the UK. I was thinking about something a little more accountable to me than that.
    • by kurtdg (138723)
      If we have learned one thing from the .eu sunrise period, it's that relying on trademarks does NOT solve domain name problems.

      Companies were started and trademarks were registered in countries where it is cheap to do so, with names like 'a-b-c', just to be able to register domain names like abc.eu.
    • it might upset the people in .tm - Turkmenistan. I would like it if the registrants in a gTLD were required to have incorporated in multiple countries else be relegated to their cc's and move the .gov and .mil into cc's as well, but I also know it will never happen. That alone might placate a lot of the calls for a more international governance of the internet.
    • by Puk (80503)
      One major problem with this is that trademarks are both territorial and (at least in the United States) industry-tied. So you can have "Spreckles" legitimately trademarked as a soda company in the United States, a shoe manufacturer in the United States, and a soda company in Brazil (chosen at random -- I know nothing about Brazilian trademark law).

      Also, trademarks need not always be registered, meaning that people who might have a legitimately enforceable trademark or trademark-like right could not get a do
  • Some sites register a lot of variations, google for one. The amount of times I've typed Gogle or gooogl and hundreds of other variations. The problem is, it's not very cost effective and there's obviously going to be too many variations. I mean, what if you accidentally type a variation which the company hasn't actually registered itself? One that a phisher has registered. If they make the site appear convincing you can't possibly tell which variations are fine and which aren't! People just need to pa
    • Re: (Score:2, Insightful)

      by chroot_james (833654)
      Cost effective? Domains cost like $10 a pop... I think if domain names prove to be a source of identity theft, companies will happily buy domain lookalikes rather than pay people to investigate fraud or suffer the losses...
  • According to a Netcraft report [netcraft.com], 3,659 "look-alike" domains (names designed to confuse the recipient into believing they belonged to the bank) were used in phishing attacks in 2005. A lot of these used visual tricks (substituting the number 1 for the letter l, for example) to present a plausible URL. Anti-phishing services are getting better at blocking these sites, but they continue to feature in a large number of scams.
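Added example, not part of the thread or of any poster's code: a brand-monitoring check that labels a candidate domain by the look-alike trick it uses against a protected name, run over the domains named in the story plus two constructed ones (paypa1.com, purchase-orders.com). The homoglyph table, the QWERTY adjacency model and all function names are assumptions made for the illustration.

```python
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
HOMOGLYPHS = {"1": "l", "0": "o"}   # illustrative table; the thread names only 1 for l


def _adjacency():
    """Map each key to the keys touching it on a staggered QWERTY layout."""
    adj = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, key in enumerate(row):
            near = set(row[max(c - 1, 0):c + 2])
            if r + 1 < len(QWERTY_ROWS):
                near.update(QWERTY_ROWS[r + 1][max(c - 1, 0):c + 1])
            for other in near - {key}:
                adj.setdefault(key, set()).add(other)
                adj.setdefault(other, set()).add(key)
    return adj


ADJACENT = _adjacency()


def _single_edit(label, brand):
    """Return (kind, typed_char, reference_chars) if label is one edit from brand."""
    if len(label) == len(brand) + 1:
        for i, ch in enumerate(label):
            if label[:i] + label[i + 1:] == brand:
                return "insertion", ch, label[max(i - 1, 0):i] + label[i + 1:i + 2]
    elif len(label) == len(brand) - 1:
        for i in range(len(brand)):
            if brand[:i] + brand[i + 1:] == label:
                return "omission", "", ""
    elif len(label) == len(brand):
        diff = [i for i in range(len(brand)) if label[i] != brand[i]]
        if len(diff) == 1:
            return "substitution", label[diff[0]], brand[diff[0]]
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and label[diff[0]] == brand[diff[1]]
                and label[diff[1]] == brand[diff[0]]):
            return "transposition", "", ""
    return None


def classify(domain, brand):
    """Name the look-alike technique linking domain to brand, or None."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]   # naive: real use needs the Public Suffix List (co.uk etc.)
    if label == brand:
        return "exact"
    if label.replace("-", "") == brand:
        return "hyphenation"
    if "".join(HOMOGLYPHS.get(c, c) for c in label) == brand:
        return "homoglyph"
    edit = _single_edit(label, brand)
    if edit:
        kind, typed, near = edit
        slip = any(typed == n or typed in ADJACENT.get(n, ()) for n in near)
        return f"adjacent-key {kind}" if slip else kind
    # Heuristic: a hyphen-separated token that begins with the brand name.
    if any(tok.startswith(brand) for tok in label.split("-")):
        return "brand+keyword"
    return None


def scan(candidates, brands):
    """Return {domain: (brand, technique)} for every non-exact look-alike."""
    hits = {}
    for domain in candidates:
        for brand in brands:
            verdict = classify(domain, brand)
            if verdict and verdict != "exact":
                hits[domain] = (brand, verdict)
                break
    return hits


BRANDS = ("bankofamerica", "citibank", "chase", "paypal")
# Domains quoted in the story and thread, plus two constructed samples.
SAMPLE = ["chasebank-online.com", "citi-bank.com", "bankofameriuca.com",
          "filmlist.com", "ksajdfxdvos.com", "paypa1.com", "purchase-orders.com"]

if __name__ == "__main__":
    for name, (brand, how) in scan(SAMPLE, BRANDS).items():
        print(f"{name:24} {brand:14} {how}")
```

A random-looking name such as ksajdfxdvos.com matches no technique, so a name-similarity check like this covers only look-alike registrations and has to sit alongside URL blocklists and reporting.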
  • A banking tld would solve the problem. All owners would have to be official banks or similar financial organisations. The registrars would charge a little bit extra and check that the applicants really are banks.

     
  • Registrars are not going to look and say "Hey, that name looks fishy..." they are going to say "okay, and your credit card number is...." People need to pay attention to what they are clicking on, especially in email. Granted I've mistyped a name here and there (c'mon, we are all human, right?) but if people stopped clicking on the misspellings, the scammers would just have to go find another way to get their "messages" out...
  • Cybersquatters... (Score:3, Interesting)

    by GreyPoopon (411036) <gpoopon@nOSPam.gmail.com> on Wednesday November 01, 2006 @11:53AM (#16673605)
    Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?
    One other possibility. Cybersquatting...the online equivalent of extortion. Anyway, the practice of registering these "typo" domains shouldn't be illegal. But they should be an automatic trigger for a detailed investigation by the justice department. It's like criminals hanging a sign on their front door announcing their intentions to commit a crime. The DoJ should be loving it....
  • If these sites do wind up phishing sites, at least sedo.com will know who owns them. So what you do is to contact the Internet Crime Complaint Center. [ic3.gov] Give them the address of the phishing site - and be sure to let them know that sedo.com sold them the domain, so they'll have the customer contact info.

  • Sedo.com says
    "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."

    Sounds like the approach many companies take when they find wrongdoing.

    Like when I called the SBC datacenter in Texas and asked them if this was their IP address, and if they were hosting the website for Paypal.com. "yes, it is" and "no", the guy said. "well, you are now" I replied. He wanted to know what I expected him to do about it.
    • I think a better question is, what have they done now these particular domains have been pointed out to them?

      There's a difference between "we don't proactively do XXX" and "we don't do XXX after we find out about it".

      The other examples you give are the latter.
      • Yes, but it has not been established that they do anything reactively either. Do they?
        • by argent (18001)
          I have no idea. I'm not defending these companies, I'm just pointing out that the information in the article does not lead to the conclusion the OP arrived at.
    • by smash (1351)
      I for one don't want their internet connection to have routing to ME.

      You can (and I do occasionally) fix this by null-routing them on your gateway :)

  • by deblau (68023) <slashdot.25.flickboy@spamgourmet.com> on Wednesday November 01, 2006 @11:58AM (#16673689) Journal
    "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales."
    Yeah, let's see how impossible it is when Paypal, Visa, Chase, Citibank, and BofA sue you for trademark infringement and unfair competition, with hundreds of other companies waiting in the wings.
    • "Sedo told TechWeb that it had a process for pulling domain names but because of the sheer volume of domains on sale through its site it relied on trademark holders to notify it of potential problems. "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales.""

      Do they think we're idiots or something? They are proactively registering the darn things to resell, and then the two-faced morons turn around and say they ca
  • Maybe they are tired of the shitty service banks today give you and want to put up a website explaining it?

    Just because *you* can't think of a good reason doesn't mean there isn't one. That one took me about three seconds. Try harder.

    Acy
  • It could be as 'innocent' as popup ads for those that mistype a URL.

    It doesn't automatically have to be something with illegal intent.
  • So let's say that a squatter has a domain that I REALLY want (for a customer, etc) for a legitimate use. Should I bite the bullet and feed the troll? Or find an alternative?

    I guess personally I wonder if domain names matter so much anymore. It seems that the days of just going to "CompanyName.com" are over. Instead you google it, click through on an ad, type in from an email or business card, etc. So why not use "CompanyName2.com" or something.

    It doesn't look pretty, unfortunately. To me, "CompanyName
    • by Tony Hoyle (11698)
      If it's a registered company you want it for, file a domain dispute with ICANN and get it taken off them - I've seen this done multiple times and it's a *lot* cheaper than paying the squatter (who usually just caves in and gives it up.. they have thousands of these things and aren't prepared to fight).
  • Another reason you might buy these sites is that you hate the company.

    If you are trying to put criticism about citi-bank, then you buy www.citi-bank.com and put up your sob story about how citi-bank foreclosed on your mortgage, and auctioned it off for 1/2 what it was worth and gave you nothing back, despite the fact that you offered to buy the home from them at 3/4 of its current value.

    • What's interesting is that most banks and major corporations will now spend the money to register the "sucks" version of their domain in all major TLDs, but don't take the same step with domains that would be useful for phishing. Domains are cheap enough ($3 to $9 a year, depending upon your registrar) that it wouldn't take a lot of bucks to register these variations and point them at their .com. The problem is that the phishers and typosquatters thought of this before the banks did. These folks who are sel
      • Re: (Score:2, Interesting)

        by jargon82 (996613)
        Forwarding misspelled domains to your .com is a HORRIBLE idea. Here's why:
        Let's say you are citibank, you own citibank.com, and you forward citybank.com. You're "setting the expectation" that a forward will happen, in the customer's mind. When they go to city-bank.com, and it looks the same, to them, as citybank or citibank (but it's actually phisher owned), they're sunk.

        What NEEDS to happen instead, if registering alternate spellings or typos is part of a security strategy, you need to inform the custo
  • With ssl, shouldn't this kind of thing be a non-issue? If a cyber squatted site doesn't have a legitimate certificate, I won't be able to log in to the https server without being presented with a window telling me who published the cert. I wouldn't log in to a bank http server; I would only use https. I would never continue to log in if the cert was self published in Nigeria or something like that. Am I missing something? It doesn't seem like the url has any purpose in terms of authentication at all.
    • Re: (Score:3, Insightful)

      by geoffspear (692508)
      I don't think the phishers care if they don't get to steal your identity, as long as the 99% of web users who don't know what SSL is can still be fooled. So yes, you're missing something.
      • by Tony Hoyle (11698)
        Plus it's fairly easy to get a certificate if you own the domain in question.

        Case in point: 2 years ago I needed a new certificate.. went to a cert. dealer, filled in the name/address of my company and used the company email address. I got the certificate in under 2 hours.

        No proof was required, just the existence of the domain and presumably they checked the whois. My address is unrelated to the company (which is just a virtual office with the trading address at the accountants) and I paid with my own cr
  • "Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?", F-Secure asks."

    Because domain sitters might want to earn from naive customers reaching these sites and clicking on contextual ads?
  • by twistah (194990)
    Why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer?", F-Secure asks.

    Good old advertising. People visit the domain mistakenly, whether through Google ads, mistyping, or whatnot, and see ads. These ads are targeted towards financial topics. People click them, owner makes money. No real scam, just advertising dollars coming in.

    (Of course, phishing is another possibility, but it's not the only one.)
    • twista says:
      Good old advertising. People visit the domain mistakenly, whether through Google ads, mistyping, or whatnot, and see ads. These ads are targeted towards financial topics. People click them, owner makes money. No real scam, just advertising dollars coming in.


      Yep, it works like this:

      1.) Register bankofspamerica.com
      2.) Get hits from fat-fingered clueless n00bs.
      3.) Profit!

  • What if a competing bank wants to buy up all its competitors' banks domain names look-a-likes? When you mistype the name, you get a site that gives you a low APR credit card or low cost stock trading options or free checking from a site that's obviously not your bank; is an ad.
  • Sedo told TechWeb that it had a process for pulling domain names but because of the sheer volume of domains on sale through its site it relied on trademark holders to notify it of potential problems. "We have more than six million domains for sale," said Jeremiah Johnston, Sedo's general counsel. "It's impossible for us to proactively filter sales." ®

    He then proceeded to kill a grizzled bear with his bare hands...
  • It's spelled Finnish.
  • Anyone notice the /. subject refers to Phishing Heaven whereas the original theregister article uses the word Haven?
  • I might need to buy that BoA domain. I'm closing my accounts with BoA because--well it's too long of a story to get into but it involves them signing me up for credit cards I have not confirmed or even received and when I complained about it I got an email back threatening to report me to security for referring to their website as a webshite. So yes, I am interested in that typo domain, not for phishing or link farming, but as the first wave of my legitimate war on BoA. I think I'll probably for something m
    • I got an email back threatening to report me to security for referring to their website as a webshite.

      Scary. I could well understand why this might have you all nervous. ;)

  • First, put more effort into explaining the threat to Joe Sixpack and Jane Champagne. Banks have already started to do this themselves but it would be nice to see more "public service"-type announcements. Right now there are just too many people who don't understand the dangers, which makes it possible for Internet scams to succeed at a fairly high rate. Your average user apparently doesn't understand even the basics of how this stuff happens, so we need to work to explain how the Internets get through the s
  • It's just like everything else out there...

    I recall when I was young and one of the gum ball machines was broken at the local convenience store... what did I do? I found a weakness and after 10 minutes of exploitation, was 100 gum balls richer!

    Invent a service and you'll have exploits. Yin and yang.

    Of course people will Phish with domains that are remotely similar to the bank names... then again, people are phishing with crap domains that mean nothing, IE: smash my keyboard randomly and registe
  • domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. "Why would anybody want to buy these domains unless they are the bank themselves -- or a phishing scammer?", F-Secure asks."

    I and all the other proud citizens of Ameriuca resent this craven implication.
  • by zecg (521666) on Wednesday November 01, 2006 @01:57PM (#16675699)
    Don't knock it, I've been a loyal customer of the Bank of Ameriuca for three days. They've given me life insurance dirt cheap, some very fine investment tips (a hot new web 2.0 company guaranteed to soar like an eagle in a week!) and offered free hosting for some homemade porn I've made. Also, I seem to have scored an elephant desktop friend which knows about free screensavers. It was about time banks realized that they have to offer more diverse services for our money.
  • ...from all the light given-off by the flaming trolls in this thread.

    They sure stirred-up the hornet's nest with this one.

    So, the question seems to be: Where does the accountability lie in fraudulent domains?

    There's the school of origination; the domain-registrar is wrong for selling it.
    You might as well arrest the gun-shop owners for allowing shootings to happen.

    Then the camp that believes the TLD is most telling. (e.g., dot-com vs. dot-biz)
    Gimme a break, the TLD breakout was back in 2000;

  • I don't know how clueless these people are but mis-spellings and mis-typings get you page hits and ads viewed. That's why the pages of those sites are usually filled with ads.
  • As said, their verification system is very poor. They once accepted MyWay.com for sale. http://convergence.in/blog/2006/10/11/sedo-lists-mywaycom-for-sale-on-its-website/ [convergence.in]
  • You get $0-5 for an application, and $10-$60 for an approved client.

    Even though many banks and programs (almost all of them) prohibit using trademark domains and even keywords (on bidding services like Google ads), many people get domains like that and promote through type-ins ...

    so it is not just phishers, but fishy advertisers that want those domains....

    ps: yes I used to promote credit cards, and student loans, No I never used domains like that and never spammed.
  • So, while Norton and McAfee have little else to do than bitch about the kernel lock-down in Vista, the makers of that delightful little AV program F-Prot are out actually, you know, looking into security issues?

    Rich!
