Domain Resale Market Is Phisher Heaven

Krishna Dagli writes "Finnish security firm F-Secure has discovered that alongside the sale of such innocuous domains as filmlist.com comes the resale of domains that obviously belong to banks or other financial institutions. Sedo.com, for example, is reselling domains like chasebank-online.com, citi-bank.com and bankofameriuca.com. 'Why would anybody want to buy these domains unless they are the bank themselves — or a phishing scammer?,' F-Secure asks."

  • Click Farms (Score:4, Insightful)

    by prothid ( 302906 ) <slashdot@@@unfit...org> on Wednesday November 01, 2006 @11:43AM (#16673465) Homepage
    People that want these domains run click farms. They make their money by showing ads based on the site the person meant to visit, from Google or whomever. It doesn't make sense for a phisher to pay big money for these domains when they can phish just as well with ksajdfxdvos.com.
  • by patio11 ( 857072 ) on Wednesday November 01, 2006 @12:09PM (#16673853)
    Aside from the, hmm, 2 people in the country who think there is a "u" in America, it would appear that that particular domain isn't being used for fat-fingered folks (u is nowhere near either c or a on the keyboard -- you have to go out of your way to hit it), so it is probably being used for phishing. The hope is that someone is less than cautious in reading it and doesn't recognize the inserted letter. Let's say someone decides to match up the first six letters of the domain exactly and then inserts one letter at an arbitrary point elsewhere. To combat this, Bank of America would have to buy over *twenty tril1ion* domains which are equally as likely as bankofamericua.com (26 letters to insert, 8 positions to insert them at, 26^8 = lots). And that would only defend against *one* particular style of typo-squatting. If you combine the "insert a random letter" trick with "replace the I in America with a 1", then that is another twenty trillion domains you have to buy.

    P.S. Slashdotters who think you are immune because you are always a careful reader -- how many of you caught the phisher-style substitution I made in this post? Your brain is hard-wired to ignore the sort of slight differences that your computer is wired to treat as very serious.
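Added example, not part of the original thread: instead of buying every lookalike, a brand owner can screen observed domains (resale listings, new registrations) for the two styles named in the comment above, an inserted character and a digit standing in for a letter. The watch list, the homoglyph map, the function names and the two `bankofamer1c...` samples are assumptions constructed for illustration; inputs are assumed to be plain `name.tld` domains.

```python
# Added illustration: flag observed domains that imitate a protected brand label.
# Digit -> letters it can pass for at a glance (small illustrative map, an assumption).
HOMOGLYPHS = {"1": "il", "0": "o", "5": "s", "3": "e"}

def label(domain):
    """Name part of a 'name.tld' domain, lower-cased."""
    return domain.lower().rstrip(".").split(".")[0]

def same_look(brand, cand):
    """True if cand reads as brand once imitating digits are taken as letters."""
    return len(brand) == len(cand) and all(
        b == c or b in HOMOGLYPHS.get(c, "") for b, c in zip(brand, cand))

def classify(brand_domain, observed_domain):
    """Return the lookalike style of observed_domain, or None if unrelated."""
    brand, cand = label(brand_domain), label(observed_domain)
    if cand == brand:
        return "same-label"            # identical name (the brand itself or another TLD)
    if same_look(brand, cand):
        return "homoglyph"             # e.g. '1' in place of 'i'
    if len(cand) == len(brand) + 1:
        # Undo every possible single-character insertion and compare.
        reduced = [cand[:i] + cand[i + 1:] for i in range(len(cand))]
        if brand in reduced:
            return "insertion"
        if any(same_look(brand, r) for r in reduced):
            return "insertion+homoglyph"
    return None

def scan(brands, observed):
    """List (observed, brand, style) for every observed domain that matches."""
    return [(d, b, kind) for d in observed for b in brands
            if (kind := classify(b, d))]

# Assumed watch list of legitimate domains.
BRANDS = ["bankofamerica.com", "citibank.com"]
# First, second and last entries are quoted in the story; the other two are constructed.
OBSERVED = ["bankofameriuca.com", "citi-bank.com", "bankofamer1ca.com",
            "bankofamer1cua.com", "filmlist.com"]

if __name__ == "__main__":
    for hit in scan(BRANDS, OBSERVED):
        print(*hit, sep="  ")
```

Names that append words to a brand, such as chasebank-online.com from the story, are outside these two styles and need a separate check.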
  • by chroot_james ( 833654 ) on Wednesday November 01, 2006 @12:15PM (#16673925) Homepage
    Cost effective? Domains cost like $10 a pop... I think if domain names prove to be a source of identity theft, companies will happily buy domain lookalikes rather than pay people to investigate fraud or suffer the losses...
  • "i" and "u" (Score:3, Insightful)

    by XanC ( 644172 ) on Wednesday November 01, 2006 @12:34PM (#16674213)

    I don't know what kind of crazy keyboard you're using, but on mine, the "i" and the "u" are right next to each other.

    http://www.mwbrooks.com/dvorak/layout.html [mwbrooks.com]

  • Re:wtf? (Score:3, Insightful)

    by geoffspear ( 692508 ) on Wednesday November 01, 2006 @12:41PM (#16674335) Homepage
    I don't think the phishers care if they don't get to steal your identity, as long as the 99% of web users who don't know what SSL is can still be fooled. So yes, you're missing something.
  • by orasio ( 188021 ) on Wednesday November 01, 2006 @01:26PM (#16675067) Homepage
    Uhhh ... OK. So while we're at it, let's get rid of copyright law, patent law, and restrictions on identity theft.


    Copyright law, ok.
    Patent law, ok.

    Restrictions on identity theft, no.
    Identity can lose its intrinsic value when copied. That's not cool.

    The issue with domain ownership is that regulating domains could be bad for the internet itself, because it would impose more regulation, and we all know that regulation is bad for the net, even if deregulation has its drawbacks.
