Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: https://yourfakebank.support -- TLD confusion starts! - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
https://yourfakebank.support -- TLD confusion starts!

Pretty much ever since the new top level domain (TLD) ".biz" went online a couple years ago, and the only ones buying domains in this space were the scammers, we kinda knew what would happen when ICANN's latest folly and money-grab went live. It looks like a number of the "new" top level domains, like ".support", ".club", etc have now come online. And again, it seems like only the crooks are buying.

We are currently investigating a wave of phishing emails that try to lure the user to a copy of the Bank of America website. The main difference, of course, is that any login credentials entered do not end up with Bank of America, but rather with some crooks, who then help themselves to the savings.

Phishing emails per se are nothing new. But it appears that URLs like the one shown in the phishing email above have a higher success rate with users. I suspect this is due to the fact that the shown URL "looks different", but actually matches the linked URL, so the old common "wisdom" of hovering the mouse pointer over the link to look for links pointing to odd places .. won't help here.

But wait, there's more! Since the crooks in this case own the domain, and obviously trivially can pass the so-called "domain control validation" employed by some CA's, they actually managed to obtain a real, valid SSL certificate!

Quoting from the Certificate Authority's web site:

Comodo Free SSL is a fully functional Digital Certificate, recognized and trusted by 99.9% of browsers. Your visitors will see the golden padlock and won't see security warnings. What will you get:

  • Ninety day free SSL Certificate (other CAs offer 30 days maximum.)
  • Issued online in minutes with no paperwork or delays
  • Highest strength 2048 bit signatures / 256 bit encryption
  • Signed from the same trusted root as our paid certificates
  • Recognized by all major browsers and devices

They don't mention why they think any of this is a good idea.

Addition of SSL to the phish means that another "scam indicator" that we once taught our users is also no longer valid. When a user clicks on the link in the phishing email, the browser will actually show the "padlock" icon of a "secure site". See the screenshot below.

 

If you have seen other recent banking phishes that use new top level domains and/or valid SSL certificates, please let us know via the contact form, or the comments below!

 

 

Daniel

367 Posts
ISC Handler
The new TLDs are indeed pretty much a money grab. Since most any serious business or organization will pound on anyone else using their name as orgname.whatever, and only does real business as orgname.com-or-org, when used for real these domains are 99% of the time just redirectors to the primary site. What a waste of time and money for everyone but the registrars!
packetdude

22 Posts Posts
News about the faked SSL is very discouraging. However, I believe that our first line of defense is the user. Quoting Bruce Schneier... "Given a choice between dancing pigs and security, users will pick dancing pigs every time."

We need to do a better job of teaching our users how to recognize and avoid the multitude of threats that target us online, our inboxes, smartphones.... I've created a site that tries to do that: TheDailyScam.

We invite your feedback of our effort.
Anonymous

Posts
This is what I received this morning, amongst the other legit emails from chase just about the same time.


Dear ChaseOnline SM Customer:

We're writing to let you know that you have not enroll for automatic updates,to get immediate alert,if your account was accessed from unknown device or unsual activities.

To register for updates, log on to. CASE-23021 HERE -->hxxp://www. infobike. es/libraries/1.php [spaces added]

Please don't reply directly to this automatically-generated e-mail message.

Sincerely,

Online Banking Team


Please don't reply directly to this automatically-generated e-mail message.

Sincerely,

Online Banking Team

I have reported that to chase abuse team.
Anonymous

Posts
I agree that these new TLDs are mostly gimmicks and lead to security risks. The issue is that the vast majority of businesses and people still only associate .com, .net, and .org with legitimate businesses (and I don't think this will ever change). I've been on the Internet since the first version of AOL and I can count on one hand the number of legitimate websites/businesses that I've used that *haven't* ended in .com, .net, or .org. I've seen .biz and .us but even those raise suspicion. Also, anyone registering a new business will still try to get the coveted .com because they know that the .biz, .info, or any other "exotic" TLD doesn't cut it. Also, I can imagine that any business with an exotic TLD would lose some traffic simply because people by default use .com instinctively which could lead to lost business. E.G. the legitimate website is mycompany.biz but the person surfs to mycompany.com instead and is presented with an adult site. Not good.

The country TLDs are different, those are fine (.UK, .CA, .CH, etc.). But the .biz, .support, .pro, .me, etc. are IMO annoyances and worse, security risks for exactly the reasons outlined in this diary.

IMO TLDs should be limited to:
- country specific TLDs (.UK, .CH, etc.)
- .com
- .net
- .org
- .gov
- .edu
- .adult (for all adult sites so that it's much simpler to create filters for children, etc. - but that's a separate and very complex subject for another discussion)

The others are mostly spam and only lead to confusion and security risks.
da1212

69 Posts Posts
If many TLD such as .support are not legitimate what about setting up an internal DNS zone so that anything resolving to *.support will resolve to nothing.
Bill

1 Posts Posts
Security on the Internet (and everywhere else) has always been an arms race.
I see the freedom of TLD's as progress (less limitations, more possibilities) and
prevention of progress is never a good strategy for security.

We need to adapt to these new possibilities and specifically the banks, etc.
need to take a more active role on how to securely and intuitively provide their
digital services to the customer. There is ample room for improvement.
beamer

10 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!