How To Make A Phish Look Real

By | June 12, 2004

Here’s an interesting — and troubling — variation on the phishing scam: using a country-specific domain name to make a phishing link look real.

The problem for phishers has always been to conceal the fact that the link victims are asked to click on takes them to a website address that looks dodgy — either the URL clearly does not belong to the company the phishing email claims to be from, or the link has to be so heavily disguised in the email that the victim doesn’t get suspicious. Phishers have tried registering real-sounding domain names (www.securepayeee.com, or somesuch) to get around this, but it’s not easy to come up with names that aren’t taken, and nowadays unless the name has paypal or ebay or citibank somewhere in the URL, victims are not going to be fooled. Hence this new twist:

The phishing email in question is the same as any other PayPal phish – “We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party.” But the link victims are expected to click on, visible as https://www.paypal.com/cgi-bin/webscr?cmd=_fraud-check&limited_access=1086452724, resolves to www.paypal.de.com, which looks credible as a legitimate PayPal website in Germany.

De.com is actually owned by CentralNic Ltd, a private London-based domain name registry, which also owns US.COM, EU.COM, UK.COM, CN.COM, RU.COM, and twelve others that “represent the world’s most populated countries.” According to eNom, Inc, one of the Internet’s accredited registrars which issued the country-specific domains, “there are no restrictions or rules when registering these domains, unlike other domains which require you to be a citizen of the country in order to make a purchase.”

In other words, easy pickings for phishers. And of course, this means that anti-phish devices such as SpoofStick, which look at the underlying domain name to gauge whether a website is fraudulent or not, are not going to be much help here because they would only show the domain to be de.com, which doesn’t sound phishy enough to deter anyone but the most alert user.
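To make the two weaknesses above concrete, here is an added example (not code from the original post, and not SpoofStick's own logic) that scans links in an email the way a mail filter or browser add-on could. It shows why a tool that just displays the last two labels of a hostname reports "de.com" for www.paypal.de.com, and how treating CentralNic-style second-level domains like de.com as part of the suffix restores the registrant-controlled name, "paypal.de.com", which can then be compared against the domains a brand actually owns. The pseudo-TLD set, the brand-to-domain table and the sample email are all constructed for this example; a real deployment would load the full Public Suffix List instead of a hand-picked subset.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of registrar-sold second-level domains (CentralNic and
# similar). A real tool would load the full Public Suffix List instead.
PSEUDO_TLDS = {"de.com", "us.com", "eu.com", "uk.com", "cn.com", "ru.com"}

# Assumed for this example: brands and the registrable domains they own.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "citibank": {"citibank.com"},
}

# Constructed HTML fragment in the style of the phish described in the post.
SAMPLE_EMAIL = (
    "We recently reviewed your account, and suspect that your PayPal account "
    "may have been accessed by an unauthorized third party. "
    '<a href="http://www.paypal.de.com/cgi-bin/webscr">'
    "https://www.paypal.com/cgi-bin/webscr?cmd=_fraud-check&amp;limited_access=1086452724"
    "</a>"
)


def naive_domain(host):
    """What a 'last two labels' display gives: www.paypal.de.com -> de.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def registrable_domain(host):
    """The name the registrant actually controls. Treats entries in
    PSEUDO_TLDS as suffixes, so www.paypal.de.com -> paypal.de.com while
    www.paypal.com -> paypal.com."""
    labels = host.lower().strip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in PSEUDO_TLDS else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)
    return ".".join(labels[-(suffix_len + 1):])


def classify_link(href, anchor_text):
    """Rate one link from an email. Returns (verdict, list_of_findings)."""
    href_host = urlsplit(href).hostname or ""
    actual = registrable_domain(href_host)
    findings = []

    # Check 1: the visible text looks like a URL but leads somewhere else.
    shown = re.search(r"https?://([^/\s\"'>]+)", anchor_text)
    if shown:
        shown_domain = registrable_domain(shown.group(1))
        if shown_domain != actual:
            findings.append(f"link text shows {shown_domain} but href goes to {actual}")

    # Check 2: a brand name appears as a label under a domain the brand does not own.
    for brand, owned in BRAND_DOMAINS.items():
        if any(brand in label for label in href_host.split(".")) and actual not in owned:
            findings.append(f"'{brand}' in {href_host} but registrable domain is {actual}")

    return ("suspicious" if findings else "ok", findings)


def extract_links(html):
    """Return (href, anchor_text) pairs from a simple HTML fragment."""
    return re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S)


def scan_email(html):
    return [classify_link(href, text) for href, text in extract_links(html)]


if __name__ == "__main__":
    host = "www.paypal.de.com"
    print("naive display:      ", naive_domain(host))
    print("registrable domain: ", registrable_domain(host))
    for verdict, findings in scan_email(SAMPLE_EMAIL):
        print(verdict)
        for f in findings:
            print("  -", f)
```

Run on the constructed sample, the naive display prints "de.com" and the suffix-aware version prints "paypal.de.com"; the link is then flagged twice, once for the mismatch between the visible paypal.com text and the paypal.de.com target, and once because "paypal" appears under a domain PayPal does not own. The second check is the one that keeps working even when the attacker makes the visible text and the href agree.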

My two pennies’ worth: Domain registrars must take on some of the responsibility for these registrations. It’s not acceptable to just let anyone register a paypal domain and say it’s not your business. Secondly, anti-phishing devices must make clear they can’t guard against every phishing attack.