The Continuing Marvels Of Phishing

I continue to marvel at phishing attacks, and how they tweak themselves just enough to make you wonder hard about whether you can afford to ignore them.

Take this one for example. Simple text email, no fancy graphics. But the URL looks real enough, the text makes you wonder whether someone has tried to access your eBay account — causing you to think you should follow the link, just in case.

Dear eBay member,

Thank you for submitting your change of e-mail address request.
Instructions on completing the change have been sent to your new email address.
Once the process is completed, your eBay-related email will no longer be routed to
this email address.

Change of E-mail address request was made from:
IP Address:
ISP Host:

If you or anyone with authorized access to your account did not make this change,
please go to review your sign ininformations:

***Do Not Reply To This E-Mail As You Will Not Receive A Response***

Thank you for using eBay!

eBay Account Management

Having SpoofStick and other similar anti-phishing tools won’t really help you here, because they’ll just show you’re visiting, which could be real enough. Even checking the WHOIS information isn’t that helpful, since the information there is no more or less suspicious than registry information of other legitimate sites. Even the website itself,, looks normal enough.

The only real clue is in the language, which doesn’t make a lot of sense (why would the change of email address be sent to your new email address for verification?) errors (‘sign ininformations’; no proper addressee ‘Dear eBay Member’; the email address being one I know is now in the hands of ‘Nigerian’ scammers), and in the fact that if you should actually visit the link, you’ll be asked, without further ado, to enter your credit card information.

What I’d like to know is: Why do registrars still allow these kind of domains to be registered, why is the site still active, and why don’t eBay do a better job of policing these kind of sites? Surely it’s not too hard to monitor these eBay-linked domain name registrations?

More On Phishing And Top Level Domains

Further to my posting on top level domains being registered with clear criminal intent (the example I used was, in ‘How to make a phish look real’) I just received this from Joe Alagna, Manager, North American Markets for CentralNic, the registrar for the TLD in question. Here’s his reply in full:

I wanted to respond to your blog article related to phishing. I am the Manager, North American Markets, for Centralnic and I want to assure you that we are very concerned about the problem of phishing as well.

There are a few issues in your article that concerned me…

1. Although we do not place restrictions on our domains, they are no more prone to phishing use than many regular ccTlds. I have personally received phishing messages based on Chinese, Polish, Czech, and other ccTlds. There are many ccTlds that do not have restrictions and the trend amongst County Code operators is to reduce those restrictions on residency, etc.

The reason for this is that ccTld operators have found that their sales increase when they reduce restrictions. It’s a double edged sword; more sales, more potential abuse.

My point however, is this… You are correct about our domains being easy pickings for phishers, but I think it is unfair to have singled us out because of one example (which we will investigate).

2. Centralnic would like to make it known that we are very willing to help if someone thinks that our domains are being used for fraudulent purposes. We do manage a live whois registry which can be viewed by the public and by the authorities to determine registrant details and which can be queried by any anti-phishing tool. Our whois data can be publicly viewed here.

3. Regarding your contention on registrar responsibility, there are ongoing actions within the registrar/registry community to fight fraud and phishing. The most important of which is verifying whois authenticity. You can read about some of the ongoing work here (PDF).

The problem is that with over 60 million domains registered world-wide, it is very difficult to know that each registrant is real. The industry is trying to get better at that.

4. Finally, we work with a few world renowned brand managers like who regularly try to educate financial institutions about these problems. Companies like Bank of America have registered most all of our domains to protect their customers. It’s a little expensive, but definitely a bargain when it comes to the cost of fraud and phishing. See here.

Financial institutions have the largest risk and responsibility in this. I just want to assure you that they are not in this fight alone and that Centralnic is very sensitive to the problem.

Articles like yours are very important because when all is said and done, the best protection is an educated end-user. I just want you to know that Centralnic is committed to the important battle against this type of fraud.

Thanks for the comment, Joe. I notice the website in question has been removed.

How To Make A Phish Look Real

Here’s an interesting — and troubling — variation on the phishing scam: Using country-specific domain name to make a phishing link look real.

The problem for phishers has always been to conceal the fact that the link victims are asked to click on takes them to a website address that looks dodgy — either the URL clearly does not belong to the company the phishing email claims to be from, or the link has to so heavily disguised in the email the victim doesn’t get suspicious. Phishers have tried registering real sounding domain names (, or somesuch) to get around this, but it’s not easy to come up with names that aren’t taken, and nowadays unless the name has paypal or ebay or citibank somewhere in the URL, victims are not going to be fooled. Hence this new twist:

The phishing email in question is the same as any another PayPal phish – “We recently reviewed your account, and suspect that your PayPal account may  have been accessed by an unauthorized third party.” But the link victims are expected to click on, visible as”/A”> resolves to , which looks credible as a legitimate PayPal website in Germany. is actually owned by CentralNic Ltd, a private London Based domain name registry, which also own US.COM, EU.COM, UK.COM, CN.COM, RU.COM, and twelve others that “represent the worlds most populated countries.” According to eNom, Inc, one of the Internet’s accredited registrars which issued the country specific domains, ”there are no restrictions or rules when registering these domains, unlike other domains which require you to be a citizen of the country in order to make a purchase.”

In other words, easy pickings for phishers. And of course, this means that anti-phish devices such as SpoofStick, which look at the underlying domain name to gauge whether a website is fraudulent or not, are not going to be much help here because they would only show the domain to be, which doesn’t sound phishy enough to deter anyone but the most alert user.

My tupennies’ worth: Domain registrars must take on some of the responsibility for these registrations. It’s not acceptable to just let anyone register a paypal domain and say it’s not your business. Secondly, anti-phishing devices must make clear they can’t guard against every phishing attack.

The Future Of Domain Names?

Interesting piece from The Register’s Kieren McCarthy on the changing nature of domain names. He points to the recent case of a guy renting out to allow People for the Ethical Treatment of Animals to lead a very successful campaign on the BSE issue. In the future, individuals and companies may end up renting out domain names rather than selling them:

As anyone who follows the domain name market will tell you, the price of domains has recovered and is almost standing at pre-dotcom-bust figures. It makes sense then that some speculators may invest in an expensive domain and then lease it out to people in fixed-term contracts – just like the housing market. You need not sell the domain completely – you simply accept a long-term lease or even monthly rents, depending on the market and the domain.

The Register reckon this might redress some of the imbalance in the domain name market, pulling “God-like power over domains away from companies like VeriSign which have abused the market for long enough but are impossible to remove”.

News: The Power Of The Net

 Pointed out by my old friend Robin Lubbock, here’s an excellent essay by Dan Gillmor on the self-righting Internet community, where one bad turn is usually overwritten by several good ones. He makes some sharp comments on the VeriSign ‘domain-stealing’ controversy, which I haven’t touched on in this blog. The bottom line: there are some pretty awful people out there, but they usually get drowned out by the decent folk. Long may it last.