Phishing and the Peril of Fonts

I’m amazed at how lax domain registrations still are, despite the fact that phishing is now so much a household word that even my mum’s heard of it. But here’s another trick being used to try to dupe those people who still remain gullible: change the “o” in online to “c” because in many email readers it will look more or less the same:

[Screenshot: Halifax2 (the phishing email)]

Which it does, actually. Quite a neat trick, if you like that kind of thing. (There really is a Halifax Online, and the website address is exactly the same, minus the o/c thing. Even the homepage is the same Javascript login page as above, and everything looks the same minus a note at the bottom saying the bank never asks for personal details via email.) Clicking on this link will take you to a webpage that, surprise, surprise, looks very much like the UK’s Halifax Building Society:

[Screenshot: Halifax3 (the fake Halifax login page)]

I haven’t investigated it further, but I’m assuming the data entered quickly finds its way into the pockets of scumbags, and there’s probably some other nice bits and bobs being loaded onto one’s computer as it happens. The site is still live as of writing, with the address in the first screenshot above.

What amazes me is that the registrar won’t bat an eyelid at what is obviously a very dodgy domain name — Halifax being quite a well-known brand in the UK — and, indeed, even accepts the registration as a “private” one, and therefore allows the person registering the domain to not submit any address or phone number:

The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

The registrar in this case is PIPEX Communications Hosting Ltd, also known as 123-Reg.co.uk, whom I’ve asked to comment on this. Halifax is also being told about it, just in case they don’t know.

Well-Meaning Pressure Group Or Sleazy Promotional Gimmick?

Maybe I’m getting too wary, but when I received a press release from something called the Internet Security Foundation, I wasn’t convinced. And I’m still not.

The email was provocative enough: The headline ran “Microsoft’s Policy Leaves Millions Open to Identity Theft; Internet Security Foundation Releases Free Protection Tool”. An explanation followed that users were vulnerable because they erroneously believed that their stored passwords in Windows were safe because they appeared in asterisks. “The truth is,” the release said, “that such passwords are not normally protected in Microsoft Windows and can be easily reviewed by using software like SeePassword (www.SeePassword.com).”

This is true. And a good point. But who is the Internet Security Foundation? The email suggested that I visit their website for more information about the foundation. I did, and all I found was one page, which was a virtual re-run of the press release. No ‘About’ page or anything, at least when I visited it. The only couple of links led to a download file, and to SeePassword, the software mentioned in the release and an external webpage which didn’t load at the time of visiting. So who are these guys, and is this for real?

I checked their whois data, which will at least tell me who registered the site. It was KMGI Corp., a New York-based advertising agency whose website design uses distinctive fonts — indeed the same fonts as the Internet Security Foundation. KMGI, I read elsewhere, is also a software company (although no mention is made on their website) and are the guys behind SeePassword, the software the ISF website suggests I use — “If you first need to look up any forgotten passwords, you can use SeePassword software available at www.SeePassword.com”. SeePassword, according to the PCMag article, costs $20.

Now I’m suspicious. Has KMGI set up a spurious foundation to try to sell a product? The only online references to the Internet Security Foundation I can find are in the NYT. But if you look closely at the story, there’s a correction at the bottom which corrects the reference to the organisation. “The group is the Information Security Foundation, not the Internet Security Foundation.” (If you do a Google search, such references are all to the NYT article.) So now I’m getting very suspicious. What is going on?

I tried calling the public relations number on the press release and left a message. If I get any clarification I’ll post it. But my feeling is: If this ISF is kosher, it should make clear who it is and its interest, if any, in a company that sells a product it recommends. And while pointing out the asterisk security issue is a good one, it’s not exactly a new problem. To me the whole thing smacks of promotional gimmick, rather than a clean and well-intentioned issue-raiser. But maybe I’m getting too wary.

The Continuing Marvels Of Phishing

I continue to marvel at phishing attacks, and how they tweak themselves just enough to make you wonder hard about whether you can afford to ignore them.

Take this one for example. Simple text email, no fancy graphics. But the URL looks real enough, the text makes you wonder whether someone has tried to access your eBay account — causing you to think you should follow the link, just in case.

Dear eBay member,

Thank you for submitting your change of e-mail address request.
Instructions on completing the change have been sent to your new email address.
Once the process is completed, your eBay-related email will no longer be routed to
this email address.

Change of E-mail address request was made from:
IP Address: 201.188.117.10
ISP Host: cache-dtc-ae11.proxy.msn.com

If you or anyone with authorized access to your account did not make this change,
please go to review your sign ininformations:

          http://billing.request-ebay.com

***Do Not Reply To This E-Mail As You Will Not Receive A Response***

Thank you for using eBay!

eBay Account Management

Having SpoofStick and other similar anti-phishing tools won’t really help you here, because they’ll just show you’re visiting request-ebay.com, which could be real enough. Even checking the WHOIS information isn’t that helpful, since the information there is no more or less suspicious than registry information of other legitimate sites. Even the website itself, request-ebay.com, looks normal enough.

The only real clues are in the language, which doesn’t make a lot of sense (why would a change of email address be sent to your new email address for verification?), in the errors (‘sign ininformations’; no proper addressee, just ‘Dear eBay Member’; the email address being one I know is now in the hands of ‘Nigerian’ scammers), and in the fact that if you actually visit the link, you’ll be asked, without further ado, to enter your credit card information.

What I’d like to know is: Why do registrars still allow these kinds of domains to be registered, why is the site still active, and why don’t eBay do a better job of policing these kinds of sites? Surely it’s not too hard to monitor these eBay-linked domain name registrations?
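As an added example (not code from the original posts, nor from Halifax, eBay or any registrar mentioned), here is a small Python checker that does the monitoring the last paragraph asks for. It flags the two tricks the posts describe: the one-glyph swap in the Halifax mail (“o” rendered as “c”), and a brand name buried inside an unrelated registrable domain, as in request-ebay.com and the paypal.de.com case from the next post. The public-suffix set, the brand inventory, the confusable table and the .example domains are all constructed stand-ins for the real Public Suffix List and a real brand list, not data from the page.

```python
"""Lookalike-domain checker (added example; not the original post's code).

Two checks, both from a defender's side of the fence:
  1. homoglyph: after collapsing glyphs that render alike in many mail
     clients (the o/c trick), the domain matches one the brand really owns;
  2. brand-token: the brand name appears in a registrable domain (or one of
     its subdomains) that the brand does not own, e.g. request-ebay.com.
All lists below are constructed stand-ins, not real registry data.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. "de.com" is included
# because it is a second-level registry, so paypal.de.com is a registration
# under it rather than a subdomain of de.com's owner.
PUBLIC_SUFFIXES = {"com", "co.uk", "de", "de.com", "example"}

# Brand -> registrable domains the brand actually owns (constructed list;
# halifax-online.example is a placeholder, not the bank's real address).
BRANDS = {
    "halifax": {"halifax-online.example"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "paypal": {"paypal.com"},
}

# Glyph sequences that look alike in common fonts, each collapsed to one
# canonical form. "c" -> "o" is the swap used in the Halifax mail.
CONFUSABLES = {"rn": "m", "vv": "w", "c": "o", "0": "o", "1": "l"}


def split_host(host):
    """Split a hostname into (subdomains, registrable label, public suffix).

    Walks the labels from the left and stops at the longest known suffix,
    so "billing.request-ebay.com" -> ("billing", "request-ebay", "com").
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[:i - 1]), labels[i - 1], suffix
    # Unknown suffix: fall back to treating the last label as the TLD.
    if len(labels) >= 2:
        return ".".join(labels[:-2]), labels[-2], labels[-1]
    return "", labels[0], ""


def normalize(label):
    """Collapse confusable glyph sequences, longest sequences first."""
    out = label
    for seq, canon in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(seq, canon)
    return out


def check_url(url):
    """Return a list of findings for the URL's host; empty means nothing odd."""
    host = urlsplit(url).hostname or ""
    sub, label, suffix = split_host(host)
    reg = f"{label}.{suffix}"
    findings = []
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue  # genuinely the brand's own registrable domain
        # 1) homoglyph: same suffix, same label once confusables are collapsed
        for real in owned:
            _, rlabel, rsuffix = split_host(real)
            if rsuffix == suffix and normalize(label) == normalize(rlabel):
                findings.append(f"homoglyph: {reg} mimics {real}")
        # 2) brand token inside a domain (or subdomain) the brand does not own
        if brand in label or brand in sub.split("."):
            findings.append(f"brand-token: {reg} is not owned by {brand}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs mirroring the posts' cases.
    for u in ["http://halifax-cnline.example/login",
              "http://billing.request-ebay.com",
              "http://paypal.de.com/",
              "https://www.ebay.co.uk/signin"]:
        print(u, "->", check_url(u) or ["looks like the brand's own domain"])
```

The suffix walk matters more than it looks: without “de.com” in the suffix set, paypal.de.com would be split as a subdomain of de.com, and the brand name would only be caught by the subdomain check. Either way it is flagged, which is the point of running both checks.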

More On Phishing And Top Level Domains

Further to my posting on top level domains being registered with clear criminal intent (the example I used was paypal.de.com, in ‘How to make a phish look real’) I just received this from Joe Alagna, Manager, North American Markets for CentralNic, the registrar for the TLD in question. Here’s his reply in full:

I wanted to respond to your blog article related to phishing. I am the Manager, North American Markets, for Centralnic and I want to assure you that we are very concerned about the problem of phishing as well.

There are a few issues in your article that concerned me…

1. Although we do not place restrictions on our domains, they are no more prone to phishing use than many regular ccTlds. I have personally received phishing messages based on Chinese, Polish, Czech, and other ccTlds. There are many ccTlds that do not have restrictions and the trend amongst Country Code operators is to reduce those restrictions on residency, etc.

The reason for this is that ccTld operators have found that their sales increase when they reduce restrictions. It’s a double edged sword; more sales, more potential abuse.

My point however, is this… You are correct about our domains being easy pickings for phishers, but I think it is unfair to have singled us out because of one example (which we will investigate).

2. Centralnic would like to make it known that we are very willing to help if someone thinks that our domains are being used for fraudulent purposes. We do manage a live whois registry which can be viewed by the public and by the authorities to determine registrant details and which can be queried by any anti-phishing tool. Our whois data can be publicly viewed here.

3. Regarding your contention on registrar responsibility, there are ongoing actions within the registrar/registry community to fight fraud and phishing. The most important of which is verifying whois authenticity. You can read about some of the ongoing work here (PDF).

The problem is that with over 60 million domains registered world-wide, it is very difficult to know that each registrant is real. The industry is trying to get better at that.

4. Finally, we work with a few world renowned brand managers like MarkMonitor.com who regularly try to educate financial institutions about these problems. Companies like Bank of America have registered most all of our domains to protect their customers. It’s a little expensive, but definitely a bargain when it comes to the cost of fraud and phishing. See here.

Financial institutions have the largest risk and responsibility in this. I just want to assure you that they are not in this fight alone and that Centralnic is very sensitive to the problem.

Articles like yours are very important because when all is said and done, the best protection is an educated end-user. I just want you to know that Centralnic is committed to the important battle against this type of fraud.

Thanks for the comment, Joe. I notice the website in question has been removed.