Domain spoofing is a cunning way to lure the unwary to fake web-sites set up by cyber-criminals to impersonate real sites. These are usually the shop-front to elaborate phishing scams set up to steal your account information, financial data, even your entire identity.
Say you receive an email from your bank asking you to go to a page on its site and update your details. For one thing, reputable financial institutions never do this, but let’s look into this further.
The link in the message leads us to a fake site impersonating your bank, where you are invited to enter your data. This relies on the fake site not only looking like the real thing, but having a spoof web address, or URL, close enough to the real thing to catch the unobservant.
All socially well-adjusted and well-educated people want to respond responsibly to communications from officialdom and from organisations with which we have real-life relationships. It is no different on the Internet. We want to believe that what our eyes are telling us is genuine, the more so the busier we get. We want to deal with these chores quickly and efficiently. We don’t proof-read what we’re seeing. This is the psychology the cyber-criminals rely on.
What is Domain Spoofing?
Let’s take my website as a quick example to explain domain spoofing.
wordpress.com is the domain on which it is hosted.
wordpress.com/contact/ is a domain plus a folder (a path). Folders are suffixed to the right of the domain address, after the first slash.
It’s a simple hierarchy like the one on your computer hard-drive: C:\ is the root (the domain), and Program Files is the folder structure beneath it, C:\Program Files.
Where it gets interesting is the sub-domain. In the Domain Name System used on the Internet, wordpress.com is the parent. Sub-domains are added as a prefix to the left of the domain. Hence:
- allanjsmithie.wordpress.com is a sub-domain of wordpress.com. So far, so safe.
- allanjsmithie.wordpress.com/contact.html is a sub-domain plus a web-page. Still safe.
Back to the spoofing scam. Let’s say my bank’s official site is ww2.mybanksite.com. That’s its proper domain name with the right top-level domain (the .com portion).
In the phishing email you see a link that is ww2.mybanksite.com.dll.kz. This is the phishing website, where the ww2.mybanksite.com is a sub-domain of dll.kz which has NOTHING to do with the official mybanksite.
Therefore: ww2.mybanksite.com.dll.kz/enter-account-details.htm is a phishing page. It belongs to the sub-domain ww2.mybanksite.com under dll.kz, which is not mybanksite at all!
The spoof domain attempts to look innocuous by tucking the dll.kz on the end; your eye is drawn to the thing you expect to see, the part containing ww2.mybanksite.com.
Not only does the phishing URL look very similar to the real one, but smart criminals may even include actual page content and actual links to unsecured pages on the official site they spoof (typically advice or general information pages that sit in front of any security layer).
So what do we look for? The last dot or period in the address before any slashes. Hence, in the phishing URL above, the last thing before the / is the .kz; that’s the top-level domain. The alarm bells should ring right away – my bank is a .com!
Then also, dll.kz as the domain name is nothing like your bank! Counting back the periods from right to left, ww2.mybanksite.com is nothing but a sub-domain on someone else’s site. Take the mouse away from that link and move away now! AJS
Note: Internet Explorer 8 onward helps in identifying the main domain by graying out the sub-domain and the directory structure, leaving only the registered domain in black.
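As an added illustration (not part of the original post), here is a small Python check that applies the rule above: find the host, count back from the last dot, and compare the registered domain to the one you expect. It assumes single-label top-level domains such as .com or .kz; multi-label suffixes like .co.uk would need the Public Suffix List, which is beyond this example.

```python
from urllib.parse import urlsplit

# The bank's real domain from the post (the example values are constructed).
REAL_BANK_DOMAIN = "mybanksite.com"


def hostname_of(url: str) -> str:
    """Return the host part of a URL, lower-cased, without port or path."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def registrable_domain(url: str) -> str:
    """Apply the 'count back from the last dot' rule: the last two labels.

    Simplification (assumption): the top-level domain is a single label.
    """
    labels = hostname_of(url).split(".")
    if len(labels) < 2:
        raise ValueError(f"no registrable domain in {url!r}")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> dict:
    """Classify a link as 'ok' or 'spoof' relative to the domain you expect.

    Also reports the tell-tale sign from the post: the expected domain
    appearing as a sub-domain of somebody else's registered domain.
    """
    host = hostname_of(url)
    actual = registrable_domain(url)
    return {
        "host": host,
        "tld": actual.rsplit(".", 1)[1],
        "registrable": actual,
        "expected_seen_as_subdomain": expected_domain in host and actual != expected_domain,
        "verdict": "ok" if actual == expected_domain else "spoof",
    }


if __name__ == "__main__":
    for link in ("https://ww2.mybanksite.com/login",
                 "ww2.mybanksite.com.dll.kz/enter-account-details.htm"):
        print(link, "->", check_link(link, REAL_BANK_DOMAIN))
```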