How-to: Spot Domain Spoofing


Image: Information Security by Renjith Krishnan, FreeDigitalPhotos.net

Domain spoofing is a cunning way to lure the unwary to fake websites set up by cyber-criminals to impersonate real sites. These are usually the shop-front to elaborate phishing scams set up to steal your account information, your financial data, even your entire identity.

Say you receive an email from your bank asking you to go to a page on its site and update your details. For one thing, reputable financial institutions never ask for this by email, but let’s look into it further.

The link in the message leads to a fake site impersonating your bank, where you are invited to enter your data. This relies on the fake site not only looking like the real thing but also having a spoof web address, or URL, close enough to the real one to catch the unobservant.

Socially well-adjusted, well-educated people want to respond responsibly to communications from officialdom and from organisations with which they have real-life relationships. It is no different on the Internet. We want to believe that what our eyes are telling us is genuine, the more so the busier we get. We want to deal with these chores quickly and efficiently, so we don’t proof-read what we’re seeing. This is the psychology the cyber-criminals rely on.

What is Domain Spoofing?
Let’s take my website as a quick example to explain domain spoofing.
wordpress.com is the domain on which it is hosted.
wordpress.com/contact/ is the domain plus a folder. Folders are suffixed to the right of the domain, after a slash.
It’s a simple hierarchy like the one on your computer’s hard drive: C:\ is the root (the domain) and Program Files is a folder inside it, giving C:\Program Files.

Where it gets interesting is the sub-domain. In the Domain Name System used on the Internet, wordpress.com is the parent. Sub-domains are added as a prefix to the left of the domain. Hence:

  • allanjsmithie.wordpress.com is a sub-domain of wordpress.com. So far, so safe
  • allanjsmithie.wordpress.com/contact.html is a sub-domain plus a web-page. Still safe.

Back to the spoofing scam. Let’s say my bank’s official site is ww2.mybanksite.com. That’s its proper address: mybanksite.com is the name the bank registered, with the right top-level domain (the .com portion), and ww2 is a sub-domain the bank itself added to the left.

In the phishing email you see a link to ww2.mybanksite.com.dll.kz. This is the phishing website: here ww2.mybanksite.com is merely a sub-domain of dll.kz, which has NOTHING to do with the official mybanksite.

Therefore ww2.mybanksite.com.dll.kz/enter-account-details.htm is a phishing page. It belongs to the sub-domain ww2.mybanksite.com under dll.kz, which is not mybanksite at all!

The spoof address tries to look innocuous by tucking the real owner, dll.kz, on the end, where it is easily overlooked; your eye is drawn to the part you expect to see, ww2.mybanksite.com.

Not only does the phishing URL look very similar to the real one, but smart criminals may even copy actual page content from the official site and link out to its real, unsecured pages (typically advice or general-information pages that sit in front of any login), so that clicking around the fake appears to confirm it is genuine.

So what do we look for? The last dot or period in the host name, that is, the part of the address after the https:// and before the first slash. Hence in:
ww2.mybanksite.com.dll.kz/enter-account-details.htm
the last thing before the / is .kz; that’s the top-level domain. The alarm bells should ring right away: my bank is a .com!

Then also dll.kz as the domain name is nothing like your bank! Counting back the periods from right to left, the top-level domain plus the one label before it (dll.kz) is the registered name; everything to the left of that, ww2.mybanksite.com included, is nothing but a sub-domain on someone else’s site. Two caveats: some countries use two-label suffixes such as .co.uk, so count back one label further there; and this check will not catch a criminal who simply registers a similar-looking name of his own, so compare the registered name itself with the one you know. Remember too that the text of a link in an email can say anything; hover over it (or copy the link address) to see the real destination. Take the mouse away from that link and move away now! AJS
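As an added worked example (not part of the original post), here is the same right-to-left check in Python. The tiny public-suffix table, the bank name mybanksite.com and the sample links are constructed for illustration; a real checker would use the full Public Suffix List rather than a hand-made table. It also covers two things the prose above does not: links pasted without https://, and the user@host trick, where a name placed before an @ sign is not the host at all.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix table for this example. A real
# checker must use the full Public Suffix List (publicsuffix.org); this set is
# an assumption made for the demonstration, not the real list.
PUBLIC_SUFFIXES = {"com", "net", "org", "kz", "uk", "co.uk", "org.uk"}


def host_of(url: str) -> str:
    """Return the lower-case host name of a link, ignoring the scheme, any
    user@ prefix, the port, the path, the query and the fragment."""
    if "//" not in url:
        url = "http://" + url          # links pasted as bare "host/path"
    host = urlsplit(url).hostname      # .hostname drops user:pass@ and :port
    if not host:
        raise ValueError("no host name in link: %r" % url)
    return host.rstrip(".")            # "example.com." names the same host


def split_host(host: str) -> Tuple[str, str]:
    """Count labels back from the right: the public suffix plus one more
    label is the registered domain; everything left of it is sub-domain."""
    labels = host.split(".")
    for n in (2, 1):                   # longest suffix first: co.uk before uk
        suffix = ".".join(labels[-n:])
        if len(labels) > n and suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):]), suffix
    return host, labels[-1]            # unknown suffix: treat the whole host as the domain


def check_link(url: str, expected_domain: str) -> Dict[str, object]:
    """Compare a link's registered domain with the one you know is the bank's."""
    expected = expected_domain.lower()
    host = host_of(url)
    domain, suffix = split_host(host)
    ok = domain == expected
    if ok:
        reason = "registered domain matches"
    elif expected in url.lower():
        # The name you expect is present, but only as a sub-domain or as a
        # user@ prefix: the classic spoof described in the article.
        reason = "%s appears in the link but the registered domain is %s (top-level .%s): spoof" % (
            expected, domain, suffix)
    else:
        reason = "registered domain is %s, not %s" % (domain, expected)
    return {"host": host, "domain": domain, "suffix": suffix, "ok": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed sample links; mybanksite.com is the article's made-up bank.
    for link in (
        "https://ww2.mybanksite.com/login",
        "ww2.mybanksite.com.dll.kz/enter-account-details.htm",
        "https://ww2.mybanksite.com@dll.kz/login",
        "https://secure.mybanksite.co.uk/login",
        "https://mybanksite-secure.com/login",
    ):
        r = check_link(link, "mybanksite.com")
        print("%-4s %-55s %s" % ("OK" if r["ok"] else "BAD", link, r["reason"]))
```

Run it and the spoof from the article is reported with registered domain dll.kz under suffix kz, while the co.uk line shows why counting back a fixed number of dots is not enough. The last link, a name the criminal registered outright, comes back as a mismatch only because you supplied the expected domain: the tool cannot know which of two plausible names is the real bank, which is exactly why the registered name itself has to be compared against the one you know.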

Note: Internet Explorer 8 onward helps in identifying the main domain by graying out the sub-domain and the directory structure in the address bar.


About Allan J. Smithie

Allan J. Smithie is a journalist and commentator based in Dubai.

Discussion

4 thoughts on “How-to: Spot Domain Spoofing”

  1. Reblogged this on txwikinger's blog.

    Posted by txwikinger | March 13, 2012, 2:07 am
  2. Great resource, as usual! Thanks

    Posted by Mo | May 20, 2012, 5:55 pm
  3. This is really obvious when you look at the web address and I never did before.

    Posted by Belke | June 5, 2012, 6:33 am

Trackbacks/Pingbacks

  1. Pingback: News: New Top Level Web Domains « Everything Express - October 1, 2012
