Combosquatting trick is 100 times more potent than earlier web page scams: Internet Scambusters #808
Combosquatting — combining a real email address with just another single word to lure users to fake web pages — is a roaring success for scammers.
Millions of new domains using the trick have been set up and some top brand names have been targeted.
In this week’s issue, we’ll explain exactly what combosquatting is, how it works, and what you can do to limit your chances of being caught out.
Let’s get started…
Combosquatting — A New Fake Web Page Scam that Can Fool Experts
Internet crooks have come up with a new way of tricking users into visiting a fake website — combosquatting.
In the past, they relied on people mistyping the name of the site they wanted to visit, taking them instead to a site using the mistyped name that looks like the real thing — a tactic known as typosquatting, which we’ve reported on before.
The aim, of course, is to fool you into typing in your user name and password, which can then be used for identity theft. Or the scammers may simply want to upload malware onto your PC or link it to a botnet.
People have wised up to that trick now. So, the scammers have switched tactics by using the real address (URL) of the website you’re seeking, plus another word or phrase.
They register this entire new name and use special techniques — known as search engine optimization — to make sure their name appears at or near the top of any search you do.
They may even pay to advertise their sites.
The extra word or phrase they use is calculated to convince users that it’s a good site. For instance, they may add the word “security” to the end of a bank name. Who wouldn’t think this is the real thing?
According to the technology website ZDNet.com, the malicious names “even included some which had previously been registered by the (genuine) companies themselves, combining words with their trademarks.”
These would-be sites that, for various reasons, the genuine firms had allowed to expire. So, taking them over may be even more convincing to potential victims.
A study presented late last year by researchers at Stony Brook University and Georgia Institute of Technology disclosed that more than 250 well-known brands and trademarks were victims of this combosquatting trick — and that the tactic was highly successful.
Top names used for fake variations included JCPenney, Nike, Expedia, Bank of America, and even Facebook.
In fact, the researchers claim the use of combosquatting is about 100 times more common than typosquatting. More than 2.7 million phony domains have been registered just for these 250+ brands and trademarks.
ZDNet quoted Georgia Tech assistant professor Manos Antonakakis as saying: “This attack is hiding in plain sight, but many people aren’t computer savvy enough to notice the difference in the URLs containing familiar trademarked names.”
The findings, another researcher said, were mind-blowing. The potential use of the technique is unlimited. Unlike typosquatting, which has only a limited number of ways a name might be misspelt, combosquatting scammers could add as many different words and phrases as they want to a URL, and then register this extended domain name.
The result is that the number of phony site names has been, and continues to be, steadily growing.
Further proof of the scam’s effectiveness is that many of these fake names were found to have survived on the Internet for around three years — an exceptionally long time for a scam site.
“Users unfortunately have to be better educated than they are now,” Antonakakis was quoted as saying.
“Organizations can provide training in the on-boarding process that takes place for new employees, and they can protect their network perimeters to prevent users from being exposed to known combosquatting domains. More needs to be done to address this growing cybersecurity problem.
“These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
Meanwhile, users are urged to be extra vigilant to the danger. In the past, you’ve been able to rely on the URL address line including the prefix “https,” with that final “s” indicating the page is secure, but that may not be a guarantee of its genuineness.
Instead, make sure you know the correct URL for the secure sites you usually use, especially banks, and beware of brand and trademark names that are followed by a hyphen or period, and then another word.
If you’re in doubt, you may be able to contact the organization concerned, such as a bank, and phone them to ask for their correct web address. Also, check your email records for previous communications or look at statements and paper bills for the correct URL.
Read the full Georgia Tech PDF report: Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse.
Alert of the Week
Does your local police department offer a “safe haven” area for meeting potential buyers or sellers advertising on Craigslist and other classified sites?
Many police departments across the U.S. have now set up a camera monitored “Internet Purchase Exchange Location.”
If your buyer or seller insists on meeting on the street or in a parking lot, check if your police department offers this service and do your deal there.
If the other person is a crook, he/she won’t show up.
Time to conclude for today — have a great week!