Real or fake?
The other day, security writer/worker (what doesn’t that guy work on these days?) developed a handy-dandy little game called “Phish or Fake.” He wrote about it in his blog post here.
In the game, he shows you a domain like BANCOFAMERICAN.COM and asks whether the domain really belongs to Bank of America. The game then shows you many more domains, asking Yes or No for each. There are a lot of domains out there that you would never guess belong to BofA:
- ATLANTAMORTGAGEADVISORS.COM
- CREDITCARDINVITE.COM
- MERRILLNETACCESS.COM
- AFFILIATEDHOMELENDING.COM
- DERIVDEALER.COM
- COUNTRYWIDEREVERSEMORTGAGE.COM
- BACMERRILLLYNCH.COM
- XN--FIQZ9S5N9AK3P.COM
Looking at the domains above, you'd never be able to distinguish them from phishing domains such as these:
- COMBANKOFAMERICA.COM
- MAXAMVBANKOFAMERICA.COM
- BANKUFAMERICA.COM
- BANKOFAMERICAPRIVACYASSIST.COM
- BANKERSLIFEINSURANCECOMPANYOFAMERICA.COM
- BANKOFAMERICA-LOAN-MODIFICATIONS.COM
- BANK-OF-AMERICA-INCORPORATED-CO-OPERATIVE-BANK.COM
When I first played this game, my score sucked. I tried to tell the difference between them by visual inspection alone. It cannot be done; there's no rhyme or reason to it. If I, as a security professional, can't tell the difference, how do we expect the average user to?
One way is to do a WHOIS lookup on the domain in every link and see who the registrant is (and even that tells you little when the registration sits behind a registrar's privacy service). Of course, 0% of people on the Internet even know what a WHOIS lookup is (figure rounded down). If you get a message in your email that claims to be from Bank of America and it contains a link that doesn't point to something you recognize, how would you ever know that it's legitimate simply by visual inspection?
You can’t.
However, it's not as bad as it sounds. While Bank of America does have a lot of domains registered to it, that doesn't mean it uses all of them. It may buy them up in advance to stop somebody else from purchasing them, squatting on them, and forcing it to pay a lot more money later on.
Or, it may buy up whatever combinations it can think of so phishers cannot use them later on. That, of course, is a game it will never win, because phishers can come up with an almost infinite number of legitimate-sounding domains that BofA never thought to pre-acquire. Phishers can also use HTML tricks to conceal a link's real destination: the visible text of a link can say one thing while its href points somewhere else entirely, and many users never hover the mouse over the link to see where it actually goes.
I don't know which domains BofA sends mail from, but going by the number of domains they have registered, there are a lot they could send from.
Let’s hope they never do.
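The hover-over check that the post says most users skip, done by a program instead. This is an added example written for this page; it is not code from the post, from the "Phish or Fake" game, or from Bank of America. It parses an HTML message, compares each link's visible text with the host its href really points to, decodes any xn-- (Punycode) label so that a domain like the last one in the first list above is shown the way a browser would show it, and calls a link "trusted" only when it lands on an allowlist. The sample message, the one-entry allowlist (bankofamerica.com), the brand-token list and the naive "last two labels" domain rule are all assumptions made for the example. Note how two domains that the post lists as genuinely BofA's (merrillnetaccess.com and derivdealer.com) come out as "lookalike" and "unknown": string inspection cannot settle them, which is exactly the post's point, and ownership data such as a WHOIS record is what would be needed to resolve the "unknown" cases.

```python
"""Flag deceptive links in an HTML e-mail automatically, the way a careful user
hovering over every link would.  Added example for this page; not code from the
post, the game, or any bank.  All sample data below is constructed."""

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# ASSUMPTION: the only domain we will call "really BofA" without an external
# (registry / WHOIS) lookup.  Everything else, including BofA's own obscure
# domains, is at best "unknown".
TRUSTED_DOMAINS = {"bankofamerica.com"}
# ASSUMPTION: brand strings that make an untrusted domain look suspicious.
BRAND_TOKENS = ("bankofamerica", "bofa", "merrill")

# Constructed sample message; the domains are taken from the post's two lists.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please sign in at
<a href="https://www.bankofamerica.com/login">https://www.bankofamerica.com</a>
or <a href="http://bankufamerica.com/verify">www.bankofamerica.com/verify</a>
or <a href="https://bankofamerica-loan-modifications.com/apply">Loan modification offer</a>
or <a href="http://xn--fiqz9s5n9ak3p.com/">Bank of America China</a>
or <a href="https://merrillnetaccess.com/">Merrill Net Access</a>
or <a href="https://derivdealer.com/">Derivatives desk</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Lower-case hostname from a URL, or from bare URL-looking text such as
    'www.bankofamerica.com/verify'.  Returns '' for text that is not a URL."""
    s = url_or_text.strip()
    if not s or " " in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    try:
        host = (urlsplit(s).hostname or "").lower()
    except ValueError:
        return ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z0-9-]+", host) else ""


def registrable_domain(host):
    """ASSUMPTION: 'last two labels' stands in for a Public Suffix List lookup,
    so multi-label suffixes such as co.uk are not handled here."""
    return ".".join(host.split(".")[-2:])


def decode_idn_host(host):
    """Render xn-- labels as the Unicode a browser would display."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass    # malformed label: leave the raw xn-- form visible
        out.append(label)
    return ".".join(out)


def classify_link(text, href):
    """Return (verdict, real_host) for one anchor.  Verdicts:
    trusted   - lands on the allowlist
    mismatch  - visible text names a different domain than the href
    lookalike - untrusted domain containing a brand token
    unknown   - nothing to go on; needs ownership data (e.g. WHOIS)"""
    real_host = host_of(href)
    shown_host = host_of(text)
    real_dom = registrable_domain(real_host)
    if real_dom in TRUSTED_DOMAINS:
        return "trusted", real_host
    if shown_host and registrable_domain(shown_host) != real_dom:
        return "mismatch", real_host
    if any(tok in real_dom for tok in BRAND_TOKENS):
        return "lookalike", real_host
    return "unknown", real_host


def scan_email(html):
    """One record per link: what the user sees, where it really goes, verdict."""
    report = []
    for text, href in extract_links(html):
        verdict, real_host = classify_link(text, href)
        report.append({"shown": text, "real_host": real_host,
                       "display_host": decode_idn_host(real_host),
                       "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in scan_email(SAMPLE_EMAIL):
        print(f"{row['verdict']:9} {row['shown']!r:38} -> {row['display_host']}")
```

Only the "trusted" and "mismatch" verdicts are decided by the message itself; "lookalike" and "unknown" are exactly the set that a human cannot resolve by looking, and that an automated registry or WHOIS query (the thing the commenters below are asking for) would be needed to settle.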
Comments
Anonymous
February 09, 2012
Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks.
Anonymous
February 09, 2012
Currently automated queries for WhoIs data are generally forbidden. It would help enormously if the WhoIs lookup could be automated. Email clients could then show elements of the WhoIs data next to the sender domain, or alternatively servers could use it to block email based on suspicious WhoIs entries. Does anyone know the technical reasons why WhoIs servers can't handle automated queries?
Anonymous
February 13, 2012
Hexamail, I think the main advantage of not allowing automatic whois queries is to reduce the ease of getting the real phone/email/address of domain owners. Since the requirement when registering a domain is to give real contact details, it means that if you register a domain as a private person, your details are free for anyone to find. Allowing automatic non-metered access would make it even easier to quickly run through a large number of domains and take the personal details from them. Some registrars do provide a service of hiding the details and providing their own instead, but it's not that common, and usually requires paying a substantial extra...
Anonymous
February 29, 2012
I think that for the average user though, they wouldn't understand.