‘tis the season to be squatting
on 16 Dec, 2011
Guest blog from Rik Ferguson, Director Security Research & Communication EMEA, Trend Micro
In the run-up to Christmas, criminals are abusing the opportunity to prey on online shoppers with tired eyes and weary fingers. Many thousands of misspelled versions of popular retail destinations have been registered by criminals in the hope that the unwary consumer will land there by accident. Customers of popular online retailers such as John Lewis, Debenhams and Argos have all been targeted.
The criminal websites are often copies of the legitimate website, copies that aim to pass off counterfeit goods, redirect the visitor through money-spinning advertising links, or harvest personal and financial information if a “purchase” is made. In other instances the misspelled domain names can lead to objectionable content or even to websites loaded with exploits that aim to infect the victim's machine with information-stealing malware or to recruit it into a botnet, a network of compromised machines under the remote control of a criminal.
Typosquatting has been around almost as long as the World Wide Web. In fact, US legislation dating back to 1999, the Anticybersquatting Consumer Protection Act, contains a specific clause (Section 3a) aimed at combating this phenomenon. In the past, individual companies have been known to spend large amounts of money bringing cybersquatters to justice. Lego, for example, have previously spent more than half a million US dollars pursuing cybersquatters through the Uniform Domain-Name Dispute-Resolution Policy (UDRP), going after such domain names as legoworskhop.com in an effort to protect their brand.
However, in this most recent outbreak of typosquatting, we are not talking about domain names which simply include the names of well-known brands, but rather those that prey on our lack of attention to detail. In the rush to get the online Christmas shopping done, how sure can you really be that you were shopping at the legitimate debenhams.com rather than the typosquatted debanhams.com, or at marksandspencer.com rather than marsandspencer.com or markandspencer.com?
This year and last, British law enforcement have been doing their best to crack down on dodgy online shopfronts. However, efforts to suspend illegitimate domain names can only ever represent a game of whac-a-mole in the fight against evil online traders. Criminals can register vast reserves of domain names in advance and, when one gets shut down, simply activate another as required. And that is the real issue: far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and, in the words of Nominet:
“We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):
4.4.1 .co.uk; or
4.4.2 .org.uk.
In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters.”
Until regulation is tightened and international cooperation is improved, well-intentioned law-enforcement initiatives will only be treating the symptom, not addressing the cause. In the meantime, be careful where you click, and if you are planning some serious online shopping sessions, you may be wise to create yourself some bookmarks to popular online shopping sites rather than relying on your typing skills standing up to the Christmas rush.