SoylentNews is people

posted by Fnord666 on Sunday November 17 2019, @06:41AM   Printer-friendly
from the protect-your-business dept.

Submitted via IRC for Bytram

Holiday Shoppers Beware: Look-Alike Domains Are Targeting Your Wallet

The holiday shopping season is approaching, and many consumers will buy their gifts online; Cyber Monday has practically become a major holiday in its own right. Unfortunately, as online shopping continues to grow, so does the targeting of consumers through malicious look-alike domains.

Attackers create fraudulent domains by substituting a few characters in a well-known retailer's domain name. Because these domains point to shopping sites that closely mimic the legitimate ones, customers find it increasingly difficult to tell the fakes apart. Worse, many of these malicious pages are served with a browser-trusted TLS certificate, so the padlock appears even though it only attests that the connection to that domain is encrypted, not that the domain belongs to the retailer. Shoppers who take the padlock as a sign of legitimacy unknowingly hand over account credentials and payment data.

[Note - This article is directed at retailers and ecommerce sites rather than consumers. - Fnord666]

Some interesting details:

  • The number of look-alike domains has more than doubled since 2018, growing nearly four times faster than legitimate retail domains.
  • The total number of certificates used for look-alike domains is more than 400% greater than the number of authentic retail domains.
  • Over half (60%) of the look-alike domains studied use free certificates from Let's Encrypt.

  • (Score: 2) by Subsentient on Sunday November 17 2019, @06:50AM (8 children)

    by Subsentient (1111) on Sunday November 17 2019, @06:50AM (#921202) Homepage Journal

    When Let's Encrypt launched, I knew this was going to happen. I warned SN about using Let's Encrypt several years ago because I foresaw major browsers dropping them as a trusted CA because of widespread abuse.

    Never, ever have faith in humanity. You will be disappointed EVERY time. My cynicism predicted this outcome. Wonder how long till they drop it as a CA. I predict Chrome will be the first to drop it.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
  • (Score: 5, Insightful) by Booga1 on Sunday November 17 2019, @07:22AM

    by Booga1 (6333) on Sunday November 17 2019, @07:22AM (#921204)

    The real problem is that people were taught to trust the icons, i.e. they see a lock, or a green lock, and think "I'm safe. This is the website I wanted."
    Google/Chrome has pushed this, even going so far as to declare unencrypted connections as "unsafe" even when they're perfectly fine. However, you may be right. They may be the first to drop them.
    Of course, ICANN's approval of internationalized domain names was also a horrible idea and now the predictions about malware and lookalikes are coming true.
    Let's Encrypt might still be safe since they are following guidelines and the domains are all legitimate, from a technical standpoint at least. I can't think of a certificate provider that verifies the actual website content. There's no point to that since all you need to do is serve "safe" content when you set things up and switch to malicious content later.

  • (Score: 0) by Anonymous Coward on Sunday November 17 2019, @07:25AM

    by Anonymous Coward on Sunday November 17 2019, @07:25AM (#921205)

    https://news.umich.edu/how-lets-encrypt-doubled-the-internets-percentage-of-secure-websites-in-four-years/ [umich.edu]

    Major browsers aren't dropping support for Let's Encrypt though. And Mozilla is one of the founders of Let's Encrypt.

    The major browsers can maintain or use blacklists instead. Are all of them doing that?

  • (Score: 1, Informative) by Anonymous Coward on Sunday November 17 2019, @08:26AM

    by Anonymous Coward on Sunday November 17 2019, @08:26AM (#921213)

    The difference is that these are legitimate certificates for illegitimate websites. All other trust revocations came from the issuance of illegitimate certificates for legitimate websites. Even without Let's Encrypt, somebody would still sell these DV certificates. Probably one of the big names too.

  • (Score: 3, Insightful) by darkfeline on Sunday November 17 2019, @11:32AM

    by darkfeline (1030) on Sunday November 17 2019, @11:32AM (#921236) Homepage

    This isn't abuse though? HTTPS tells you that you actually are connecting to the server in the URL and that no one else is eavesdropping. All of this is still true.

    Users will need to re-learn to check the URL, if they stopped doing that. Both Firefox and Chromium gray out the non-domain parts of the URL for this reason, and they stopped using green lock icons for HTTPS and use a muted gray lock icon, the idea being that HTTPS should be the norm rather than the exception.

    Users who were relying solely on HTTPS to trust a website were screwed anyway.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 2) by VLM on Sunday November 17 2019, @02:34PM (1 child)

    by VLM (445) Subscriber Badge on Sunday November 17 2019, @02:34PM (#921244)

    weeeeeelllll you gotta consider that this article is posted on a site that sells more or less competing product at a very high price.

    It's like panicking that Toyota is going downhill because you read an article explaining how Toyota is inferior... and further research indicates it's literally posted on ford.com, so I'd take that breathless warning of danger with a grain of salt. I mean, like, seriously, as a standard SN car analogy aside from "hilarious" site hacking stories, you don't expect to read an article on ford.com about how nobody needs a F-150 and just buy a Tacoma?

    • (Score: 1, Informative) by Anonymous Coward on Sunday November 17 2019, @02:50PM

      by Anonymous Coward on Sunday November 17 2019, @02:50PM (#921246)

      Ford was bought out by Yugo a long time ago.

  • (Score: 3, Interesting) by FatPhil on Sunday November 17 2019, @11:06PM (1 child)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Sunday November 17 2019, @11:06PM (#921328) Homepage
    The problem is trusting any CA. A CA took money off someone; that's all that a certificate proves. I have more trust for self-signed certificates than for ones from 99% of the CAs in the Firefox default trust list.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 1, Interesting) by Anonymous Coward on Sunday November 17 2019, @11:43PM

      by Anonymous Coward on Sunday November 17 2019, @11:43PM (#921336)

      Now that is real paranoid. I totally trust CNNIC to issue certificates for any domain, including *.gov or the Tibetan diaspora. We all know that every CA uses extreme vetting for all the certificates they issue /s

      In all seriousness, when people don't believe self-signed TOFU with HTTPS is secure, the first question I ask is whether they share the same belief about SSH and its security, and most don't get the reference.