SoylentNews is people
SoylentNews
from the aich-tee-tee-pee-ess-colon-slash-slash-aich-tee-tee-pee-dot-pee-ess dept.
Crafty Web Skimming Domain Spoofs "https":
Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site's source code: "http[.]ps" (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).
This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida.
[...] A simple search on the malicious domain "http[.]ps" at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.
The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.
Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.
Don't believe everything you [think you] see!
(Score: 0) by Anonymous Coward on Thursday March 12 2020, @02:25PM (4 children)
Is it actually this: "http[.]ps" (brackets removed)?
Because it seems like this: "http[.]s" would be a better visual spoof.
(Score: 2, Informative) by throckmorten on Thursday March 12 2020, @03:04PM (1 child)
.S isn't a valid CCTLD, .PS is
(Score: 3, Interesting) by maxwell demon on Thursday March 12 2020, @04:16PM
But htt[.]ps would also be closer than http[.]ps, while still being a valid domain name.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Thursday March 12 2020, @06:06PM (1 child)
I guess they make it look similar to https but change it slightly so most people think it says https?
Browsers are supposed to have that little locked symbol showing if the certificates are all authenticated correctly. I imagine that the little lock wouldn't show up if it wasn't so, unless the browsers have poor security and need to be fixed and updated accordingly, so if someone did think it was an https domain when in fact it wasn't they should be able to see that the lock isn't present.
(Score: 0) by Anonymous Coward on Friday March 13 2020, @06:59AM
Wow. You're right. There's a green lock symbol on the url bar to the left of https
The nice thing about standards is that we have so many of them.