
Something Wicked This Way .coms: this sure seems like a big hole in the web - code_Whisperer
Here's the TL;DR of an earlier post: I accidentally mistyped a domain name configuration value while updating a website and found what I feel is a phishing op. If you take any .com domain, and add a second .com to the end (I do NOT recommend actually trying this unless you know what you are doing) you will see what appears to be a typo phishing operation.

My question: is this well known? Because I've never seen it written up before when I peruse web security stuff. For the full write-up of my experience and an associated screenshot check out: http://www.oldirtyhacker.com/something-wicked-this-way-coms
======
smt88
It is well-known. uBlock blocks anything ending in ".com.com" by default. It's
on most badware block lists.

It's not a hole in the web any more than people accidentally typing
"fcaebook.com" is a hole in the web. It's just someone exploiting user error,
not unlike domain squatting. If you hit "CTRL+ENTER" in most browsers' address
bars, they used to blindly append ".com" onto the domain name. If you typed
"facebook.com" and then hit CTRL+ENTER, you'd get to facebook.com.com. As far
as I know, all browsers have fixed that.

This isn't actually phishing (as far as I know) because it's not trying to
trick you into thinking you've gone to the correct website. It's just a
malware distribution page.

I believe OpenDNS also blocks this, for the record.
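The block-list behaviour described in this comment (anything whose host falls under com.com, the way uBlock's badware list and OpenDNS treat it) and the old Ctrl+Enter address-bar shortcut are easy to model. The following is an added example, not code from the thread, from uBlock or from any browser: it normalizes a URL or bare domain to a hostname, flags hosts whose parent domain is com.com, and runs that check over a few constructed proxy-log lines in an assumed "timestamp client method url status" format. The `SQUAT_PARENTS` set is an assumption standing in for a real block-list entry.

```python
"""Flag URLs whose host lands under com.com (the ".com.com" typo pattern).

Added example for the thread above; not code from uBlock, OpenDNS or any
browser. The block list is modelled by SQUAT_PARENTS (an assumption).
"""
from urllib.parse import urlsplit

# Parent domains a hostname filter would treat as the typo-squat target.
# Assumption: only com.com is listed, which is all this example needs.
SQUAT_PARENTS = {("com", "com")}


def hostname_of(text: str) -> str:
    """Return a normalized hostname from a bare domain or a full URL.

    Handles a missing scheme, userinfo, a port, upper case and a trailing
    dot, so that every spelling of the same host is compared the same way.
    """
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname or ""
    return host.rstrip(".").lower()


def is_com_com_typo(text: str) -> bool:
    """True when the host is com.com itself or any name beneath it.

    Only the hostname is inspected: "com.com" appearing in a path or query
    (http://example.com/com.com) is not a match.
    """
    labels = hostname_of(text).split(".")
    if len(labels) < 2 or "" in labels:
        return False
    return tuple(labels[-2:]) in SQUAT_PARENTS


def legacy_ctrl_enter(typed: str) -> str:
    """Model the old address-bar shortcut the comment describes.

    Ctrl+Enter blindly appended ".com" to whatever was typed, so a complete
    "facebook.com" became "facebook.com.com".
    """
    return typed + ".com"


# Constructed sample proxy log: "timestamp client method url status".
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://www.facebook.com/ 200",
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://facebook.com.com/help 200",
    "2024-01-01T10:00:02Z 10.0.0.7 GET https://COM.COM./ 200",
    "2024-01-01T10:00:03Z 10.0.0.9 GET http://example.com/com.com 200",
]


def flag_proxy_lines(lines):
    """Return (client, url) pairs for requests that hit a com.com host."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than guessing at them
        client, url = fields[1], fields[3]
        if is_com_com_typo(url):
            flagged.append((client, url))
    return flagged


if __name__ == "__main__":
    for client, url in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}")
    print(legacy_ctrl_enter("facebook.com"))
```

Running the script lists the two flagged requests (the facebook.com.com path and the upper-case com.com host with a trailing dot) and skips the line where com.com only appears in the path; a filter that matched on the raw URL string would have flagged that last one too.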

~~~
code_Whisperer
One of the (many different) pages I received wanted me to call a toll-free
number (screenshot in URL, and which looks like a real Facebook page) for help
in overcoming my 'facebook compromise'. I feel quite certain that if I had
dialed that number they would have tried to get facebook login info, perhaps a
credit card to pay for their 'service', etc.

My characterization of it being a 'hole' was more on the order of 'how could a
typo-squat on such a valuable domain name be allowed to continue?'

------
detaro
uBlock's Badware list blocks it, and via its documentation page I found these
two links:

[https://isc.sans.edu/diary/.COM.COM+Used+For+Malicious+Typo+...](https://isc.sans.edu/diary/.COM.COM+Used+For+Malicious+Typo+Squatting/20019)

[https://www.whitehatsec.com/blog/why-com-com-should-scare-yo...](https://www.whitehatsec.com/blog/why-com-com-should-scare-you/)

Seems like this has been going on for a while...

~~~
code_Whisperer
Thanks! I figured it was related to the domain com.com, but still shocked that
such a prominent domain name could be running such an obviously damaging ploy.

