
Scammers registering date-based domain names - edent
https://shkspr.mobi/blog/2020/01/scammers-registering-date-based-domain-names/
======
badrabbit
> And that's the price we pay for anyone being able to buy their own domain
> and run their own secure site.

No, that's the price we pay for using a name resolution system from the 80's
(70's?) that was not built with trust validation in mind, decoupled from the
infrastructure we use to establish domain ownership and authority. And also
without user friendliness or a layman's ability to independently validate
authority in mind. e.g.: reverse order of hierarchy where in English you read
left to right but DNS has least authoritative/lowest level on the left and
most authoritative on the right, why would I evaluate trustworthiness of
site.com if 'secure' is evaluated first in secure.site.com (another
example: google.com.site.info).

Cracked foundations make shaky buildings.

~~~
acvny
Yes, very wrong conclusion. The author blames cheap domains and easy-to-get
HTTPS. You could as well blame cheap computers, cheap internet access, cheap
electricity.

Since that looked like an SMS, I would report it to your mobile provider, let
them track who sent the message.

~~~
edent
I'm the author. I'm not blaming cheap domains. I'm saying that spam like this
is a consequence of cheap domains.

The blame lies at the feet of the spammers.

And, I've worked for a couple of mobile providers. This spam was likely sent
from a disposable pre-paid SIM. There's no realistic way to check who sent it.

~~~
bostik
So the phone/device IMEI is not recorded for the session?

Not that it would tell who sent it, but it would allow tracking whether the same
devices were used as part of an ongoing campaign.

~~~
edent
The sending network may have a record of the IMEI, but I don't think the
receiving one gets it.

But SMS sending devices are cheap and disposable. Sure, it's illegal to alter
your IMEI in the UK - but if they're already committing one crime, I don't
think that'll stop them.

------
LyalinDotCom
On the topic of trusting domains, big companies are not helping themselves.
Let's use a big financial company as an example.

I recently got an email from them to check on a transaction that settled, the
domain was:

[https://click.SOMECOMPANYNAMEHEREinvestments.com/](https://click.SOMECOMPANYNAMEHEREinvestments.com/)?
...

Their real domain is SOMECOMPANYNAMEHERE.COM but as you see they made a
special domain just for email clicks. I thought at first this was a scam
email, but then tried clicking and sorted out that it redirects to the real
site and login.

But man, you can't even easily trust real emails if you're paying attention. I
don't know how regular people will defend against stuff like this.

~~~
enonevets
This likely happens to prevent the primary domain from being blacklisted. Many
companies including key ESPs will register multiple domains to combat
potential spam listings and blacklists. It's possible they rotate through a
number of similar domains to ensure if any are blocked they have backups
available for use until those get unblocked.

------
multidim
There's been a lot of talk about the benefits of browsers showing URLs in a
stylized way that makes it more obvious to the user what is the domain and
what is not the domain.

I should have realized this earlier but: it's also important to have anything
that displays clickable URLs (like a messaging app) to also style the URL to
help it be more obvious what domain is being linked to.

The problem of better stylized URLs is so much bigger than browser URL bars
that show where you are right now; it's also everywhere that _displays_
clickable URLs.

~~~
yellow_lead
Does Hacker News even do this?

[https://example.randomsite.phishyourbank.com/Jan3](https://example.randomsite.phishyourbank.com/Jan3)

~~~
gpm
Hacker News is probably one of the least important places to do this.

It has a high concentration of technical users, only supports public posts
(where technical users will notice and comment on such URLs), and has very
active moderation.

Texting apps seem like the most important place to implement it... judging by
the spam that I get.

~~~
yellow_lead
That kind of attitude will put people off guard though. These things pop up in
places where you least expect them. I agree it's less important than other
places, but also would be nice for us to practice what we preach.

------
Ragnarork
> Money and technical expertise used to be strong barriers to prevent people
> from registering scam domains

That should not be, and should never have been considered the main line of
defense against that.

This guy has it backwards. The problem is not that it's affordable or
accessible. It's that there's no clear alternative to user vigilance to truly
avoid these scams.

------
thexa4
Too bad domain names are generally written in the 'wrong' order. These issues
would have been preventable if domain names were written the following way:
[https://org.example.www/index.html](https://org.example.www/index.html)

The domain referenced would have been:
[https://info.billing-update-jan02.uk.co.ee/](https://info.billing-update-jan02.uk.co.ee/) vs
[https://uk.co.ee/billing-update-jan-02](https://uk.co.ee/billing-update-jan-02)

~~~
SmellyGeekBoy
I don't see how this is any more informative to your average layman?

~~~
Buge
Look at these 2:

    https://ee.co.uk.billing-update-jan02.info
    https://ee.co.uk/billing-update-jan02.info

There's just a single character difference. The layperson will think they mean
the same thing. Now look at these 2:

    https://info.billing-update-jan02.uk.co.ee
    https://uk.co.ee/billing-update-jan02.info

There's a big difference there. People can easily see something is abnormal.

~~~
thexa4
The attacker wouldn't use that one in that case though.

    https://uk.co.ee/billing-update-jan02.info
    https://uk.co.ee-billing-update-jan02/info

Would be more likely.

Perhaps an animation showing both would help.

~~~
Buge
You're right, the benefit isn't really about character differences. In both
cases users need to be taught that '-' isn't a divider and '.' is a divider.
The benefit is that it would be easier to teach people to start on the left
then search right than it is to teach people to start at the leftmost / (but
not the ones in the scheme) then search left.

------
heipei
Web-based phishing has become a game of speed. Domains are not expected to
survive more than an hour (and few do), even with all kinds of countermeasures
in place (browser / geo detection, destroy-after-first-use links, etc). Yet
it's still economically viable to do. Companies offering blocking products
like Google Safe Browsing have been forced to increase the frequency of their
blacklist, up to the point where Google had to resort to checking suspicious
URLs against their online database rather than a cached local index.

This is a classical arms-race and will only intensify. With domains that look
generic enough and only serve malicious traffic when hit with the right URL,
parameters, user-agent and geographical location, blocking will have to rely
on sourcing these URLs directly from the targeted endpoints (e.g.
SMS/WhatsApp/Email), rather than "crawling" or relying on users to report
these. Another approach is to do some of the blocking locally, which of course
means pushing the detection logic to the client and thus exposing the
classification mechanism. Neither approach is sustainable long-term in my
opinion.

~~~
solarkraft
It seems to me that a list of known good domains provided by a large browser
vendor (Google) with extra treatment in the browser might be the most
effective against phishing and other scams.

This could be sold as an add-on for a certificate, or something like that,
with a barrier just high enough for proving authenticity. Known-good domains
could then get additional treatment, like a blue padlock or one with a star (ok,
I'm not an icon designer).

Of course you can argue against it on a freedom basis, but I think for
protecting vulnerable web users it'd be pretty useful.

~~~
lonelappde
Security measures like that become "Google abuses its monopoly to suppress
competition" complaints that are frontpaged here every week.

------
squarefoot
Wouldn't a soundex-like algorithm catch the similarity between the legit
domain and a substring of the malicious one? An alert could be fired upon
reception from any address resembling domains where online transactions or any
other sensitive activities are involved.

------
layoutIfNeeded
Looks like your typical Microsoft domain, e.g.
[https://www.microsoftedgeinsider.com/](https://www.microsoftedgeinsider.com/)

~~~
giancarlostoro
I hate that companies do this. I get why they might do this to avoid red tape,
but it just piles on the phishing / scamming possibilities for people who don't
know better.

~~~
saagarjha
I hate that Microsoft does it but I have heard that it enables cookie
partitioning and other similar domain-based isolation.

~~~
giancarlostoro
Would subdomains not achieve this though?

~~~
saagarjha
I’m not completely sure, but I think some things are shared by eTLD+1.

~~~
Thorrez
You can make your domain effectively an eTLD by putting it on the Public
Suffix List. This is what Google did with withgoogle.com. This means no
cookies can be set on withgoogle.com. So hire.withgoogle.com is completely
isolated from games.withgoogle.com (they are separate eTLD+1s).

[https://publicsuffix.org/list/public_suffix_list.dat](https://publicsuffix.org/list/public_suffix_list.dat)
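
As an added example (not code from the post or from any commenter), this is how a URL-displaying app could work out the registrable domain the way Buge and Thorrez describe: longest Public Suffix List match, then one more label. `PUBLIC_SUFFIXES` is a constructed subset of the real list, and `highlight_url` and `brand_abused` are hypothetical helper names.

```python
"""Registrable-domain (eTLD+1) extraction for the hostnames discussed above.
Added example; PUBLIC_SUFFIXES is a constructed subset of the Public Suffix
List. A real deployment loads public_suffix_list.dat from publicsuffix.org."""
from urllib.parse import urlsplit

# Constructed PSL subset covering the thread's examples. withgoogle.com is on
# the real list, which is what makes hire.withgoogle.com and
# games.withgoogle.com separate eTLD+1s.
PUBLIC_SUFFIXES = {"com", "info", "net", "uk", "co.uk", "withgoogle.com"}


def labels_of(host):
    return host.lower().rstrip(".").split(".")


def public_suffix(host):
    """Longest PSL rule matching the end of host (whole host is tried first)."""
    labels = labels_of(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]  # unknown TLD: fall back to the last label


def registrable_domain(host):
    """Public suffix plus one label, or None when host is itself a suffix."""
    labels = labels_of(host)
    n = public_suffix(host).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def highlight_url(url, open_mark="[", close_mark="]"):
    """Bracket the registrable domain, as a URL bar de-emphasises the rest."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    if reg is None:
        return url
    prefix = host[: len(host) - len(reg)]
    marked = f"{prefix}{open_mark}{reg}{close_mark}"
    netloc = parts.netloc.lower().replace(host, marked, 1)
    rest = url[url.index(parts.netloc) + len(parts.netloc):]
    return f"{parts.scheme}://{netloc}{rest}"


def brand_abused(url, protected):
    """Return a protected registrable domain that appears as a run of labels in
    the hostname while the real registrable domain is something else, else None.
    Exact label matching only: hyphenated or misspelt lookalikes are not caught,
    so this complements a reputation lookup rather than replacing it."""
    labels = labels_of(urlsplit(url).hostname or "")
    actual = registrable_domain(".".join(labels))
    for brand in protected:
        b = labels_of(brand)
        if actual == ".".join(b):
            continue  # the brand really is the site being visited
        if any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b) + 1)):
            return ".".join(b)
    return None


if __name__ == "__main__":
    for url in ("https://ee.co.uk.billing-update-jan02.info/jan-02",
                "https://ee.co.uk/billing-update-jan02.info",
                "https://hire.withgoogle.com/", "https://games.withgoogle.com/"):
        print(highlight_url(url), "->", brand_abused(url, {"ee.co.uk"}))
```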

~~~
giancarlostoro
Looks like they have hotmail, azure, and microsoft on there, and probably
others.

> // Microsoft Corporation : [http://microsoft.com](http://microsoft.com)
> // Submitted by Justin Luk <juluk@microsoft.com>
> azurecontainer.io
> azurewebsites.net
> azure-mobile.net
> cloudapp.net

------
MrGilbert
> Money and technical expertise used to be strong barriers to prevent people
> from registering scam domains.

Cannot confirm. I registered my .de domain in 2005. That was 15 years ago. It
wasn't that difficult, and quite cheap (imho 12€ for a year). So the tech
barriers vanished a long time ago.

~~~
edent
.info domains can now be bought for around €1. If, like the scammers I
mentioned, you're buying one for every day of the year, that's a several
thousand Euro difference.

Spammers are in business. When certain costs fall, it makes their enterprise
more profitable.

~~~
ailideex
Why do they need date specific domain names?

~~~
penagwin
They don't have to be date specific but they need fresh ones constantly. They
get flagged as malicious quickly (within a day or so for large spam campaigns)
so they need fresh ones that aren't flagged.

The date is sometimes used to confuse people when they're reading it so they
think it's part of the URL and not the actual domain name.

------
scarmig
I think the most practical solution here is to train users not to use domain
names and de-emphasize them in the UI (and URLs more generally). Which I hate
as much as anyone here, but if I'm going to give my parents advice on how not
to fall for a scam, telling them "Google the name of the bank [or whatever]
and click on that link" seems like the most secure path.

Once security keys become ubiquitous, they should also provide some
protection. But right now setting up 2FA for every site they use is
impractical.

------
unexaminedlife
"By the time I'd fired up a VM to inspect it, major browsers were already
blocking the site as suspicious."

The system sounds pretty safe to me, even with its warts.

------
ryandrake
A lot of replies here are pointing at DNS being not trust-able, but let's back
up a bit. This is only a problem because people are still clicking on
unsolicited links they get in their E-mail. When you get an unsolicited phone
call and the guy on the other end claims to be from your bank, do you give him
your personal information and conduct whatever business he wants to conduct?
Of course not! So why would you click through some random link you get in
E-mail or text, regardless of how official it looks?

Users need to stop clicking on links they get out of the blue over E-mail, and
legitimate companies need to stop sending links they expect customers to
click, which encourages this risky behavior. Easy to say, but behavior is hard
to change.

~~~
capableweb
> Users need to stop clicking on links they get out of the blue over E-mail,
> and legitimate companies need to stop sending links they expect customers to
> click

I agree with the first part, but how is the second part supposed to work?
We're using links to more easily guide people in the "right" direction (depending
on who "you" are changes what "right" means), so what could an alternative be?

So, an X just finished, and the user can now use it. In my notification to the
user, how do I guide them to that specific X?

~~~
ryandrake
I think the key is whether the E-mail is unsolicited. Request a password
reset? The E-mail is solicited and expected. Just bought something from an
online store? The receipt E-mail is solicited and expected. In these cases,
users should not feel it's particularly risky to click the links, because they
are currently interacting with the site.

On the other hand, "Hi! We noticed there is a scary-sounding problem with your
account, please click here to fix it!" No legitimate company should be sending
users something like this out of the blue, and users should be trained to
immediately think fraud/scam when they receive this.

~~~
capableweb
So you bring up a good example. Imagine something scary happened to the
account, and the user needs to provide some additional details or fix
something. How can I as a company inform the user about this and get them to
fix this?

The incentive from the sender's side is to get the person receiving it to do
something. Whether that's good or bad is harder to say than drawing a line in the
middle. Currently, a bunch of companies and other entities are finding the whole
clickbait thing super useful, and it's only natural that bad actors take advantage
of this. But who is the bad actor? Turns out a lot of them, but on different
levels.

~~~
ryandrake
How would you do it if, instead of the E-mail address, you had the customer's
phone number? You probably wouldn't call them out of the blue and ask them to
do something, since that seems scammy. So why should a security-minded user
treat an identical conversation over E-mail differently?

Is this need real though? I can't think of a legit example where out of
nowhere (i.e. not in the context of some transaction I'm currently doing with
them), a company would suddenly need me to fix something, do something for
them, or provide them information.

------
ttul
Apple could do some basic spam filtering on SMS messages directly on the
device (ditto for Google on Android). Querying a domain reputation service
will very quickly tell you whether a URL is a risky click.

At a bare minimum, show me a warning when an SMS comes through containing a
risky URL. I just don’t see why these giant companies with billions in profit
can’t connect the dots here.

~~~
Spivak
Those giant companies already have connected the dots and have super
aggressive spam filters for links. It’s a testament to the volume of spam
that’s out there that so much still gets through.

SMS has the problem that since you don’t have a spam folder filters have to be
lenient because it’s more of a problem when they get a false positive.

~~~
ttul
I’m not seeing the SMS filtering market being super lively these days. There
was a burst back a decade ago when Cloudmark and AdaptiveMobile were selling
solutions that bolted onto the SMSC infrastructure. But that investment
petered out.

I am not aware of any device side filtering, which IMHO is where it should
live.

------
meehow
Quick fix for SMS app creators: when you highlight a link, accent the domain
part of it, just like Firefox does in the URL bar.

------
RcouF1uZ4gsC
This is a situation where EV certificates would be helpful. The cost and the
fact that it generates somewhat of a paper trail would discourage scammers
from getting them.

------
cpach
This is probably a case where MFA with a Yubikey would help. AFAIK it would
choke on the invalid hostname.

~~~
jrockway
The site would just say "for added security, we are requesting your backup
code this time."

~~~
potatoz2
That may be true, but it's an added opportunity to notice something is wrong.
If and when people are used to U2F/Webauthn security, it'll feel very wrong to
have to manually enter a code.

Although routing information isn't protected either way and is probably
fundamentally unsafe.

------
acvny
And by the way, what's with this cracked smartphone screen phenomenon?

~~~
TeMPOraL
Nothing. Smartphones are still very fragile. Eventually, pretty much everyone
will crack their screen. Because usually the phone is perfectly usable with
cracked glass, and because most smartphone designs are user-hostile, repairing
the damage ranges from not economical to not possible in practice - so you see
a lot of regular people walking around with cracked phones.

~~~
overcast
I've abused every single iPhone since the first one, only recently in the last
couple of years putting a case on because they are too slippery now. Never had
a single cracked screen, even dropping on pavement. You have to be quite
unlucky to hit things just right.

~~~
Izkata
Likewise here with a Samsung Galaxy S that lasted 8 years, without a case or
cover. Plenty of dropping on all sorts of hard surfaces, no cracked screen.
Some of the finish started smudging off on the back though. I have no idea
what people are doing to cause such damage.

(Only ended up replacing that phone because it started just not picking up
calls and texts for days at a time)

~~~
TeMPOraL
Well, my friend's S7 cracked itself overnight. My S4 cracked twice due to
dropping it on the floor, both times I had the screen replacement. My current
S7 fell frequently, but is still mostly intact. As far as I can tell, everyone
in my immediate family has cracked their smartphone at least once over the past
few years.

Beyond dropping, as far as I can tell, there are two other common causes of
screen breakage. One, sitting on it (a lot of people carry their phones in
their back pockets, which is something I cannot understand; beyond accidents,
this makes them vulnerable to pickpocketing). Two, women sometimes crush their
phones in their purses (especially when they are in hard covers that act as
levers when an item gets between it and the cover).

------
hartator
> Luckily, she's not with EE - because it's a pretty convincing text.

No, it's not. billing-jan-2020.info looks suspicious as hell. Recognizing
domain names from URLs is very 101 Internet security.

~~~
edent
I suggest you go and talk to people outside your normal tech bubble.
Recognising which parts of a URL mean what is tricky for most people.

Here are some examples I've collected of people clicking on links in suspicious
texts:

[https://twitter.com/edent/status/1193147685370552322](https://twitter.com/edent/status/1193147685370552322)
[https://twitter.com/edent/status/780317797855395841](https://twitter.com/edent/status/780317797855395841)

~~~
Nextgrid
Just because it happens doesn't mean there's something wrong with the
technology. This is the real-life equivalent of walking into a shop that's
branded "AyeAye" when paying your "EE" bill.

There is nothing being exploited here like a display bug in the URL bar, TLS
vulnerability, etc - it is completely obvious that you are not connecting to
EE.co.uk and instead to some weird domain.

There's only so much we can do to fix stupid and natural selection (or in this
case financial selection) can take care of the rest. Banks refunding every
instance of fraud (even when the user is obviously at fault and failed for an
obvious scam) don't help either as it means people still don't understand the
importance of being vigilant and actually taking the time to learn some basics
in order not to fall for these very obvious scams.

~~~
FDSGSG
> Just because it happens doesn't mean there's something wrong with the
> technology. This is the real-life equivalent of walking into a shop that's
> branded "AyeAye" when paying your "EE" bill.

I would guess that if this scam was performed over snail mail it would have
vastly higher success rates than SMS spam.

------
jrockway
More interesting than these obvious scams are when your phone company sends
you legitimate texts that look like scams. I got what I thought was something
super scammy from Verizon and did a lot of investigation and eventually found
out that it was them.

The TLDR is that apparently they send all their marketing texts from "+90
(007) 000 38 64". You can opt out on their website and now I don't get these
anymore. It's nice. But sad that my $120 a month isn't enough money for them,
and they have to text me at 3AM to get me to buy a new phone. (And sell my
browsing data.)

------
acvny
So what do you propose / want?

~~~
wongarsu
I think the article covers that in detail:

> Is there any way to stop this? No, not really. [...] There are no technical
> gatekeepers to keep us safe. We have to rely on our own wits

He is pointing out that this is a danger to be aware of, and that the only thing
we can do is be careful not to fall for it.

~~~
acvny
Yes, but that's obvious.

------
ailideex
I actually don't see how the date in the domain name is integral to this scam?
Maybe someone can clarify it for me.

~~~
Hnrobert42
It is supposed to look like the path. It is supposed to look like
https://ee[.]co[.]uk/billing-jan-02.info

~~~
ailideex
Is this what the URLs look like normally? (not from UK so I would not know)

Why not just
[https://ee.co.uk.billing.info/jan-02](https://ee.co.uk.billing.info/jan-02) ?
I mean, if someone does not notice it is a domain name and not a path, would they
really notice where the info part is?

~~~
function_seven
In addition to the sibling comments, there's also the problem of having an
actual slash in your example, which may cause the mark to notice it and
therefore notice the "missing" slash after the 'co.uk' part.

------
Kenji
_If you're stood up on a crowded train, with your phone screen cracked, would
you notice that a . is where a / should be?_

If you do your payments in a crowded train while standing and using an
outdated, broken Android phone, you're a dumbass who deserves to get ripped
off.

------
codegeek
Domains are one area where I support more regulation. It should be harder to
buy a domain in my opinion. Right now, it is way too easy. I am not even
talking about domain hoarders.

The price can remain the same, but whenever someone wants to purchase a domain,
they need to go through an additional audit of some sort. Add more barriers to
entry. Legit folks will be a little inconvenienced, but it will help weed out
the scammers a bit more. Yes, I know dedicated scammers will still bypass it at
times, but it will surely deter them. Thoughts?

~~~
save_ferris
What would you audit to prevent scammers?

~~~
codegeek
Haven't thought that far but I really think we need more controls over domain
purchases.

------
toohotatopic
> It starts with https:// - that means it's secure, right? Is
> .info even recognisable as a Top Level Domain?

It's not his wife, it's him who needs to be protected.

~~~
Hnrobert42
He is speaking in the voice of a less tech-savvy user to help the reader
understand how this attack may fool people.

