WhiteHat Security founder Jeremiah Grossman has published details that could help victims of domain hijacking.
The penetration tester writes about how he helped an unnamed video production house fight a scammer who had set up a mimic website to defraud its customers.
He says the company had more than a dozen published TV shows under its belt, such that the scam was causing “real brand damage” and the business impact was “severe”.
The company had been hit by a so-called bit-squatting or URL hijacking attack: the scammer registered a copycat domain name that hosted a clone of the company’s website.
Staff names and photos were altered along with contact information such that customers would contact the criminal instead of the film company.
Grossman grabbed WHOIS data, and used the dig command and the American Registry for Internet Numbers (ARIN) to find the IP address and the hosting provider it belonged to, GoDaddy, which directed him to report the fraud to ICANN.
This allowed the number of visitors to the scam site and their IP addresses to be revealed, along with the address used by the scammer.
The scammer cottoned on and changed his code to kill the redirect, and was soon defeated after GoDaddy took the fraudulent site down.
The scammer has since set up another replica fraud site.
“After all, this is the security of the web we’re talking about, and plainly said, it’s fundamentally broken,” Grossman says.
He says the scammer and others like them could establish a myriad of replica sites faster than any hosting provider could act.
This forces organisations to constantly monitor illegitimate domain names.
The largest and most vigilant brands pre-register copycat domains, including typosquatting domains where a common mistyped key would lead a visitor to another website.
Others can use NCC Group’s TypoFinder to help discover online copycats. ®
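The kind of lookalike list such monitoring covers, as an added Python example that is not Grossman's code nor NCC Group's TypoFinder: it generates single-keystroke typosquat and single-bit-flip bitsquat variants of a brand label and checks them against a set of registered names. The brand label and the registered set are constructed for the example.

```python
import string

# QWERTY neighbours for single-keystroke substitutions (constructed, letters only).
QWERTY_ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

def typosquat_candidates(label):
    """Single-keystroke typo variants of a DNS label (the part left of the TLD)."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                       # omitted key
        for adj in QWERTY_ADJACENT.get(ch, ""):
            out.add(label[:i] + adj + label[i + 1:])             # adjacent key hit
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposed pair
        out.add(label[:i] + ch + ch + label[i + 1:])             # doubled key
    out.discard(label)
    return out

def bitsquat_candidates(label):
    """Variants differing from the label by one flipped bit in one character,
    keeping only results that are still valid lowercase hostname characters."""
    allowed = set(string.ascii_lowercase + string.digits + "-")
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in allowed and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def lookalike_report(label, tld, registered):
    """Sorted lookalike domains that appear in `registered`, a set of names
    taken from whatever feed the organisation monitors (constructed here)."""
    cands = typosquat_candidates(label) | bitsquat_candidates(label)
    names = {f"{c}.{tld}" for c in cands
             if c and not c.startswith("-") and not c.endswith("-")}
    return sorted(names & set(registered))

# Constructed brand label and registered-name feed for demonstration.
SEEN = {"exanplefilms.com", "examplefilm.com", "unrelated.com"}
print(lookalike_report("examplefilms", "com", SEEN))  # → ['examplefilm.com', 'exanplefilms.com']
```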