web application security lab

Information Theft via Domain Squatting

I was reading some random thread about buying .edu domains for SEO purposes, and it suddenly occurred to me that the opposite was an issue at one point. When I was in college one of my friends bought the .com equivalent of the school’s .edu address. He set up a mail server but no web-server. In doing so, he suddenly started getting tons of mis-typed email bound to the school. All sorts of things (mostly annoying email conversations) but at one point he started getting some really interesting stuff around the school’s new facility including the plans for the new building. Granted, he eventually gave it back but it got me thinking about it again.

If you own a sensitive domain’s typo URL, you could easily turn it into a CGI proxy. Someone who mistypes the domain is unlikely to notice it isn’t the real page, especially if it looks and acts like the real domain (if perhaps slightly slower). It could be a way to effectively pharm data from users. It’s not super interesting, it’s just something I thought about from my early college years.
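For the defending side of the misdirected-mail scenario above, an outbound recipient check can flag addresses whose domain is a TLD swap or a one-edit typo of a domain the organisation actually mails. This is an added example, not code from the original post; the allow-list, the sample addresses and the function names are constructed for illustration.

```python
# Constructed allow-list of domains the organisation really mails (assumption).
TRUSTED = {"example.edu", "partner-lab.org"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("exmaple" for "example") costs one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify(address, trusted=TRUSTED):
    """Return (verdict, trusted_domain_it_resembles) for one recipient."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted:
        return ("ok", domain)
    name, _, tld = domain.rpartition(".")
    for good in sorted(trusted):
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            return ("tld-swap", good)   # the .edu typed as .com case
        if osa_distance(domain, good) <= 1:
            return ("typo", good)       # one slip of the keyboard
    return ("unknown", None)

def flagged(recipients, trusted=TRUSTED):
    """Keep only recipients that look like a mistyped trusted domain."""
    hits = []
    for addr in recipients:
        verdict, good = classify(addr, trusted)
        if verdict in ("tld-swap", "typo"):
            hits.append((addr, verdict, good))
    return hits

# Constructed sample of outbound recipients.
SAMPLE = ["registrar@example.edu", "registrar@example.com",
          "facilities@exmaple.edu", "friend@unrelated.net"]

if __name__ == "__main__":
    for hit in flagged(SAMPLE):
        print(hit)
```

A distance threshold of 1 produces false positives on very short domain names, so a mail gateway would normally hold or warn on a hit rather than drop the message.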

13 Responses to “Information Theft via Domain Squatting”

  1. hackathology Says:

    Yes, that will be a huge disaster. But the chance of typing a domain name wrong is quite minimal; even so, typing a wrong domain will result in different images and settings. So let’s say I type a domain wrongly: I will see on the output that the site looks strange, and I will definitely check the URL and re-type it.

  2. Jordan Says:

    There was actually a thread on a university security admin mailing list not too long ago about domain squatters getting a bunch of .eu domains similar to universities. At first folks were worried that that was exactly what was planned. It looked like in the end they’re mostly just domain squatters sitting on them for the mis-typed URL page impressions, but they certainly /could/ use them for that purpose too. Scary.

    Speaking of domain name fun, I now need to introduce a new term into the IT industry: “malscript”

    Mainly because I thought it sounded good and registered the malscript.com domain name, so now I need to get it to become common usage so the url will look cooler. ;-)

  3. id Says:

    Any business that cares about the security of their customers will buy up closely related domain names, and common typos. eg: capitalone.com and capitolone.com. I’m sure they could be taken from a squatter if it was obviously being used in a scam.

  4. Awesome AnDrEw Says:

    I loved that above comment. Anyway, any time you have a set of domains with a typographical likeness you run the risk of accidentally disclosing some form of information (realistically who hasn’t accidentally misspelled a domain before and ended up somewhere else while going online?) about yourself in some manner. It could be very easy to capitalize on this before the cease and desist orders begin flowing in.
    I remember learning a long time ago that a certain free hosting service allowed for “.” characters in the domain, and while I used the multiple accounts to create the illusion of sub-subdomains for different purposes I’m sure a majority of MySpace users seeing a “You must be logged in to do that!” message on a “http://myspace-cdn.INSERTSHORTDOMAIN.com” or similar phishing URL wouldn’t hesitate to attempt logging in. I’m quite positive most people would feel safe at a spoofed page with all of the same content as the actual page as long as it’s realistic. Then again certain companies purchase the misspelle

  5. Awesome AnDrEw Says:

    d versions of their own domain, put all the same content on it, and don’t care to mention the fact users aren’t on the site they normally visit. It’s not really a new concept, but depending on the site owner’s demeanor it could be a world of difference.
    Also the above reference to loving the message was directed toward “Malscript”, but took forever to type on this Wii.

  6. hackathology Says:

    how about hackers.org and ha.cker.org? Do you think most of the users will remember that there is a dot?

  7. Ivan Says:

    Domain squatting for web pages is not so interesting these days (because of all the anti-phishing tools in browsers), but I like this idea with emails. It is very promising, and I will test it.

    Btw, are there any interesting texts or research about this?

  8. zeno Says:

    I’m researching this a bit. I actually own hushmail.org
    :)

    - zeno

  9. RSnake Says:

    I actually asked someone working for an uber-huge corp about buying all possible variants of their domain, and some international domains can be 10k or more a year, making all typo variants extremely expensive even for your uber-large enterprises. I was surprised too.

  10. Awesome AnDrEw Says:

    $10,000 or more a year is a simple Operating Expense to large corporations, and is trivial enough (to them at least) to possibly be written off as an allowance for debt expenses.

  11. RSnake Says:

    @zeno, I think it would be most effective if you owned the .com address for something that was typically a .net .edu .org or something similar. It’s tougher to do, but I think it would yield better results.

  12. zeno Says:

    Well, if I could acquire any domain at will I’d be doing it :)

  13. bubbles Says:

    I checked all the domains for my college, a few were left, but not .eu or any good typos… Interesting concept though.