2 sept 2015

Phishing: What Othello knew, Godaddy does not

Phishing is a growing problem and criminals are using smarter and sophisticated ways to get victims to click. Even Shakespeare's Othello knew that. ¿What are doing big companies like Godaddy to avoid it? According to our experience: just a bit or nothing.

Since last May, an Argentine thief has set up a new phishing strategy, which is not new but generally not put in practice because of the risks it can mean for the offender, for the phisher: this is register .COM domains names similar to businesses which he simulates. In the present case registered domains are mostly similar to VISA domains.

How is the process of the fake site registration

The process conducted by the offender is very simple and is also very easy to determine that a site is registered to commit a crime.
  1. On Monday, the phisher with a false name register a .COM domain at a domain registrar -like Godaddy- a domain name similar to the institution concerned, such as "vissahomeclave.com".
  2. On Tuesday, the offender uploads to the previously bought server, the fake web site; and points it to the newly created domain. Plus, this site generally is hosted in Godaddy too.
  3. Once the site is operational, the criminal sends emails to potential victims.
  4. The offender pays for these services with previously stolen credit cards, and the operation can be difficult to track.

Cases registered by Segu-Info

In order to understand the problem, a list of phisher's .COM domains registered at GoDaddy follows:
  • Domain: vissahomeclave.com
    Registrar: GODADDY.COM, LLC
    Date: 2015-08-29
  • Domain: homeviseeclave.com
    Registrar: GODADDY.COM, LLC
    Date: 2015-08-25
  • Domain: cuentas-verificaciones.com
    Registrar: GODADDY.COM, LLC
    Redirector: hxxp://mailwing.net/news/000007897516091143995905315221/942cbc37cee2c9b02325f74661d7b7aa
    Date: 19-aug-2015
  • Domain: cuentasreativar.com
    Registrar: GODADDY.COM, LLC
    Date: 14-aug-2015
  • Domain: inetservvisa.com
    Registrar: GODADDY.COM, LLC
    Date: 2015-08-10
  • Domain seguridad-cuentas.com
    Registrar: GODADDY.COM, LLC
    Date: 2015-08-27
  • Domain: premiosvisa.com
    Registrar: GODADDY.COM, LLC
    Date: 2015-07-30
  • Domain: formularioclave.com
    Registrar: GODADDY.COM, LLC
    Date: 23-jul-2015
  • Domain: clientespersonalescambio.com
    Registrar: GODADDY.COM, LLC
    Date: 21-may-2015
  • Domain: formulariovvihome.com
    Registrar: GODADDY.COM, LLC
    Date: 29-may-2015
  • Domain: visacuentas.com
    Registrar: ENOM, INC.
    Date: 07-may-2015
  • Domain: vencimientosclave.com
    Registrar: GODADDY.COM, LLC
    Date: 15-may-2015
  • Domain: altascambio.com
    Registrar: GODADDY.COM, LLC
    Date: 05-may-2015
As can be seen, the phisher has a very simple and easy to determine modus operandi. Unfortunately complaints to Godaddy have no result or domains -and websites- are blocked too late, after several days -5 or more- which facilitates the work of criminal and extends the window of time in which most victims can be deceived. In phishing scams, time is the most important factor. For every hour it takes to take down a fake site, the number of people affected grows exponentially.

What Godaddy is doing wrong?

Godaddy receives spam, phishing and malware complaints with this web form to subsequently carry out the withdrawal process. This is a reactive process and the first problem is that if there are no one report a fraudulent domain, no automatic detection process is performed and, if done, the problem of response time arises.

As in the case that you see in the image is of little use claim, it seems that you can not change Godaddy response times, have little interest in user's security, their business is register domains, regardless of the number of users affected by them.

We can point out the irresponsibility of Godaddy for several reasons:
  • After being notified of the problem, they clearly becomes responsible for the crime in progress abusing their resources. In these activities, as explained before, the key is to disable the mechanism mounted by criminals as soon as possible. The more the delay, the more victims.
  • Our experience with other ISPs that react properly in a short time, 2 hours or even immediately, within 10 minutes.
  • Some ISPs, given the repeated abuses seem to have taken proactive measures to detect and block this kind of abuse and no longer being permeable to these repetitive abuse.
On the internet, abuses like phishing and others, are deactivated, blocked and deleted daily because of the active and voluntary participation of the various actors who are part of the network.

We from Segu-Info denounce cases we receive to browsers, Phishtank, ISPs and abused resource owners . ISPs should not pretend being distracted. They are required to take responsibility and cooperate in this fight.

Cristian Borghello & Raul Batista

Suscríbete a nuestro Boletín


Publicar un comentario

Gracias por dejar un comentario en Segu-Info.

Gracias por comentar!