<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyveillance Blog - The Cyber Intelligence Blog&#187; -</title>
	<atom:link href="http://www.cyveillanceblog.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cyveillanceblog.com</link>
	<description>News and Information about Cyber Intelligence</description>
	<lastBuildDate>Tue, 02 Mar 2010 20:34:45 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Typosquatting and Brand Owners; Comments from Ben Edelman</title>
		<link>http://www.cyveillanceblog.com/brand-protection/typosquatting-ben-edelman-tyler-moore</link>
		<comments>http://www.cyveillanceblog.com/brand-protection/typosquatting-ben-edelman-tyler-moore#comments</comments>
		<pubDate>Tue, 02 Mar 2010 17:27:07 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Brand Protection]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=436</guid>
		<description><![CDATA[In mid-February Harvard researchers Tyler Moore and Benjamin Edelman posted their research on the prevalence of typosquatting, the practice of registering and monetizing domains that would likely only be visited by accident when internet users misspell the web address of legitimate websites. Among several findings in their work, titled Measuring the Perpetrators and Funders of [...]]]></description>
			<content:encoded><![CDATA[<p>In mid-February Harvard researchers Tyler Moore and Benjamin Edelman posted their research on the prevalence of typosquatting, the practice of registering and monetizing domains that would likely only be visited by accident when internet users misspell the web address of legitimate websites. Among several findings in their work, titled <a href="http://www.benedelman.org/typosquatting/typosquatting.pdf">Measuring the Perpetrators and Funders of Typosquatting</a>, they report that 80% of typo domains lead to pay-per-click ads, and almost two-thirds of typo domains can be traced to just five individual advertisers using Google AdSense.</p>
<p>Edelman was kind enough to answer a few questions about their research.</p>
<p><b>Cyveillance:</b> Your paper is premised on the idea that typosquatting unethically diverts traffic from legitimate online destinations. You open one of your paragraphs with the line, &#8220;Most large domain registrants present themselves as ‘domain parkers’ or domainers.&#8221; Some readers may be confused about your position on domaining as an industry. Can you clarify your stance on domaining in general?</p>
<p><b>Ben Edelman:</b> I don’t see much genuine value coming from the domaining business.  Yes, some users guess domain names, and domainers can cause results to be shown to users who might otherwise receive error messages.  But most web browsers already show results that are at least as useful as domainers’ placeholders – often better, with genuine organic results rather than merely advertisements.  </p>
<p>Meanwhile, domainers cause some important harms: For one, as detailed in my article, domainers deplete advertisers’ budgets.  Domainers also make it more costly for entrepreneurs to obtain the domains required to run actual substantive businesses: A domain might truly be unclaimed, in the sense that no one has ever used it for anything interesting, but a domainer would nonetheless be able to withhold that domain from a would-be user until they agree on a price.  Combine these harms with the remarkably widespread ongoing problem of typosquatting, as presented in my article, and the net value-add of domainers is far from clear.</p>
<p>Domainers will vigorously defend their right to advance-register large numbers of domains, as if this is some kind of moral entitlement.  I’m not so sure.  In many areas, landowners are (and, historically, have been) required to improve their property lest they be a blight or eyesore to others.  The analogy here is less direct: Which domains are “near” an unimproved domainer domain?  But certainly unimproved domains harm others, by impeding what could be direct navigations, and by driving up costs to others.  Indeed, limits on domain purchases have ample precedent – dating back to Jon Postel’s early restrictions on how many domains a single person or entity could request, and similar restrictions in certain ccTLDs.  At least as against domainers with thousands, tens of thousands, or even hundreds of thousands of domains, these ideas do ring true to me.</p>
<p><b>Cyveillance:</b> In your attempts to collect information about the behavior of typosquatting domains, some websites prevented your systems from gathering information about them. Can you discuss which servers attempted to prevent your analysis? Are you aware of any direct or indirect response to your investigation on their part?</p>
<p><b>Ben Edelman:</b> Google has pointed out that it will disable typosquatting domains in response to a trademark holder’s specific request.  Indeed, but what about infractions that come to Google’s attention some other way, such as in my article or in a complaint from the general public?  What about infractions that are readily apparent to Google, thanks to Google’s excellent semantic analysis software?  Google does as little as it can – letting Google and its partners continue to profit as widely as they can.  Once Google is on actual knowledge that a domain is a variation of a trademark – either because a member of the public says so, or because Google’s own software figured it out – I’d like to see Google avoid targeting ads to that domain.  And there’s a strong case that that’s exactly the behavior that the ACPA requires.</p>
<p>Meanwhile, trademark holders have ample grounds to be angry.  And reading my article, I believe a new set of trademark holders is remembering that there’s more they could do here.</p>
<p><b>Cyveillance:</b> Many merchants make use of affiliates to promote their products and services on the internet. You mentioned that &#8220;Few affiliate merchants affirmatively allow typosquatting, and most disallow it when it comes to their attention.&#8221; What recommendations, if any, do you have for merchants in this situation? Why do you believe most do not prohibit typosquatting among their affiliates to begin with?</p>
<p><b>Ben Edelman:</b> An easy first step is a specific contractual prohibition on affiliates registering or using typosquatting domains.  But merchants then need to follow through on this prohibition by implementing effective, robust enforcement.  And merchants would do well to penalize violators, including through litigation.  Recall Lands End v. Remy, wherein Lands End sued several LinkShare affiliates who had used typosquatting domains to claim affiliate commissions they had never properly earned. </p>
<p><b>Cyveillance:</b> Your article states that there are &#8220;two main uses for traffic diverted to typo domains: placing pay-per-click ads and redirecting to other (often competing) domains.&#8221; Both situations cost brand owners money. This may seem obvious, but just to be sure: which is worse for a brand owner in your opinion?</p>
<p><b>Ben Edelman:</b>  They’re both unlawful, and they’re both unacceptable.</p>
<p><b>Cyveillance:</b> You conclude by offering that the parties with the most ability to reduce typosquatting are the ad platforms of Google and Yahoo. Do you expect to see either company modify its practices based on data like that found in your investigation?</p>
<p><b>Ben Edelman:</b> I see the two main ways to compel ad platforms to change their practices: litigation and public outcry.  Both are underway.</p>
<p><b>Cyveillance:</b> Based on your research what advice do you have for brand owners when faced with the problem of typosquatting?</p>
<p><b>Ben Edelman:</b> Trademark owners need not write off typosquatting as an unavoidable cost of doing business.  Perpetrators are identifiable, and legal remedies are clear.  In few other contexts do sophisticated companies sit back and let themselves get cheated.  I don’t see why they’d want to do that here.</p>
<hr />
<p>Many thanks to Edelman for taking the time to answer these questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/brand-protection/typosquatting-ben-edelman-tyler-moore/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Blippy, a Spear Phisher&#8217;s Dream</title>
		<link>http://www.cyveillanceblog.com/phishing/blippy-spear-phishing</link>
		<comments>http://www.cyveillanceblog.com/phishing/blippy-spear-phishing#comments</comments>
		<pubDate>Fri, 22 Jan 2010 20:14:59 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=411</guid>
		<description><![CDATA[This month, a service called Blippy was rolled out to the general public. In a CNN article this week, Blippy was described as a &#8220;financial version of twitter.com&#8221;, where users&#8217; credit card transactions are posted to the internet much like the short tweets that people post to twitter. On twitter, users post up to 140 [...]]]></description>
			<content:encoded><![CDATA[<p>This month, a service called <strong>Blippy</strong> was rolled out to the general public. In a CNN article this week, Blippy <a href="http://www.cnn.com/2010/TECH/01/21/blippy.philip.kaplan/index.html">was described as</a> a &#8220;financial version of twitter.com&#8221;, where users&#8217; credit card transactions are posted to the internet much like the short tweets that people post to twitter. On twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below for example, we see that Jason Calacanis of Mahalo paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2010/01/blippy.jpg"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2010/01/blippy-300x125.jpg" alt="" title="blippy" width="300" height="125" class="alignnone size-medium wp-image-412" /></a><BR><font size ="1">Example of a Blippy transaction. Click the image to see a larger version or see the original <a href="http://blippy.com/t/152p">here</a>.</font></p>
<p>CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:</p>
<blockquote><p>CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?</p>
<p>Kaplan: I don&#8217;t &#8212; we&#8217;ve all been taught that this is just something you don&#8217;t do. As an aside, when I was a kid, we weren&#8217;t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you&#8217;re at dinner. &#8230; You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. &#8230; I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we&#8217;re taught, which is to not share this [financial] information, and we don&#8217;t really know why.</p></blockquote>
<p>That&#8217;s not the right answer to the question. Information found in Blippy postings (&#8220;blips&#8221;?) <em>can</em> be used against the people who post it. Let&#8217;s go back to the example in the image above.</p>
<p>We find:</p>
<ul>
<li>a user&#8217;s name</li>
<li>the name of a business with whom they had a financial transaction</li>
<li>how much they spent</li>
<li>for certain retailers, what they bought</li>
</ul>
<p>Great. Now let&#8217;s examine what is presented to someone when they receive an email in a traditional phishing attack, which we know to be a very profitable endeavor for bad guys. (A <a href="http://cyveillance.com/web/forms/request.asp?getFile=112">recent study by Cyveillance</a> found that average attacks can cost millions of dollars in losses).  It really comes down to two things:</p>
<ul>
<li>The email is made to look like it comes from one&#8217;s bank or other business institution.</li>
<li>A call to action, where the recipient is asked to follow a link to a website online.</li>
</ul>
<p>Spear phishing takes things a step further by personalizing the email sent to the potential victim. The attack may address the victim by name or phone number (<a href="http://www.cyveillanceblog.com/phishing/creativity-and-sophistication-in-recent-phishing-attack">see example</a>), lending credibility to the attack and greatly increasing the likelihood that the recipient becomes a victim.</p>
<p>From a cyber criminal&#8217;s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of <a href="http://blippy.com/business/best-buy">purchases Blippy shows for Best Buy</a>, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:</p>
<p><i>Dear Johann Gonzales,</i></p>
<p><i>Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, <strong>click here</strong>&#8230;</i></p>
<p>Putting together such an email would require software to &#8220;scrape&#8221; information from Blippy and then send the message to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that the software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing one, for the sake of Blippy&#8217;s users, Blippy must plan ahead as if they are.</p>
<p><strong>Conclusion</strong></p>
<p>Currently banks reimburse users when they become victims of phishing attacks, but the financial industry often wonders at what point losses incurred during phishing attacks become the victim&#8217;s responsibility. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank&#8217;s fault?</p>
<p>Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a literal wealth of information for spear phishers. Luckily Blippy can take the simple measure of hiding usernames or otherwise removing any link to users&#8217; real names.</p>
<hr />
<p>As always, if you think you have received a phishing email, please send it to:</p>
<p></p>
<p align=center><b><a href="mailto:reportphishing@cyveillance.com">reportphishing@cyveillance.com</a></b></p>
<p></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/blippy-spear-phishing/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Report Phishing Attacks</title>
		<link>http://www.cyveillanceblog.com/phishing/report-phishing-email</link>
		<comments>http://www.cyveillanceblog.com/phishing/report-phishing-email#comments</comments>
		<pubDate>Fri, 15 Jan 2010 18:34:32 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=395</guid>
		<description><![CDATA[If you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Cyveillance will analyze the suspected phishing attack and take the necessary action to minimize the number of victims of the attack.
Background: What Are Phishing Attacks?
Phishing is a method online criminals use to try to gain access to the username and password you use [...]]]></description>
			<content:encoded><![CDATA[<p>If you think you have received a phishing email, please send it to:</p>
<p></p>
<p align=center><b><a href="mailto:reportphishing@cyveillance.com">reportphishing@cyveillance.com</a></b></p>
<p></p>
<p>Cyveillance will analyze the suspected phishing attack and take the necessary action to minimize the number of victims of the attack.</p>
<p><strong>Background: What Are Phishing Attacks?</strong></p>
<p>Phishing is a method online criminals use to try to gain access to the username and password you use for important online activities like banking and paying bills. The attackers will send an email that looks like it comes from places like your bank or financial institution. The email can look very real, and will provide a link for you to access your account online.</p>
<p>Unfortunately when you log in to your account using the link in that email (don&#8217;t!), you will have provided your username and password to criminals who will then use it to access your account and likely remove funds from your account.</p>
<p>Some types of companies that cyber criminals commonly try to impersonate to gain access to your account information:</p>
<ul>
<li>Banks</li>
<li>Credit unions</li>
<li>Online payment services like Paypal</li>
<li>Hosting companies (<a href="http://www.cyveillanceblog.com/general-cyberintel/hosting-companies-targeted-in-recent-phishing-attacks">see example</a>)</li>
<li>Software vendors (<a href="http://www.cyveillanceblog.com/phishing/software-updates-used-as-phishing-bait">see example</a>)</li>
<li>Utilities, like your gas, electric, or internet service provider (ISP)</li>
</ul>
<p><strong>Further Reading</strong></p>
<p>For a detailed analysis of the economics behind phishing attacks, please see <a href="http://www.cyveillance.com/web/forms/request.asp?getFile=112">Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/report-phishing-email/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Safety 101 Courses January 19</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/cyber-safety-101-class-training</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/cyber-safety-101-class-training#comments</comments>
		<pubDate>Tue, 12 Jan 2010 18:29:28 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=385</guid>
		<description><![CDATA[Here at Cyveillance we spend a lot of time educating our customers about threats to their business online. When time allows we also post information about such risks here on the Cyveillance Blog. As part of this effort to educate users about the risky online environment that exists out there, we are especially excited about [...]]]></description>
			<content:encoded><![CDATA[<p>Here at Cyveillance we spend a lot of time educating our customers about threats to their business online. When time allows we also post information about such risks here on the Cyveillance Blog. As part of this effort to educate users about the risky online environment that exists out there, we are especially excited about our upcoming, in-person classes that will be offered on <strong>January 19 in Reston, Virginia</strong>. Details are below. Hope to see you there!</p>
<p>Registration:</p>
<ul>
<li><a href="http://www.suretomeet.com/exec/gt/event.h,event=bbab6e4cffab">8:30AM &#8211; 12:30AM session</a></li>
<li><a href="http://www.suretomeet.com/exec/gt/event.h,event=bbcb8e6c11cb">1:00PM &#8211; 5:00PM session</a></li>
</ul>
<blockquote><p><strong>Description:</strong> Too often, &#8220;Cyber security&#8221; is seen as a technical matter and the purview solely of IT professionals. Unfortunately, it is both the machines and the users which are under attack. In Cyber Safety 101: An Introduction to Cyber Threats and Internet Risk, students are exposed in friendly, non-technical terms to the basic workings of the Internet and how criminals, scammers, adversaries, hackers and spies exploit those technologies, systems and, most of all, the users themselves in the insecure Cyber universe.</p>
<p>Learning from professionals with years of experience tracking and monitoring the &#8220;dark underbelly&#8221; of Cyberspace, you will learn how bad actors use the Internet to steal, impersonate, compromise and hijack not just funds and identities but entire networks and sensitive data. </p>
<p>From the teenage &#8220;script kiddy&#8221; draining Paypal accounts to the state-sponsored adversaries threatening our national security, you will see the scope, breadth, variety and sophistication of today&#8217;s online enemies, and learn how to protect yourself, your agency or enterprise, its data and its mission from the dark forces at work on the Internet. </p>
<p>When students leave this course they will:</p>
<ul>
<li>Have a solid understanding of how the Internet actually works, and the inherent vulnerabilities and weaknesses in the system we all rely on every day</li>
<li>Understand the sophistication of today&#8217;s online threats, and be much more adept at recognizing, stopping and avoiding those</li>
<li>Be better equipped to protect themselves, their hardware, and the data, systems and mission of the agencies and enterprises for which they work</li>
</ul>
<p><strong>Who Should Take This Course?</strong></p>
<p>This course is invaluable education for every federal or commercial knowledge worker whose PC, laptop, PDA or cell phone is connected to the Internet. As more and more systems and devices are permanently online, and as more agencies and enterprises incorporate Internet technologies into critical systems, the risks to these systems and the agencies and enterprises commensurately increase. </p>
<p>Today, every employee working online is a potential target. Every connected device is a potential entry point for a criminal, adversary or enemy of the country. And the risks are so new, so numerous and so sophisticated that education is absolutely vital to helping your staff safeguard your systems, data and business or mission.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/cyber-safety-101-class-training/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The U.S. Secret Service Electronic Crimes Task Forces</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/secret-service-ectf</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/secret-service-ectf#comments</comments>
		<pubDate>Tue, 15 Dec 2009 21:05:51 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=372</guid>
		<description><![CDATA[There has never been greater focus on the threat posed by attacks on our nation&#8217;s infrastructure. The Obama administration has prioritized defending the United States from cyber attack by online criminals and other countries. Indeed, in May the President noted that cybersecurity would be designated as one of his key management priorities.
In their role as [...]]]></description>
			<content:encoded><![CDATA[<p>There has never been greater focus on the threat posed by attacks on our nation&#8217;s infrastructure. The Obama administration has prioritized defending the United States from cyber attack by online criminals and other countries. Indeed, in May <a href="http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/">the President noted that cybersecurity would be designated as one of his key management priorities</a>.</p>
<p>In their role as protectors of private and public sector infrastructure, companies in the information security industry bear witness to intimate details of the attacks against critical resources we all rely on. Appropriately sharing such knowledge and data about these attacks is an important step in preventing future attacks.</p>
<p>The <a href="http://www.secretservice.gov/ectf.shtml">United States Secret Service&#8217;s Electronic Crimes Task Forces</a> were created to facilitate opportunities for such information sharing. Mandated by federal law signed by President Bush in 2001, the Electronic Crimes Task Force Initiative originally created ECTFs in eight metropolitan regions but has now grown to twenty-four task forces.</p>
<p>The Electronic Crimes Task Forces hold quarterly meetings where law enforcement at all levels, academia and the private sector gather to discuss trends and share information about recent threats and attacks.</p>
<p>As President Obama stated in his remarks in May, &#8220;This status quo is no longer acceptable &#8212; not when there&#8217;s so much at stake.  We can and we must do better.&#8221; Cyveillance encourages its colleagues, customers, and partners in the information security industries to participate in initiatives like the ECTF.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/secret-service-ectf/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Charitable Phishing Scams Grow Significantly During the Holiday Season</title>
		<link>http://www.cyveillanceblog.com/phishing/charitable-phishing-scams-grow-significantly-during-the-holiday-season</link>
		<comments>http://www.cyveillanceblog.com/phishing/charitable-phishing-scams-grow-significantly-during-the-holiday-season#comments</comments>
		<pubDate>Tue, 15 Dec 2009 19:06:07 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=377</guid>
		<description><![CDATA[Cyveillance advises consumers to exercise caution when making online charitable contributions.  See the full announcement here.
]]></description>
			<content:encoded><![CDATA[<p>Cyveillance advises consumers to exercise caution when making online charitable contributions.  See the full announcement <a title="Cyveillance Warns Consumers to Exercise Caution When Making Online Donations" href="http://www.cyveillance.com/web/news/press_rel/2009/2009-12-14.asp" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/charitable-phishing-scams-grow-significantly-during-the-holiday-season/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hosting Companies Targeted in Recent Phishing Attacks</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/hosting-companies-targeted-in-recent-phishing-attacks</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/hosting-companies-targeted-in-recent-phishing-attacks#comments</comments>
		<pubDate>Fri, 04 Dec 2009 20:44:29 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=317</guid>
		<description><![CDATA[Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:

As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/hosting-phish-email2.JPG"><img class="aligncenter size-thumbnail wp-image-321" title="hosting-phish-email" src="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/hosting-phish-email2-150x150.jpg" alt="hosting-phish-email" width="150" height="150" /></a></p>
<p>As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or her to the fake administrator’s Website below:</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/hosting-phish.JPG"><img class="aligncenter size-thumbnail wp-image-323" title="hosting-phish" src="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/hosting-phish-150x150.jpg" alt="hosting-phish" width="150" height="150" /></a></p>
<p>On the fake Website, the user is asked to provide login credentials. If the credentials are entered, the user effectively hands over access to every Website controlled by that specific login. Users can avoid falling victim to this attack by never clicking on the link within the emails and only accessing online applications directly through known Websites and pages.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/hosting-companies-targeted-in-recent-phishing-attacks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Search Results Poisoning Extends to Online Pharmacies</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/google-search-results-online-pharmacies</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/google-search-results-online-pharmacies#comments</comments>
		<pubDate>Thu, 03 Dec 2009 23:04:55 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=288</guid>
		<description><![CDATA[Tactic Used to Spread Malware Now Observed Hijacking Users, Pushing Them to Illegal Online Pharmacies
Less than three weeks ago, Cyveillance shared its discovery of Google search results that lead users directly to malware. In that exploit, cyber criminals infected websites and placed blog software on them that automatically posted pages that Google would later find, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Tactic Used to Spread Malware Now Observed Hijacking Users, Pushing Them to Illegal Online Pharmacies</strong></p>
<p>Less than three weeks ago, Cyveillance shared its discovery of <a href="http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results">Google search results that lead users directly to malware</a>. In that exploit, cyber criminals infected websites and placed blog software on them that automatically posted pages that Google would later find, index, and include in its search results. Users that clicked the links in Google’s search results were redirected to other sites that attempted to install malware on users’ computers.</p>
<p>Cyveillance has now observed the same tactic being used to drive traffic to illegal online pharmacies. Similar to before, cyber criminals have inserted blogging software on compromised pre-existing websites. The blog software automatically generates content like that found in the following image.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/fake-blog.jpg"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/fake-blog-300x187.jpg" alt="fake-blog" title="fake-blog" width="300" height="187" class="alignnone size-medium wp-image-291" /></a><BR><font size="1">The rogue blog posts content laden with references to the erectile dysfunction drug Cialis.</font></p>
<p>The rogue blog software notifies Google that new content is available, and Google&#8217;s crawlers visit the new content for inclusion in the search results it presents to users.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/Poisoned-Google-Results.jpg"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/Poisoned-Google-Results-300x187.jpg" alt="Poisoned-Google-Results" title="Poisoned-Google-Results" width="300" height="187" class="alignnone size-medium wp-image-295" /></a><BR><font size="1">Sites that are unknowingly hosting this version of the rogue blog software can be found with the Google search <code>allinurl:.store/cialis-online/index</code>.</font></p>
<p>If a user were to click on any of the results shown above or any other search results from the directory where the rogue blog is found on the compromised sites, they would be redirected to a site like traffic-analytics.net, which in turn would redirect them to an online pharmacy like the one below.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/online-pharmacy-RBN.jpg"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/online-pharmacy-RBN-300x187.jpg" alt="online-pharmacy-RBN" title="online-pharmacy-RBN" width="300" height="187" class="alignnone size-medium wp-image-297" /></a><BR><font size="1">Those who click on the poisoned results will be ultimately delivered to ultimatepharmsgather.com.</font></p>
<p><strong>Enter Glavmed, the Notorious Illegal Pharmacy Ring</strong></p>
<p>The site where these search results lead, ultimatepharmsgather.com, is part of the long-standing illegal online pharmacy network called <a href="http://spamtrackers.eu/wiki/index.php/Glavmed">Glavmed</a>. Believed to be related to the Russian Business Network (RBN), Glavmed is a long-standing Russia-based organization that relies on affiliates to market counterfeit pharmaceuticals.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/glavmed.jpg"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2009/12/glavmed-300x187.jpg" alt="glavmed" title="glavmed" width="300" height="187" class="alignnone size-medium wp-image-304" /></a></p>
<p>While Glavmed is perhaps best known for spam related to erectile dysfunction drugs like Viagra, Cialis, and Levitra, their sites also sell medications for body-building and heavy-duty painkillers.</p>
<p><strong>What&#8217;s New This Time?</strong></p>
<p>In our earlier report, a user could avoid being redirected to the malware drop site by not clicking on the link in the Google search results and instead typing the address of the link into their browser&#8217;s navigation bar. This time, typing in the link will still result in the user being redirected to the online pharmacy. This makes it harder for users to avoid being hijacked by the cyber criminals.</p>
<p>Further, last time it appeared that the middleman site that would perform the initial redirect to the malware drop site would change on a regular basis, almost daily. Since discovering the Google search results that lead to the online pharmacy, Cyveillance has observed the same redirector middleman site (traffic-analytics.net) and the same final destination (ultimatepharmsgather.com). Overall, this is a simpler scheme than before and should be easier to remove for the safety of internet users.</p>
<p><strong>Closing Thoughts</strong></p>
<p>The number of websites found that are unknowingly hosting these rogue blogs is relatively low at the moment. However, as described in our original post a few weeks ago, it would be naive to believe that those presented here are the only sites where this tactic is used by cyber criminals. Internet users should remember to exercise extreme caution when ordering medications online. The <a href="http://www.fda.gov/Drugs/ResourcesForYou/ucm078592.htm">US Food and Drug Administration lists steps consumers should take</a> when considering purchasing drugs online. Additionally, never order medications online from Glavmed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/google-search-results-online-pharmacies/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spike in Phishing Attacks on First Day of Thanksgiving Weekend</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/spike-in-phishing-attacks-on-first-day-of-thanksgiving-weekend</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/spike-in-phishing-attacks-on-first-day-of-thanksgiving-weekend#comments</comments>
		<pubDate>Wed, 02 Dec 2009 17:56:03 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=274</guid>
		<description><![CDATA[Cyveillance saw a significant spike in phishing threats on Thanksgiving Day, representing more than a 100 percent jump in attacks compared to the average number of phishing attacks seen in the previous weeks. This one-day spike in the number of phishing attacks is a tactic used by criminals around long holiday weekends, targeting [...]]]></description>
			<content:encoded><![CDATA[<p>Cyveillance saw a significant spike in phishing threats on Thanksgiving Day, representing more than a 100 percent jump in attacks compared to the average number of phishing attacks seen in the previous weeks. This one-day spike in the number of phishing attacks is a tactic used by criminals around long holiday weekends, targeting a variety of organizations ranging from major corporations to smaller businesses and credit unions.</p>
<p>The trend of phishers launching an increased number of attacks around Thanksgiving Day or Weekend is in line with trends of previous years. During the holiday season, users should practice extra caution when shopping and conducting business online. The potential for falling victim to phishing attacks can be minimized by never clicking on links within emails and only accessing online applications through known Web sites and pages.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/spike-in-phishing-attacks-on-first-day-of-thanksgiving-weekend/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New York Times Gets It Wrong: Phishing Does Hurt Us All</title>
		<link>http://www.cyveillanceblog.com/phishing/phishing-risk-online-banking</link>
		<comments>http://www.cyveillanceblog.com/phishing/phishing-risk-online-banking#comments</comments>
		<pubDate>Mon, 30 Nov 2009 19:49:31 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=245</guid>
		<description><![CDATA[The teaser appearing in the bottom corner of the New York Times print edition&#8217;s Sunday Business section looked promising: Phish foil. Digital Domain. The article’s title, Don’t Take This Bait (But You’re Safe If You Do), suggested there would be more coverage of phishing, a generic name for attempts by online criminals to gain [...]]]></description>
			<content:encoded><![CDATA[<p>The teaser appearing in the bottom corner of the New York Times print edition&#8217;s Sunday Business section looked promising: <em>Phish foil. Digital Domain</em>. The article’s title, <a href="http://www.nytimes.com/2009/11/29/business/29digi.html">Don’t Take This Bait (But You’re Safe If You Do)</a>, suggested there would be more coverage of phishing, a generic name for attempts by online criminals to gain internet users’ login credentials to online banking services by presenting them with fake login pages. Unfortunately, while Stross’ article did indeed discuss phishing and offered some tools internet users can use to keep their bank accounts safe online, the article’s main message completely misses the mark.</p>
<p>The article begins by relaying a close encounter that FBI Director Robert S. Mueller III had with a phishing attack. Although Mueller reportedly did not fall victim to the attack, Mueller emphasizes the lengths criminals go to gain access to one’s bank funds through email-based phishing attacks. Unfortunately, the crux of the article boils down to this:</p>
<blockquote><p>I’m not convinced, however, that online banking carries the high risk that Mr. Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I’m not particularly worried: I’m not on the hook for losses from fraud — my bank is.</p></blockquote>
<p>The article concludes by emphasizing that banking customers need not worry about falling victim to phishing attacks because virtually all financial institutions offer full remuneration in cases where unauthorized individuals access and remove funds from an online account.</p>
<p>At a very narrow and superficial level this premise is true and provides some comfort to victims of an attack. However, the reality of this situation is that every time a phishing attack succeeds, it has very negative side effects for all who use online banking. Yes, the bank whose user fell prey to the phishing attack is on the hook for the stolen funds, but we have learned all too well in the past eighteen months that even the largest financial institutions do not have infinite resources. Banks do not simply create money to compensate the victims of phishing attacks – those reimbursements come from insurance policies or income the bank generates from fees levied on its customers. When the banks’ insurance premiums increase or overall costs rise – as they do when their customers get phished – the increases are passed on to consumers.</p>
<p>Further, many victims of successful phishing attacks who have had their money stolen probably would not agree that there is “zero liability” to online banking. The time lost while reporting the attack to their banking institutions is time without access to funds they count on to be there. While banks make an effort to minimize the time phishing victims go without their funds, the process is not immediate and the customers may be left without money needed for critical expenses like food and housing.</p>
<p>The New York Times is to be commended for raising general awareness about the dangers of phishing attacks. But minimizing the impact of phishing is a dangerous message that only helps online criminals.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/phishing-risk-online-banking/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
