Report claims domain jacking is growing threat - FUD or new attack vector?
by Steve Ragan - May 18 2009, 21:10
Research from Web security vendor Websense says “domain-name cloning,” better known in some circles as domain jacking or cybersquatting, is a growing trend. It is legitimate research on Websense's part, for sure, but is the threat something new and dangerous, or is this a case of hype overshadowing real problems?
Domain-name cloning is simply a new name for an old trick: a site that hijacks the brand of a legitimate site for malicious ends, as seen in the recent phishing attacks on Facebook.
There are several ways to do this: embedding the target's name somewhere in the hostname is one; registering common misspellings (Facebok, anyone?) is another. Websense lists further examples, such as unblock.facebookproxy.com, buy.viagra.twitter.1234.com, and hotbabesofmyspace999.com, where the brand sits in a subdomain or inside a longer registered name rather than being the registered domain itself.
In the end, the results are the same: the attackers either capture credentials and other personal information, such as usernames and passwords, or they spread malware while borrowing the legitimate site's reputation as a platform of trust.
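The cases above reduce to a small rule set, shown here as an added Python example that is not from the article or from Websense. It splits a hostname into the label the attacker actually registers and the free-text labels to its left, then flags a brand appearing in either position, a brand hidden in the userinfo before an @ (which the browser ignores), or a registrable label within a couple of edits of a brand. The brand list, the tiny stand-in for the public suffix list, the verdict names, and the sample URLs other than the three Websense cites are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed inputs for the example: the brands the article names and a tiny
# stand-in for the public suffix list (a real deployment would load the full list).
BRANDS = ("facebook", "myspace", "twitter")
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_url(url):
    """Return (userinfo, subdomain labels, registrable label, public suffix).

    The registrable label is the one directly left of the public suffix; it is
    the only part the attacker has to register. Everything left of it is free text
    the attacker can set to anything, including somebody else's brand.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    userinfo = (parts.username or "").lower()
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return userinfo, labels[:-1], labels[-1], suffix
    labels = host.split(".")  # unknown suffix: treat the last label as the TLD
    if len(labels) < 2:
        return userinfo, [], host, ""
    return userinfo, labels[:-2], labels[-2], labels[-1]


def classify(url, max_typo_distance=2):
    """Classify how a URL's hostname relates to a protected brand.

    Returns (verdict, brand). Verdict names are assumptions for this example:
      brand-owned           registrable label is exactly the brand (assumed legitimate)
      brand-in-userinfo     brand sits before an @, so the browser never uses it
      brand-in-registrable  e.g. facebookproxy.com, hotbabesofmyspace999.com
      brand-in-subdomain    e.g. buy.viagra.twitter.1234.com
      typosquat             e.g. facebok.com (edit distance <= max_typo_distance)
      none                  no protected brand involved
    """
    userinfo, subs, reg, _suffix = split_url(url)
    for brand in BRANDS:
        if reg == brand:
            # Assumption: the bare brand label belongs to the brand owner. A real
            # detector would check an allowlist of the brand's registered domains.
            return ("brand-owned", brand)
    for brand in BRANDS:
        if brand in userinfo:
            return ("brand-in-userinfo", brand)
        if brand in reg:
            return ("brand-in-registrable", brand)
        if any(brand in label for label in subs):
            return ("brand-in-subdomain", brand)
        if edit_distance(reg, brand) <= max_typo_distance:
            return ("typosquat", brand)
    return ("none", None)


if __name__ == "__main__":
    # Constructed sample: the three Websense examples plus a few invented cases.
    samples = [
        "unblock.facebookproxy.com",
        "buy.viagra.twitter.1234.com",
        "hotbabesofmyspace999.com",
        "http://facebok.com/login.php",
        "https://www.facebook.com/",
        "http://facebook.com.evil-login.net/",
        "http://www.facebook.com@evil.com/login",
        "http://example.com/",
    ]
    for sample in samples:
        verdict, brand = classify(sample)
        print(f"{sample:45} {verdict:22} {brand}")
```

The edit-distance rule is deliberately loose and will also flag innocent near-misses (twister.com sits one edit from twitter), so in practice the typosquat verdict feeds a review queue or an allowlist rather than an automatic block; the other verdicts are precise enough to act on directly.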
"These new threats illustrate that attackers will continue to target Facebook, MySpace and Twitter, along with other social networking sites, for three reasons," said Charles Renert, senior director of advanced content research at Websense.
"First, these Web sites are popular so fraudsters are able to target lots of victims; second, people trust the content on it because they think it's from other people in their network; and third, they are easy to compromise because they allow anybody to create and post content," he added.
So here’s the question: is domain-name cloning a new threat? If it is, what can be done about it? As it happens, Websense has a solution:
"Traditional Web filtering is not enough to protect users from threats on trusted sites, and isn't enough to keep up with fraudsters generating new URLs almost instantaneously to avoid detection. Only real-time analysis of Web content can prevent users from being exploited by these attacks," commented Renert.
This is why, sometimes, marketing and hype will overshadow a larger problem. Websense is an awesome company when you want to implement gateway protection and Web filtering on your network. As an IT consultant, I’ve helped manage Websense installs and filters for several clients. What it does works; no one will argue that -- aside from competitors of course. Yet, Websense alone will not fix the problem of Phishing, and this domain-name cloning threat is nothing new at all.
The larger problem is uneducated users. You can filter and monitor your network as an admin until you turn blue in the face, but it will not stop your end users from exposing their personal social networking accounts. Phishing attacks are successful because end users are uneducated when it comes to knowing how Phishing attacks work, and why they work. They do not understand the level of expertise that goes into some of the Phishing kits used by criminals, nor do they care. Yet, none of the end users wants to be a victim.
So, what can be done about this? How do you educate a person who does not want an education on the risks? You can’t, and because of that IT security has shifted away from training and towards automatic defenses. Those defenses are often circumvented because of a fundamental flaw in the technology: they overlook the human element of security.
A human will need to manage the Web filter’s policy, such as keyword- or content-based filtering. A human will administer any exemptions to the filter’s rules, such as allowing executives to use social-networking portals, and a human will leak information via those portals. When this happens, personal information, and perhaps company information, is exposed.
Phishing can lead to more problems than someone hijacking your Facebook or Twitter account. Consider that most users reuse the same password across several accounts, then couple that with the fact that Google will dig up information on pretty much anyone. If the password used on Facebook is also used on a company VPN or a front-facing company intranet (as is often the case with SharePoint sites), what level of security problem are you faced with then?
None of these potential risks is solved with automatic security. The only way to prevent risks associated with Phishing is to educate those who are targeted. If you allow Facebook or Twitter to be used within the company network, then train the users on the ups and downs of this 'new' form of social interaction.
Since phishing has information gathering as its goal, teach the users what kind of information is gathered and how it can be combined with what is already available online to build a profile of them. When faced with a dossier built from a phishing attack and all the information they willingly give up online, most users will change their habits. Add the fact that some of that information could lead to a violation of company policy, and thus to loss of employment or serious harm to the company, and they will pay attention.
However, no two people are alike, and no two companies will have the same policy, so these types of training initiatives need to be tailored to the business itself and to the individual employee or group.
The only problem is that this is easier said than done, so IT tends to rely on automatic solutions for security. Solutions that are often circumvented because of a fundamental flaw in the technology... they overlook the human element...
Is there a pattern here?
The Tech Herald: Phishing and Facebook: Two things that go together
The Tech Herald: Phishing kits steal from customers