Thousands of Internet users are scammed out of their money and private information every day because of a sharp rise in look-alike domains. Omitting, replacing, or adding a single letter in a domain name can now land you on a fake website that installs malware to steal money and personal data.
E-commerce websites are the most affected by such scams. Because a fake site copies the entire design of the popular shopping website down to the smallest detail, a regular user is easily fooled into believing they are on the intended site and ends up sharing personal and financial information.
Only by carefully checking the URL can you tell whether a website is fake. For instance, a fraudulent copy of amazon.com may use the URL amason.com. If the user does not check the URL, they will definitely be scammed.
In an interview with NBC News, Nicolas Christin from the Carnegie Mellon University’s School of Computer Science said: “People suck at typing… You don’t pay attention to what you’re doing, and you wind up on one of these websites that’s impersonating the website you really wanted to go to,” while also adding that the reason such scams are popular is that “it’s low cost and high reward. And it does not require any technical expertise whatsoever… All you need to do is register the domain name that you’re targeting. For any given domain name, there are a number of typos that are easy to derive from it.”
To make matters worse, many of the fraudulent websites use Transport Layer Security (TLS) certificates, so the browser shows the same padlock as on the genuine site. A certificate only proves that the connection is encrypted to whoever controls that domain name; a domain-validated certificate says nothing about who that is. For an average shopper, though, the padlock looks good enough. Many firms feel that the organizations that issue TLS certificates should be made responsible for checking the authenticity of a website and catching the fraudulent ones. However, this may not be possible.
A look-alike domain for the U.S. shopping website NewEgg stole credit card information from the company’s customers for up to one month before it was caught and shut down. So, what can businesses do to catch fraudulent websites before they do any damage? Monitor certificate transparency logs.
“In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates,” HelpNet Security quotes Jing Xie, senior threat intelligence analyst for Venafi.
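The monitoring described above, as an added example that is not code from this article, from Venafi, or from any CT log service: it generates the typo variants of a brand domain (omission, substitution, insertion, transposition and a few look-alike letter pairs such as "rn" for "m"), then checks the subject names seen in certificate transparency log entries against them. The CT entries below are constructed sample data that include the amason.com and paypak.com examples from the text; the function names and the HOMOGLYPHS table are this example's own, and the registrable-domain helper assumes a two-label suffix (brand.com), not the full Public Suffix List.

```python
import string
from typing import Dict, List, Optional, Set

# Constructed sample of subject names as they might appear in CT log entries.
CT_LOG_SAMPLE = [
    "www.amazon.com",      # the brand's own certificate, must not be flagged
    "amason.com",          # single-letter substitution (from the article)
    "arnazon.com",         # "rn" stands in for "m"
    "amazon-deals.com",    # brand name embedded in a longer label
    "amazon.net",          # brand label under a different TLD
    "paypak.com",          # single-letter substitution (from the article)
    "login.paypal.com",    # genuine subdomain of the brand
    "secure-newegg.com",   # brand name embedded in a longer label
    "example.org",         # unrelated
]

# Hypothetical table of letter sequences that look alike in a browser address bar.
HOMOGLYPHS = {"m": ["rn"], "rn": ["m"], "l": ["1", "i"], "o": ["0"], "w": ["vv"]}


def typo_variants(label: str) -> Set[str]:
    """All one-edit variants of a domain label plus homoglyph swaps."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    variants: Set[str] = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                          # omission
        for c in alphabet:
            variants.add(label[:i] + c + label[i + 1:])                  # substitution
            variants.add(label[:i] + c + label[i:])                      # insertion
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for c in alphabet:
        variants.add(label + c)                                          # trailing insertion
    for src, dsts in HOMOGLYPHS.items():
        if src in label:
            for dst in dsts:
                variants.add(label.replace(src, dst))                    # look-alike letters
    variants.discard(label)
    # A label cannot be empty or start/end with a hyphen.
    return {v for v in variants if v and v[0] != "-" and v[-1] != "-"}


def registrable_domain(name: str) -> str:
    """Reduce a CT subject name to label.tld (assumes a two-label suffix)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(brand: str, ct_name: str) -> Optional[str]:
    """Return why a CT subject name looks like the brand, or None if it does not."""
    brand_label, brand_tld = brand.lower().split(".", 1)
    reg = registrable_domain(ct_name)
    label, tld = reg.split(".", 1)
    if reg == brand.lower():
        return None                      # the brand's own certificate
    if label == brand_label and tld != brand_tld:
        return "other-tld"
    if label in typo_variants(brand_label):
        return "typo"
    if brand_label in label:
        return "contains-brand"
    return None


def find_lookalikes(brand: str, ct_names: List[str]) -> Dict[str, str]:
    """Map each suspicious CT subject name to the reason it was flagged."""
    hits: Dict[str, str] = {}
    for name in ct_names:
        reason = classify(brand, name)
        if reason:
            hits[name] = reason
    return hits


if __name__ == "__main__":
    for brand in ("amazon.com", "paypal.com", "newegg.com"):
        for name, reason in find_lookalikes(brand, CT_LOG_SAMPLE).items():
            print(f"{brand}: {name} ({reason})")
```

The variant set for a six-letter label is a few thousand strings, so in practice it is precomputed once per monitored brand and each new CT entry is checked with a set lookup. Flagged names are a starting point for review, not proof of fraud: a legitimate reseller may register a "contains-brand" name, which is why the reason is returned alongside the match.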
Protecting data and money
As an Internet user, you need to be cautious when sharing any information about yourself, whether it is something as simple as your first name or an email address. Always double-check the URL before you type in sensitive information. If you are visiting paypal.com, read each letter of the URL and make sure that it is ‘paypal.com’ and not ‘paypak.com’ or something similar.
Remember to bookmark your most-used websites. That way you simply click the bookmark to reach the genuine site instead of typing the URL, which eliminates typos and with them the chance of landing on a fraudulent website.