Security Sentinel: Website Spoofing 101
By Toni McConnel, Contributing Editor

This is the second in a series of columns on “spoofing.” A spoofed website is one that is designed to look like the site of a legitimate bank, credit card company, or other business, but in actuality it has been created by a scammer to collect personal information from visitors lured to the site, usually through an e-mail that is also spoofed to look like it comes from the legitimate institution. Once this information is collected, the scammer can use it to buy things with the victims' credit cards, access their bank accounts, and establish false identities. Website spoofing is a growing phenomenon, and it puts consumers at considerable risk of identity theft and credit card fraud.

This summer PayPal, a company that offers online payment services, was the victim of such a scheme. E-mails were sent to an unknown number of people (probably a spam mailing list) advising that, due to a “recent system flush,” customers' billing and personal information were temporarily unavailable. Recipients were then told that they must verify their identities by visiting the site or risk having their accounts canceled. The spoof site was designed to look exactly like PayPal's real site. Visitors were presented with a form that asked for information such as Social Security number, driver's license number, date of birth, and credit card information. This is a typical setup for a spoof site.

In my last column I suggested that all it takes to spot these bogus e-mails is to look at the return address, since the slew of such e-mails I have received over the last few months were easily identified in that way. But the return address on the PayPal scam e-mails was paypal-billingnetwork.net, close enough to the real thing to lure gullible people into responding. And of course the URL of the spoof site was the same. (By the way, the paypal-billingnetwork.net domain name is now for sale by DomainDeluxe.com. Want it?)
Identity theft cost consumers and businesses $53 billion in 2002, according to the Federal Trade Commission. That's about a third of the federal deficit for that year! Only about 20% of that figure is attributed to Internet fraud and computer invasion, but the percentage is likely to grow quickly as criminals find out how easy it is to set up a bogus site and lure people to it. So easy, in fact, that you and I could do it.

To prove how easy it is, here's an experiment I did as I wrote this column. I went to a domain name registrar's site and discovered that for $15 each I can own the domain names Wellsfargo-customerservice.com, BankofAmerica-customerservice.com, and Citibank-customerservice.com. Also available are AmericanExpress-customerservice.com and CapitalOne-customerservice.com. If I register the sites, I have to provide personal information such as name, street address, and contact information. As a purported security measure, no domain registrar will complete a transaction until it has verified your e-mail address by sending you a message with a link you must click to return to a special page on its site. At that point, you are validated, from the registrar's point of view. It doesn't matter if your name and address are false; they don't check those.

However, this procedure offers no security whatsoever against fraudulent registration. Here's why: the next thing I did was sign up with Runbox for a 30-day free trial of their e-mail service. I used the name "Trudy Hacker" and gave my address as 123 Main Street, Anywhere USA; I was not asked for my e-mail address. It's possible that behind the wall they collected my IP address (always visible to the sites you visit) and will keep it with my account, but I doubt it. As double protection, though, I could guarantee that my identity would be hidden by using a public library computer to sign up.
In sum, I can register the domain name [anybankorcreditcard]-customerservice.com using the Runbox e-mail address, wait for the confirmation message from the domain registrar, verify the purchase, and I would not be traceable. Aha! you say, I have to pay for the registration using a credit card, and that's traceable. But not if I use a credit card I have already stolen! I didn't carry my experiment that far, but all I'd have to do is spend a few hours raiding dumpsters until I found a credit card receipt and I'd have my bogus credit card account. (Have you ever noticed that some restaurants print your entire credit card number on the copy of the charge ticket you sign? Do you keep those, or throw them away? If you throw them away, do you bother to shred them first? Dumpsters and trash cans are a major resource for identity thieves.)

All I need to do now is purchase anywhere from 50 to 200 million e-mail addresses for $100 to $150 (depending on the source) and I'm in the identity theft business. I have to know how to create a web page, of course, and copy the design of the legitimate site I am spoofing, and create a form for people to fill in, but these are minimal skills for people who have web sites. Total cost: $165 tops and a few hours of my time. Total potential profit: incalculable, depending on how many of those 50-200 million people are gullible enough to buy the story in my spoof e-mail.

Which raises the question, how many people are that gullible? One security professional I talked to believes that the public has become more savvy, especially about spam e-mails. But I am not so confident. Remember when a class-action suit was brought against Publishers Clearing House for misleading people about the sweepstakes? The lawsuit got a lot of publicity, and those who had bought into the sweepstakes dream had plenty of information that should have disenchanted them.
Yet I saw story after story in the media of people who knew about the lawsuit but were still buying thousands of dollars worth of subscriptions every year in the hope of winning. If your spoof e-mail is going to 50 million people and only one person in every 10,000 is naive or gullible, that's still 5,000 potential victims! But you and I know the percentage is much, much higher than that. If there weren't hordes of people who are easily taken in, Las Vegas would dry up and blow away. You have to be pretty gullible to respond to an e-mail that purports to be from Citibank when the return address is (the actual return address on one of the recent Citibank spoof e-mails), but be honest with yourself: if the scammer had been intelligent enough to register and use Citibank-customerservice.com, wouldn't you have been more likely to take the e-mail seriously?

Much of the problem lies in the fact that Internet services and businesses are not regulated and held accountable to the degree that other businesses are. For example, you can't get a P.O. box unless you prove your identity, and even then your street address has to be verified by the post office. My private mailbox service has the same requirements. I am sure that domain registrars are quite aware that the e-mail verification system they use is easy to get around. And e-mail services such as Runbox don't even bother to pretend to check identity. So part of the problem is lack of moral responsibility on the part of the services that are exploited by scammers. Many of these services actually cater to such people.

One solution I envision is a new system of personal identification where everyone is registered for an encrypted digital signature the day they enter school, since kindergarteners are now using computers. All businesses selling goods or services over the Web would have to require this signature, making it much harder, if not impossible, for people to pull off the kind of scams I am talking about.
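The column's point is that paypal-billingnetwork.net and Citibank-customerservice.com carry a brand name but are not the brand's own domain. The check below, an added example rather than anything from the column or from PayPal or Citibank, flags a sender address or URL whose host contains a brand keyword while its registrable domain is not one the brand owns; the allowlist and sample addresses are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> registrable domains the brand actually owns.
# Illustrative values only; a real filter loads these from a vetted source.
LEGITIMATE_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
    "wellsfargo": {"wellsfargo.com"},
    "bankofamerica": {"bankofamerica.com"},
    "americanexpress": {"americanexpress.com"},
    "capitalone": {"capitalone.com"},
}

# Constructed sample inputs of the kinds the column describes.
SAMPLE_INPUTS = [
    "billing@paypal-billingnetwork.net",
    "service@paypal.com",
    "http://Citibank-customerservice.com/verify",
    "http://www.paypal.com.example.net/login",
]


def extract_host(value: str) -> str:
    """Lower-cased host of an e-mail address, bare domain, or URL."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:      # e-mail address
        return value.rsplit("@", 1)[1]
    if "://" not in value:                       # bare host such as 'www.paypal.com'
        value = "http://" + value
    return urlparse(value).hostname or ""


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumes single-label public suffixes, not 'co.uk')."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_lookalike(value: str):
    """Return the brand the host trades on when its registrable domain is not one the
    brand owns, else None. Punctuation is stripped before matching, so both
    'paypal-billingnetwork.net' and a 'paypal.com.<other>' subdomain are caught."""
    host = extract_host(value)
    reg = registrable_domain(host)
    compact = re.sub(r"[^a-z0-9]", "", host)
    for brand, owned in LEGITIMATE_DOMAINS.items():
        if brand in compact and reg not in owned:
            return brand
    return None


if __name__ == "__main__":
    for item in SAMPLE_INPUTS:
        print(f"{item!r:45} -> {brand_lookalike(item) or 'no brand look-alike'}")
```

The heuristic only catches hosts that embed a brand keyword; a misspelled brand or a host that relies solely on a deceptive path is outside its scope.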
But I don't expect to see this anytime soon; our government is peculiarly reluctant to take action to regulate the Web. The Internet is still a virtual frontier territory with a frontier mentality. Lawlessness is as pervasive as it was in the Old West, and for the same reason: so far there are no regulatory agencies in place that are adequate to deal with it. In this case, the territory is so vast that imposing "law and order" is a task so huge that no one can quite figure out how to deal with it, especially since on the Internet it is often impossible to know where on the planet any individual may be located. We are living in a world that in important ways no longer has any national boundaries, but our government still clings to the idea that it can act as if we are separate nations. Until this situation changes, the first line of defense against Internet scams is a wary and educated consumer.

In addition to being a contributing editor for iAppliance Web, Toni McConnel is a freelance writer specializing in ghosting contributed articles for high-tech magazines. You can contact her at . Comments on this column are welcome.