Have you ever entered in the wrong URL and get that lovely browser message saying that it cannot find what you are looking for? Lucky for you, that was all you got. Lets say that you accidentally typed in the name of your bank incorrectly but this time a page loaded that looks just like you bank. Would you have noticed that the URL is incorrect? Might you have thought that the bank just bought the mis-typed URL so that they can redirect you and make it easier on you? What if that incorrect URL was actually not your bank at all?
The case of a URL being squatted on with a fake website is a real security threat. It is also a very hard threat to protect against. While it may be easy to say bankone.com is allowed and bnakone.com is not allowed, it can be a bit harder to say that bank1.com is or is not allowed. A lot of this can be taken care of my making sure that users are educated and the HTTPS portion of the URL is looked for when loading a page. Really the best answer would be to have the end user educated. If something doesn’t look right, then STOP. Make a phone call to the financial institution or an email to the company saying you want to verify if the URL you loaded is right for the company.
A big question at this point is if the invalid site, the copy, is easily recognized as a fake website. Sometimes yes and sometimes no depending on the level of complexity by the bad guy. The site may be setup with a simple splash page mimicking the original and that is all. It could also be setup with all links working correctly and takes you to more fake pages. The most simple way to verify real or fake is the URL at the top and every financial institution would have the ‘lock’ for secured with SSL. The reality of it is that this impacts most people that are not security savvy. They simply want to load their supposedly secure website and then move on.
One more item of concern here is the hosts file on your computer. A little story here is some fun I had with a co-worker. Playing a trick on them, we changed their hosts file to point google.com, yahoo.com, etc etc to another server in our network that made it look like their system was hijacked. Based on the way the system was reacting, with only specific websites doing this, it was obvious that the hosts file was modified. He was one hundred percent convinced that his system had a major virus and he had wiped the system within the hour. Long story short I got called away for a bit and was not there to let him in on the prank and thus not able to prevent him from wiping his system. Lets break this down though. I could have used the exact same method to re-route his URL requests to a server of my own. The major difference here is that the URL WOULD BE CORRECT. It wouldn’t have the lock for being secured with SSL but everything else would LOOK ok. This method for a remote bad guy is not quite as ideal though as their method can be easily identified. They lose access to your system, then their fake website goes offline, you immediately see the page no longer loads and start investigating. Plus you have a record of the fake servers IP address to block moving forward.
No comments:
Post a Comment