The Coming Internet Sting: Counterfeit Ecommerce Sites

By Jim Reavis | Dec 5, 2000 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/625141/The-Coming-Internet-Sting-Counterfeit-Ecommerce-Sites.htm

The multitude of high profile virus outbreaks that have occurred since the "Big Bang" of Melissa over a year ago seem to prove that either users are not getting any more careful or that virus authors are getting even better at promoting their "warez." While these viruses undeniably cause tremendous financial damage in terms of lost productivity and downtime, there has not been any monetary benefit to any sort of criminal group. These have been widespread acts of vandalism.

The major spate of distributed denial of service attacks in February 2000 also demonstrated the ability of a small group or even a single person to control significant portions of Internet traffic for the purpose of creating havoc and nothing else. What seems inevitable is for more profit-oriented hackers to enter the fray, and combine the inherent weaknesses in both the Internet infrastructure and the people that use it to find lightning-quick swindling opportunities.

A likely candidate vulnerability that we have already seen a few examples of is the Counterfeit Ecommerce Site Scam.

"If you are a bad guy, you can try to break into a bank or an ecommerce site via the Net ... [but] from the criminal's perspective, there is always the risk of tripping an intrusion detection system's "silent alarm.""

Of course, several types of criminal and fraudulent activities have been taking place since the commercialization of the Internet began taking place several years ago. If you are a bad guy, you can try to break into a bank or an ecommerce site via the Net, looking for a database of credit card numbers or savings accounts, or if you are extremely lucky (or good), you can gain access to an internal host program to authorize transactions, transfers, etc. These will always be good targets - that's where the money is, and even though these businesses will continually strengthen their defenses, there will always be weaknesses to exploit.

However, from the criminal's perspective, there is always the risk of tripping an intrusion detection system's "silent alarm," and the time it takes to successfully "crack" a site may leave a large amount of incriminating log file data for a forensics expert to use in tracking the perpetrator down.

Another common Internet scheme is to simply set up a fraudulent Web site. Maybe the site purports to be a legitimate ecommerce site, taking orders from naïve consumers for widgets that will never be delivered. Or perhaps it is some sort of a pyramid scheme, appealing to a person's own greed as a way to separate them from their cash.

These are scams that will have a longevity that matches the number of gullible users out there. They will always be with us, but from the criminal's perspective there are downsides - the longer the duration with which the site is operational and promoted will increase the returns, but also the risk of being caught.

It is really pretty natural for traditional criminal activities to find their way online in one way or another. Counterfeiting is one such activity that can take many forms on the Internet. Counterfeiting a popular Web site and finding ways to drive large volumes of traffic to it in a very short timeframe is a quite feasible method to embezzle huge sums of money in literally minutes. We have seen some attempts at this already, and awareness should be raised into understanding how to prevent or trace this type of activity.

First, the bad guy needs to pick a target Web site to counterfeit. The basic criterion is that the site should be some type of an ecommerce site where people are used to entering credit cards, passwords or similar information. The more popular the site is, the easier it will be to gain the user's trust in a cloned site. Popularity will also give the criminal more options for driving traffic to their "knockoff."

Next, the bad guy needs to create the copy of the real site. Any time you access a Web site, you are downloading that page's contents. There are a wealth of tools available to automate the process of copying a Web site. While many Web site operators try to filter out and prevent robotic tools from copying their site, it is fairly impractical to stop a determined individual from disguising their requests and getting the data they are after.

If you think it would be impossible to create a perfect counterfeit of a highly complex ecommerce site that sells over 100,000 unique items, you would probably be right. However, a clone does not have to be perfect to fool some of the people some of the time. Perhaps the site you think you can trust is asking for credit card numbers up front today, for a special prize drawing, or to issue gift certificates. If the bad guy can accomplish this, there is little need to duplicate the rest of the site.

Of course, a phony Web site will have its own telltale signs: the web address will probably be incorrect in the browser's address bar; the server certificate will most definitely have the incorrect name (obtained by double-clicking on the lock when accessing secured pages). However, if you are diligent about checking these things on every site you visit, you are the member of a distinct minority.

The next challenge for the criminal is to find a way to drive substantial traffic to the counterfeit Web site in a short period of time. This can be done through both technical and social engineering means.

"However a DNS server is compromised, once this is accomplished, it can be configured to translate addresses many different ways."

From a technical perspective, corrupting a few domain name service (DNS) servers is one method to send users in the wrong direction. DNS, the system used to translate addresses like www.somestore.com to machine-usable IP addresses, has been found to have numerous vulnerabilities over the years that could be exploited to hand out incorrect addresses. In fact, in the summer of 1997, a gentleman named Eugene Kashpureff redirected all of the traffic destined to Network Solutions' InterNIC, the keeper of master DNS servers, to his own Alternic.net service.

While DNS software is continually improved and updated, no one is claiming that it is defect-free - it is only free of known defects. Furthermore, the compatibility required to make the Internet the pervasive medium it is means that these upgrades are voluntary, not mandatory. If the DNS software is robust on a particular system, it may be that there are other vulnerabilities on the system lending itself to being "rooted."

However a DNS server is compromised, once this is accomplished, it can be configured to translate addresses many different ways. Rather than referring requests to the proper DNS server for somestore.com, it could be programmed to think it is the somestore.com DNS server. It could then be telling the user's computer to go to the fake site when they type www.somestore.com. These are only a few examples, but there are really a lot of possibilities when it comes to finding a way to exploit the technology to corrupt DNS.

Of course, beyond finding a way to corrupt DNS servers via hacking, it is always a possibility to "corrupt" the administrator of a DNS server via social engineering. (Disclaimer: all the DNS administrators I know personally are good people who pay their taxes, obey traffic signals and love their mothers). However it is done, if a criminal targets a few heavily used DNS servers at large ISPs, or several medium-sized DNS servers, they have the capability to send a spike of traffic to their own counterfeit Web site. Ideally, from the bad guy's perspective, they would like these servers to be set up as "DNS Zombies," controlled by a central computer which tells them when to start spewing out the incorrect addresses - much like the Zombies that were unwitting agents in the denial of service attacks against Yahoo and eBay.

Another method to drive traffic to a counterfeit Web site is via unsolicited commercial email. By sending out spam disguised as a legitimate message from a popular ecommerce site, it is possible to lure the careless user into going to the fake site. In July, this tactic was used to snare users of PayPal, the popular Internet payment service. The spam message lured users to a deceptively similarly-named site with the promise of a big payment coming their way. The idea was that the scam artist could then use the stolen passwords to clean out the users' accounts. There isn't any evidence of innocent people losing money in this case, but many people admitted being tricked into giving up their passwords. A trick the scammer used to lend credibility in this case was to register PayPai.com, then capitalize the "i" to make the URL look virtually indistinguishable from the real thing.

"While a counterfeit ecommerce site sting can take quite a while to plan, it can be executed, start to finish, in minutes."

While a counterfeit ecommerce site sting can take quite a while to plan, it can be executed, start to finish, in minutes. From redirecting traffic to capturing personal data to laundering that data into hard currency, the speed of this type of crime is frightening from an investigative standpoint. What is more, no alarm bells go off at the real Web site that is being impersonated.

There you have it. The state of the Internet is such that the ability to counterfeit Web sites for fun and profit is within reach. While there are certainly imperfections in counterfeiting Web sites, which an alert user will detect, that still leaves plenty of room for a lot of people who are either too inexperienced or hurried to catch a fake. Common sense says that the presence and publicity of the Melissa virus would have made the ensuing "LoveLetter" virus less likely to be successful, but that was not the case. I am actually waiting for these two ideas to intersect, and instead of getting a "LoveLetter" from my co-worker, I get a message from someone I know with a hyperlink to a gift for me to pick up at www.somest0re.com. Hopefully, in the future people will be more careful about how they shop online than they have been opening email attachments.


SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
http://www.SecurityPortal.com
The Focal Point for Security on the Net (tm)