The Coming Internet Sting: Counterfeit Ecommerce Sites - Page 2

 By Jim Reavis
Page 2 of 2   |  Back to Page 1
Print Article

Next, the bad guy needs to create the copy of the real site. Any time you access a Web site, you are downloading that page's contents. There are a wealth of tools available to automate the process of copying a Web site. While many Web site operators try to filter out and prevent robotic tools from copying their site, it is fairly impractical to stop a determined individual from disguising their requests and getting the data they are after.

If you think it would be impossible to create a perfect counterfeit of a highly complex ecommerce site that sells over 100,000 unique items, you would probably be right. However, a clone does not have to be perfect to fool some of the people some of the time. Perhaps the site you think you can trust is asking for credit card numbers up front today, for a special prize drawing, or to issue gift certificates. If the bad guy can accomplish this, there is little need to duplicate the rest of the site.

Of course, a phony Web site will have its own telltale signs: the web address will probably be incorrect in the browser's address bar; the server certificate will most definitely have the incorrect name (obtained by double-clicking on the lock when accessing secured pages). However, if you are diligent about checking these things on every site you visit, you are the member of a distinct minority.

The next challenge for the criminal is to find a way to drive substantial traffic to the counterfeit Web site in a short period of time. This can be done through both technical and social engineering means.

"However a DNS server is compromised, once this is accomplished, it can be configured to translate addresses many different ways."

From a technical perspective, corrupting a few domain name service (DNS) servers is one method to send users in the wrong direction. DNS, the system used to translate addresses like www.somestore.com to machine-usable IP addresses, has been found to have numerous vulnerabilities over the years that could be exploited to hand out incorrect addresses. In fact, in the summer of 1997, a gentleman named Eugene Kashpureff redirected all of the traffic destined to Network Solutions' InterNIC, the keeper of master DNS servers, to his own Alternic.net service.

While DNS software is continually improved and updated, no one is claiming that it is defect-free - it is only free of known defects. Furthermore, the compatibility required to make the Internet the pervasive medium it is means that these upgrades are voluntary, not mandatory. If the DNS software is robust on a particular system, it may be that there are other vulnerabilities on the system lending itself to being "rooted."

However a DNS server is compromised, once this is accomplished, it can be configured to translate addresses many different ways. Rather than referring requests to the proper DNS server for somestore.com, it could be programmed to think it is the somestore.com DNS server. It could then be telling the user's computer to go to the fake site when they type www.somestore.com. These are only a few examples, but there are really a lot of possibilities when it comes to finding a way to exploit the technology to corrupt DNS.

Of course, beyond finding a way to corrupt DNS servers via hacking, it is always a possibility to "corrupt" the administrator of a DNS server via social engineering. (Disclaimer: all the DNS administrators I know personally are good people who pay their taxes, obey traffic signals and love their mothers). However it is done, if a criminal targets a few heavily used DNS servers at large ISPs, or several medium-sized DNS servers, they have the capability to send a spike of traffic to their own counterfeit Web site. Ideally, from the bad guy's perspective, they would like these servers to be set up as "DNS Zombies," controlled by a central computer which tells them when to start spewing out the incorrect addresses - much like the Zombies that were unwitting agents in the denial of service attacks against Yahoo and eBay.

Another method to drive traffic to a counterfeit Web site is via unsolicited commercial email. By sending out spam disguised as a legitimate message from a popular ecommerce site, it is possible to lure the careless user into going to the fake site. In July, this tactic was used to snare users of PayPal, the popular Internet payment service. The spam message lured users to a deceptively similarly-named site with the promise of a big payment coming their way. The idea was that the scam artist could then use the stolen passwords to clean out the users' accounts. There isn't any evidence of innocent people losing money in this case, but many people admitted being tricked into giving up their passwords. A trick the scammer used to lend credibility in this case was to register PayPai.com, then capitalize the "i" to make the URL look virtually indistinguishable from the real thing.

"While a counterfeit ecommerce site sting can take quite a while to plan, it can be executed, start to finish, in minutes."

While a counterfeit ecommerce site sting can take quite a while to plan, it can be executed, start to finish, in minutes. From redirecting traffic to capturing personal data to laundering that data into hard currency, the speed of this type of crime is frightening from an investigative standpoint. What is more, no alarm bells go off at the real Web site that is being impersonated.

There you have it. The state of the Internet is such that the ability to counterfeit Web sites for fun and profit is within reach. While there are certainly imperfections in counterfeiting Web sites, which an alert user will detect, that still leaves plenty of room for a lot of people who are either too inexperienced or hurried to catch a fake. Common sense says that the presence and publicity of the Melissa virus would have made the ensuing "LoveLetter" virus less likely to be successful, but that was not the case. I am actually waiting for these two ideas to intersect, and instead of getting a "LoveLetter" from my co-worker, I get a message from someone I know with a hyperlink to a gift for me to pick up at www.somest0re.com. Hopefully, in the future people will be more careful about how they shop online than they have been opening email attachments.

SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)

This article was originally published on Dec 5, 2000
Get the Latest Scoop with Networking Update Newsletter