Terence Eden published a blog post yesterday pointing out a new variant of fake domain attacks. You receive an email or SMS from your bank or another service you use. Within that message is a seemingly legitimate URL, encouraging you to change your password or update your information, but the URL points to a fake page that is used to “phish” your login information by sending it to the attacker instead of the website it’s posing as.
The new variant of this attack seems to be using date-based domain names. Eden posted a screenshot showing a text message his wife received, supposedly from British telecom provider EE. The message reads: “EE: We were unable to process your latest bill. In order to avoid fees, update your billing information via https://ee.co.uk.billing-update-jan02.info”
According to Eden and the comments, this message looks very standard and convincing. What’s particularly eerie about the URL is that the first part looks perfectly legitimate, since https://ee.co.uk does indeed point to the ISP’s website, making the rest of the URL look like a page hosted under the official site. Of course, the registered domain in question here is actually billing-update-jan02.info; “ee.co.uk” is only the leading part of a subdomain the attacker created under it, which is why the browser connects to the attacker’s server, not EE’s. The domain even includes the current date, making it look even more convincing at first glance.
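A small checker, added here as an illustration and not taken from Eden’s post, that shows why the trick works: a browser resolves the registrable domain from the right-hand end of the hostname, so the familiar labels on the left carry no authority. It uses a deliberately tiny, constructed stand-in for the Public Suffix List and a constructed list of brand domains to protect; a real deployment would load the full list from publicsuffix.org.

```python
import re
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List (assumption for
# this example). A real checker loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "info", "net", "org", "uk", "co.uk", "org.uk"}

# Brand domains a defender wants to watch for (constructed for this example).
PROTECTED_DOMAINS = {"ee.co.uk"}

# A month abbreviation followed by a day number, e.g. "jan02" as in the SMS.
# Heuristic only: "may" also matches ordinary words such as "mayor".
DATE_LABEL = re.compile(r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\d{1,2}", re.I)


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label) of host.

    Labels are examined from the left so the longest public suffix wins,
    e.g. "co.uk" rather than "uk" for "ee.co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The host itself is a bare public suffix; nothing is registrable.
            return host.lower() if i == 0 else ".".join(labels[i - 1:])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:])


def assess(url: str) -> dict:
    """Report which domain really controls a URL and why it looks suspicious."""
    host = (urlsplit(url).hostname or "").lower()
    real = registrable_domain(host)
    findings = []
    for brand in PROTECTED_DOMAINS:
        # The brand's own domain appearing as labels *inside* someone else's
        # hostname (".ee.co.uk." within ".ee.co.uk.evil.info.") is the tell.
        if real != brand and f".{brand}." in f".{host}.":
            findings.append(f"brand {brand} appears as a subdomain of {real}")
    if DATE_LABEL.search(real):
        findings.append(f"registrable domain {real} contains a date-like label")
    return {"host": host, "registrable": real, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for u in ("https://ee.co.uk.billing-update-jan02.info", "https://ee.co.uk/account"):
        print(assess(u))
```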
Eden said that they caught on because his wife does not in fact use EE’s services. “By the time I [went] to inspect it, major browsers were already blocking the site as suspicious,” he said.
He pointed out that this is enabled not only by the extremely low cost of purchasing a throwaway domain name like this one, but also by the existence of Let’s Encrypt, which provides free SSL/TLS certificates, allowing the website to use an encrypted connection over HTTPS and show “the lock” in the address bar of the browser.
The purpose of an SSL/TLS certificate is not to verify who is behind a website, but to secure the connection to it: a domain-validated certificate only confirms that whoever requested it controls that domain name. This makes the lock icon meaningless as a sign of legitimacy in this case, but likely useful in convincing unsavvy visitors that the site is genuine.