Scammer’s Internet Domain Uses the Date to Mask Phishing Attack

Here are two internet domains: ee.co.uk and ee.co.uk.billing-update-jan02[.]info. They look alike, don’t they? You might even think they belong to the same domain.

However, the second URL is actually an alarming example of a new way to phish unsuspecting victims: Scammers have been incorporating the date into their malicious internet domains to help them spoof legitimate websites.

On Friday, UK-based computer expert Terence Eden blogged about the malicious domain after a scammer sent his wife a phishing attack in the form of a text message. The text pretended to come from local mobile carrier EE and said: “We were unable to process your latest bill. In order to avoid fees, update your billing information via https://ee.co.uk.billing-update-jan02[.]info domain.”

(The spoofed domain contains a look-alike login page for EE.)

Fortunately, Eden’s wife has no account with EE, so she wasn’t fooled. Nevertheless, he was surprised that the URL contained the letters “jan02,” the same date the text message was sent to his wife. That made the message look even more convincing, given that EE’s official domain is ee.co.uk.

“If you’re stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be? A quick look at the (URL) shows a trusted domain at the start—followed by today’s date,” he wrote in his blog post.

But in reality, ee.co.uk.billing-update-jan02[.]info is an entirely separate domain. The telltale sign is the “.info” at the end of the URL. However, an unsuspecting victim could have easily overlooked it and instead paid attention to the “ee.co.uk” at the start of the URL, and assumed the domain to be legit.
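The check a mail or SMS filter can apply to this trick, as an added example that is not part of the original article: find the registrable domain (the public suffix plus one label) and flag hosts where a trusted name only appears further to the left. The suffix set, the trusted list and all function names are assumptions made for this sketch; real code should load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, minimal suffix set so the example runs offline (assumption).
# Production code should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"uk", "co.uk", "info", "com"}

# Hypothetical allow-list of brand domains to protect.
TRUSTED_DOMAINS = {"ee.co.uk"}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname, accepting defanged '[.]' input."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str):
    """Longest matching public suffix plus one label to its left."""
    labels = host.split(".")
    for i in range(1, len(labels)):  # i ascending = longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def classify(url: str):
    """Return (verdict, registrable_domain) for a URL or bare hostname."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    # A trusted name appearing as whole labels inside the host, while the
    # registrable domain is something else, is the trick described above.
    for brand in TRUSTED_DOMAINS:
        if f".{brand}." in f".{host}.":
            return "lookalike", reg
    return "unrelated", reg


if __name__ == "__main__":
    for sample in ("https://ee.co.uk/login",
                   "https://ee.co.uk.billing-update-jan02[.]info",
                   "coffee.co.uk"):
        print(sample, "->", classify(sample))
```

Matching on whole labels keeps an unrelated host such as coffee.co.uk from being flagged just because it ends in the same characters.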

Not helping matters, the malicious domain obtained an SSL certificate from Let’s Encrypt, a non-profit certificate authority. As a result, the domain will show an https:// encrypted connection, which can also fool users into thinking it’s a scam-free site.

“Money and technical expertise used to be strong barriers to prevent people from registering scam domains. But those days are long gone. There are no technical gatekeepers to keep us safe. We have to rely on our own wits,” Eden added.

The good news is that browsers have already flagged ee.co.uk.billing-update-jan02[.]info as a malicious domain, and will warn users against visiting it. However, the domain itself is still up. If you do visit it, you’ll see a look-alike but fake EE login page, which is likely designed to steal your email address and password. Let’s Encrypt didn’t immediately respond to a request for comment on why an SSL certificate was given to the domain.

Article source: https://www.pcmag.com/news/372831/scammers-internet-domain-uses-the-date-to-mask-phishing-att