Something Wicked This Way .coms: this sure seems like a big hole in the web

1 points by code_Whisperer ↗ HN
Here's the TL;DR of an earlier post: I accidentally mistyped a domain name configuration value while updating a website and found what I feel is a phishing op. If you take any .com domain, and add a second.com to the end (I do NOT recommend actually trying this unless you know what you are doing) you will see what appears to be a typo phishing operation.

My question: is this well known? Because I've never seen it written up before when I peruse web security stuff. For the full write-up of my experience and an associated screenshot check out: http://www.oldirtyhacker.com/something-wicked-this-way-coms

4 comments

[ 4.2 ms ] story [ 15.0 ms ] thread
It is well-known. uBlock blocks anything ending in ".com.com" by default. It's on most badware block lists.

It's not a hole in the web any more than people accidentally typing "fcaebook.com" is a hole in the web. It's just someone exploiting user error, not unlike domain squatting. If you hit "CTRL+ENTER" in most browsers' address bars, they used to blindly append ".com" onto the domain name. If you typed "facebook.com" and then hit CTRL+ENTER, you'd get to facebook.com.com. As far as I know, all browsers have fixed that.

This isn't actually phishing (as far as I know) because it's not trying to trick you into thinking you've gone to the correct website. It's just a malware distribution page.

I believe OpenDNS also blocks this, for the record.

One of the (many different) pages I received wanted me to call a toll-free number (screenshot in URL, and which looks like a real Facebook page) for help in overcoming my 'facebook compromise'. I feel quite certain that if I had dialed that number they would have tried to get facebook login info, perhaps a credit card to pay for their 'service', etc.

My characterization of it being a 'hole' was more on the order of 'how could a typo-squat on such a valuable domain name be allowed to continue?'