The short tale of an online scam (duarteocarmo.com)
123 points by stanislavb on July 1, 2021 | hide | past | favorite | 93 comments



> "Also, (2) if you want to protect other people from falling victims to scams like these: tell them to always look at the url bar. Always."

This is good advice, as things stand right now, it is in fact the best advice we can give.

In absolute terms it is borderline useless advice. Many companies still communicate from and operate from domains other than their well-known main domain.

How is anybody supposed to know that windowsupdate.com is a legit Microsoft domain? What about windowsazure.com? How do you know that fbcdn.net belongs to Facebook, but fbabc.com does not? Why isn't gdynamic.com a Google asset like gstatic.com? lufthansa.com, lufthansa.de, lufthansa.at, lufthansa.ch are all legit, why are lufthansa.li and lufthansa.lu not?

Sure, you can check WHOIS, but that just shifts the issue one level lower.

"[..] always look at the url bar." - Please do, but don't expect it to be enough to be 100% safe. In the world we live in anyone can be phished.


There has also been a push by Google and others lately to "dumb down" the url bar to hide the full address from users. Not sure why but I assume the justification would be some misguided attempt at making it look nicer while the real reason is somehow ad related.


One of the justifications is that showing only the hostname will make it easier to recognize malicious hostnames; as it is, the typical non-technical user just sees a bunch of stuff, doesn't really know how to distinguish hostname from path.

I buy it honestly.


How are they supposed to learn about it or at least be curious about it if they do not even see it?

>I buy it honestly.

phishing should look nice to the victim?


In the case of OP, what the user would see in the bar would be 'delivery-85367.icu' which looks very suspicious.


They would see nothing because they do not look there anymore at all. Average person would think: "it's some bug with showing the name of the site" and would ignore it because users get used to the 'barely working everything' with computers these days.


The idea is not to make phishing look nice to the victim, it's to make it more obvious that it's phishing to the attempted victim. The path component is irrelevant to detecting phishing, but the host component is very relevant.

I don't know if there's any research on users to confirm that this works. It would be good to do such research before making such a change, if that's the motivation for the change. But it seems plausible to me.


>... The path component is irrelevant to detecting phishing ...

What becomes irrelevant is the AddressBar itself for the user.

User simply doesn't look at it at all because usually it is not changing with each click. So it appears irrelevant and disconnected from the actions user takes.

It looks to a non-technical person like "some name of the web site which doesn't always show the right name, but it's ok because hey nothing works perfectly on computer anyway ... so it doesn't matter". This is how it looks to the average person. They do not even understand why it's there. "Just takes the space ... Why it's there? Site shows name anyway on the page ... " They just have no idea what is going on thanks to this wonderful idea of removing the real address bar ... Not that they were too much aware before but at least you could explain it to them ... not anymore.

According to my experience non-technical people just lost the concept of url completely and do not even know where it is. Even when one asks them about it specifically. These are the 'real' results of this idiotic idea which I observe in practice, and unfortunately I observe it too frequently to ignore it. But hey .. downvoters of my previous sarcastic post seem to be very happy to ignore the reality. They would rather stick to their wise decision and downvote reality if they do not like it. Good luck with that.


It isn't just Google. Multiple browsers have flirted with hiding it.

There are various mindsets that lead to want to do that - one designer I know calls it a debugging tool that should never have been released in the first place.

For others, it is clearly about controlling the user with various justifications.

(I consider it a canary. Its removal will be a signal that the HugeCos are comfortable relegating the non-corporate web to the fringe, Usenet-style. It will be there, and you can get to it if you go way out of your way, but what is there will mostly be automated spam and weirdness, tons of examples of specific use cases, and a few folks who have been arguing with each other since 1992.)


> one designer I know calls it a debugging tool that should never have been released in the first place

I've heard similar comments but I don't understand how people would be expected to navigate around the internet? Is the idea that Google's search input should replace it? So if I want to go to sec.gov I should search SEC and click the link (hopefully) provided at the top of the results rather than just go there directly? It just doesn't make sense to me.


In my limited experience, most browsers do what you describe already. Unless you type a 100% correct URL (and sometimes even if you do), a normal browser will send your URL string to Google (or similar entity), who will send back a redirect. The process is fast enough for you not to notice.

It is often possible (if hard) to configure browsers to do traditional URL resolving, but I wouldn’t bet on it always being possible. Google certainly has every reason to disallow reconfiguring their own browser to not send data to Google.


The url you type is 100% correct. Sure, maybe you made a typo, but the browser didn't know that. It isn't sending your url to Google and waiting for a redirect. A redirect to what? A different url?


No, a redirect to the correct URL, the URL you typed, or meant to type.


This and the proliferation of gold-rush TLDs like the .icu mentioned in the article make me feel like we're pretty well all the way there. For all my fighting the good fight, I'm just one more voice in the wilderness, though, and everyone wants their magic boxes without caring what's going on inside them - until they get bitten.


> Multiple browsers have flirted with hiding it.

Safari has been doing this for a while now, yet no one is up in arms about it.


My interpretation is that they don't want users to go to a specific URL, Google wants users to search for it (and click an ad) on Google.


> There has also been a push by Google and others lately to "dumb down" the url bar to hide the full address from users. Not sure why but I assume the justification would be some misguided attempt at making it look nicer while the real reason is somehow ad related.

Suggesting Google might do anything without ad-related motives is probably too generous, but I've always thought that this was an optimisation in the sense that it's built on optimism: when everything's working well, most of what's in the URL bar is irrelevant. So the bar is built towards working well in the best case, at the expense of becoming much less useful in the worse (and probably more common) case.


I think the reason was mostly AMP.

Hiding/obscuring details from the URL bar seems like much less of a big deal if the goal is to rehost someone else's content. The value statement of the URL goes down a lot in that case, and the push to drive users away from it starts to make sense.

Either which way, I still hate it - The only non-work related ticket I've put in for chromium was a request for an option to disable this behavior entirely.

It's bad form from folks who should know better.


> I think the reason was mostly AMP.

Safari on both mobile and desktop started doing this years before AMP was a thing.


Safari has been doing this for years. The justification is partly because it makes the domain more obvious, especially on a mobile device where you have limited screen width. https://www.netflix.com.evilcorp.com would simply show up as evilcorp.com if only the domain is shown.


Plus the redirect shenanigans some companies pull is pretty ridiculous too. It seems like logging into an intranet protected by MS login it flashes through about 15 different domains that I can't even make out.


Two days back I searched for the Indian Govt. tax website in Google (it had changed the website recently) after DDG did not produce the desired result, and logged into one of the top results.

The password manager didn't suggest my password. I attributed it to the recently changed website domain or a site quirk and quickly copied my password from the manager to the site, only to get an SSL certificate revoked notification.

I have logged into a phishing site mimicking the old URL of the Indian Govt.'s tax website. I quickly tweeted out to some journalists[1]. The website went down soon enough.

I've never been phished before AFAIK (this wasn't targeted; I've protected myself from a couple of targeted attacks and helped several others in the past), and even though this is embarrassing I want to state a couple of reasons why my usual rationale didn't work this time.

1. The new tax website being quirky (to say the least) was in the news constantly and my CA kept complaining about it for the past several days. I expected a quirky website even before I logged in. Even our Finance Minister had complained publicly to the Chairman of Infosys (who developed it) on Twitter about the issues with the site days earlier.

2. I made a couple of prior searches in Google as I didn't get the website where there was a login, so I think Google produced less trustworthy results on my final attempt. I've noticed this happen in the past as well in Google, i.e. when you enter the same search term a couple of times, the 3rd or 4th results are not the same as the 1st on the front page.

3. The muscle memory to check https and the URL didn't help much as the site had SSL and the URL was close enough to the old IT website's unmemorable subdomain URL. The 'filing' was 'filling', and the domain was co.in instead of gov.in (which of course I didn't notice).

4. The password manager not working should've caused me to check the domain again, but (1).

I presume this was the intended sequence of events for the scammer, especially since many are searching for the old Income Tax website. But I never expected the phishing site to make it to the Google front page this soon.

[1] https://twitter.com/heavyinfo/status/1409761416865746956


Until they build a fake Chrome window with the correct URL... https://twitter.com/chokotrix/status/1376979077748375553


Plus, many companies outsource many services to some SaaS third party, like payments, order tracking, even inventory and other stuff. They come with funny domain names and it's borderline impossible to tell what's legit and what's not.

And now I should tell my 70+ year old mom to "always look at the url bar"? That's entirely useless.


It's a fun story.

For myself, I tend to avoid pissing off scammers. I just let the relationship wither on the vine.

I had a friend that attacked a forum hacker, and the hacker responded by completely destroying a years-old online community. They probably used a bot to register a scammer login, but the attack got their attention.

My friend would have been far better served by deleting the login, and fixing the holes in his forum.


This morning at 5:30AM I got a call from a random HVAC service company. "Hi, [function_seven], this is Paul with ACME Heating and Cooling. You're requesting someone look at your system?"

I was barely awake, so I stammered, "huh? No I don't think so..."

Paul (Helpfully): "You filled a form out requesting this on our site?"

"No...?".

Then I started to wake up more and realize it was happening again. I must've pissed someone off somewhere a couple years ago, because I'm getting a lot of this. A hater is filling out online forms with my info. Every month I get a random call from a legitimate company responding to what I only assume is an item in their lead-gen pipeline. This morning was no different. The call came from a legit number for the HVAC company. I looked them up and they're highly-rated. But they're in Florida, I'm in California, so the 5:30am call time made sense.

Last month it was a therapist referral service in Ohio. They had my name, phone number, and email.

Elsewhere I'm constantly getting emails at an old gmail address for various shopping site "newsletters." From all over the world. A Spanish job search site in the UK. A sporting goods site in Colombia. Athletic wear from Ireland. In each case, the sites themselves are legit, but they don't do an email confirmation loop.

Should I keep Unsubscribing from these? Is there anything I can do to figure out who is doing this? I used to mess with scammers; I think I might regret that :)


You will not be able to know who did this. It is similar to the dumb teen idea of a prank where they would put your phone number in an ad for a cheap pizza delivery service.

My wife had a similar problem and she changed her phone number.


Anecdotally, my SMS scammers have gotten so lazy these days that they are just sending me IP addresses to click.

Unsurprisingly, the IP addresses all resolve to Russia.


Scammers really have stepped up their game in recent years. I keep getting spam emails that say "we have your data, click here to see the list..."

Of course, the link wants to authorize against my (nonexistent) gmail. Nice try.

The people I feel bad for are the elderly: I know two that have been taken in by these things. They really aren't mentally equipped for the complexities of the modern Internet.


Lots of scams want your bank details. Unlike with SMS 2FA where the phone company never offered their service as a magic universal authenticator, the scammers want your bank account because it's a bank account. To the extent such scams work, we should be pretty unequivocal that it is your bank's fault. Banks are always reluctant to put their hands in their pockets when it comes to meaningful security. Whereas merchants and customers must upgrade to satisfy PCI DSS rules the banks gave themselves an unlimited free pass to just do whatever they wanted under PCI DSS because hey, those upgrades look expensive, we'd rather not bother.

My good bank actually has security. I'm fairly confident that I couldn't sleepwalk into giving bad guys access to the funds in that account by whatever means. I have a physical authenticator device to get into their online banking site, for example, so your scam would need to persuade me that I need to go get the authenticator and use that to sign in, all more chances for me to realise it's a scam.

But I have two other bank accounts, which both still think passwords are a pretty good level of security in 2021. One of them even lets me sign in using a numeric PIN, presumably they feel they've done enough to protect against brute force and so this is fine.


My bank thinks banning right click on their site and disabling default inspect element is security. I'm sure making it annoying for me to copy the routing numbers is really going to help out.


That's weird. I'm pretty sure routing numbers (the bank portion) in the U.S. are all public anyways. I've been routinely looking-up my bank's routing number via Google for a while!


They are public, it's just that the easiest way to copy it is to go to the banks website.


> My good bank actually has security.

Would you be willing to make a recommendation?


First Direct

However I live in the United Kingdom, so this recommendation won't be much use to people who live elsewhere. My recommendation certainly does not stretch to their parent, HSBC, once the Hongkong and Shanghai Banking Corporation which likely does operate other banks where you live.


>Scammers really have stepped up their game

Here's an innovative one. I got an sms impersonating my cell phone provider telling me they're going to change my plan.

They'd decided which one is the best for me but I have until next month to choose one 'of the new plans' by clicking on a bit.ly link. That link points to an Amazon affiliated link, and it's totally unrelated to my provider.


That is pretty decent for an affiliate scam.


Yeah imagine what a wonderful world we'd have if all that scammer creativity were put to work for a good cause.


"always look at the url bar"

I remember reading about a scam where the URL seemed legit, and the suspicious part was pushed after so much white space that it was no longer visible in the URL bar. I don't remember the details and I'd be curious to know if anyone remembers it. I remember even sophisticated users saying they might have fallen for it.


I've seen that with an @ symbol.

http://www.amazon.com@192.168.0.1/login
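How the URLs quoted in this thread (`www.netflix.com.evilcorp.com`, `www.amazon.com@192.168.0.1`, `delivery-85367.icu`) and the 'filling' / co.in look-alike split into host, registrable domain and decoy text, as an added JavaScript example that is not part of any comment. It uses the standard `URL` parser; the suffix set, the tax-site hostnames and the `wouldAutofill` model of a password manager are constructed assumptions.

```javascript
// Added example, not code from the thread.
// Constructed, deliberately tiny stand-in for the Public Suffix List;
// a real check needs the full list from publicsuffix.org.
const SAMPLE_SUFFIXES = new Set(["com", "net", "icu", "in", "co.in", "gov.in"]);

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// True when the parsed hostname is an IPv4 literal or a bracketed IPv6 literal.
function isIpHost(hostname) {
  return IPV4.test(hostname) || hostname.startsWith("[");
}

// Registrable domain = longest matching public suffix plus one label to its left.
// Returns null for IP hosts and for suffixes missing from the sample set.
function registrableDomain(hostname) {
  if (isIpHost(hostname)) return null;
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    // i grows from the left, so the first hit is the longest suffix.
    if (SAMPLE_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// Split a URL into the part that names the server and the parts that do not.
function inspectUrl(input) {
  const url = new URL(input);
  const warnings = [];
  // Anything before "@" is credentials, not a host name.
  if (url.username !== "" || url.password !== "") warnings.push("userinfo-before-@");
  if (isIpHost(url.hostname)) warnings.push("ip-address-host");
  const domain = registrableDomain(url.hostname);
  if (domain === null && !isIpHost(url.hostname)) warnings.push("unknown-suffix");
  return {
    host: url.hostname,                        // what the connection goes to
    domain,                                    // who controls that host name
    decoy: url.username,                       // text an attacker may place first
    pathAndQuery: url.pathname + url.search,   // says nothing about identity
    warnings,
  };
}

// Simplified model of why a password manager stays silent on a look-alike:
// it compares the registrable domain exactly, with no visual similarity.
function wouldAutofill(pageUrl, savedDomain) {
  const { domain, warnings } = inspectUrl(pageUrl);
  return warnings.length === 0 && domain === savedDomain.toLowerCase();
}

// URLs quoted in the thread, plus two constructed tax-site look-alikes.
const SAMPLES = [
  "https://www.netflix.com.evilcorp.com",
  "http://www.amazon.com@192.168.0.1/login",
  "https://delivery-85367.icu/track?id=1",
  "https://portal.taxfiling-example.gov.in/login",   // constructed "real" site
  "https://portal.taxfilling-example.co.in/login",   // constructed look-alike
];

for (const sample of SAMPLES) {
  const r = inspectUrl(sample);
  console.log(`${sample}\n  host=${r.host} domain=${r.domain} warnings=[${r.warnings}]`);
}
```
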


Scam works well since it is assisted by HN truncating the link. Then assisted by Apple because when I long press to see the URL on iPhone it loads the website preview before I can see if it's safe to click.


URL bars should condense whitespace or use an obvious graphic rendering.


An obvious red flag for me is always an opening message with "I'm interested in X", where "X" is verbatim copied off the title of the ad.


My dad would 100% start a transaction like this. For bonus points he might even write the X in ALL CAPS.


The problem with that (at least in what I've sold online), is that older/elderly people tend to copy and paste into their messages or type it out verbatim.

Again, maybe that's specific to woodworking tools and supplies, because those people tend to skew older, but I have legit asked 4 or 5 buyers, this year alone, if they were bots because that is literally their first line.


I wonder if there is any causality here and if so, what the chicken and egg is here... Do old people mimic the scammers who text them or did scammers start mimicking old people?


I think I do that, on the off chance that a person might have multiple listings, and my general preference for precision. I probably also figured it'd be easier for them to know what I was referencing if I used the exact same text.


Prominently featuring the exact text of my listing title has, so far, been a 100% perfect match for scams, for craigslist ads. Doesn't quite catch all of them, but the ones that do that have always been attempted scams.



The only odd thing I noticed was around 4000 requests were sent in perhaps a short time. That would indeed tip off the scammer.

Might've been better to send in two or three a day, and ramp it up slowly until you get caught.


I thought so as well, but if they generated a new url per each victim, storing the referrer could make it trivial to filter out...


Also, more simply perhaps, if the OP was using Python, their User-Agent would indicate it, and that too could be filtered out easily. I'd have at least taken the small additional step of using a real User-Agent cloned from their actual browser.


> In an attempt to add some confusion to his operation, I decided to create a little script. This little script would send him about 5000 different combinations of the above parameters in a completely random fashion. Fun.

I've done this with college scammers requesting email + passwords, loads of fun. Would highly recommend as it turns an O(1) operation (db full of valid stolen credentials) back into O(n) (randomly guess which credentials you stole are valid).


You’re assuming they don’t store a time stamp with the DB entries. It would be fairly trivial to filter out the 5000 fake entries that all arrived within a minute of each other.


>This little script would send him about 5000 different combinations of the above parameters in a completely random fashion.

More work, but with potential to waste more of the scammer’s time, would be to fake up requests corrupted in a way that suggests your browser config exposes some subtle bug, say a race condition, in his scripts. Might keep him busy for days …


cardNumber=[object Object]

delightfully devilish!


Since most card transactions these days require strong authentication and this is done in Denmark via NemId, which requires second factor (either an app or a key card sent to individual's officially registered address), I wonder what their game plan is. They could use up all your codes and steal the key card from your mailbox, but otherwise I'm not sure... Maybe they wanted victims to pay for 'shipping' the item, but AFAIK NemId asks you to confirm a specific payment amount, so seems it would be quite small amount of money.

That being said, I fell for another shipping scam in DK, seems it's quite common these days. Bank cancelled the card and transactions easily, though.


The phishing scenario in the article allows the malicious actor to impersonate the victim simultaneously, while asking the victim for any 2FA codes.

The attacker can be a man-in-the-middle and make the victim authorize a costly transaction (say $100), with the victim seeing a cost of $1.

There is an example video here: https://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.htm...

Of course, the real transaction can be seen from the bank.


I'm US based, so not sure on the exact details of the payment system.

But since the article mentions confirming the bank balance, couldn't that be basically sending a pay request for the entire bank account balance?


Spamming them with fake info is already a good idea, but that kind of spam is also a good occasion to check whether scammers know how to sanitize their database inputs.


Namecheap. Surprise.

They seem to be the preferred DNS provider for this sort of thing.


From HN threads about registrars, they seem to be a preferred registrar in general - it's not hugely surprising that scammers share similar preferences.


In what world can a DNS provider verify every single domain purchaser’s intent and activities post-sale? I don’t understand your argument at all…


I've written a little bit about why NameCheap is so beloved by scammers. See https://shkspr.mobi/blog/2021/05/why-do-scammers-love-namech...

They allow anonymous payments and they're slow to respond to takedown requests.

They've started monitoring registrations now - so you can't register domains like `hsbc-co-uk.biz` without going through some extra checks.


>They allow anonymous payments and they're slow to respond to takedown requests.

things that might also be liked by non-scammers.


Non-scammers is a pretty broad set of people, most of whom are not interested in that. Who specifically do you have in mind?


people who set up websites that they don't want tracked back to them - historically speaking gay people might want to be anonymous in all sorts of scenarios and for all sorts of reasons.

I'm working helping out an artistic collective in which the various members are anonymous to various degrees. There may need to be anonymity in paying for services - this is an obvious necessity nowadays - for example the whole recent situation over the 'I sexually identify as an attack Helicopter' story https://en.wikipedia.org/wiki/I_Sexually_Identify_as_an_Atta...

so - off the top of my head:

often abused or oppressed minorities.

artists.

on edit: obv. slow to takedown is important for artists or controversial people as well.


Historical gay people aren't buying websites today. And plenty of registrars already allow private registration. Artists who remain anonymous typically solve the problem through having a trusted representative. E.g., someone like yourself.

So I don't think any of your examples hold up.


>Historical gay people aren't buying websites today.

it's hard for me to take that statement as having been made in good faith but at any rate when I say historically I do not mean if someone was building a website in 1950 they sure would want to be anonymous I mean that throughout history, up until the present day there are people who want to remain anonymous who are not scammers and used gay people as an example - which gay people sometimes want to remain anonymously gay but express themselves even today!

And then I linked the description of a story published last year in which the anonymous author was harassed over sexual issues.

Given the example I linked to then

>Artists who remain anonymous typically solve the problem through having a trusted representative. E.g., someone like yourself.

It might be that representatives of controversial artists or the technical help for such might like some level of anonymity themselves, given that anonymous writers can receive death threats it seems that public representatives of such can receive them as well.


I asked you for examples. It was entirely in good faith for me to point out that your first example was not actually an example.

Fall was already anonymous, and her anonymity was protected by the editor, just as I described. So anonymous payment for a web presence, one that she didn't have, wouldn't have helped here. And as you point out, the anonymity didn't prevent her from getting criticism (not harassment as far as I know); indeed, one of the lessons of the Fall incident seems to be that poorly managed anonymity breeds unnecessary suspicion.

As to your last "might be", anything might be. What I'm looking for is an example of where the social harm that can come through anonymity, specifically anonymous payment, is worth putting up with to provide some social good. So far I'm still looking.

As it is, I'll note that even your well-performed outrage over fears of harassment is out of place here, as harassers often make vigorous use of anonymity. E.g., look at Near, the latest addition to the KiwiFarms kill count.


>I asked you for examples. It was entirely in good faith for me to point out that your first example was not actually an example.

well, I used the phrase historically speaking which normally when I see it used in the manner in which I used it the meaning is "this has happened in the past therefore we should be wary of it happening in the future" but you seemed to take it to mean "this has happened in the past but the past is a foreign country and thus we don't need to worry about it happening again." So yes, if you assume that similar things to things that have happened in the past cannot happen today then my example wouldn't be one. But otherwise you didn't really point out my first example wasn't one.

>So anonymous payment for a web presence, one that she didn't have, wouldn't have helped here.

I guess we must think in very different ways because I was just making an example of how artists might want to be anonymous because otherwise they can have bad effects from releasing their art. I chose the most recent example I could think of, and also I chose this one because the attacks were generally from the left while I tend to think of retaliation for homosexuality as stemming from the right.

>As to your last "might be", anything might be.

ok so we're in agreement then that there might be people who are not scammers who want to be anonymous. And since you bring it up also not harassers.

>What I'm looking for is an example of where the social harm that can come through anonymity, specifically anonymous payment, is worth putting up with to provide some social good.

Ok well I don't know if I can provide that, as I don't know how to calculate the social harm and how to calculate the social good. I just know some people who would like to be anonymous for non-scamming purposes.

>I'll note that even your well-performed outrage

whatever.

on edit: obviously I believe in order to have an anonymous identity one has to be able to pay anonymously, so despite my not writing anonymous payment each time I wrote anonymous I assume the ability to pay anonymously is wrapped up in the ability to be anonymous on the internet.


I appreciate you clarifying you have no examples of non-scammer people who need anonymous payment for websites. That was my question, and you have answered it. Maybe next time you could skip the drama and just say so?


> your well-performed outrage over fears of harassment

Sorry, but this phrase illustrates your lack of good faith in this discussion.


I have plenty of good faith here. What I don't have is time for people who when asked reasonable questions give drama instead of answers.

Is online harassment a big problem? Yes, and it's one I spend my days working to solve. Is the inability to anonymously pay for a domain name a significant part of that problem? No, it isn't.


I see your argument, and after having browsed around on your homepage and such, I see that you are a reasonable guy.

Is it really so hard to believe that there are legitimate reasons for wanting to anonymously acquire a domain name? One of the selling points of crypto currencies is the ability to do anonymous payments. That's multi-billion dollars big (even if one considers most of that somewhere between "scam" and "bubble"). All sorts of people desire anonymity in what they do, not just criminals. The GP may not have made the case very well, but minorities are certainly wary of being tracked, so are one example of a group that may desire an extra layer of protection.

It's not hard to imagine other groups. Dissidents, folks who want to keep focus on message instead of messenger, whistleblowers, .. It may be hard to see this from a privileged point of view (mine certainly is), but that doesn't mean it's not real or that only criminals want anonymity.


I'm not very interested in imagining the reasons. And I'm not interested at all in things other people imagine and then use to justify real-world policy. If we're weighing against actual harm, what I want is other actualities.


I love being able to use anonymous payments and I don't do anything malicious.


That just sounds like they maintain an exclusion list that triggers a manual review or additional checks.

Nice, but its effectiveness depends on the completeness of the list.


in what world is that the only possible thing a provider could do against abuse? Scam domains always are on a timer, a big part of it is if a registrar is responsive to abuse reports or not.


They're surprisingly lax with verification, even on ccTLDs which require actual verification of details they just rubber-stamp what you've said is your contact details.


I've never had real identity verification on various domain sites, including namecheap.


Probably because you're only registering domains within lax TLDs.

Certain TLDs (like those under .uk, .cn, .jp, or .sg for example) require more documents in theory - and at least with other domain name providers like Gandi, they asked for my ID and a letter from my company stating that I indeed was authorised to be a representative for that company, plus proof that the company exists (it's easy in the UK because it's already in a public database anyway, so we just send our company number and proof that we're that company), to verify that it is indeed me, authorised by my company, when registering at .uk (and similar arrangements for ccTLDs with similar requirements).

Namecheap on the other hand... well, they just trust you, period.


Even if they were to verify such details, that doesn’t preclude the purchaser from committing fraud or scamming others. There’s no way for a seller (namecheap) to ensure their product (domain) is not associated with misuse, just like any other real world sales.


It's not that sales slip through, it's that they refuse takedowns even when provided with legal cases and police reports against dead obvious scam sites.


99% of the phishing domains that target my company's site come from Namecheap. I don't know why they can't get their act together when it comes to fraudulent domain registration.


What would you expect them to do to stop it? Also, what makes it fraudulent?

It may be registered with fraudulent intent, but the business transaction used to register it is likely perfectly legitimate.


Hold on!

If I wanted to sell some furniture and somebody wanted to use a mover service, that somebody would be paying for it, right?

Why did OP ever proceed with a form that wanted HIS payment details?


I assumed he knew it was a scam already and put in fake info


I wonder if browser manufacturers and the companies behind them will work with this - "this site looks like x, but the url does not match with our records".


I just had an app idea. I am super busy right now, but maybe someone can run with it - You could build a website verification service+app.

Produce a mobile app which uses the camera to scan QR codes, or even watermarked/"invisible" elements placed in reasonable locations on the user interface.

Release an API/SDK which allows for any network participant to quickly wire up a security verification front on their webapp (this would be a bit of js).

App and API obviously both talk to your back-end, wherein the network participants have submitted substantial business/entity verification documentation prior to being added to the network. The service is pretty damn simple - just cryptographic signatures that rotate every few seconds or something. Keep track of last ~100 to account for clock drift. No need to make it hard.

Provide application as free service to users. Monetization possible via a few routes. Ads on the user app itself, B2B contracts with network participants, etc.

Use case A: Get to final payment screen on https://www.bhphotovideo.com. User wants to be 200% sure they are not about to bank wire five figures to Putin due to some UTF8 technicalities. User takes their iPhone out, taps "my magic verification app", points at payment screen, app dings with big green check mark, post verification ad experience, et. al.


What's going on with .icu domains? Any idea on why they've been so prone to spam?


.icu, .club, and a few other gTLDs can often be found for sale at $1-2/year, so they are used by entities in need of low cost disposable domains.


yeah but this guy was already counting 80000+ domains, that is at least the same amount of money, or is there some deal if you buy a large number of domains?



