Wednesday, May 18, 2016

Millions experience serious computer security problems and have no one to call for help

A couple times a week, people I may or may not know reach out to me for help because they’re experiencing some kind of computer security catastrophe. Sometimes the situation is serious, other times not. They might be dealing with an online bank account takeover, online scam, data breach, malware infection, identity theft, and the list goes on and on from there. Whatever the circumstance, a great many people often find themselves thrust into the deep end of this technology driven world, without the know-how to solve the problem on their own, and no one to call for help. These experiences are especially painful for the elderly and small-business owners, whose livelihood are disrupted, and the stress takes a toll on them. Personally, I hate it when good people get taken advantage of.

In the most recent case, I was introduced to the founder of a TV and movie production company through a mutual friend. They explained that someone is messing with their website and actively using their company name to scam their business contacts. They said ‘hacked,’ but that could mean anything these days. The situation was causing them real brand damage, and with over a dozen show titles to their credit, the business impact is severe. Even over the impersonal medium of email, you could sense a deep feeling of helplessness and desperation. As you might expect, I tend to keep myself happily occupied with family, work, and martial arts and don’t have a lot of time to spare for things like this. But, this plea originated from a good friend, the victim didn’t have anyone else to turn to, and helping out felt like the right thing to do.

After taking a call and exchanging a few emails, I got the real story. Someone, a scammer, registered an incredibly similar domain name to the legitimate one used by the production company. The fake domain name was being used to create a clone of the real website. The scammer then subtly changed the names and photos of the staff and updated the contact information so that any incoming communication would instead go to them. Through email, phone calls, or search results visitors would be contacted by the scammer, who pretended to be with the production company, and would proceed to con their victims out of money. This is a simple, inexpensive, and effective scam that could happen to basically anyone – and it does.

The near-term plan was to get the scam website taken down. Long-term, try to take ownership over the look-a-like domain name.

To start, the first thing I needed to know is who owns the offending domain name. A quick WHOIS lookup revealed the registrar is GoDaddy, but the domain owner itself was masked by Domains By Proxy, a popular service for those wishing to preserve their online privacy. I often use this service myself! This means without going through a legal process, obtaining the real domain owner information isn’t going to happen. Still, in the event the production company would like to try and get ownership over the domain using ICANN’s and trademark law, they have the registrar info to further that process. Next, I needed to identify where the website is being hosted. The ‘dig’ command easily gets me the IP address of the cloned website and an ARIN lookup tells me who the IP address belongs to — the name of the hosting provider. For those curious, collectively performing these tasks took me far less time than writing this paragraph.

Let’s pause our story for a moment to consider the technical knowledge required to get this far, which includes a set of skills many techies take for granted and forget that the vast majority of people simply don’t have. Few people can explain what a domain name is, have any idea what a domain registrar or an IP address is, what’s WHOIS, or even ICANN. They’ve certainly never heard of ARIN, and only a vague familiarity with hosting providers for that matter. And thus far, we’ve only collected purely public information and in doing so reached a point where most can’t get to on their own. Techies should empathize and exercise patience with those not nearly as literate in how the Internet works as we are. Anyway, back to our story.

Now that we’ve learned who the hosting provider is, I helped the production company founder draft an email to send that concisely explains the problem and what we’d like the action to be. Take down the website! Their website nicely listed the abuse@ email address and I pressed send on the message. I figured it could be a while for them to get back to us, and in the meantime decided to take a close look at the scammer’s website.

Using every web hackers best friend, view-source, I skimmed the underlying code of the website. Maybe the scammer left clues as to their identity, tools they used to clone the website, or whatever. In less than 60 seconds, I immediately spotted something very interesting. While the HTML of the page is hosted locally, all the CSS, images, and most importantly, the Javascript is being SRC’ed in from the real website! As you’ll see if a moment, this was a major oversight on the scammer’s part. Are you thinking what I’m thinking? We’ll see. :)

1)    In the logs of the real website, we should be able to ascertain who and how many people visited the scammers website. Because every time someone visits one of his web pages, their browser automatically pulls in the aforementioned third-party content from something we control. This means the visitors IP address is logged, as is what web page they are currently looking at — called the referer. And yes, this is intentionally misspelled and a throwback to Internet antiquity.

2)    If we have the visitors IP address information, it’s quite likely we also have the scammer’s too! Provided they didn’t mask that as well. And if they are, that’s useful bit of information as well. Either way, their IP address is probably the first one we see the in the logs when the referer of the fake website appeared. If we decide to go after the bad guy directly, we at least have something to begin tracking them down with. Subpoenaing the hosting provider or Domains By Proxy is of course another possible course of action, but we’ll see about that path later.

3)    This is the big one. Any web hacker would have quickly theorized that we can probably modify the javascript on the real website, which again is called by the fake website, to at least temporarily redirect it’s visitors. And, that’s exactly what we did! A quick 3-line block of code did just the trick!

if ( != ‘<>') {
        window.location = ‘<>’;
At this moment, we got the production company and visitors of the scammer’s website some immediate relief. That is until the bad guy notices what we did and updates their website code, which is trivial to do. Next I ask the domain registrar (GoDaddy) about the process for taking ownership over domain names that are designed for abuse. They point us towards an ICANN’s trademark dispute policy and suggested we consult with a lawyer experienced in such legal measures. I then advise the founder to seriously consider going down his route.

A couple days go by, and while we wait for the hosting provider to respond, we notice the aforementioned redirect stopped working. As expected, the scammer caught on and fixed their code so that all the web page files now point locally. Drat! What we did learn is the scammer is sentient, responsive, and persistent. He didn’t care so much that were we onto his little game. Interesting. Such brazenness indicated that the scammer is probably outside the US jurisdiction – or optionally just stupid. Then like magic on the same exact day, and the timing could not have been better, the hosting provider informs us that they completed their investigation and disable the scammers website. Success!

For now, my work is done and the production company founder profusely express their thankfulness. This was a good feeling. However, that doesn’t necessarily mean this is the end of our little story, or that it will be a happy one. After all, this is the security of the web we’re talking about, and plainly said, it’s fundamentally broken.

You see, the scammer can easily set up shop with a new hosting provider and start the identical scam all over again and there is absolutely nothing anyone can do to prevent that. There is no good way to help visitors tell the difference between the real website from the fake one. And even if we use ICANN’s process to take ownership over the domain name, the scammer could easily just register another suitable look-a-like domain in no time flat and we’re back at it all over again. This problem is never ending and there really is no good way to solve it once and for all. A website owner’s only option is to wait for something bad to happen, give me or someone else with the right skills a call for help, and proceed similarly.

What I can do is actively monitoring the illegitimate domain name to see when and if it’s IP address changes. If it does, this would indicate that the scammer is moving hosting providers. It took a couple weeks, and that’s exactly what appears to be happening right now. Grr. This is kind of thing happens every day, to who knows how many people, and honestly I’m not sure what the answer is. One thing I do know, the world needs the help of a lot more good computer security people. Join in!


Unknown said...

Great post, Jeremiah! Totally agree with your conclusion :)

Jeremiah Grossman said...

Thanks @Branden! Thanks Congrats on the acquisition too! :)

Ray Pompon said...

Excellent post. I've been in the same boat myself for years. I'm always aghast at what few options folks outside the industry have for solving security problems. It's led to me spending more than a few hours cleaning up malware off people's machines only because there are no good options.

Jeremiah Grossman said...

@Ray Thanks! And the cost to pay directly for these skills (market rate) often far exceeds the financial means of the victims. And as you say, they're unfortunately stuck. This also seems like good business opportunity to me. Finding ways of reworking high-end enterprise products & services for the low-end market. So much opportunity out there!

Mauiwind said...

Yes, it is a business opportunity. I need to come see you, Jer.

AndroidThinker said...

Perhaps working with an industry group and charging a retainer to monitor websites for that group. Smaller businesses, the "low end market" often join industry groups. When an event occurs your less experienced, hence lower paid, security techs could investigate and call in the more experienced professionals when needed. Good way to train and gain experience in the profession and possibly lower cost. Hope all is well, Jeremiah!

Jeremiah Grossman said...

@mauiwind Coincidentally, maybe I come see you! I'm highly likely to be on Oahu on the weekend of June 11. Tournament!

@AndroidThinker. That's a really interesting idea / model. Like coop or something, almost insurance 'AAA' like in a way. Would still need to pair it with a suitable technology products to build up an attractive portfolio of offering and in order drive down costs down extremely low, not to mention the necessary skills. Profitability would be all about huge scale in such an area of the market.

AndroidThinker said...

I'd equate it to insurance as well, but wouldn't want to get into that industry regulation. More like "home security systems and monitoring." And, yes, you'd have to build out the monitoring platform, but WHS would be the foundation I'm sure. Good way to promote usage and benefits. Also a good way to employ your military veterans just getting into the industry as you desired. "Your soldiers were once physically on the front lines protecting you, now they're doing it virtually too." Scale would be key, and I think building automated scripts against website log files would be key to identifying high-risk or questionable activities...but you already have that I'm sure.

Jeremiah Grossman said...

@AndroidThinker You make a very valid and compelling point. Quick update, I'm no longer active with WHS. Right now, plotting my next moves. ;) So much opportunity out there. Just have to focus and key in on 1 or maybe 2 areas and make a go at it.

Nilay Sangani said...

Great one, Jeremiah.
A very simple way to highlight the problem. And I must say a never-ending one :)
It's a reality that not much can be done apart from monitoring every now and then. I kind of feel for the small and medium size companies who do not have much budget for the same. However, things will change when we approach 2050 :)
Keep it rolling!

Comanche said...

Good story Jeremiah, I am in the middle of a very similar situation where a bad actor has hijacked a domain, and is responding to emails, attempting to open bank accounts. etc. The ICANN process is helpful but SLOW - as this bad actor transferred the GOOD to a registrar in Russia and then locked it. Painfully slow, but there is hope we will get the domain back.

For anyone wanting to know how the domain was hijacked, it was the usual weakest link. The company admin kept passwords in a spreadsheet and their photo ID scanned in on an insecure file share. ( Think cloud here ).

Looking forward to catching up to you again Jer.

Anonymous said...

What about adding an X-Frame-Option header?