Real or fake?

  • Article

The other day, security writer/worker (what doesn’t that guy work on these days?) developed a handy-dandy little game called “Phish or Fake.”  He wrote about it in his blog post here.

In the game, he shows you a domain like BANCOFAMERICAN.COM and asks you whether or not the domain really belongs to Bank of America?  The game then shows you lots of domains, asking you Yes or No.  There are a lot of domains out there that you would never think belong to BofA:

  • ATLANTAMORTGAGEADVISORS.COM
  • CREDITCARDINVITE.COM
  • MERRILLNETACCESS.COM
  • AFFILIATEDHOMELENDING.COM
  • DERIVDEALER.COM
  • COUNTRYWIDEREVERSEMORTGAGE.COM
  • BACMERRILLLYNCH.COM
  • XN--FIQZ9S5N9AK3P.COM

Looking at these domains above, you’d never be able to distinguish them from phishing domains:

  • COMBANKOFAMERICA.COM
  • MAXAMVBANKOFAMERICA.COM
  • BANKUFAMERICA.COM
  • BANKOFAMERICAPRIVACYASSIST.COM
  • BANKERSLIFEINSURANCECOMPANYOFAMERICA.COM
  • BANKOFAMERICA-LOAN-MODIFICATIONS.COM
  • BANK-OF-AMERICA-INCORPORATED-CO-OPERATIVE-BANK.COM
  • BANKOFAMERICA-LOAN-MODIFICATIONS.COM

When I first played this game, my score sucked.  I tried to tell the difference between them by visual inspection alone.  It cannot be done, there’s no rhyme or reason to it.  If I, as a security professional, can’t tell the difference, how do we expect the average user to do it?

One way is to do a WHOIS lookup on all of the links. Of course, 0% of people on the Internet even know what a WHOIS lookup is (figure rounded down).  If you get a message in your email from Bank of America and it contains a link that doesn’t point to something you recognize, how would you ever know that it’s legitimate simply by visual inspection?

You can’t.

However, it’s not as bad as it sounds.  While Bank of America does have a lot of domains registered to them, it doesn’t mean they use all of them.  They may buy them up in advance to avoid somebody else purchasing them, squatting on them and forcing them to pay up a lot more money later on. 

Or, they may buy up whatever combinations they can think of so phishers cannot use them later on.  That, of course, is a game they will never win because phishers can come up with an almost infinite number of domains that sound legitimate that BofA never thought to pre-acquire.  They can also use HTML tricks to conceal the real URL direction (many users do not hover their mouse over the link to see where it actually goes).

I don’t know who BofA sends mail as; but going by the number of domains they have registered there is a lot they could send as.

Let’s hope they never do.