EFF seizes deceptive website used for high-level phishing attacks

Electronic Frontier Foundation wins control of fake .org website which may have been under the control of the Russian APT28 group.

Electronic Frontier Foundation

The domain name of a website set up to spread malware has been handed over to the organisation it impersonated, following a complaint to the UN agency WIPO.

In its judgement, WIPO allowed the Electronic Frontier Foundation to take control of the domain ElectronicFrontierFoundation.org. The EFF's real website is at EFF.org.

The judgement came about after the EFF filed a complaint under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) against the registrant of the false domain, named as Shawanda Kirlin of Bali, Indonesia. The EFF assumes the name is false and that the domain was in reality controlled by cyber-criminals.

The registrant did not respond to the complaint that the website infringed the organisation's trademark, nor to the allegation that the site was spreading malware through a zero-day Java vulnerability. Chrome still flags the site as dangerous when it is visited.

The domain was used as part of a spear-phishing campaign known as Pawn Storm. The attackers have been linked to the group known as APT28, which is said to be backed by the Russian government.

This marks the first time the EFF has used the UDRP to take down a domain name. Following the victory, the domain will be transferred to the EFF, after which the website will no longer be a threat.

Kevin Bocek, chief security strategist for Venafi, told SCMagazineUK.com that a few weeks ago Netcraft flagged that certain certificate authorities had issued hundreds of SSL certificates for deceptive domain names used in phishing attacks.

“The use of valid certificates with fake domains is one of the most powerful cyber-weapons. These included names that resembled leading financial services providers – such as PayPal and NatWest – creating a clear and present danger for customers. So it's more common than you'd think, and the problem is becoming increasingly prevalent,” he said.

Bocek added that Certificate Authorities (CAs) – particularly the 'free' CA offerings we have seen emerge over the past twelve months – are issuing these certificates with little thought to the potential misuse.

“It is unacceptable, yet increasingly common. As digital certificates have started being handed out for free, the value is being chipped away, resulting in lack of trust and easy targets for hackers. So this isn't a problem that is going away any time soon.”

Bocek said it was unfortunate that, through no fault of their own, brands can have their reputation damaged by the poor deeds of others. There are over 200 CAs in operation, all of which are afforded the same level of trust, but the reality is that they are often very different in terms of the level of fraud and security controls they have in place, he said.

“Businesses have no way of telling which CAs are better or worse, yet they also face a huge risk that they're not responsible for creating. They are helpless to protect themselves since certificates are being issued in their names without their control. This is why Certificate Reputation – finding and knowing good certificates from bad – is so important,” he said.

Stefano Maruzzi, vice president EMEA of GoDaddy, told SC that the problem of registering fake domains is directly related to phishing scams and other kinds of online fraud, and is therefore part of the larger issue of malicious behaviour online.

“I think every one of us has at least once received a spam or scam email that is clearly from an unknown or fraudulent source, and that is why we have spam filters and similar software in place to help protect us. Really it comes down to common sense and being aware online,” he said.

He said that diligence in creating and maintaining your digital presence is crucial to keeping your brand reputation intact.

“There are a wealth of online security tools you can purchase which will help you protect your brand online, ranging from the more common and widespread antivirus software to malware removal, code signing certificates and SSL,” he said.

“Your choice of tools will depend on your business needs, but keeping whatever software you use updated and doing your checks regularly, whether this is checking for problems and fixing immediately or running security scans before you launch new sections of your website, will make it easier to keep you on top of things.”

Gavin Reid, vice president of threat intelligence at Lancope, told SC that large organisations have people tasked with looking for similar sites that could be used in a phishing or watering-hole attack.

“It's a numbers game where the attackers have the advantage of being able to automate domain generation and registration and then use the domains for minutes only before switching over to a new one,” he said.

“Once found – depending on the registrar – it could be a lengthy process to have it shut down. Another similar tactic the bad guys use is to steal credentials to a real domain then register sub-domains (called domain shadowing), creating very authentic looking domains that can be hard to detect and unravel.”
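The two problems Reid describes, look-alike registrations that imitate a brand and shadow sub-domains planted under a legitimate domain, are the kind of thing the monitoring staff he mentions hunt for in newly registered domain feeds or Certificate Transparency logs. The following is an added example written for this page, not code from the EFF, Lancope or any other party quoted. It checks each observed host name against a protected brand, collapsing hyphens, digit-for-letter substitutions and common phishing filler words before comparing, and separately flags sub-domains of an owned domain that are not on the organisation's own allow-list. The only real names in it are eff.org and ElectronicFrontierFoundation.org from the article; the allow-list, the other domains in the sample feed and the thresholds are constructed, and it assumes single-label TLDs (no public-suffix handling).

```python
"""Flag brand-impersonating domains and possible domain shadowing.

Added example for this article; all inputs below are constructed.
"""

# Protected brand: registrable domain -> name tokens attackers imitate.
# eff.org and electronicfrontierfoundation come from the article.
PROTECTED = {
    "eff.org": ("eff", "electronicfrontierfoundation"),
}

# Sub-domains the organisation knows it operates (constructed allow-list).
KNOWN_SUBDOMAINS = {
    "eff.org": {"www", "supporters", "ssd"},
}

# Digit-for-letter swaps and separators collapsed before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "-": "", "_": ""})

# Filler words phishers bolt onto a brand ("eff-login", "effsupport").
FILLER = ("login", "signin", "secure", "account", "support",
          "verify", "update", "mail")


def levenshtein(a, b):
    """Edit distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label):
    """Reduce a DNS label to the brand-like core an attacker is imitating."""
    label = label.lower().translate(HOMOGLYPHS)
    label = label.replace("rn", "m").replace("vv", "w")  # multi-char look-alikes
    for word in FILLER:
        label = label.replace(word, "")
    return label


def classify(fqdn):
    """Return (verdict, protected_domain) for one observed host name.

    Verdicts: 'owned', 'possible shadowing', 'lookalike', 'unrelated', 'invalid'.
    Assumes a single-label TLD, so the registrable domain is the last two labels.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return ("invalid", None)
    registrable = ".".join(labels[-2:])
    subdomain = labels[:-2]

    # Our own domain: anything below it we did not create is suspect.
    if registrable in PROTECTED:
        if subdomain and subdomain[-1] not in KNOWN_SUBDOMAINS[registrable]:
            return ("possible shadowing", registrable)
        return ("owned", registrable)

    # Someone else's domain: does its name imitate a protected brand?
    name = normalise(labels[-2])
    if not name:
        return ("unrelated", None)
    for brand, tokens in PROTECTED.items():
        for tok in tokens:
            if name == tok:                       # eff.com, e-f-f.net, eff-login.com
                return ("lookalike", brand)
            if len(tok) >= 6 and tok in name:     # brand embedded in a longer name
                return ("lookalike", brand)
            budget = 1 if len(tok) < 8 else 2     # tolerated typos, scaled by length
            if len(tok) >= 4 and levenshtein(name, tok) <= budget:
                return ("lookalike", brand)
    return ("unrelated", None)


def scan(hostnames):
    """Return only the host names an analyst should look at, with verdicts."""
    return [(h,) + classify(h) for h in hostnames
            if classify(h)[0] in ("lookalike", "possible shadowing")]


if __name__ == "__main__":
    # Constructed feed standing in for newly seen domains.
    feed = ["www.eff.org", "electronicfrontierfoundation.org",
            "electr0nicfrontierfoundation.com", "eff-login.com",
            "support.eff.org", "jeff.org", "paypal.com"]
    for host, verdict, brand in scan(feed):
        print(f"{host:40} {verdict:20} imitates/abuses {brand}")
```

Fed with a live stream of newly registered domains or CT log entries, this is the "numbers game" Reid mentions: the attacker only needs one domain to survive for minutes, so the check has to run continuously and cheaply, and the allow-list for shadowing detection has to be kept honest against the organisation's own DNS changes.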