W3C home > Mailing lists > Public > public-iri@w3.org > November 2009

RE: phishing in IRIs

From: Shawn Steele <Shawn.Steele@microsoft.com>
Date: Tue, 24 Nov 2009 19:44:27 +0000
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
CC: Larry Masinter <masinter@adobe.com>, "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
Message-ID: <E14011F8737B524BB564B05FF748464A0445678D@TK5EX14MBXC139.redmond.corp.microsoft.com>
We're getting WAY off topic.  Is there a BCP for IRI security?

> So trying to spoof the path is indeed another technique, but in most 
> cases, it doesn't work because there is a single authority in control of 
> all the paths on the same domain. So that's why I'm saying that the main 
> place where spoofing can happen in IRIs is the IDN part.

But that only works for you because you know how paths work!

It's been pretty well demonstrated that the average user doesn't know those things, and, indeed, LEGITIMATE businesses even (mis?)use the system for their convenience or to outsource ads or mail lists or whatnot.

Those of us with kids in this country are likely to know about a place called "Check E Cheese's".  And it's a lot cheaper with a coupon.  If I visit http://www.chuckecheese.com/, then I'll have the opportunity to subscribe to an email list and get spammed with coupons periodically.  Those coupons are sent from "Chuck E. Cheese's [cecmail@replies.cecentertainment.com]".  There's absolutely no way to verify that these are connected.  Ruby's is worse.  Rubys.com sends mail from rubys.fbmta.com with links to the same (rubys.fbmta.com).  Toysrus.com gets you to toyrus.shoplocal.com.   I've also seen them in the form client.adfirm.com or adfirm.com/client, no clue if the client/adfirm relationship is legitimate.  Lots of online stores use a 3rd party for checkout.  At least I can recognize yahoo or paypal, but for others I'd have to make a leap of faith.

Heck, I got an internal survey about Microsoft which some team had contracted out to an external vendor.  No clue if it was a legitimate internal survey or someone phishing for intelligence about Microsoft.  The mail didn't even come from an internal address.  (Yea, I contacted the group to find out if it was legit, but they were surprised I even bothered).

Do you ever follow those links?  I often do.  Of course if it's a bank or its going to end up asking for payment or other info I usually end up retyping the original URL (toysrus.com instead of toysrus.shoplocal.com) and follow links from there, but would the average person bother?

When users are trained that any sort of weird variation in the URL is OK, so long as it says my vendor in their somewhere, then there's not much we can do about it, and IDN is completely irrelevant so far as changing security goes.

I used to try to contact marketing departments when I noticed that they sent customers to URLs that weren't obviously in their control, but they don't seem to care.  Until that's fixed IDN homographs don't even come close to being interesting.  I don't even think we can fix it because clearly they don't seem to care enough to follow a BCP for IRIs even if one existed.  If I can't even get Microsoft security to be interested in this problem, how do we expect every retailer to bother?

Note that in every one of these cases the domain could've been fixed.  Instead of toysrus.shoplocal.com, there's no reason they couldn't have pointed shoplocal.toysus.com to their vendor's server and used that instead.  Similarly the mail could be from vendor.client.com.  My internal survey could've redirected from a trusted internal server to the external one.

-Shawn
Received on Tuesday, 24 November 2009 19:45:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 30 April 2012 19:51:55 GMT