Facebook is giving legitimate website owners a way to fish out phishing scams.
The social network announced at its F8 annual developer conference in San Jose, Calif., Wednesday that it is extending the capabilities of its Certificate Transparency Monitoring tool to alert website owners when their sites are spoofed.
Security engineer David Huang and software engineers Bartosz Niemczura and Amy Xu said in a blog post that Certificate Transparency Logs keep records of all valid security certificates issued by publicly trusted authorities, and the social network’s Certificate Transparency Monitoring tool will now send alerts when new certificates are issued for potential phishing domains.
They added, “Every time a new certificate appears in any public Certificate Transparency Log, our tool analyzes the domains specified by the certificate for phishing attempts by taking into consideration the most common spoofing techniques. If it suspects that the domain is likely associated with phishing, it can notify subscribers of the tool for the legitimate domain by sending email, push or on-site notifications, depending on their preference.”
The three engineers also outlined the ways scammers make their phishing sites appear legitimate, using Facebook.com as an example:
Homograph attacks, or using different characters to create malicious domains that resemble legitimate domains:
- faceb00k.com: Both letter “o”s in “facebook” are replaced with the digit zero.
- facebook.com: The letter “о” is actually the Cyrillic small letter “o” (0x43E), not the Latin “o” (0x6F).
Combining recognizable brand names with other keywords to create fake domains (also known as combo squatting):
- helpdesk-facebook.com
- facebook.com-legit.com
Taking advantage of mobile devices’ smaller screens that cannot display full domains:
- facebook.com.long.subdomain.that.will.not.be.fully.shown.on.mobile.devices.com
Typo-squatting, or common misspellings and typos:
- faecbook.com
- faceboook.com
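As an added illustration (not code from Facebook's tool or from the engineers' post), the following Python script applies the four spoofing patterns listed above to a constructed list of domain names of the kind that would appear in a certificate's subject alternative names in a CT log. It assumes a monitored brand name and legitimate domain, uses a tiny hand-built lookalike table rather than the full Unicode confusables data, and approximates the registrable domain as the last two labels instead of consulting the Public Suffix List; real monitoring would replace both simplifications.

```python
import unicodedata

# Constructed sample of names as they might appear in a CT log entry's SAN
# list. These are illustrative strings, not real log records.
SAMPLE_CT_DOMAINS = [
    "facebook.com",
    "faceb00k.com",
    "faceb\u043eok.com",  # Cyrillic small letter o (U+043E) in place of Latin o
    "helpdesk-facebook.com",
    "facebook.com-legit.com",
    "facebook.com.long.subdomain.that.will.not.be.fully.shown.on.mobile.devices.com",
    "faecbook.com",
    "faceboook.com",
    "example.org",
]

BRAND = "facebook"            # assumed monitored brand
LEGIT_DOMAIN = "facebook.com" # assumed legitimate domain

# Hand-picked subset of visually confusable characters (digits and Cyrillic
# letters that resemble Latin ones). A production tool would use the full
# Unicode confusables table (UTS #39) instead of this constructed map.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def to_unicode(domain):
    """CT logs store IDNs as punycode (xn--...); decode them to Unicode."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already in Unicode form


def skeleton(text):
    """Fold a name to its 'looks like' ASCII form for homograph comparison."""
    return unicodedata.normalize("NFKC", text).lower().translate(CONFUSABLES)


def registrable(name):
    """Naive eTLD+1: last two labels (assumption; no Public Suffix List)."""
    return ".".join(name.split(".")[-2:])


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(domain, brand=BRAND, legit=LEGIT_DOMAIN):
    """Return the spoofing pattern a name matches, or None if it looks benign."""
    name = to_unicode(domain).rstrip(".").lower()
    if name == legit:
        return None
    reg = registrable(name)
    # Homograph: after folding lookalike characters the registrable domain
    # is identical to the legitimate one (faceb00k.com, Cyrillic o).
    if reg != legit and skeleton(reg) == legit:
        return "homograph"
    # Subdomain abuse: legitimate domain used as a leading subdomain of an
    # unrelated registrable domain, relying on truncated mobile address bars.
    if reg != legit and name.startswith(legit + "."):
        return "subdomain-abuse"
    # Combosquatting: brand name embedded in a different registrable domain.
    if reg != legit and brand in name:
        return "combosquatting"
    # Typosquatting: second-level label within two edits of the brand.
    sld = reg.split(".")[0]
    if sld != brand and osa_distance(skeleton(sld), brand) <= 2:
        return "typosquatting"
    return None


def scan_ct_domains(domains, brand=BRAND, legit=LEGIT_DOMAIN):
    """Map each suspicious name to its pattern; benign names are omitted."""
    findings = {}
    for d in domains:
        verdict = classify(d, brand, legit)
        if verdict:
            findings[d] = verdict
    return findings


if __name__ == "__main__":
    for name, verdict in scan_ct_domains(SAMPLE_CT_DOMAINS).items():
        print(f"{verdict:16} {name}")
```

The checks run in a fixed order (homograph, subdomain abuse, combosquatting, typosquatting) so that each name gets one verdict; `www.facebook.com` and the legitimate domain itself fall through every check and return `None`, which is the behaviour a subscriber would want so that their own certificate renewals do not raise alerts.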
Huang, Niemczura and Xu cautioned, “To make their malicious domains look more credible, attackers nowadays even obtain valid TLS certificates for them. Due to the presence of a valid security certificate, browsers may display a ‘secure’ indicator—a green padlock and/or the word ‘secure’—for a phishing website. These browser security indicators correctly indicate a secure, encrypted connection, but that doesn’t stop the phishing website from tricking people into sharing their information.”
Finally, they shared these steps that legitimate website owners should take to protect their websites and domains if they receive notifications that someone is trying to impersonate their sites:
- Reach out to domain registrars to suspend bad domains in case of intellectual property infringement.
- Reach out to browser vendors to blacklist bad domains and display user interface warnings indicating deceptive websites.
- Reach out to the relevant certificate authority to revoke certificates for the phishing domain, if possible.
- Educate people who use your service in case of an attack to increase their vigilance.