Cutesy Domain Names Make Online Fraud Easier

[izopod]

http://boston.internet.com/news/article.php/2225461

June 20, 2003
By Susan Kuchinskas

The sting that hit electronics retailer Best Buy (Quote, Company Info) on Wednesday hinged on a simple trick: e-mailing a link that seemed to go to the electronics retailer's site.

Instead, the click-through went to a phony look-alike where users were asked for vital personal information including credit card and social security numbers.

The debacle now has some concerned that online merchants make it even easier for fraudsters to hustle people with the redirect dodge by using odd domain names or using more than one. Best Buy's plight already has the sector rethinking their strategies.

"Businesses should stick with their key brand domain names," says Internet security expert Dave Nielsen, who operates the consumer information Website fightidentitytheft.com. "It's a bad idea to use cute domains for a promotion."

For example, Citibank uses the perfectly straightforward Citibank.com; however, its online marketing uses citicards.com - even though the user is automatically taken to Citibank.com.

Unfortunately, making changes is not so easy. A business may use an unfamiliar domain name because the most logical one is already taken, or because an outside company is handling registration or promotions, says content security consultant James Sinclair of Adhaero Technologies. He cites the example of United Airlines' Web site: www.ual.com. The airline owns United.com, but not united.biz nor united.net.

"They can't buy up every possible permutation," Sinclair told internetnews.com.

Still, Sinclair asks, does it have to redirect people who click on promotional offers to the very spammy-looking www.ua2go.com?

There's a similar dilemma with Sunnyvale, Calif.-based Internet media giant Yahoo! (Quote, Company Info). Sinclair says Yahoo!'s practice of using naming conventions such as dailynews.yahoo.com and biz.yahoo.com is confusing enough that for the most part, users have easily accepted it as legitimate. While keeping domain name usage consistent may help, Sinclair says there are plenty of other tactics that can be used to deceive users. That is especially true when tricksters put the real business domain name in front of the @, followed by the IP address of the crooked site. When they see http://News.yahoo.com_:_daily_news@66.39.52.192, for example, Sinclair says many users assume they must be going to Yahoo's servers.

While there are hordes of vendors consulting on network security, merchants have few resources when it comes to finding the best practices for organizing their e-commerce, e-mail and online customer support operations.

The , which lets victims file complaints electronically, has a single page of tips for consumers but no info at all for businesses. An FBI spokesperson did not return repeated calls, and a staffer at the FBI's press center could not identify any other resources available for merchants.

The non-profit Merchant Risk Council, established in 2000, (Its website whose URL doesn't match the organization's name) shows no evidence of activity by the group since early 2002, and it could not provide a spokesperson.

The leisurely pace of these organizations is no match for the speed of Internet hucksters, according to Nielsen and the response of businesses when they've been hit is often not much better.

"Something like [the Best Buy scam] only needs a day for the damage to be done," says Nielsen. "The old methods don't hit the mark."

Best Buy's e-mail warning to customers arrived in his inbox this morning, nearly two days after the company became aware of the problem. Nielsen calls that "weak."

[izopod]

Generic Names vs "Spammy" looking names.... I'll click on the one-word "Generic" name everybody "knows" every time.

Is the "keyword" strategy I've been harping on the last few weeks starting to make sense?

www.StartYourRetirement.com

or

www.Retirement.ws


There's more!

www.GetCreditProtection.com

or

www.Protection.biz

However

www.Banking.com

vs

www.Banking.biz

(If the two words are exactly the same, then the emphasis on whether i'd click on the domain would shift to the TLD===Believe or not I'd click on the Generic.com first...Old habits are hard to break!! However I would also go to the .biz as it does "look" legitimate)

[dtobias]

I've been saying for quite a while that companies would be better off using logical subdomains rather than cutesy marketing gimmick domains, with protection against fraud being one big reason... I'm glad somebody in the mainstream press is finally realizing it.

See my comments at:
http://domains.dan.info/structure/subdomains.html

[izopod]

From your Dan.info site:

>>>>Note: It actually would be very much to the advantage of companies and organizations doing business on the Internet for them to use the hierarchical structure of domains and to educate the public in the meaning of this structure. That would help "immunize" people to scams in which people mislead others into thinking they represent a trusted organization by registering domain names that look like they might belong to that organization.<<<<

Nice to see someone advocating a solution even before the mainstream press picks up on it. Way to go Dan!

Originally posted by dtobias
I've been saying for quite a while that companies would be better off using logical subdomains rather than cutesy marketing gimmick domains, with protection against fraud being one big reason... I'm glad somebody in the mainstream press is finally realizing it.

See my comments at:
http://domains.dan.info/structure/subdomains.html