Phisher-Friendly

The impending addition of new alphabets to Internet domain names may be a boon for phishers, The Times of London reported last week.

Today domain names are written in Roman characters regardless of the language used on a Web site. The planned addition of non-Roman character sets could be exploited by scammers putting up spoof Web sites, the article said.

Spoof sites aim to steal financial data by impersonating a legitimate bank or retail Web site. If the ruse is convincing enough, visitors may be tricked into typing in their credentials. Banks have since gotten more aggressive about registering domain names similar to their own (a practice that a 2005 "Jeopardy!" contestant named Morgan Chase said prompted JPMorgan Chase & Co. to ask to take over his personal Web site). But in the early days of phishing, scammers commonly tried to deceive people with domain names that closely resembled established ones. PayPal Inc. executives have said that scammers once used the Web site paypa1.com (with the numeral "1" in place of the final "l") because it looked identical to PayPal's actual domain name in browsers' address bars.

According to the Times article, PayPal could again be a target if someone used Cyrillic (Russian) letters that look like Latin ones to spell out a domain that reads as "paypal.com" on screen but is an entirely different name to the domain name system.

Charlie Abrahams, a vice president with the San Francisco brand-protection firm MarkMonitor Inc., told the Times that "the risk for general brand abuse is going to increase exponentially" once these new character sets are allowed by the Internet Corporation for Assigned Names and Numbers.
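What makes the lookalike dangerous is that the browser's address bar shows the Unicode letters while the name actually registered is an ASCII "punycode" string. The following is an added example, not code from the Times article or from MarkMonitor; it shows how a brand-protection or mail-filtering check can expose the trick by (a) encoding the name the way the domain system sees it, (b) flagging a label that mixes Latin and Cyrillic letters, and (c) folding Cyrillic lookalikes to the Latin letters they resemble and comparing the result against protected brands. The confusable map and the `PROTECTED` set are small hand-picked constructions for the example, not the full Unicode confusables table.

```python
import unicodedata

# Constructed mapping of Cyrillic letters that render like Latin ones
# (a small hand-picked subset, not the full Unicode confusables table).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Brand domains to protect; a constructed list for this example.
PROTECTED = {"paypal.com"}


def scripts_in(label):
    """Return the set of scripts used by the letters in one DNS label,
    derived from the Unicode character name, e.g. {"LATIN", "CYRILLIC"}."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(domain):
    """Fold confusable Cyrillic letters to the Latin letters they resemble,
    so two visually identical domains produce the same string."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in domain.lower())


def analyze(domain):
    """Describe a domain the way a phishing filter would want to see it."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # The resolver and the registry see this ASCII form; the user does not.
    punycode = domain.encode("idna").decode("ascii")
    mixed = [lb for lb in labels if len(scripts_in(lb)) > 1]
    skel = skeleton(domain)
    return {
        "domain": domain,
        "punycode": punycode,
        "is_idn": punycode != domain,
        "mixed_script_labels": mixed,
        "skeleton": skel,
        # A skeleton that equals a protected brand, while the real name does
        # not, is the homograph case the column describes.
        "impersonates": skel if skel in PROTECTED and skel != domain else None,
    }


if __name__ == "__main__":
    # "\u0430" is CYRILLIC SMALL LETTER A; on screen the second name is
    # indistinguishable from the first.
    for d in ["paypal.com", "p\u0430ypal.com"]:
        print(analyze(d))
```

The mixed-script check alone is not enough: a label written entirely in Cyrillic lookalikes has a single script and passes it, which is why the skeleton comparison against a brand list is the check that actually catches the impersonation.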

Put It to the Test

There's a growing business in helping programmers determine if their password-stealing programs can fly under the radar of standard antivirus applications.

Virus-testing Web sites come in two flavors, Brian Krebs wrote on his KrebsonSecurity.com blog last week. One kind, meant to protect users who suspect they've discovered a new virus, sends its results to the antivirus community to protect the Internet from infected files; the other kind, aimed at virus developers, promises the exact opposite.

Sites like av-check.com and virtest.com "bank on the guarantee that they won't share your results with the antivirus community," Krebs wrote.

For $40 a month, or $1 per file, av-check.com says it will determine whether a file can be detected by 22 popular antivirus products — and keep its findings private.

Virtest.com promises to keep the antivirus engines it runs from reporting their findings back to the companies that wrote them, so that scan results are not leaked even by accident.

"The proprietors of these services don't even try to hide the fact that they have built it for malware writers," Krebs wrote.

The Password Is No

"Star Trek" may be a great movie franchise, but it is not a great password.

It is one of several hundred phrases that Twitter Inc. has banned as passwords. An exhaustive list of banned passwords — including some movie references, like "startrek" or "matrix," as well as references to sports or sex — is coded into the sign-up page for Twitter accounts. And yes, "twitter" is also a password the company deemed too obvious for use.

Several Internet sites, including TechCrunch.com and Consumers Union's "The Consumerist" blog, have uploaded parts of the list. TechCrunch said last week that "it's helpful to distribute the list so you can check if your favorite password that you use for other services might not be as fail-proof as you'd like to think."

Other weak passwords on the list include the word "password," various proper names and movie references like "starwars" and "topgun."

Oddly, "Enterprise" did not make the list, but the fictional starship's registry number, "ncc1701," did. And it seems few Marx Brothers fans use Twitter — "swordfish" is also absent from the list.
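A banned-password list is only as good as the comparison behind it: a literal match rejects "startrek" but waves through "Star Trek", "5tarTrek2010" or "NCC-1701". The following is an added example, not Twitter's code or its list; it uses only the entries the column names as a constructed stand-in for the several-hundred-entry list, and normalizes a candidate password (case, punctuation, trailing digits and common digit-for-letter substitutions) before the lookup, the same folding a cracker's wordlist rules would apply.

```python
import re

# Subset of the banned list named in the column; constructed stand-in for
# the full several-hundred-entry list Twitter uses.
BANNED = {
    "password", "twitter", "startrek", "matrix",
    "starwars", "topgun", "ncc1701",
}

# Common digit/symbol-for-letter substitutions that wordlist rules undo.
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def candidates(password):
    """Return the set of normalized forms a password collapses to, so the
    lookup catches 'Star Trek', 'P@ssw0rd!' and 'startrek2010' as well as
    the literal banned string."""
    p = password.lower()
    p = re.sub(r"[^a-z0-9@$!]", "", p)          # "star trek" -> "startrek"
    forms = {p}
    stripped = re.sub(r"[\d@$!]+$", "", p)      # "startrek2010" -> "startrek"
    if stripped:
        forms.add(stripped)
    # Undo leet substitutions on each form; the raw form is kept too so that
    # genuinely numeric entries such as "ncc1701" still match.
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms


def is_banned(password):
    return any(form in BANNED for form in candidates(password))


if __name__ == "__main__":
    for pw in ["Star Trek", "5tarTrek2010", "NCC-1701", "P@ssw0rd!",
               "enterprise", "swordfish"]:
        print(f"{pw!r}: {'banned' if is_banned(pw) else 'allowed'}")
```

Normalizing before the lookup is what turns a list that only blocks the exact strings on TechCrunch's copy into a check that also blocks their obvious variants; the remaining weakness the column points out, that "enterprise" and "swordfish" are simply not on the list, is a coverage problem no amount of normalization fixes.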

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.