How do scammers hide their sites on the Internet?

CarderPlanet

This article was written for educational purposes only. We are not calling on anyone to do anything; it is provided for information purposes only! The author is not responsible for your actions.

When analyzing fraudulent sites, you sometimes marvel at the ingenuity of crooks: one offers you free pizza, another morgencoins... There are also resources that you cannot immediately tell are fraudulent: these sites simply collect contacts so that later, once a database has been built, everyone in it can be scammed at once. However, before you can thoroughly study a site created by Internet crooks, you first need to find it. We will now talk about search methods and about how scammers hide their resources on the network.

It happens that a company or a bank's Internet security service receives a complaint about a particular site, which becomes the reason for an investigation. We will not consider that case here; instead, let us assume that an infosec specialist wanted to earn a bonus and decided to find malicious sites on his own.

The easiest way involves the following simple steps:
  • download the list of domains registered over the past few months in the .ru zone from the Domains.ihead.ru website (the list contains domains registered over the last three months);
  • look for domains similar to the official domains of large companies and banks;
  • visit the site and see what is there;
  • if a fraudulent resource is detected, submit a request to the registrar to block the domain, complain to the hoster, or set up a firewall rule to block such resources in your own perimeter.
A more advanced option is to use home-made or commercial scanners that automatically crawl the Internet. Everything seems simple, but the described method does not always work. Why is it sometimes difficult to find a fraudulent website? There are usually several reasons.

SIMILAR SPELLING

If, for example, you select domains containing the word gaz from the list of all domains, you will not find the domain gaazprom.ru, but the Dnstwist utility from Kali will help you find it. You can also use the online services Dnstwist or Dnstwister.report.

Dnstwist generates six different kinds of misspelling of the original domain and checks which of the resulting names are registered. For example, 2270 variants were generated and tested for the official gazprom.ru; 38 of these domains turned out to be registered.

Results of checking the gazprom.ru domain in the dnstwist.it service

Now let's check what is actually hosted on this very gaazprom.ru.

An example of the content of a fraudulent site: 14 free places, you must grab one!

SUBDOMAIN

Everything is simple here. If we scan the site openstockinvest.cyou, we will not see anything. But if we go to the subdomain hxxp://bussiness.openstockinvest.cyou, we will suddenly find a fraudulent landing page.

Fraudulent site on subdomain.

COMFORT ZONE

Often, the search for fraudulent sites is limited to checking domains in the .ru zone. If you do this, you will miss sites registered in 1555 other domain zones. Likewise, Dnstwist does not generate domains in all possible zones, which leaves part of the potential catch outside our field of view.

You need to get all the domains. For example, at Domains-monitor.com you can download a list of 250 million registered domains. The service costs $7 for 24-hour access.

Service with a list of registered domains domains-monitor.com
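To show why a plain "contains gaz" filter misses gaazprom.ru while a permutation generator finds it, and why the candidate list has to be expanded across zones other than .ru, here is a small dnstwist-style lookalike finder. This is an added example, not code from the original post and not dnstwist's own implementation; the registered-domain list, the homoglyph table and the keyboard-adjacency table are constructed stand-ins for a downloaded zone export.

```python
# Constructed stand-in for a downloaded registered-domain list (e.g. the .ru
# export or the Domains-monitor.com dump); every name here is made up.
REGISTERED = {
    "gazprom.ru", "gaazprom.ru", "gzprom.ru", "gasprom.ru", "gazpr0m.net",
    "gazprom-invest.cyou", "openstockinvest.cyou", "bank-example.ru",
}

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "s": "5", "a": "4", "e": "3"}
NEIGHBOURS = {"z": "xs", "a": "qs", "o": "ip", "m": "n"}  # tiny keyboard-adjacency table

def substring_hits(keyword, registered):
    """The naive filter from the article: domains that merely contain the keyword."""
    return sorted(d for d in registered if keyword in d)

def permutations(label):
    """Six dnstwist-style edits of one label (the part before the TLD)."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                       # omission
        out.add(label[:i] + ch + label[i:])                      # repetition
        if i + 1 < len(label):                                   # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:                                     # homoglyph
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        for c in NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + c + label[i + 1:])               # replacement
            out.add(label[:i] + c + label[i:])                   # insertion
    out.discard(label)
    return out

def candidates(domain, extra_tlds=("com", "net", "cyou")):
    """Spellings of `domain` in its own zone plus extra zones (the 'comfort zone' point)."""
    label, _, own_tld = domain.partition(".")
    tlds = dict.fromkeys((own_tld,) + tuple(extra_tlds))       # ordered, de-duplicated
    names = {label} | permutations(label)
    return {f"{n}.{t}" for n in names for t in tlds} - {domain}

def lookalikes(domain, registered, extra_tlds=("com", "net", "cyou")):
    """Candidates that actually appear in the registered-domain list."""
    return sorted(candidates(domain, extra_tlds) & registered)

if __name__ == "__main__":
    print("substring 'gaz':", substring_hits("gaz", REGISTERED))
    print("lookalikes:", lookalikes("gazprom.ru", REGISTERED))
```

Note that the hyphenated gazprom-invest.cyou is not produced by these six edits, which is exactly the kind of gap that makes the full registered-domain list worth scanning on its own.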

PARASITES

By analogy with wildlife, a virtual parasite uses other people's resources in order to live as long as possible and remain unnoticed. Most often, a harmless site is hacked for this purpose and a malicious one is uploaded into one of its subdirectories.

Hacked website of a commercial firm.

NEIGHBORS

By this method, I mean the placement of fraudulent sites on "foreign" resources. For example, hxxps://gatrade.turbo.site: in this case, the web page was created in the site builder from Yandex.

Sites created on quiz platforms (online survey builders) can also be placed in this category. An example of a fraudulent survey that I found earlier no longer works; only traces of it remain in Google.

INSIDE

This is another way to hide a fraudulent site from security scanners. If you follow the link hxxps://invest-it.live, you will be redirected to Google, while the fraudulent page itself is located "inside" the site, at hxxps://invest-it.live/russian-platform.

CLOAKING

This term denotes the substitution of site content depending on the technical characteristics of the visitor. For example, if we go to the address hxxp://gazpromrekl.ru from a Ukrainian IP, we will see a fraudulent site.

And if we go there from any other IP, we will be shown a store that sells houses for cats.

An example of substitution of content depending on the visitor's IP.
By the way, this very gazpromrekl.ru sometimes glitches, and when entered from a Russian IP it shows the site of some web studio. It looks like the guys are additionally monetizing their skills. Cloaking is also used on social networks, including to bypass moderation (and we wonder why the moderators let obviously fraudulent content through: they were simply deceived by technical means).

When a moderator visits 5000-privitum-podarok.ru from his European (or Indian) IP, he is shown one site; if you go there from the IP of one of the CIS countries, the content is completely different.

Different content depending on the visitor's IP.
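A defender can catch cloaking of the kind described above by requesting the same URL under several client profiles and diffing the text a visitor would actually read. The following checker is an added example, not code from the original post; the header profiles and the two sample HTML bodies are constructed, and a real check must additionally fetch from different network vantage points because the sites above key on the visitor's IP rather than on headers.

```python
import re
import urllib.request
from difflib import SequenceMatcher

# Header profiles a checker can present (constructed values). Cloakers that key
# on geo-IP, as in the article, also need the page fetched from several vantage
# points (a network or VPN exit in each region being compared).
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "Accept-Language": "en"},
    "ru":      {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)", "Accept-Language": "ru-RU,ru"},
    "ua":      {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)", "Accept-Language": "uk-UA,uk"},
}

def fetch(url, headers, timeout=10):
    """Fetch one page with one header profile (network call; not used in the tests)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def visible_text(html):
    """Drop scripts/styles and tags, collapse whitespace, lowercase: what a visitor reads."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return " ".join(text.split()).lower()

def similarity(html_a, html_b):
    return SequenceMatcher(None, visible_text(html_a), visible_text(html_b)).ratio()

def cloaking_report(pages, threshold=0.6):
    """pages: {profile: html}. Returns (profile, profile, ratio) for pairs that differ."""
    names = sorted(pages)
    report = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ratio = similarity(pages[a], pages[b])
            if ratio < threshold:
                report.append((a, b, round(ratio, 2)))
    return report

# Constructed sample bodies standing in for responses captured under each profile.
CAT_STORE = ("<html><head><title>Cat houses</title><style>body{margin:0}</style></head>"
             "<body><h1>Cozy houses for cats</h1><p>Wooden cat houses, delivery across the city.</p></body></html>")
SCAM_PAGE = ("<html><head><title>Gazprom investments</title></head><body><h1>Invest in Gazprom shares</h1>"
             "<p>Only 14 free places left, register now!</p><script>track()</script></body></html>")
SAMPLE = {"crawler": CAT_STORE, "ru": CAT_STORE, "ua": SCAM_PAGE}

if __name__ == "__main__":
    # Live use: pages = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    print(cloaking_report(SAMPLE))
```

Any pair reported with a low ratio is a candidate for manual review; identical pages across all profiles and vantage points are the expected result for an honest site.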

CONCLUSIONS

The listed methods of placing fraudulent sites do not exhaust the entire arsenal used by crooks. There is a whole business of selling ready-made landing pages and copies of the sites of well-known companies and banks, as well as affiliate programs aimed at organizing scams.

Therefore, only two methods of combating fraud are truly effective: technical blocking of what you have managed to find (if you are an information security or IT specialist), and training employees, relatives and friends in information security rules. That training switches on the user's "brainfirewall", which works much better than all the technical tools combined.