Attackers abusing trusted domain names
Researchers from Finjan Inc.'s Malicious Code Research Center (MCRC) say hackers are using a loophole in the domain name registration process to circumvent Web site blockers and prolong the duration of their attacks.
Hackers are buying domain names made to look as though they belong to legitimate companies but contain hard-to-notice spelling errors. Users who miss the misspellings could find themselves on a Web page designed to infect their machines with malware, Finjan CTO Yuval Ben-Itzhak said in an interview Thursday. The MCRC came across the trick in October when searching for popular services with a slight change of the top-level domain.
Such spoofing tactics are popular among phishers, and the increased abuse of domain names led to the creation of an organization to fight it earlier this year.
In one case, the researchers found a site taking advantage of a domain name similar to a legitimate popular service, laced with malicious code designed to download and execute a Trojan on the victim's machine. The malicious code itself is located on the abused domain name, Ben-Itzhak noted. The malicious site was still active as of Oct. 28, he said.
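A defender-side check for the two tricks described above (a hard-to-notice misspelling, or the same name under a different top-level domain), added here as an example and not taken from Finjan's research. The trusted list, the sample hostnames and the function names are assumptions made for illustration.

```python
# Added example: flag hostnames (e.g. from proxy or DNS logs) that imitate a trusted domain.
# TRUSTED is a constructed allowlist; replace it with the services your users rely on.
TRUSTED = {"example.com", "examplebank.org"}

def split_domain(host):
    """Naive split into (label, tld) from the last two labels.
    Assumption: single-label TLDs only; production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2], parts[-1]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent characters swapped ("exmaple" vs "example") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host, trusted=TRUSTED):
    """Return (verdict, trusted_domain_it_resembles)."""
    sd = split_domain(host)
    if sd is None:
        return ("unknown", None)
    label, tld = sd
    if f"{label}.{tld}" in trusted:
        return ("trusted", f"{label}.{tld}")
    for t in sorted(trusted):
        t_label, _ = split_domain(t)
        if label == t_label:
            return ("tld-swap", t)          # same name, different top-level domain
        if osa_distance(label, t_label) == 1:
            return ("misspelling", t)       # one-character slip in the name
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample hostnames.
    for h in ["www.example.com", "example.net", "exmaple.com", "examplebenk.org", "unrelated.io"]:
        print(h, classify(h))
```

An "unknown" verdict only means the name does not resemble anything on the allowlist; it says nothing about whether the site is safe.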