Phishing seems like a problem that will be here for the long haul, so I welcome any tools to combat it with open arms. Today Facebook announced one: a service for domain owners or concerned users that watches for sketchy versions of web addresses that might indicate a phishing attempt in the offing.
“The developer only needs to specify the domain name they care about and our tool will take care of the rest,” explained Facebook security engineer David Huang. “For example, if you subscribe to phishing alerts for a legitimate domain ‘facebook.com,’ we’ll alert you when we detect a potential phishing domain like ‘facebook.com.evil.com’ and other malicious variations as we see them.”
Hosting your phishing website as a subdomain of evil.com seems like kind of a giveaway. But there are subtler ways to fool people. If someone wanted to make you think that an email was coming from this website, for instance, they might register something like techcrunch-support.com or techcrunch.official.site and send it from there.
Small variations in spelling work, too: would you notice that an email came from techcruhch.com or techcrunoh.com if you were on your phone, walking down the street and trying not to be hit by people riding electric scooters? I think not. Back in the day even CrouchGear might have worked.
And lookalike characters that render differently inline are a strange new threat: whɑtsɑpp.com has the Latin letter alpha (ɑ, U+0251) instead of an a, and in its punycode form helpfully renders as xn--whtspp-cxcc.com. Look, I didn’t design the system. I just use it.
The tool looks for all these variations in domains it encounters by watching Certificate Transparency logs, the public record of certificates being issued to new domains. “We have been using these logs to monitor certificates issued for domains owned by Facebook and have created tools to help developers take advantage of the same approach,” reads the Facebook blog post. Nice of them!
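To make the three kinds of lookalike above concrete (a brand used as a label under someone else's domain, an affix or one-letter typo on the brand label, and an IDN homoglyph hiding behind punycode), here is an added example of the classification a certificate-log watcher would run over each subject name it sees. It is illustrative code written for this article, not Facebook's tool; it assumes the registrable domain is simply the last two labels (a real deployment would consult the Public Suffix List), uses a small constructed confusables table rather than the full Unicode confusables data, and the certificate names it scans are constructed samples.

```python
import codecs

# Constructed confusables table (a real watcher would load the Unicode
# confusables.txt); maps lookalike code points to their ASCII skeleton.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (the whɑtsɑpp case)
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
}


def decode_label(label: str) -> str:
    """Turn an A-label such as 'xn--whtspp-cxcc' back into its Unicode form."""
    if label.startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def normalize(domain: str) -> list[str]:
    """Lowercase, drop a trailing dot, and decode every label to Unicode."""
    return [decode_label(part) for part in domain.lower().rstrip(".").split(".")]


def skeleton(label: str) -> str:
    """Replace known confusables so a homoglyph label compares equal to ASCII."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(watched: str, candidate: str) -> str:
    """Label one certificate subject name relative to the watched domain.

    Returns 'clean', 'subdomain_abuse', 'homoglyph', 'affix' or 'typosquat'.
    Assumption: the registrable domain is the last two labels.
    """
    w = normalize(watched)
    c = normalize(candidate)
    brand = w[0]                      # e.g. 'facebook' from 'facebook.com'
    if c == w or c[-len(w):] == w:    # the domain itself or a genuine subdomain
        return "clean"
    if brand in c[:-2]:               # brand as a label under someone else's domain
        return "subdomain_abuse"      # facebook.com.evil.com, techcrunch.official.site
    sld = c[-2] if len(c) >= 2 else c[0]
    if sld != brand and skeleton(sld) == brand:
        return "homoglyph"            # whɑtsɑpp.com once the punycode is decoded
    if sld != brand and brand in sld:
        return "affix"                # techcrunch-support.com
    if levenshtein(sld, brand) <= 2:
        return "typosquat"            # techcruhch.com, techcrunoh.com
    return "clean"


def scan(watched: str, cert_names: list[str]) -> list[tuple[str, str]]:
    """Run classify() over names seen in a certificate stream; keep the hits."""
    hits = []
    for name in cert_names:
        verdict = classify(watched, name)
        if verdict != "clean":
            hits.append((name, verdict))
    return hits


if __name__ == "__main__":
    # Constructed sample of subject names as they would come out of a CT log.
    SAMPLE_CT_NAMES = [
        "www.techcrunch.com",
        "techcrunch-support.com",
        "techcrunch.official.site",
        "techcruhch.com",
        "example.org",
    ]
    for name, verdict in scan("techcrunch.com", SAMPLE_CT_NAMES):
        print(f"{verdict:16} {name}")
```

The order of the checks matters: a genuine subdomain of the watched domain is accepted before anything else, and the homoglyph test runs before the edit-distance test because a confusable substitution is also a distance-1 edit and would otherwise be reported as a mere typo. Like Facebook's service, this only produces alerts; what to do about a hit is left to the domain owner.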
Developers can sign up here and submit domains they’d like to monitor. Facebook won’t do anything but alert you that it detected something weird, so if there’s a false positive you don’t need to worry about getting kicked off your domain. On the other hand, if scammers are setting up shop at a doppelgänger web address, you’ll have to do the legwork yourself to get it shut down and warn your own users to be on the lookout.