Here are two internet domains: ee.co.uk and ee.co.uk.billing-update-jan02[.]info. They look alike, don’t they? You might even think they belong to the same domain.
However, the second domain is actually an alarming example of a new way to phish unsuspecting victims: scammers have been incorporating the current date into their malicious internet domains to help them spoof legitimate websites.
On Friday, UK-based computer expert Terence Eden blogged about the malicious domain after a scammer sent his wife a phishing attack in the form of a text message. The text pretended to come from local mobile carrier EE and said: “We were unable to process your latest bill. In order to avoid fees, update your billing information via https://ee.co.uk.billing-update-jan02[.]info domain.”
(The spoofed domain contains a lookalike login page for EE.)
Fortunately, Eden’s wife does not have an EE account, so she wasn’t fooled. Nevertheless, he was surprised that the URL contained the letters “jan02,” which was the date the text message was sent to his wife. This made the message look even more convincing, since EE’s official domain is ee.co.uk.
“If you’re stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be? A quick look at the (URL) shows a trusted domain at the start—followed by today’s date,” he wrote in his blog post.
But in reality, ee.co.uk.billing-update-jan02[.]info is an entirely separate domain. The telltale sign is the “.info” at the end: the registered domain is billing-update-jan02[.]info, and the “ee.co.uk” at the start is just a subdomain that whoever registered it was free to choose. An unsuspecting victim could easily overlook the ending, focus on the familiar “ee.co.uk” at the start of the URL, and assume the domain to be legit.
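The check described above, written out as an added example that is not part of the original article: it reads the registrable domain from the right-hand end of a hostname and flags hosts whose attacker-chosen prefix labels merely embed a trusted name. The tiny public-suffix table and the trusted-domain set are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org); a real check should load the full list.
PUBLIC_SUFFIXES = {"uk", "co.uk", "info", "com"}

# Assumption: the brand domains the defender wants to protect.
TRUSTED_DOMAINS = {"ee.co.uk"}


def hostname_of(url_or_host: str) -> str:
    """Extract a lowercase hostname from a URL or bare host; undo '[.]' defanging."""
    text = url_or_host.strip().replace("[.]", ".")
    if "://" not in text:
        text = "//" + text          # let urlsplit treat a bare host as a network path
    host = urlsplit(text).hostname
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return host.lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Return the registrable part: the longest matching public suffix plus one label."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # i = 0 tests the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])           # unknown TLD: assume a one-label suffix


def lookalike_verdict(url_or_host: str) -> dict:
    """Classify as trusted (the brand or a real subdomain of it), lookalike (the
    brand name appears only in attacker-controlled prefix labels), or unrelated."""
    host = hostname_of(url_or_host)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return {"host": host, "registrable": reg, "verdict": "trusted", "spoofs": []}
    # Everything left of the registrable domain is chosen by whoever registered it.
    prefix = host[: -len(reg) - 1] if host != reg else ""
    spoofs = sorted(t for t in TRUSTED_DOMAINS if f".{t}." in f".{prefix}.")
    verdict = "lookalike" if spoofs else "unrelated"
    return {"host": host, "registrable": reg, "verdict": verdict, "spoofs": spoofs}
```

Run against the text from the article, `lookalike_verdict("https://ee.co.uk.billing-update-jan02[.]info")` reports the registrable domain as billing-update-jan02.info and the verdict as lookalike, while a genuine subdomain such as login.ee.co.uk is reported as trusted.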
Not helping matters is that the malicious domain obtained an SSL certificate from Let’s Encrypt, a non-profit certificate authority. As a result, the domain serves an encrypted https:// connection, which can also fool users into thinking it’s a scam-free site.
“Money and technical expertise used to be strong barriers to prevent people from registering scam domains. But those days are long gone. There are no technical gatekeepers to keep us safe. We have to rely on our own wits,” Eden added.
The good news is that browsers have already flagged ee.co.uk.billing-update-jan02[.]info as a malicious domain, and will warn users not to visit it. However, the domain itself is still up. If you do visit it, you’ll see a lookalike, but fake login page for EE, which is likely designed to steal your email address and password. Let’s Encrypt didn’t immediately respond to a request for comment on why the domain was granted an SSL certificate.