This intriguing mass registration of .fr domain names



What is this Internet user trying to do? According to civil defense engineer Nicolas Pawlak, one person registered nearly a thousand .fr domain names on July 20. The addresses fall under typosquatting, such as c0nforama.fr or ca-centtreloire.fr, and they account for almost a third of the domain names filed that day.

“What struck me here is the particularly massive nature,” Nicolas Pawlak, who has been monitoring domain name registrations for about two years in a private capacity, explains to Zdnet.fr. The list of typosquatted domain names, which mixes references to media, e-commerce and even institutional sites, was revised upwards on Monday, July 25, with 184 new domain names noted.

The silent registrant

The mechanisms of typosquatting, a way of trying to deceive Internet users with a URL close to the legitimate address, are now well known. As the French company Tehtris points out, this social engineering technique can “seem simple and sometimes harmless”. However, it lets an attacker collect personal information, can lead to the installation of malicious extensions, and can cause targeted entities to lose opportunities or suffer damage to their image.

A sign of the public authorities' concern on this subject: Guillaume Poupard mentioned this modus operandi at the last International Cybersecurity Forum (FIC). The director general of Anssi suggested taking inspiration from the British Active Cyber Defence, the service of the National Cyber Security Centre that offers free tools and services, for example by developing a tool to fight typosquatting.

For the moment, it is obviously impossible to know the purpose of these recent registrations. We have not had a response to our email sent to the registrant. “It is highly likely that these mass reserved domains will have a malicious use, such as phishing, in the more or less short term”, Nicolas Pawlak, a system administrator at the Ministry of the Armed Forces, nevertheless points out on LinkedIn.

But, as another French cybersecurity specialist remarked on Twitter, bulk domain name registration can be used for many other malicious actions beyond simple phishing. Phishing itself does not necessarily need to rely on a squatted domain name.
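As an added example (not code from the article, Afnic, Anssi or Nicolas Pawlak), this Python shows how someone monitoring a registration feed could flag look-alikes of watched names such as the two quoted above. The watchlist entries, the digit-to-letter table, the distance limits and the sample feed are assumptions constructed for illustration.

```python
# Added example: flag newly registered names that imitate watched domains.
# Assumptions: WATCHLIST holds the legitimate names the article's two examples
# appear to imitate; SAMPLE_FEED is constructed, not real registration data.
WATCHLIST = ["conforama.fr", "ca-centreloire.fr"]
SAMPLE_FEED = ["c0nforama.fr", "ca-centtreloire.fr", "conforama.fr",
               "example-unrelated.fr"]

# Digits often substituted for letters (illustrative, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label):
    """Lowercase a label and map digit look-alikes back to letters."""
    return label.lower().translate(LOOKALIKES)

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def flag_lookalikes(feed, watchlist):
    """Return (registered, imitated, reason) for each suspicious name."""
    hits = []
    for domain in feed:
        label, _, zone = domain.lower().partition(".")
        for brand in watchlist:
            b_label, _, b_zone = brand.lower().partition(".")
            if zone != b_zone or label == b_label:
                continue  # other zone, or the legitimate name itself
            # Short names collide by chance, so allow fewer edits for them.
            limit = 2 if len(b_label) >= 8 else 1
            dist = osa_distance(normalize(label), normalize(b_label))
            if dist <= limit:
                reason = "homoglyph" if dist == 0 else f"edit distance {dist}"
                hits.append((domain, brand, reason))
    return hits

if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_FEED, WATCHLIST):
        print(*hit, sep="  ")
```

A hit is only a lead for review: close names can be registered legitimately, and the limits trade missed look-alikes against false positives.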

Domain names frozen

Be that as it may, it is very likely that this ongoing registration of domain names will not really have a future. Contacted by Zdnet.fr, Afnic (French association for internet naming in cooperation) says it has identified the maneuver in progress. The registered domain names have already been frozen (they cannot be assigned or transferred) pending further information. According to the association, the German registrar Key-Systems, which was used by the Internet user, is also studying the situation.

In concrete terms, Afnic, alerted by third parties, asked the applicant for proof of his identity. If this person does not respond within seven days, the domain name registrations will be deleted. If, on the contrary, the applicant produces the expected supporting documents, this will facilitate subsequent actions.

For example, the Directorate General for Competition, Consumer Affairs and Fraud Prevention could request the deletion of domain names in the event of an infringement. Structures that may consider themselves harmed by these filings could also request the disclosure of the holder’s data to initiate their own formal notices.

“Scammers rarely leave their business card, which allows us to block them and remove domain names,” Pierre Bonis tells Zdnet.fr. “The good news is that there are fewer attempts than at one time,” adds the CEO of Afnic. Even so, the game of combinations offers swindlers a significant number of possibilities. That is reason enough for Internet users to remain vigilant about domain names.




