What's in a domain name?

Filed Under: Malware, Microsoft

"It's time," I thought to myself this morning, "to upgrade to Internet Explorer 9."

To find out where to get it from, I Bing!ed "IE9".

As avid readers of Naked Security, we all know that bad guys are experts at search engine optimization. Tailoring page content to appear as highly-ranked results to trending search terms is an often-exploited way to ensnare unsuspecting victims.

So I was immediately wary of the first link on the page:

IE 9 search results on Bing

It rang all the bells for me.

Dong: my search term "IE9" is definitely a high-profile topic right now.

Ding: the link was to a domain that looked like it had been made up in an attempt to look genuine.

Bong: there was a much more official-looking link immediately underneath it.

Bing: it was offering an 'enhanced' IE9 - a blatant tactic to make me click it in preference to the boring, ordinary IE9 link below.

But still, I wondered how something linking to a fake Microsoft product download could have become a sponsored link on Microsoft's own search engine. I resolved to dig deeper.

IE 9 download page

The page immediately required me to download a new version of Flash. This didn't inspire confidence! However, the download link pointed back to a more recognizable Microsoft domain. Maybe it was genuine?

IE 9 download dialog

A whois search revealed that the domain ie9enhanced.com is in fact registered to Microsoft, and that the DNS records point to Microsoft's own DNS server. In short, all the real evidence suggests that this really is a Microsoft microsite, designed to use the launch of IE9 to promote MSN and Bing as well. So no problems, then?
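The registrant and nameserver check described above, sketched as an added example (not code from the original post). The WHOIS records, the `.example` names, the trusted nameserver zone and the `authoritative_answer` flag (standing in for a separate DNS query) are all constructed assumptions.

```python
import re

# Assumption: zones in which the brand is known to run its own nameservers.
TRUSTED_NS_ZONES = {"brand-dns.example"}

# Constructed WHOIS samples, not real lookups.
SAMPLE_WHOIS = """\
Domain Name: CAMPAIGN-MICROSITE.EXAMPLE
Registrant Organization: Brand Corporation
Name Server: NS1.BRAND-DNS.EXAMPLE
Name Server: NS2.BRAND-DNS.EXAMPLE
"""
LOOKALIKE_WHOIS = """\
Domain Name: CAMPAIGN-MICR0SITE.EXAMPLE
Registrant Organization: Brand Corporation
Name Server: NS1.CHEAP-HOSTING.EXAMPLE
Name Server: NS1.BRAND-DNS.EXAMPLE.CHEAP-HOSTING.EXAMPLE
"""

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lowercased value lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+?)\s*$", line)
        if m:
            value = m.group(2).lower().rstrip(".")
            fields.setdefault(m.group(1).strip().lower(), []).append(value)
    return fields

def ns_in_trusted_zone(ns, zones=TRUSTED_NS_ZONES):
    """Label-aligned suffix match: a substring test would accept lookalikes."""
    return any(ns == z or ns.endswith("." + z) for z in zones)

def assess(whois_text, expected_org, authoritative_answer):
    """Weigh the self-asserted registrant field against the delegation.

    authoritative_answer: whether the listed nameservers actually answer
    for the domain (constructed here; in practice a separate DNS query).
    """
    f = parse_whois(whois_text)
    org_match = expected_org.lower() in f.get("registrant organization", [])
    servers = f.get("name server", [])
    ns_match = (bool(servers) and authoritative_answer
                and all(ns_in_trusted_zone(s) for s in servers))
    if org_match and ns_match:
        verdict = "consistent with brand"
    elif org_match:
        verdict = "registrant claim only, unverified"
    else:
        verdict = "no brand evidence"
    return {"org_match": org_match, "ns_match": ns_match, "verdict": verdict}
```

The registrant sets both the WHOIS organization field and the NS records, so the delegation only counts as evidence when the brand's nameservers really answer for the domain.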

Well, not entirely. If you get a page full of results from a reputable search engine, you can be pretty sure that if you pick a URL from a recognized domain you'll end up on the right site. But domain lookalikes and typo squatting mean that you always have to be on your guard, particularly when links lead to file downloads.

The brief lines of text provided in search engine results make it hard enough for us to tell good sites from bad ones. When special-purpose domains for campaign microsites appear, it becomes even more confusing. At best, people might ignore the microsite domain, keeping themselves safe but making the marketing dollars a waste. At worst, the protection and reputation offered by use of known domains is lost and people end up infected the next time they follow an unknown domain.

Of course, Microsoft aren't alone in this - even Sophos has done it in the past - but maybe it's time marketers thought again about the real value of using cute campaign domain names. They're great when using other media to communicate a memorable web site address. They're not so great when they start to appear in search engine results.


8 Responses to What's in a domain name?

  1. A good reminder to be wary. My former boss fell for a malicious link to download Firefox. Here's my scoop on that subject. http://404ts.com/8l

    Discussing it with their hosting, they shut the site down. http://404ts.com/b8

  2. johnwbaxter · 1283 days ago

    Another Microsoft site for IE9 is beautyoftheweb.com . It is the site mentioned in the IE9 team's blog post about the release of IE9. (And the registration confirms it is Microsoft.)

    Every time our computer club's Saturday morning Q&A session* goes off to find a product, either one of two others or I insist that people figure out which search result is the real official site and go there (we also accept the real CNet download site as an alternative--sometimes the official site is not at all obvious).

    For Macintosh, whois lookup is (relatively) easy, using the Network Utility utility shipped with every instance of Mac OS X.

    Would you please put up a post pointing to a reliable and consumer-friendly way for Windows users to check registration? Thanks.

  3. Thu Win · 1283 days ago

    Can't the scammers fake the WHOIS when they register for the site? I'm pretty sure anybody can get the Microsoft address from anywhere.

    • rbaldry · 1282 days ago

      That's certainly possible, but the fact that this domain used Microsoft's DNS servers was what convinced me. The hardcore security guys in SophosLabs may have looked for other evidence of course.

  4. Very interesting. I see how this can definitely cause tech-savvys to be wary if they come across it. However, given the low level of smarts of the majority of web browsers, this definitely could have served as a big issue. Good thing it is in fact legitimate. Thanks for the article.

  5. Slayer · 1283 days ago

    Why would you use a search engine to get a Microsoft update? You've heard of Microsoft Update, right?

    • True, but you can't say 100% of users would use the same method to update stuff. Being a security advocate, you must get used to thinking as a general user (maybe they'll use the automatic updater, maybe they'll try to look for the update online, etc.).

      • rbaldry · 1281 days ago

        I ran Windows Update first to try and update and was not given the option. Rather than mess around with Windows Update settings, I just went for the quick option and searched for a download location.

        But my real point is not to bash IE9 or Microsoft specifically - I just wanted to point out the confusion that can be created when an organization chooses not to use their regular, recognized domain name.

        Domain name reputation takes time to build up. We should always be suspicious of domain names we've never seen before - especially when they claim to represent a high-profile brand.

        I also find the recent proliferation of private short domain names to be a further source of confusion. At least when it was just bit.ly, is.gd or one of the other original names I knew what to expect. In the last 24 hours my Twitter feed has had links to youtu.be, 1.usa.gov, fb.me, ow.ly, gu.com, macrumo.rs, tcm.ch, snd.sc, engt.co and more. I'm just glad I've got a good web security product to hide behind.


About the author

Rich is a Senior Product Manager with responsibility for Web Protection across Sophos's product range. He has been with Sophos for so long that his first job involved mailing out anti-virus updates on 5¼" floppies. Feel free to contact him by email.