Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Facebook Social Networks Spam The Internet

Facebook Sues Namecheap For Letting Scammers Register Lookalike Domains (zdnet.com) 87

Facebook filed a lawsuit this week against Namecheap, claiming the domain name registrar has refused to cooperate in an investigation into a series of malicious domains that have been registered through its service and which impersonated the Facebook brand. ZDNet reports: Christen Dubois, Director and Associate General Counsel at Facebook, said today that Facebook engineers tracked down 45 suspicious Facebook lookalike domains registered through Namecheap, which had the owners' details hidden through the company's WhoisGuard side-service. Some of the sample domains included the likes of instagrambusinesshelp.com, facebo0k-login.com, and whatsappdownload.site. Dubois said lookalike domains like these -- which abuse the Facebook brand -- are often used for phishing, fraud, and scams.

"We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate," Dubois said. "We don't want people to be deceived by these web addresses, so we've taken legal action," the Facebook exec said.

This discussion has been archived. No new comments can be posted.

Facebook Sues Namecheap For Letting Scammers Register Lookalike Domains

Comments Filter:
  • by johnjones ( 14274 ) on Friday March 06, 2020 @05:14AM (#59802520) Homepage Journal

    Facebook.com domain is insecure, because it is not DNSSEC signed.
    they use TLS 1.1 and TLS 1.0 both should be phased out NOW from web servers
    they use ECDHE-RSA-RC4-SHA which should not be used
    they dont use X-Frame-Options, X-Content-Type-Options, X-XSS-Protection value plus web server does not offer Content-Security-Policy (CSP).

    for email domain does not support DKIM records nor do they have DANE TLSA record.

    for the domains they have parked its even worse they have no protection there... maybe just maybe they should get their own house in order at the same time...

    • What would be the point of making it secure?
      That is like cows demanding an electrical fence to secure their path to the meat grinder.

      • It's also securing _every other path_, since the domain squatters sell typo based and sound-alike domains, and many companies deliberately have their security or business emails be slight variants of their primary domain name. ICANN had opportunities to address most of this by avoiding the excess expansion of top-level domain names, and allowing domain squatters to reserve domains for days without ever actually paying for the domains. Many people with DNS expertise were approached and even interviewed by su

      • by dwywit ( 1109409 )

        It's cool everyone, the expert's here.

      • by rant64 ( 1148751 )
        Because Facebook is used as an identity provider for many other services. Being able to impersonate a FB login page is really bad.
      • However going to the meat grinder is probably less stressful and painful. Then getting slowly attacked by wolves.

    • by Antique Geekmeister ( 740220 ) on Friday March 06, 2020 @06:42AM (#59802612)

      Since the fraud domains were not facebook.com domains and did not overlap with Facebook's domain spaces, all of such DNS security has nothing to do with this abuse. These fraudsters weren't using Facebook's registered space, so in every authentication sense these domains were legitimate.

      Perhaps you could review how DNS and domain squatting work, rather than focusing technological security that was not involved in this problem?

      • by dwywit ( 1109409 )

        footbare isn't interested in mature dialogue.

        And the suggestion that the concepts of DNS and domain squatting are even within footbare's meagre intellect is.....hopeful.

      • by DarkOx ( 621550 )

        all of such DNS security has nothing to do with this abuse.

        Disagree, having your house in order takes effort. I have a lot more trust someone who has invested the time time in doing some of that stuff properly is legit. This is why LetsEncrypt is such a terrible thing to have happened.

        These spammer guys are looking to hook a handful of people, take the money and run. If you make it cost them a few hundred dollars a try that is actually a huge barrier to entry; and if they are successful its another money trail to follow, provide the CAs act somewhat responsibly an

        • > because they make it acceptable to be sloppy.

          exactly get your house in order before you go criticising others.
          your DNS name is like ours... well without basic cryptography how am I supposed to trust your domain ?
          I can NOT. period full stop end of.

          get it sorted facebook

          your house of supposed hackers are coffee drinking pretenders

          • > well without basic cryptography how am I supposed to trust your domain ?

            Perhaps you could start by keeping the keeping the technology straight. DNSSEC does not encrypt DNS, it _authenticates_ it with public key encryption and a chain of trust of the keychain.

        • LE may be causing those things to go away in the short term, but there is no reason they can't come back.
          In my opinion, trust factors like extended validation should have never been tied to SSL certificates. It makes me thing how silly it would be to tie port numbers at TCP/IP Layer 4 to VLANs at TCP/IP Layer 2. Both helpful, but they don't have to be glued together.

          I'm all for trust signals being available to users. Let's get them implemented as their own technology.
        • This is why LetsEncrypt is such a terrible thing to have happened.

          Letsencrypt is solving one problem (unencrypted communication). That's not a bad thing. You can still have the best of both worlds.
          You could have the browser bar turn green for extended validation, red for non-ssl and yellow for free or low validation certificates.
          Just because something is encrypted doesn't make it safe if you have an encrypted connection to a criminal but making basic
          encryption more expensive is not the solution, the solution is to have different levels of trust and yes, having those hig

          • by msauve ( 701917 )
            "Letsencrypt is solving one problem (unencrypted communication)."

            No, self-signed certs can do that. LE solves the issue of browser developers insisting that all users are too stupid to make decisions for themselves.
            • Letsencrypt certificates make it easier to detect things like MITM attacks. Even if someone is willing to look at and study a self-signed certificate, without some trusted third party, there is no way to verify that the self-signed certificate was actually signed by the person you are communicating with.

              • by msauve ( 701917 )
                Now you're changing from encryption to authentication. Pick an argument and stick with it.
            • by Pascoea ( 968200 )

              browser developers insisting that all users are too stupid to make decisions for themselves.

              From my experience, that is a fair assumption. 99.9% of web users don't know/don't care what SSL is, how it works, or what it actually does.

            • Letsencrypt is solving one problem (unencrypted communication).

              No, self-signed certs can do that.

              Self-signed certificates do not answer the question "Does this server speak for the owner of the domain name?" This question is needed to rule out an active man in the middle. Domain name validated (DV) certificates are designed to do this and only this, and Let's Encrypt was by far not the first DV CA.

              The featured article is about typosquatting and homoglyph domains, which raise a different question: "Does this domain name belong to the entity that a reasonable person would think it belongs to?" Traditiona

              • This provides no help for the fake domains, which can generate and purchase signed certificates for the _distinct_ but casually valid domai3n na3me. And yes, misspelled the "domain name" to make my point.

            • No, self-signed certs can do that. LE solves the issue of browser developers insisting that all users are too stupid to make decisions for themselves.

              Anyone can create a self signed certificate for any domain. Self signed domains are useless if I want to know whether I'm talking to whoever I wanted to talk to. In that case, I'm not too stupid but too clever to decide for myself. I much prefer to let the browser decide not to accept a self signed certificate when there is no way I can securely accept it.

              • Anyone can create a self signed certificate for any domain. Self signed domains are useless if I want to know whether I'm talking to whoever I wanted to talk to. In that case, I'm not too stupid but too clever to decide for myself. I much prefer to let the browser decide not to accept a self signed certificate when there is no way I can securely accept it.

                Opponents of Let's Encrypt and other DV CAs might use similar wording:
                "Anyone can register a domain name resembling any business name. Domain name validated (DV) certificates are useless if I want to know whether I'm talking to whatever organization I wanted to talk to. In that case, I'm not too stupid but too clever to decide for myself. I much prefer to let the browser decide not to accept a DV certificate when there is no way I can securely accept it."

          • My problem with Let's Encrypt is that it makes trusted SSL certs free and anonymous for typo-squatters and hackers for use in running scams or spreading malware while shielding their activities from inspection, at least partly. Yes, I can run forward SSL inspection at the firewall and in anti-virus applications, but that sort of breaks web browser functionality.

            And, it's not like SSL certs were expensive before LE. I've been buying cheap SSL certs from Name Cheap for under 10 bucks for more than a decade.

            • My problem with Let's Encrypt is that it makes trusted SSL certs free and anonymous for typo-squatters and hackers for use in running scams or spreading malware

              Let's Encrypt is a domain name validating certificate authority (DV CA). If scammers weren't able to buy these domain names, a DV CA wouldn't be able to issue these certificates.

              I've been buying cheap SSL certs from Name Cheap for under 10 bucks for more than a decade. That price is clearly not a deterrent for a bad actor, but providing a credit card (presumably stolen) is.

              With what (presumably stolen) credit card did the scammers register the domain names in the first place? Facebook is attacking the problem at the root.

        • Disagree, having your house in order takes effort.

          One can still not having a working lock on their front door while at the same time asking police to stop criminals mugging your guests in the street outside.

          The two have NOTHING to do with each other and the average use is far less affected by an insecure SSL setup (targeted attack) than a fraudulent domain (widespread phishing attack).

      • trust comes from verification

        can I verify facebook.com... answer NO the domain is not cryptographically signed

        so yeah go tell your story walking

        • Simply put, so what? A fake domain will not be "facebook.com", it may be "facebooo.com", and registered andDNSSEC registered with the fake domain. DNSSEC and the like verify that the owner of a domain is, indeed, the owner of that domain. But it remains quite useless against entirely illegitimate domains.

      • Think about how much impact the green address bar had. And think how much more impact there would be if there was a series of green checkmarks for every web site for different security datapoints. And then most major companies would actually look insecure in the browser because nobody is implementing anything properly.

        • The "real websites", based on DNSSEC and DNS related authentication, have no way to discredit the DNS owned by the fake websites. DNSSEC gives no ability to say for facebook.com to say that faceb000.com is not aits own completely legitimate DNS entry. It's only if the fake site decides to fake facebook.com's DNS that it becomes so useful to use DNSSEC. It's a very distinct problem and has _nothing_ to do witht eh signed SSL certificates.

          Browsers _do not care_ if the DNS is authenticated. DNS servers do, and

    • they use TLS 1.1 and TLS 1.0 both should be phased out NOW from web servers

      Fully phasing out TLS 1.1 and TLS 1.0 requires first solving two practical problems.

      Say someone visits Facebook with a web browser that does not support TLS 1.2. How would Facebook display a message to the effect "to continue using Facebook, please upgrade to a browser compatible with at least TLS 1.2" to a user without sending this message over TLS 1.1 or TLS 1.0?

      So once the message is displayed, which web browser should Facebook recommend switching to? Which web browser that supports at least TLS 1.2 is c

      • Exactly. Even Google, which is a huge proponent of securing everything still accepts TLS 1.0 and 1.1. Everybody knows that these protocols are insecure, but nobody can stop using them until all the old devices are upgraded to newer software. It's not just Windows XP Either, which could use Chrome/Firefox. But other things like old Android devices and even companies using old versions of the JRE for doing API Requests.

        • by tepples ( 727027 )

          After a bit more research, I'd start by recommending Firefox 52 for users of Windows XP.

          Google Chrome dropped Windows 98 after version 18, added TLS 1.2 in version 22, and dropped Windows XP in version 50.
          Mozilla Firefox dropped Windows 98 after version 2, added TLS 1.2 in version 27, and dropped Windows XP after version 52.

          It won't help Windows 98 diehards, such as NO$GBA developer Martin Korth, but it'll solve a chunk of the problem for the user demographics that Facebook's advertisers care about. Faceboo

    • Facebook.com domain is insecure, because it is not DNSSEC signed.

      D.N.SSEC is an Internet wide DDOS amplification risk. Until that changes I actively encourage every D.N.S domain to be "insecure". It's also rather pointless given the network identifiers resolved are equally "insecure" and PKI is bound to domain name.

      It would be awesome to use DNSSEC/TLSA instead of CA's in the future but right now it isn't worth the risk. The UDP D.N.S transport protocol first needs to be removed, replaced or RFC7873 must see see universal adoption.

      they use TLS 1.1 and TLS 1.0 both should be phased out NOW from web servers

      Why? There are no known issues of im

    • by jtara ( 133429 )

      “Mark Zuckerberg is an arrogant asshole who would not take our advice.”

      - speaker redacted

      Zuckerberg could probably guess who said that.

       

  • by BAReFO0t ( 6240524 ) on Friday March 06, 2020 @05:36AM (#59802540)

    So on one hand, you might fall for criminal scammers and data thieves that farm you and abuse you... and on the other hand you might end up on a lookalike.

    I'm kidding ... Is there a Patreon where I can support the lookalike domains? Seems they are doing the world a favor. ;)

  • If Facebook wants to claim control over these domains, it needs to buy them out. What right does it have to leave them dangling out there unsold, only to complain when someone finally takes them? As scammers get terminated, Facebook should be forced to buy the domains it wants to keep from popping back up. If they want whatsappdownload.site then they have to buy it, they can't just put a watch on it and complain when it gets taken. That amounts to an uncontestable shadow ban. If they want control over a dom

    • If Facebook wants to claim control over these domains, it needs to buy them out.

      There exist so many possible homoglyphs, typosquats, and other impersonations of a given service mark that one company is unlikely to be able to buy them all by exhaustion.

      What right does it have to leave them dangling out there unsold, only to complain when someone finally takes them?

      Facebook has rights under trademark law, such as the Lanham Act as amended. The featured article states that Facebook is suing Namecheap for resisting the investigation of these scammers' infringement of the "Facebook" service mark. Namecheap stated that it requires a court order to disclose certain information of WhoisGuard clients, and

  • (Civil) Legal action is pointless in this endeavor. The only way to get to the bottom of it is by pressing criminal charges so the police are involved. We've seen this with other registrars before and it will be the norm for as long as the current registrar system exists.

    There is nothing special about what namecheap is doing in this case either; hundreds of other registrars do the exact same thing, intentionally obfuscating the registration data for domains (to the point where it is of no real value)
    • Facebook is suing Namecheap to find out against whom to press criminal charges in order to build a better case for the police to follow up on.

      • Facebook is suing Namecheap to find out against whom to press criminal charges in order to build a better case for the police to follow up on.

        Except that isn't the order the events are supposed to transpire in. What is supposed to happen is facebook is supposed to report a crime to law enforcement first. Then the police investigate the crime and can get a warrant issued against the registrar to release the information on who owns the domain, and make the appropriate contact.

        A civil suit won't go anywhere. Lawyers will get involved, litigate for an appallingly long time, consume huge amounts of money, and long before anything is done the d

        • Except that isn't the order the events are supposed to transpire in. What is supposed to happen is facebook is supposed to report a crime to law enforcement first. Then the police investigate the crime

          That or they tell Facebook "Feel free to make a report once you've gathered enough evidence to make the investigation worth our time. We're already bogged down as it is with investigating other crime."

          • Except that isn't the order the events are supposed to transpire in. What is supposed to happen is facebook is supposed to report a crime to law enforcement first. Then the police investigate the crime

            That or they tell Facebook "Feel free to make a report once you've gathered enough evidence to make the investigation worth our time. We're already bogged down as it is with investigating other crime."

            I can tell you they aren't likely to get anywhere with a civil suit (and I'd be shocked if their lawyers didn't already know this), it has to go through law enforcement. Besides, there is a very good chance that if they did find the identity of the domain owner(s) they would find that they are not located in the US anyways, which makes a civil suit pretty much a completely pointless effort as the ruling of a judge in the US isn't meaningful for someone who resides in another country. This really isn't mu

      • Maybe FaceBook could buy namecheep.com, steal some of their business, and wait for Namecheap to try suing them?

  • They issuing certificates for these look a likes is JUST as big a deal as the registrars issuing the domains in the first place.

    • The certificates are not, per se, fraudulent. They're being issued to the genuine owners of the domains. There is _nothing_ in the SSL or more modern TLS specs for saying "your domain sounds like someone else's, we must require approval from them to authorize your own domain". Modern DNS and SSL were _designed to be money sources for the top level domain registrars and all the subdomain registrars as their middle-men.

      • by DarkOx ( 621550 )

        By this logic the domains are no fraudulent either. There is nothing saying if for example my name is Jace I can't have Jacebook.com - or if my name isnt Jace for that matter.

        However like the Name Cheap , LE is knowing assisting in identity theft and fraud by issue documents they reasonably should know are intended to be used by crooks to confuse others about what party the represent.

        At some point they are an accessory.

        • LE is knowing assisting in identity theft and fraud

          Their fully-automated system is "knowing"? You want to require them to have an AI try to figure out what people might confuse any given domain with?

          They issue documents that says that the domain is controlled by the same people as the web server that hosts it. And verify that communications are going from you to there securely. Any assumptions you put on top of that may or may not be valid.

          • LE is knowing assisting in identity theft and fraud

            Their fully-automated system is "knowing"?

            The argument among opponents of Let's Encrypt is that LE knows that fraud has been done in the past using their certificates, and LE is being willfully blind [wikipedia.org] to ongoing similar fraud.

            • This is (not precisely) like saying "drive-by shooters use cars, and car manufacturers are being willfully blind to ongoing crimes committed with their vehicles."

              • Domain providers are required to respond to reports of abuse. It is part of the job.

                This is more like a car rental company renting getaway cars for bank robbers, and refusing to stop renting to the same person even after they're warned the car was used in a robbery.

                • by q4Fry ( 1322209 )

                  That's a better analogy, thanks. And now that think about it, perhaps it would be yet better like this:

                  This is more like a car rental company renting getaway cars for bank robbers, and refusing to stop renting to or identify the person even after they're warned the car was used in a robbery.

                  That was helpful.

    • HTTPS does validate your connection to a third-party. HTTPS does not validate the identity of said third-party.

    • by MobyDisk ( 75490 )

      Read-up on the difference between Domain Validated and Extended Validated certificates [digicert.com]. Since you don't like the way that browsers display Domain Validated certificates, then complain to them. But don't blame Let's Encrypt for the internet infrastructure, and certainly don't single them out since they are just one of many registrars offering this type of certificate.

      • by DarkOx ( 621550 )

        ingle them out since they are just one of many registrars offering this type of certificate.

        I am singling them out because they are the ones doing it for free! Free is the problem here. We need some financial 'friction' in the process. You and I can use self signed certs. We don't need LE for anything and the security they are provided would be BETTER delivered by wide adoption of DNSSec

        • by MobyDisk ( 75490 )

          Using a self-signed certificate would be effectively remove it from the web entirely. I would be better off to not support HTTPs at all.

          As for fees: These sites operated before Lets Encrypt. I'm not sure that a nominal cost would significantly deter the scammers, as they are already paying for for the DNS and hosting and such. But it is an interesting idea. It seems like Lets Encrypt ought to charge, at least so the Mozilla Foundation and the EFF have a source of money instead.

  • No obligation (Score:5, Insightful)

    by jmdevince ( 1175647 ) on Friday March 06, 2020 @07:34AM (#59802680)
    Facebook seems to think Namecheap has a legal obligation to FaceBook to hand over information about the people who registered the domains. Namecheap doesn't. Period. Namecheap has fought long and hard for the right to privacy and against stuff like SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act).

    Notices from Facebook alone don't mean jack-shit. The only entity in the United States that can order Namecheap to hand over information about the people who registered the domains is a judge signing a search warrant or subpoena as part of a criminal or civil investigation against the individuals who registered the domains.

    This is purely a smear campaign and I hope Namecheap counter-sues. Fuck Facebook's sense of entitlement.

    They still seem to think they're above the law.
    • You're right, Facebook can't make Namecheap hand anything over. A judge can. So, how does Facebook get a judge to tell Namecheap they have to stop protecting criminals who are infringing on their copyrights and trademarks? THEY SUE!

      They have grounds for a suit. Hell, anyone who fell prey to a scam because Namecheap enabled criminal fraud has grounds for a suit.

      I don't care about Facebook, but they are absolutely entitled to protect their name. Namecheap is not entitled to get away with enabling fra

      • "I don't care about Chase Manhattan, but they are absolutely entitled to protect their banks. Honda is not entitled to get away with enabling bank robbery. They are at fault, and stating facts about their behavior is not a "smear campaign". They took money for cars they KNEW would be used with malicious intent."

      • Yeah - but that's not what they are suing about. They want a blanket subpoena for everything forever. That's not how subpoenas for information works.

        • They want a blanket subpoena for everything forever. That's not how subpoenas for information works.

          Yes it is. When you have cause to know that some property you operate oversight control of was used to commit a crime, and you refuse to cooperate with the victim, you can expect to end up with a blanket subpoena.

          It is something you have to consider if you're thinking about ignoring those sorts of reports. Get good legal advice when you get the letters from Facebook's lawyers, don't wait until they sue you over it.

        • by tlhIngan ( 30335 )

          Yeah - but that's not what they are suing about. They want a blanket subpoena for everything forever. That's not how subpoenas for information works.

          And that's not how you do a case in court. You ask for the world, the court will say no, and give you less. The courts can only award zero to whatever you ask for (only in extremely rare cases do they award more than you ask for), so you always ask for a ton more than you expect or hope to get. It also serves as a starting point for negotiations for a settlemen

    • This is purely a smear campaign and I hope Namecheap counter-sues. Fuck Facebook's sense of entitlement.

      No it's not. They intend to crush NameCheap with the courts.

      They still seem to think they're above the law.

      Of course they are - they have the most money. In the US justice system whoever can produce the most pages of filings wins. That's the litigant with the most money.

      Career judges are most of the problem with US society.

      • No it's not. They intend to crush NameCheap with the courts.

        I doubt that this is the intent. I think the intent is to crush NameCheap, put the people who run it into eternal poverty, and publicise it so that nobody else will dare providing domain names intended to be used as part of a scam.

        I very much dislike Facebook, but I wish them the best luck with these efforts.

  • Namecheap is just the domain register. They don't have any control over web content (unless they web host too here). Where the data is being hosted, is all publicly available because that is how the internet works. Having a domain name that is similar to another sites is absolutely legal. Facebook !== Faceb00k. The issue that CONTENT on the WEB SERVERS is what makes it purposely fraudulent. What happens if someone register's a similar facebook domain name, like faceb00k, for the proposes for a comedic par
    • Should companies be able to take down that domain because it is similar their domain name just in name alone?

      Similarity alone, no. Similarity plus evidence of use for phishing, yes. Facebook would be wise to include such evidence in the lawsuit. I'm trying to dig up the actual legal filings in Facebook Incorporated et al v. Namecheap Incorporated et al, Arizona District Court 2:20-cv-00470, to see whether Facebook included any such evidence, but many of the ways I could find are paywalled.

      • PacerMonitor [pacermonitor.com] charges $49 per month.
      • PacerDash [pacerdash.com] states: "Pay only for what you use."
      • Law360 [law360.com] requires only signing up for its dai
      • I managed to register for a free Law360 account, dig up the complaint as a PDF, and mirror it.

        The complaint in Facebook v. Namecheap [pineight.com]

        Items 85 and 86 on page 17 explain what Facebook claims that WhoisGuard customers ("Licensees" of domain names owned on paper by Whoisguard company) are doing:

        85. The Licensees of the Infringing Domain Names intended to divert consumers to websites using domain names that were identical or confusingly similar to the Facebook Trademarks, the FB Trademarks, the Instagram Tradema

    • Facebook !== Faceb00k. The issue that CONTENT on the WEB SERVERS is what makes it purposely fraudulent

      That's not at all how trademarks work.

  • Funny, doesn't it seem like FB stance on almost everything within their platform is, "who are we to judge how our users act". They don't prevent the flow of information as they stand on the sidelines. Why should other companies try to step in, 'who are they to judge the validity of the site'. For all they know the site could be a white hat person buying up the domains and not using them to ensure nothing malicious would happen with them ;).

  • Facebook seems to think that Namecheap is responsible for policing the honesty of their customers, but Facebook doesn't think Facebook is responsible for policing the honesty of their own customers who place political ads.
  • Facenovel, Faceblog, ... Headbook (obviously, for a "dating site").

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...