Deceptive domain attacks launched against customers of Wells Fargo, Paypal, AOL, … even Red Hat

A second fraudulent email targeting Red Hat Linux users has emerged, this time using a deceptive domain, fedora-redhat.com. The new wrinkle reflects a common trend in phishing scams, in which an initial attack is refined over time, becoming more convincing and plausible with each revision.

Detail-oriented Red Hat users on /. have had a field day ridiculing the grammar and spelling mistakes in the mail (Red Hat was spelled as one word) and listing numerous inconsistencies between the attack code and standard Red Hat update practices.

However, the Red Hat and /. communities are progressively diverging, and the mail will have reached some people running Red Hat systems who are much less cautious and observant than the traditional Linux community.

The new scam, which follows a similar attack over the weekend, uses the domain fedora-redhat.com, which might plausibly belong to Red Hat. While many phishing attacks rely on obfuscated URLs to deceive recipients, a growing number of scams register look-alike domains to snare users. The fedora-redhat.com domain was registered on Saturday through Yahoo, which offers domains for $9.95.

Similarly, over the weekend Wells Fargo customers were targeted with a mail leading to a site in the domain wellzfargo.com, while other recent attacks have involved the domains my-paypal.com and errorbillingaol.com.

The trend illustrates the importance of defending domain names with business value: keep bona fide business on as few domains as possible, so customers learn which ones are genuine, and monitor registrations of derivations of those names. Conversely, the registration or deployment of such a domain can give the targets of phishing scams early warning of a fraud attack, and prompt action can then pre-empt it.
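The kind of monitoring described above, as an added example that is not part of the original article and not Netcraft's service or code: a small classifier that runs over a feed of newly registered domains and flags those that reuse a protected brand as a hyphenated token (fedora-redhat, my-paypal), as a prefix or suffix (errorbillingaol), or within one edit of it (wellzfargo). The brand list, the allowlist of genuine domains, the digit-for-letter map and the registration feed are all constructed for illustration; the code assumes a one-label public suffix such as .com.

```python
"""Flag newly registered domains that look like a protected brand.

Added example, not Netcraft's service or code. Brand list, allowlist and
the registration feed below are constructed for illustration.
"""

# Brand labels to defend (constructed watch list).
BRANDS = ["wellsfargo", "paypal", "aol", "redhat"]

# The brands' own domains; anything at or under these is legitimate.
LEGITIMATE = ["wellsfargo.com", "paypal.com", "aol.com", "redhat.com"]

# Digits and symbols commonly swapped in for letters ("paypa1").
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "9": "g", "$": "s",
})

# Edit-distance matching is only meaningful for labels long enough that a
# one-character difference is unlikely to be coincidence; short brands such
# as "aol" are matched by the exact-token and affix rules only.
MIN_FUZZY_LEN = 5


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(domain: str) -> bool:
    """True for a brand's own domain or any name under it."""
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE)


def classify(domain: str, max_distance: int = 1):
    """Return (brand, reason) if `domain` looks like a brand, else None.

    Assumes a one-label public suffix (example.com, not example.co.uk);
    every label left of the suffix is examined, so sub.domain.tld is covered.
    """
    domain = domain.lower().rstrip(".")
    if is_legitimate(domain):
        return None
    for label in domain.split(".")[:-1]:
        norm = label.translate(HOMOGLYPHS)
        tokens = [t for t in norm.split("-") if t]
        joined = "".join(tokens)
        for brand in BRANDS:
            if brand in tokens:
                return brand, f"brand is a whole token of '{label}'"
            if any(t != brand and (t.startswith(brand) or t.endswith(brand)) for t in tokens):
                return brand, f"brand is a prefix or suffix of '{label}'"
            if len(brand) >= MIN_FUZZY_LEN and levenshtein(joined, brand) <= max_distance:
                return brand, f"'{label}' is within {max_distance} edit(s) of the brand"
    return None


def scan(registrations):
    """Run the classifier over a feed of newly registered domains."""
    return [(d, *hit) for d in registrations if (hit := classify(d))]


# Constructed feed; the first four are the domains named in the article.
NEW_REGISTRATIONS = [
    "fedora-redhat.com", "wellzfargo.com", "my-paypal.com", "errorbillingaol.com",
    "fedora.redhat.com", "kaolin.com", "paypa1.com", "example.com",
]

if __name__ == "__main__":
    for domain, brand, reason in scan(NEW_REGISTRATIONS):
        print(f"{domain:24} -> {brand:12} {reason}")
```

The affix rule rather than a plain substring test is what keeps kaolin.com from being reported against aol, and the allowlist is what keeps fedora.redhat.com quiet; both are the first false positives a real watch list produces. Fuzzy matching is deliberately restricted to longer brands, since a three-letter brand is within one edit of a great many ordinary words.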

Netcraft's fraud detection service can alert on domain registrations such as those used in the four scams above within 24 hours.