marahmarie: my initials (MM) (Default)
[personal profile] marahmarie

http://www.usatoday.com-report.careers/x3/single-mom-makes-7942-per-month/story/?s1=4211&s2=43304752

Let's parse this lovely URL, bit by sneaky bit: the web address certainly looks legit enough because it starts off with "http://www.usatoday.com" (which is a legitimate URL that takes you to a well-known, nationally distributed newspaper's website). But that's not where this URL will take you. Instead it whisks you off to "com-report.careers" (as anything after the final dot in the web address is your actual top-level domain name destination). Picking up with the slash after the word "careers", the rest of the URL simply references a specific page on the com-report.careers website. Clever, is it not?

So, are you visiting usatoday.com when you visit this site? No. Is the http://com-report.careers website dangerous? No. It's simply a scam designed to perpetuate online fraud upon anyone who unwittingly thinks they're visiting USA Today when they visit any one of these links. To check this, I viewed the WOT score for the web page linked to above (which is so bad the page is blocked from viewing unless you click a link within the WOT dialog box that says "Go to site" - the other choice, for those unfamiliar with the WOT web browser add-on, is to "leave site", which any unsuspecting person might want to do in a hurry) which indicates the site is "spam" and has already been reported as "a scam".

Why do I say it's a scam waiting for "anyone who unwittingly thinks they're visiting USA Today when they visit any one of these links"? Because if you scoot up to the website's directory - like so - you see that the entire site is devoted to scamming people by using USA Today's corporate logos and branding on everything (in violation of both trademark and copyright laws, if I am correct). Have I blown your minds yet?

Let's dig a little more, because hey, to me, this kind of sleuthing is fun. It's for exactly this reason - for con artists such as these - that I keep the DT Whois add-on installed in my Firefox at all times! So let's go see what it says. Oh wait, we can't, because the domain apparently discourages such things by redirecting the add-on to the last tab I was on, so I wind up looking up Dreamwidth's domain details, repeatedly.

OK... *regroups*...huh, now my mind is blown (and yes, it takes a lot for that to happen, as I've been tracking down scam websites in exactly the same fashion for the last 9 years).

Jumping off to ICANN for a domain check that com-report.careers can't screw up somehow, we see that the domain is registered privately (which is expected, given the nature of what it exists to do) and that it was created in June and expires next June. Chances are this is as-planned...if the site isn't taken down by next June by USA Today, CDMA-style, then the cowardly owners should count themselves lucky, indeed. Checking Google - which, as usual, does a disservice to the entire Internet by indexing such scam sites at all - we see amongst the first page of 2,830 results that the site's IP address, according to this page, is 45.55.30.110, which indeed resolves directly to com-report.careers, that estimated traffic is over 30,000 visitors per month - which is a lot of potential victims to scam, especially for such an unknown entity - and that most of their traffic comes from the US and Singapore.

Since this site is not well-known and has a PageRank of exactly 0, it's likely it was created, is visited by and is regularly updated from Singapore - unless, for some reason, one or more USians created it and are directing a lot of (perhaps automated) Singapore traffic to it, but given that the site is most commonly seen as a link on scam survey sites such as Panda Research (how I stumbled across it, go me) that are used mostly by USians, this alternate explanation is somewhat unlikely.

With that out of the way, tomorrow (as it is late in the wee hours as I write this) I intend to do two things, which you can also do against this or any website you suspect of scamming: 1) contact Google to ask to have the website de-indexed as a scam/spam site - if indeed it's indexed by Google (this site clearly is) and 2) contact USA Today (or, in the case of any other website's corporate identity being stolen, then the name of whatever website is being similarly abused) to let them know of the scam.

Further reading: the entire damn list of TLDs out there, as of this writing (it is, as I said in the title, an ever-expanding list, which unfortunately only further enables just these kinds of frauds).

(no subject)

Date: Oct. 11th, 2015 10:15 pm (UTC)
silveradept: A kodama with a trombone. The trombone is playing music, even though it is held in a rest position (Default)
From: [personal profile] silveradept
This is part of those things we wish would be part of everyone's training on how to responsibly use the Internet. Which we wish everyone had in the first place.

(no subject)

Date: Oct. 22nd, 2015 10:42 am (UTC)
ideological_cuddle: (Default)
From: [personal profile] ideological_cuddle
To be fair, while the explosion of gTLDs is regrettable it's not like that makes it much easier to run this sort of scam: it could be com-reports.com just as easily as com-reports.career, and it routinely has been done that way for quite a long time.

The usual variant I've seen over the years has been bank phishing rather than simpler scams. Throw something up on bigbank.com-somedomain.rodeo then spam the crap out of world+dog with emails that contain links in the form <a href="bigbank.com-somedomain.rodeo">bigbank.com</a> then rake in the attempts to log in to the faked online banking site...

And yeah, the general public ought not to need to know how to parse a link in fine detail to avoid being scammed. Google and Mozilla both do some scam-blocking stuff but it's a hard problem to solve.

(Incidentally, attempts to hit that URL you found now go to a different site, usatoday.com-specialreport.link, which appears to be hosted at Linode's Dallas facility. They talk an okay game on anti-abuse and the site is presently unavailable so maybe they've already taken it down.

I'm a happy Linode customer but have had no interaction with their abuse department.)