Malicious Reddit clone fooling users into giving away logins

08 Feb 2018

It recently came to light that cybercriminals have been deceiving ‘Reddit’ users into voluntarily handing over their usernames and passwords.

Why would anyone do that of their own free will, you might ask? It all comes down to a simple typo – reddit.co instead of reddit.com.

When users accidentally type this address, the browser does not redirect them to the genuine site; it takes them to a clone that looks identical but exists to harvest their credentials. The clone even carries a valid SSL certificate, so the browser marks it as secure.

“This shows that cybercriminals are now stealing personal details by taking advantage of the one security measure every Internet user has been trained to trust: the padlock in web browsers,” says Venafi chief cyber security officer Kevin Bocek.

“These padlocks are supposed to signify a trusted machine identity – a digital certificate that means the machine is who it says it is. But now cybercriminals can obtain certificates to look authentic for virtually nothing, and they are often instantly available. This is a high risk, high impact threat that security teams cannot ignore anymore.”

According to Domain Tools, Reddit has never owned the domain despite many attempts to do so since 2010.

“Time is of the essence for Reddit here, and the company needs to warn its users about the site,” says RSA director of advanced cyber defense practice EMEA and APJ Azeem Aleem.

“The company isn’t alone, however, as it is often very hard for an organisation to know if their site has been spoofed until someone has already become a victim. This is why the public need to have greater awareness of spoofing and take care to protect themselves online.”

And unfortunately, Bocek says it’s not just sites like reddit.co, as last year more than 14,000 certificates were used to set up phishing sites spoofing PayPal alone.

“This shows the power of the padlock for cybercriminals, allowing them to appear trusted while tricking unsuspecting victims out of their data and damaging brand reputations across the internet,” says Bocek.

“This attack is part of a much larger problem that jeopardises the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed.”

Bocek says the answer lies in certificate reputation scoring. The site previously hosted porn, the domain is not owned by Reddit, and the certificate was issued by Comodo whereas the real Reddit uses certificates from DigiCert – these are all factors that a certificate reputation score would have flagged for remediation by Reddit long ago.

“Free certificates provide little validation, yet users see them as sacred. If people cannot trust that the sites they visit are genuine, our digital world could start to crumble,” says Bocek.

“Action is needed now by security teams of enterprises since no one else will protect you from the bad guys.”

Aleem says what is most worrying is what this stolen data will be used for: stolen credentials are used to breach the victim’s other accounts and to carry out sophisticated phishing attacks on friends, colleagues and family.

“Our advice would be: firstly, avoid clicking on links to websites from emails if they are from an unknown source. Instead, look up the website using an established search engine. Secondly, always be sure to check the URL of a site that you are visiting to make sure that it is correct – often with spoofed sites there will be a few letters in the wrong place that will give clues that it is not official, as in this spoofed Reddit site; the devil is in the detail,” says Aleem.

“Thirdly, check the address bar to ensure you are visiting a secure site and there are no warnings – although as we can see here, there are ways to fake this. Lastly, if you have any doubts, then see if there is a phone number where you can call and get validation before sharing any personal information.”
