A US-based anti-spyware company has registered the ".com.au.com" domain name, which experts fear could be used by cybercriminals to create more convincing phishing attacks.

The download page resembles an Internet Explorer error, and claims "Your computer system may have been compromised by dangerous spyware and/or adware infections."

For example, typing www.google.com.au.com or www.commbank.com.au.com, will redirect to an anti-spyware download page -- as will all other URLs that finish ".com.au.com" or ".org.au.com".

Users who accidentally add .com at the end of an Australian domain will also be redirected to the fake anti-spyware site.
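A defensive check for the pattern described above, as an added example that is not part of the original article: it flags hostnames (for instance from proxy or DNS logs) in which an Australian second-level suffix such as .com.au sits in the middle of the name rather than at its end. The suffix list and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample list of Australian second-level suffixes to protect;
# a production check would load the full Public Suffix List instead.
PROTECTED_SUFFIXES = ("com.au", "org.au", "net.au")


def hostname_of(value):
    """Accept a bare hostname or a URL and return a normalised hostname."""
    if "://" not in value:
        value = "//" + value          # lets urlsplit treat the text as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()   # drop a trailing root dot, fold case


def embedded_suffix(value, suffixes=PROTECTED_SUFFIXES):
    """Return (imitated_host, trailing_zone) when a protected suffix sits in
    the middle of the hostname instead of at its end, else None."""
    labels = hostname_of(value).split(".")
    for suffix in suffixes:
        want = suffix.split(".")
        n = len(want)
        # Start at 1 so a name label precedes the suffix; stop before the
        # position where the suffix would be the genuine end of the name.
        for i in range(1, len(labels) - n):
            if labels[i:i + n] == want:
                imitated = ".".join(labels[:i + n])
                # Last suffix label plus whatever follows, e.g. "au.com".
                trailing_zone = ".".join(labels[i + n - 1:])
                return imitated, trailing_zone
    return None


def flag_hosts(values):
    """Map each suspicious input to its (imitated_host, trailing_zone)."""
    hits = {}
    for value in values:
        found = embedded_suffix(value)
        if found:
            hits[value] = found
    return hits
```

A hit means the name only looks like the imitated host; the trailing zone is where the lookup actually ends up.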

Bradley Anstis, vice president of security firm Marshal, was concerned about the development.

"This one is pretty worrying really; I think it sends a very strong message to domain registrars, how they can allow a top level domain to be registered as a secondary level domain is clearly beyond me."

Currently, it seems the owner of the domain is redirecting all traffic to the fake spyware page but Anstis claims that more specific attacks are possible.

"If you're getting people to fall for this, and I suspect people will, the world is your oyster really," Anstis said.

Anstis warned that the domain could be particularly dangerous if used to mimic financial Web sites: "You could easily put an [fake] ANZ Web site that looks exactly like the original one. I think the big concern with this is it is quite difficult to spot."

The au.com domain is owned by Australian domain name reseller and hosting provider NetRegistry. In an interview with ITRadio's Risky Business podcast, the CEO of NetRegistry, Larry Bloch, argued that registrants should be able to use domains as they liked unless they were breaking the law.

"In the absence of any overriding concern, for example illegal activity or activity that's clearly not satisfying community norms -- and this may be an example of that -- we'll literally let registrants carry on as they see fit," said Bloch.

However, Chris Disspain, CEO of the Australian Domain Name Administrator (auDA), said in this case there may be a legal precedent for taking action.

"I am investigating this, whether this is either a breach of either, the register agreement or the code of practice. The fact that it is not in .au does not necessarily mean that it is outside the register agreement or the code of practice," he said.

Disspain referred to an Australian Federal Court case from June 2004, which put such sites within the auDA's reach. He said, "We could have a go at sites outside [.au domain] if they, to use a football phrase, 'brought the game into disrepute'."

Security firm F-Secure analysed the "anti-spyware" program found at the site and confirmed it to be fake. F-Secure's Patrik Runald said, "when you scan your PC it will always find something to complain about ... to clean anything you need to register your e-mail address and then it asks you for your credit card."

A screenshot of the downloaded program courtesy of F-Secure.

Chris Gatford, from penetration testing firm Pure Hacking, said even if people do not fall for the fake anti-spyware application, the misleading domain name is likely to be generating revenue for its owner through a pay-per-click scheme.

Gatford explains that although the site downloads via the domain anti-spyware.com, "before that, it goes through three or four redirections, and some of these are using what is called 'click bank', which is basically counting the clicks that adware-free.com is sending through to anti-spyware.com".

Comments

1

Mike - 16/03/08

It is easy to avoid such spoof and fraudulent domains. I use the MyLittleMole toolbar from mylittlemole.com which pops up an alert on spoof eBay, PayPal, banking, and other fake websites like the one in this article. The solution is simple, install this free toolbar and you don't have to worry about trojan spreading sites like this fake scanner software.
