For a while now, some Internet Service Providers have been taking advantage of unused domain names and subdomains in order to make some cash by displaying advertising when someone types in a non-existent web site address.
A recent study by IOActive security researcher Dan Kaminsky proves there’s a security flaw that could let malicious hackers set up authentic-looking web sites in order to fool Web users.
When someone who accesses the web through the US ISP Earthlink types in a web address that doesn’t exist, instead of getting a standard error page from their web browser, instead they’re often taken to a page full of ads and web site suggestions. Earthlink relies on a British ad company called Barefruit, and here lies the problem.
Kaminsky showed that hackers could hijack Barefruit’s servers, and then serve up web pages based on subdomains that look like they come from legitimate web sites such as PayPal or eBay.
I’m not sure how many people type in web addresses with subdomains directly into the address bar of their web browser, but the risk is still there. It’s not how the web is supposed to work, but apparently Barefruit says it’s OK: “Barefruit endeavours to ensure online security while providing an improved internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking.”
I don’t know of any UK ISPs currently using these techniques, but it’s a good reason to continue being careful when typing in web addresses and using web links found in emails.