ISPs’ Greed to Monetize Mistyped Domains Leads to Barefruit Garden of Delight for Phisher and Hackers


The way in which some of the US’ largest ISPs handle mistyped website names, monetizing them through Barefruit, opened a vulnerability that, had phishers and hackers exploited it, would have been an open and unfettered conduit for injecting their malicious payloads onto the Internet. [Page no longer available – we have linked to the archive.org version instead.] This particular security hole has since been patched. The fundamental danger, though, remains.

To understand how it works you need to know a little about how the glue that holds the Internet together, the Domain Name System (DNS), works. Now don’t worry, we’re not going to walk you through the BIND source code; we’ll be gentle. Let’s start our easy journey with what happens when you enter a URL (say www.google.com) into the navigation toolbar of your Web browser. DNS maps the domain name in that URL to an IP address (in the case of our example, 64.233.167.99) which uniquely identifies the computer from which the domain’s content – in this case the iconic search page of Google’s Web site – is served.

Now consider what happens when you enter a non-existent URL, or mistype the domain name. When DNS cannot map the name to an IP address (the resolver answers with an NXDOMAIN, “no such domain”, response), the browser usually shows you a page saying “server not found”, so if you’re like me you see you’ve made a mistake, smack your head, and enter the correct URL. And here’s where the ISPs, notable among them Earthlink, started to get clever. Instead of merely telling you that they couldn’t find the server you requested, their DNS servers intercept that error response and hand you instead a Web page originating from Barefruit, one of their ad partners, giving a list of sites for which you may have been looking, a search box and some Yahoo ads. We’re sure they’re just trying to help, and that thoughts of monetizing mistyped domain names never entered into their heads. That Verizon, Qwest, Comcast and AOL Time Warner conduct similar intercepts is, we’re sure, unrelated.

Let’s suppose that you got the domain name correct, but mistyped the sub-domain name. As an example, perhaps you typed maol.google.com instead of mail.google.com. Your browser will be sent, as before, to the Barefruit page containing suggested sites and ads, but with one chilling difference. Because the address bar still shows a google.com hostname, the browser treats the page contents, code and all, as if they came from the legitimate domain. And because the Barefruit servers were poorly configured and extremely vulnerable to cross-site scripting attacks, someone guided by malicious intent could have had the browser execute their own Javascript code in that context, steal and modify users’ cookies, bypass authorization procedures, or create a fake sub-domain of a rightful financial institution’s domain to steal passwords and other data (anyone for fakesite.paypal.com?).

For all our readers who administer domains we recommend a review of your DNS records. If you have wildcarded your A records, every unrecognized sub-domain resolves to your legitimate top-level domain rather than producing an NXDOMAIN error, so there is nothing for these DNS redirection tricks to intercept. Alternatively, Earthlink customers can specify DNS servers which do not pass control to the Barefruit servers.
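As an added example (not from the original article), here is a small Python check a domain administrator can use to tell the three cases above apart: an honest NXDOMAIN, your own wildcard A record answering for a random sub-domain, and a resolver that substitutes a third party’s address. The DNS packet builder and parser are minimal and written for this example; the sample responses are constructed inline, and the addresses 203.0.113.10 and 198.51.100.7 are assumed placeholders.

```python
import random
import string
import struct

def random_label(n=12):
    """A label nobody has registered, so an honest resolver must answer NXDOMAIN."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))

def build_query(name, qid=0x1234):
    """Build a DNS A query (QTYPE 1, QCLASS IN) for `name` in wire format."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_response(data):
    """Return (rcode, list of A-record IPs) from a DNS response; handles name compression."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x0F            # 3 == NXDOMAIN
    def skip_name(o):               # advance past a (possibly compressed) name
        while True:
            l = data[o]
            if l == 0:
                return o + 1
            if l & 0xC0 == 0xC0:    # compression pointer is 2 bytes
                return o + 2
            o += 1 + l
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4    # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return rcode, ips

def classify(rcode, ips, own_ips):
    """NXDOMAIN is honest; answers inside own_ips are our wildcard; any other address is a hijack."""
    if rcode == 3:
        return "nxdomain"
    if ips and set(ips) <= set(own_ips):
        return "own-wildcard"
    return "hijacked" if ips else "nodata"

def fake_response(query, rcode, ip=None):
    """Constructed test fixture: echo the question, optionally add one A record via a 0xC00C pointer."""
    hdr = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    body = query[12:]
    if ip:
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + body
```

To run this against a live resolver, send the bytes from build_query for random_label() + ".yourdomain.example" over UDP to port 53 and feed the reply to parse_response; a "hijacked" verdict means the resolver, not your zone, supplied the answer.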


While the Barefruit servers have been patched to resolve this particular problem, how long can it be before greedy ISPs, scratching for cents, attempt to “enhance the user experience” and instead open another security hole for the ne’er-do-wells to exploit?


4 thoughts on “ISPs’ Greed to Monetize Mistyped Domains Leads to Barefruit Garden of Delight for Phisher and Hackers”

  1. I just wanted to say that The Internet Patrol has really helped educate me on so many pitfalls on the world wide web.

  2. I found the sentence on the Barefruit site “putting ISPs back in control of users’ address bars” most disturbing. I didn’t know my ISP was in control of my address bar. I have no interest in having my ISP control my address bar. I pay for my ISP to connect me to the Internet. Where do they get off thinking they deserve anything more than my monthly payment?

  3. @Jim:

    Excellent idea. www.noscript.net. What you lose (in having to spend a very small amount of time configuring noscript to whitelist sites) is tiny, tiny, tiny, compared to the joy of being protected against cross-site scripting attacks. Two thumbs up!

  4. Just use Firefox with the NoScript extension. You’ll still see the Barefruit page, but it (and other pages like it) won’t be able to do anything unless you allow it to.
