Unbeknownst to Reddit users, the site that likes to call itself the “front page of the internet” has acquired an unwanted evil twin they’d do well to avoid.
Registered in July 2010 as reddit.co (notice the missing ‘m’), it’s reportedly been used to host Flash games, a porn cam, and has spent a long time parked and for sale to anyone who might want to buy it.
Earlier this week, security engineer Alec Muffett noticed that Reddit.co had turned into something altogether more troubling – a clone of Reddit.com, most likely intended to phish user credentials.
Muffett found the site by accident, which is exactly how anyone would discover a site that is reached by mis-typing the correct domain by a single letter.
This made him wonder aloud:
How on earth the .co registry permitted it to be registered, is beyond me…
In fact, .co is the country-code top-level domain (ccTLD) for Colombia, and one might have assumed that the registry appointed to run it would not have allowed the name to be combined with such an obvious trademark as Reddit. Trademark holders are usually also careful to register similar-looking domains (dropped or doubled letters, swapped characters and the like) to keep them out of other people's hands.
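The kind of look-alike list a trademark holder (or a defender monitoring for abuse) would work from can be generated mechanically. The following is an added example, not code from the article or from Reddit: it produces every name one keystroke away from a domain, editing the whole string including the TLD, because dropping the final letter is exactly what turns reddit.com into reddit.co. The QWERTY neighbour table is a constructed, partial assumption covering only the keys in the sample domain.

```python
"""Single-keystroke typosquat candidates for a domain (added example)."""
from __future__ import annotations

# Assumption: a small, constructed table of adjacent QWERTY keys. Only the
# letters in the sample domain are covered; extend it for real use.
QWERTY_NEIGHBOURS = {
    "r": "et", "e": "wr", "d": "sf", "i": "uo",
    "t": "ry", "c": "xv", "o": "ip", "m": "n",
}


def is_plausible(name: str) -> bool:
    """Keep only names that still look like host.tld: exactly one dot, no empty label."""
    labels = name.split(".")
    return len(labels) == 2 and all(labels)


def typosquat_candidates(domain: str) -> set[str]:
    """Return every name one hand-typing error away from `domain`.

    Covered errors: one character omitted, one character doubled, two
    adjacent characters transposed, and a neighbouring key hit instead.
    The TLD is edited too, so "reddit.com" yields "reddit.co".
    """
    out: set[str] = set()
    n = len(domain)
    for i in range(n):
        ch = domain[i]
        # omission: drop one character
        out.add(domain[:i] + domain[i + 1:])
        # repetition: double one character
        out.add(domain[:i] + ch + domain[i:])
        # adjacent-key substitution
        for k in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(domain[:i] + k + domain[i + 1:])
        # transposition: swap with the following character
        if i + 1 < n:
            out.add(domain[:i] + domain[i + 1] + ch + domain[i + 2:])
    out.discard(domain)
    return {c for c in out if is_plausible(c)}


if __name__ == "__main__":
    for name in sorted(typosquat_candidates("reddit.com")):
        print(name)
```

The output is the list you would feed to a WHOIS or DNS lookup to see which variants are already registered by someone else, or register defensively yourself; it is deliberately single-edit only, since that is the class of mistake a human typing a URL actually makes.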
Muffett said he reported the page to Google Safe Browsing. Almost 24 hours later the fake site was still reachable, although by the morning of 7 February Google had started blocking it.
What, if any, precautions can users of sites like Reddit take against this kind of typosquatting?
It sounds like a job for two-factor authentication (2FA), which, by coincidence, Reddit finally implemented late last month using the time-based one-time password (TOTP) protocol described in RFC 6238.
Anyone who had enabled this and found themselves trying to log in to the Reddit clone would have discovered two benefits. First, the phishing site had no prompt for the six-digit TOTP code, which would hopefully alert users that something is wrong.
Second, even if users had handed over their usernames and passwords to the phishing site their credentials would not be enough to give the crooks access to their 2FA-protected accounts on the real Reddit site.
But might TOTP codes not also be vulnerable to being phished?
TOTP works from a secret key shared between the server and the user's device. Each side combines that secret with the current time, rounded down to a 30-second step, to produce the same six-digit code, and the server checks that the code the user typed matches the one it computed. Because the authenticator moves to a new code every 30 seconds, and servers normally tolerate only a step or so of clock drift, anyone who phishes a code has well under a minute to use it before it expires.
Using a username, password and TOTP code straight after they have been harvested is not impossible (the phishing site simply relays them to the real site as they arrive), but it's a more complex task to get right than simply storing them for later use.
Attacks of this type seem to be rare, probably because so few people use 2FA in its various forms that attackers see no need to go to these lengths.
Password managers are another possible defence: Reddit users visiting the fake site would immediately have their attention drawn to the fact that the software had no password or username for the imposter domain.
It also pays to inspect the URL of the site you're visiting: if something looks suspicious, such as misspelled words or missing letters, retreat!
Reddit’s warrant canary has disappeared, leaving nary a metaphorical feather in its wake after it flew the company’s latest transparency report.
The CEO has said that he can’t comment on the issue: a remark that points straight to the company being under a warrant’s gag order.
CEO Steve Huffman – the user “spez” – had this to say in a Reddit discussion about the issue:
I’ve been advised not to say anything one way or the other.
A warrant canary is a published statement that changes or disappears from the documentation published by ISPs, telecoms and other technology providers when they’ve been gagged by secret court orders.
The way canaries work is that companies state, in their transparency reports, that they have not been served with a secret government subpoena.
Such subpoenas, National Security Letters for example, come with gag orders that keep companies from telling customers they've been served.
When a company publishes the dates on which it hadn't received a subpoena, and that statement later goes missing, customers can infer from the missing information that the company must have been served in the meantime.
This all assumes that while the government can compel silence, it can’t compel companies to lie about not having gotten a gag order.
A coalition of legal and civil liberties organizations in February 2015 launched a site – CanaryWatch.org – to monitor known warrant canaries.
After all, their thinking went, unless you’re paying close attention to a particular site’s warrant canary, it can be tough to notice something that’s not there.
This is what Reddit’s canary looked like in last year’s transparency report:
As of January 29, 2015, reddit has never received a National Security Letter (NSL), an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
Reddit posted its latest transparency report on Thursday, and the canary’s disappearance was quickly spotted.
Reddit being subpoenaed and gagged isn’t surprising.
Its splattery history includes hosting content on gore, torture, racism, executions, stolen nude celebrity photos, and drugs – including links to popular drug markets, tutorials on how to use them, product reviews, and the equivalent of grocery store weekly circulars that let vendors advertise their wares.
In fact, a year ago, the Feds subpoenaed Reddit to try to get the company to rat out five prominent Redditors active in the “Darknet Markets” dark web drug forum subreddit.
Was Reddit served with a gag order as investigators pursue the drug lords and scammers enriched by the abrupt vanishing of Evolution, the top market (and, by some measures, the biggest ever) that disappeared along with up to $12 million worth of Bitcoin?
We’ll likely never know.
Image of yellow canary courtesy of Alandmanson – Own work, CC BY-SA 3.0