Alternate Email Domains, and Why You Should Never Use One

Recently my wife came to me with a problem. She was locked out of her account at a major social media site. She said her password wasn't working. She had changed it recently but had never logged out and back in again, so she wasn't sure whether she had recorded the new one correctly. 

She had already tried the password recovery and reset options via email but she wasn't getting any messages from the company in her inbox. I searched her inbox for messages from the company and found a previous password reset email. The email came from security@facebookmail.com. 

My blood went cold. A domain name like this is one of the tricks hackers use to get people to trust their emails. 

I immediately ran a search of the WHOIS database, which lists who has registered particular domain names. I found that facebookmail.com is in fact registered to Facebook's parent company, Meta. 

I have seen this from a number of companies. Instead of using a well-established domain name such as Facebook.com, they use a separate domain name that should look suspicious to everyone. 

Attackers often register domain names that are close to the original: either different enough to go unnoticed, or plausible enough to pass as part of the original company. Two tricks are common. The first is substituting look-alike characters (homoglyphs) from other scripts, such as a Cyrillic "а" for a Latin "a", to create a domain that is technically different but looks the same; computers are good at seeing minute differences but bad at seeing general patterns, while humans are the complete opposite and read similar-looking characters as the same. The second is adding text to the beginning or end of the real domain name. 

Facebookmail.com fits the latter of those tricks. It looks like a scam or phishing domain name, which is why it set off alarms in my head. Had they used Facebook.com, possibly with a subdomain such as mail.facebook.com, there would have been no question that the domain belonged to Facebook. 
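Both tricks described above, affixing text to a brand name and swapping in look-alike characters, can be checked mechanically. The following Python script is an added example written for this post, not code from the original page or from Meta. It classifies a sender's domain relative to the brand domain you actually trust, treating only the brand's own registrable domain and its subdomains as safe; everything else that still contains the brand name is flagged as a lookalike. Two simplifications are assumptions of the example and are marked in the code: the registrable domain is taken as the last two labels (production code should consult the Public Suffix List), and the confusables table is a small illustrative subset of Unicode's list. The sample sender domains are constructed. The example goes slightly beyond the text by also decoding Punycode (xn--) labels, which is the form look-alike names take in DNS and in raw mail headers.

```python
"""Classify a sender's mail domain against the brand domain you trust.

Added example for this post, not the original author's code. Assumptions
(also marked below): the registrable domain is the last two DNS labels, and
CONFUSABLES is a small illustrative subset of Unicode's confusables list.
"""
import unicodedata

# Illustrative subset of look-alike characters mapped to the Latin letter they
# imitate: a few Cyrillic letters plus the classic digit substitutions.
# ASSUMPTION: real deployments should use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0455": "s",  # Cyrillic small dze
    "0": "o",       # faceb00k
    "1": "l",       # paypa1
}


def to_unicode(domain: str) -> str:
    """Lower-case a hostname and decode any Punycode (xn--) labels to Unicode.

    Mail clients display the decoded form, so that is the form to inspect.
    """
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is and classify it anyway
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Fold text to an ASCII 'skeleton' so visually similar spellings compare equal.

    NFKC collapses full-width and ligature forms; CONFUSABLES collapses
    cross-script look-alikes and digit substitutions.
    """
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def registrable(domain: str) -> str:
    """Return the registrable part of a hostname.

    ASSUMPTION: the last two labels. That is wrong for public suffixes such
    as co.uk; production code should use the Public Suffix List instead.
    """
    return ".".join(domain.split(".")[-2:])


def classify(sender_domain: str, brand_domain: str) -> str:
    """Say how the sender's domain relates to the brand's domain.

    "exact" / "subdomain"  : same registrable domain; the only safe answers.
    "lookalike-homoglyph"  : brand name appears only after folding confusables.
    "lookalike-affix"      : brand name embedded verbatim in a different
                             registrable domain (facebookmail.com,
                             mailfacebook.com, facebook.com.evil.example).
    "unrelated"            : brand name does not appear at all.
    """
    sender = to_unicode(sender_domain)
    brand_reg = registrable(to_unicode(brand_domain))
    if registrable(sender) == brand_reg:
        return "exact" if sender == brand_reg else "subdomain"
    brand_name = brand_reg.split(".")[0]   # e.g. "facebook"
    flat = sender.replace(".", "")         # ignore label boundaries
    folded = skeleton(flat)
    if brand_name not in folded:
        return "unrelated"
    return "lookalike-homoglyph" if folded != flat else "lookalike-affix"


if __name__ == "__main__":
    BRAND = "facebook.com"
    cyrillic = "f\u0430\u0441\u0435b\u043e\u043ek.com"  # "facebook" with 5 Cyrillic letters
    # Constructed sample sender domains, including the one from the post.
    samples = [
        "facebook.com", "mail.facebook.com", "facebookmail.com", "mailfacebook.com",
        "faceb00k.com", cyrillic, cyrillic.encode("idna").decode("ascii"),
        "facebook.com.evil.example", "example.org",
    ]
    for sample in samples:
        print(f"{sample:32} {classify(sample, BRAND)}")
```

Run it as a script to print a classification for each sample. Anything other than `exact` or `subdomain` is a reason to stop and verify, which is exactly the pause the post argues a legitimate sender domain should never force on a user.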

Instead, I had to tell my wife to stop what she was doing and wait for me to confirm this domain name was not from a hacker.

For someone like me, a cyber security professional, this is an annoyance. However, not everyone knows how to use a WHOIS database to confirm who owns a domain name, or even that they can. They see facebookmail.com and have to roll the dice to see if it works. Granted, the odds that an attacker would send a fake password reset email within minutes of you clicking the real link are rather slim. But once someone has grown accustomed to email from facebookmail.com, it is likely they will also accept mailfacebook.com.

There are other ways to mitigate these risks (MFA, passkeys, password managers, etc., out of scope for this post), but for a large and technically competent company to still be using variations on its domain name for mail or other services, rather than a subdomain, is hard to understand. 

Now, I am throwing Facebook under the bus here only because they are the latest I have seen do this; however, they are far from the only company, or even tech company, that I have seen do this over the years.  

I understand there are marketing reasons to use alternative domains. Microsoft has Office.com, Google has Android.com, and there are many others. It is hard for me, though, to imagine the marketing reason for using facebookmail.com. 


* To be thorough, it is possible for an attacker to redirect traffic for a legitimate domain name to their own servers without registering the name, but this requires control of the victim's Internet path or DNS resolution, such as an Internet provider has, or the regulatory power of a nation state over those providers. Note also that a WHOIS lookup tells you who registered a domain, not that a particular email was actually sent by them; that is what email authentication (SPF, DKIM, DMARC) is for. Either way, these attacks and checks are out of scope for our conversation.
