N.S. failing to protect against 'typosquatting,' doppelganger websites, says analyst

·5 min read
An IT security analyst in Halifax says the provincial government is failing to protect Nova Scotians from potential online impostors who steal personal information with lookalike websites.  (Shutterstock/Dan74 - image credit)
An IT security analyst in Halifax says the provincial government is failing to protect Nova Scotians from potential online impostors who steal personal information with lookalike websites. (Shutterstock/Dan74 - image credit)

An IT security analyst in Halifax says the provincial government is failing to protect Nova Scotians from potential online impostors who steal personal information with lookalike websites.

So for $20, Logan Atwood registered the web address "govns.ca" so it can't be used in so-called "typosquatting" attacks.

"Working in the industry, I realized just how many bad things that domain could be used for," Logan said.

Typosquatting is the practice of buying web addresses that are nearly identical to popular websites.

If anyone makes the right typing mistake, web traffic flows to a different host, which can be harnessed for advertising purposes.

But a bigger risk is posed by "doppelganger" websites, which are identical to official websites but minus a "." in the address.

"This is a special class of attack, even beyond typosquats," he said.

Tool for identity theft

Logan says doppelganger websites can be used to fool people into giving up sensitive personal information.

"Someone could create an email campaign looking to steal identities. And just tell people, "Hey, click here to receive your updated vaccine QR code." And have people put in their name, address, health card and just see how much information that would be able to get from them," Logan said.

"There could also be the potential to cause havoc and chaos with interprovincial relations, because you'd be able to send email that most people would actually think is coming from an elected official," Logan said.

CBC
CBC

"And you could be sending that to another province, the federal government, potentially even other countries," he said.

It could also be a way to sneak around proof of vaccination.

"Someone could purchase these domains and put up a fake vaccine QR code verifier, put up a website to allow generating these fake documents," he said

Logan says controlling provincial doppelganger websites is key to preventing these risks.

"It's generally considered a best practice, especially when you're looking at government, where they have a duty and responsibility to their citizens," Logan said.

Old version of N.S. address

Since October of 2018, the province has been transitioning from its old web address, "gov.ns.ca" to "novascotia.ca".

But the old address still looms large in the minds of internet users.

Logan surveyed his IT security colleagues to see if they'd catch the difference between "gov.ns.ca" and "govns.ca".

"They all told me that they wouldn't have noticed that in the email header," Logan said.

"So the very people that are supposed to be able to catch this sort of thing in their own personal lives told me that, yeah, they would have missed this," he said.

Provincial government unconcerned

Communications Nova Scotia is in charge of maintaining the province's web presence.

"The primary domains we use are novascotia.ca (current) and gov.ns.ca (legacy)," said spokesperson Chrissy Matheson.

"We only register domains we use or could use in the future.… We do not register domains that could represent typos and misspellings of our registered domains," she said.

"This practice could be costly for taxpayers and could unintentionally give legitimacy to lookalike domains," Matheson said.

"If a website misrepresents itself as a government property (by using the government logo, for example), CNS can take legal steps to have that website taken down. This has not been a big issue for the Nova Scotia Government," she said.

Major issue for the feds

Meanwhile, the federal Communications Security Establishment (CSE) has an active campaign to fight typosquatters and other scammers who try to impersonate federal institutions.

"Since March 2020, the Cyber Centre's work has contributed to the removal of over 10,000 fraudulent sites or e-mail addresses, including web sites impersonating the Government of Canada," said CSE spokesperson Evan Koronewski.

"CSE has helped identify and remove malicious websites pretending to be the Canada Border Services Agency, Public Health Agency, and the Canada Revenue Agency," Koronewski said.

Koronewski says COVID-19 has triggered a surge in government website impersonation.

"This work continues each and every day as we identify and remove more fraudulent domains impersonating the Government of Canada for any reason," he said.

Provincial risk goes beyond Nova Scotia

Attwood says Nova Scotia isn't the only province neglecting doppelganger websites.

He's registered lookalike sites for Manitoba govmb.ca, Quebec govqc.ca, Saskatchewan govsk.ca and the Yukon govyk.ca.

He also registered lookalikes for New Brunswick in both English and French, befitting the province's bilingual status.

"With New Brunswick, they had both 'gov' and 'gouvnb' available," he said.

Alarmingly, a doppelganger for the former Alberta website is already gone.

"There is govab.ca and that's currently already registered.… The identity of the owner is obscured through private registration," Logan said.

Offer to provinces

In the meantime Logan has set all the provincial lookalikes to link to a CBC story about a previous Nova Scotia IT problem.

He's also changed the doppelganger website settings to make it impossible to use them to send emails.

Logan says he wants all the jurisdictions to take the websites off his hands.

He says he's reached out by email..

"I requested that they acknowledge they received the email, and that they were ready to initiate a domain transfer. I would like for the respective provinces to own these domains," he said.

So far, he's received no response.

Logan insists his motivations are "pure," and he will give the sites away, even though registration cost him $20 each.

"Free … I wouldn't turn down having my costs covered, but by no means am I asking for them to be," he said.

MORE TOP STORIES

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting