Unbeknownst to Reddit users, the site that likes to call itself the “front page of the internet” has acquired an unwanted evil twin they’d do well to avoid.
Registered in July 2010 as reddit.co (notice the missing ‘m’), it’s reportedly been used to host Flash games, a porn cam, and has spent a long time parked and for sale to anyone who might want to buy it.
Earlier this week, security engineer Alec Muffett noticed that Reddit.co had turned into something altogether more troubling – a clone of Reddit.com, most likely intended to phish user credentials.
Muffett found the site by accident, which is exactly how anyone would discover a site that is reached by mis-typing the correct domain by a single letter.
This made him wonder aloud:
How on earth the .co registry permitted it to be registered, is beyond me…
In fact, .co is the country code top-level domain (ccTLD) for Colombia – one might have assumed the registrar appointed to manage these would not have allowed it to be combined with such an obvious trademark as Reddit. Trademark holders are usually also careful to register similar-looking domains to protect themselves.
Muffett said he reported the page to Google’s Safe Browsing. Almost 24 hours later the fake site was still reachable, although by the morning of 7 February Google had started blocking it.
What, if any, precautions can users of sites like Reddit take against this kind of typosquatting?
It sounds like a job for two-factor authentication (2FA) which, by coincidence, Reddit finally implemented late last month using the time-based one-time password (TOTP) protocol.
Anyone who had enabled this and found themselves trying to log in to the Reddit clone would have discovered two benefits. First, the phishing site had no prompt for the six-digit TOTP code, which would hopefully alert users that something is wrong.
Second, even if users had handed over their usernames and passwords to the phishing site their credentials would not be enough to give the crooks access to their 2FA-protected accounts on the real Reddit site.
But might TOTP codes not also be vulnerable to being phished?
TOTP works by combining a secret key, shared between the server and the user’s device, with the current time. The device and the server each perform this calculation independently, and the server checks that the two outputs match. Authenticator apps move on to a new code every 30 seconds, which means an attacker has considerably less than this on average to make use of any code phished from the user.
Using a username, password and TOTP straight after they have been harvested is not impossible, but it’s a more complex task to get right than simply storing them for later use.
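To make the timing point concrete, here is a minimal TOTP implementation (RFC 6238 on top of RFC 4226 HOTP, HMAC-SHA1, six digits, 30-second steps). It is an added example, not code from the article or from Reddit; the secret is the published RFC reference test key, used here purely as constructed demo input, and the one-step drift window in `verify_totp` is an assumed server policy. The `replay_outcome` helper simulates a phisher capturing a code and submitting it to the real site later: inside the window it is accepted, a few minutes later it is not.

```python
# Added example (not from the article): RFC 6238 TOTP, showing why a phished
# code is only useful inside its 30-second window.
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference test key as raw ASCII bytes.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # period used by Authenticator-style apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the current time-step number."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. `window` (assumed policy) tolerates +/- that many
    steps of clock drift; a code from any other step, e.g. one harvested
    earlier and replayed later, is rejected. Comparison is constant-time."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def replay_outcome(secret: bytes, harvested_at: int, replayed_at: int) -> bool:
    """Simulate a phisher capturing the user's code at `harvested_at` and
    submitting it to the real site at `replayed_at`."""
    harvested_code = totp(secret, harvested_at)
    return verify_totp(secret, harvested_code, replayed_at)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    # Relayed within seconds: accepted (real-time relay is what a phisher must pull off).
    print("relayed 5 s later:", replay_outcome(DEMO_SECRET, now, now + 5))
    # Stored and used three minutes later: rejected.
    print("replayed 3 min later:", replay_outcome(DEMO_SECRET, now, now + 180))
```

The fixed-time calls in the test below reproduce the RFC 6238 vectors (the eight-digit reference values truncated to six digits), which is a quick way to check any TOTP code you write against the standard before trusting it.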
Attacks of this type seem to be rare, probably because so few people use 2FA in its various forms that attackers see no need to go to these lengths.
Password managers are another possible defence: Reddit users visiting the fake site would immediately have their attention drawn to the fact that the software had no password or username for the imposter domain.
It also pays to inspect the URL of the site you’re visiting: if something looks suspicious, such as misspelled words or missing letters, retreat!
It’s been rather too long coming but Reddit users can finally secure their accounts with two-factor authentication (2FA).
Read the announcement:
You asked for it, and we’re delivering!
Which ignores that Reddit is probably the last of the big internet brands to offer what, by 2018, has become a standard security option.
It is at least easy to turn on, by clicking on a link at the bottom of the preferences tab, which is also used to set the account password.
A small glitch Naked Security noticed is that the words “two factor authentication” don’t appear on all accounts in the appropriate space on the page. If that’s the case, look for the term ‘status’, beside which should be the phrase ‘click to enable’ to turn on authentication.
Using a 2FA app supporting the TOTP (Time-Based One-Time Password) protocol, such as Google’s Authenticator or Authy, the process is completed by scanning the QR code and entering a one-time six-digit verification code. A different code will be generated for every subsequent login.
Once finished, it’s important to generate and print out 10 backup codes in case there is a problem with the authentication app or the user mislays their smartphone.
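The two server-side artefacts behind that enrollment flow are the secret the QR code carries and the backup codes that get printed out. The following is an added example, not Reddit’s code or anything from the article: it builds the de-facto otpauth:// key URI that authenticator apps read from a QR code, and it generates ten backup codes, stores only salted hashes of them, and lets each be redeemed exactly once. The issuer name, the eight-digit code format and the PBKDF2 iteration count are assumptions for the demo.

```python
# Added example (not from the article): enrollment secret, otpauth URI and
# single-use backup codes for app-based 2FA.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

ISSUER = "ExampleSite"  # placeholder issuer, not Reddit's real enrollment data
BACKUP_CODE_COUNT = 10  # the article says ten codes are issued


def new_totp_secret(num_bytes: int = 20) -> str:
    """Fresh 160-bit shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")


def otpauth_uri(account: str, secret_b32: str, issuer: str = ISSUER) -> str:
    """Key URI encoded in the enrollment QR code (otpauth:// format, as read by
    Google Authenticator, Authy and similar apps)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1&digits=6&period=30")


def generate_backup_codes(count: int = BACKUP_CODE_COUNT) -> list:
    """Random eight-digit backup codes for the user to print and keep offline."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]


def hash_code(code: str, salt: bytes) -> str:
    """Store only a salted hash: the codes are low-entropy, so use a slow KDF
    (assumed parameters) rather than a plain digest."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()


class BackupCodeStore:
    """Hashed backup codes for one account; each code works exactly once."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept a code if it is unused, then burn it. Constant-time compare."""
        digest = hash_code(submitted, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    secret = new_totp_secret()
    print("QR payload:", otpauth_uri("alice", secret))
    codes = generate_backup_codes()
    print("backup codes to print:", codes)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The point of hashing the backup codes is the same as for passwords: if the database leaks, the attacker still has to brute-force each code through the KDF, and a code that has already been redeemed is gone from the store entirely.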
The positive aspect of the announcement is that Reddit has jumped straight to app-based 2FA, eschewing the established but now insecure SMS text-based codes still offered by many sites.
It’s just a pity it’s taken so long. Pioneer Google first offered multi-factor authentication (called two-step verification) as long ago as 2011, as did Facebook (Login Approvals), both after noticing increases in attacks fuelled by weak passwords, password re-use and phishing attacks.
Twitter and Microsoft added the same in 2013 (login verification), while even Instagram and WhatsApp had it by 2016 and 2017, respectively.
A turning point for Reddit was the 2016 incident when a hacker broke into moderator accounts and defaced subreddits. This drew attention to the weakness of securing accounts using passwords alone – which some speculated might have been the point of the attack.
After eventually resetting the passwords on 100,000 accounts, the company admitted it was looking at implementing 2FA. As it said at the time:
Reddit itself has not been exploited, but even the best security in the world won’t work when people are reusing passwords between sites.
Equally, enabling 2FA will only make a difference to security if people bother to activate it.
A week ago, a Google engineer admitted that fewer than 10% of its Gmail users had bothered to turn on its 2-step verification security – and that’s after seven years in which the company has nagged its users relentlessly to do this.
It’s possible that users have grown weary of having to enable 2FA on lots of sites, but apps like Google’s Authenticator (which work for multiple sites) are one way to streamline this.