A convincing clone of the popular social news aggregation and discussion site Reddit has been spotted on the reddit.co domain. The author is obviously counting on users not to spot it for what it is: a site meant to harvest users’ username and password.

HEADSUP: Looking for infosec people at @Reddit. Website at (phishing?) domain reddit(.)co — using the Colombian TLD — was acting a pitch-perfect apparent MITM of the actual Reddit. Now returning 500 before I could screenshot it. Domain ownership is as-follows: pic.twitter.com/hpucMroumd — Alec Muffett (@AlecMuffett) February 5, 2018

Security researcher Alex Muffett sounded the alarm on Sunday, moved to inform the Reddit team about it, and is still waiting for Google Safe Browsing to flag the site as malicious.

The fake site’s home page looks very much like Reddit’s, though clicking on any of the posts that aren’t photos or videos hosted outside of Reddit returns an HTTP ERROR 500 page.

The person behind the fake site has also obtained an SSL certificate for it, so that users would see the HTTPS and believe they are on a “safe” site with an encrypted connection:

As I’m writing this, the site is still up.

A larger problem

“Make no mistake, this is an effective scam,” says Azeem Aleem, Director, Advanced Cyber Defence Practice EMEA and APJ at RSA.

“They’ve put in the time and effort to create a remarkably realistic website that even shows a secure SSL certificate in your browser window. It is well designed, well executed, and it highlights the very real danger of modern spoofing attacks. While it’s troubling to see these complex scams harvesting personal details, what’s more worrying is what this stolen data will be used for, as stolen credentials are used to breach the victim’s other accounts, and carry out sophisticated phishing attacks on friends, colleagues, and family.”

Time is of the essence for Reddit here, and the company needs to warn its users about the site, he noted.

“It’s not just sites like Reddit.co – last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted while tricking unsuspecting victims out of their data and damaging brand reputations across the internet,” says Kevin Bocek, Chief Cyber Security Officer at Venafi.

“This attack is part of a much larger problem that jeopardizes the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed. The answer is certificate reputation scoring to help people know what can and can’t be trusted.”

“This site previously hosted porn, it’s not a real Reddit owned domain, and the certificate was issued by Comodo whereas the real Reddit uses certificates produced by DigiCert. These are all things a certificate reputation score would have flagged for remediation by Reddit a long time ago,” he explained.

“Free certificates provide little validation, yet users see them as sacred. If people cannot trust that the sites they visit are genuine, our digital world could start to crumble. Action is needed now by security teams of enterprises since no one else will protect you from the bad guys.”