What's a HOSTS file, and how do scammers use it for identity theft?
An IP address is the numeric identifier used to locate a computer on the Internet. When you type in a domain name, like "google.com", your computer uses a service
called DNS (the Domain Name System) to convert the name into an IP address, and then it uses that IP address to contact the other
computer.
But a worm or virus can trick your computer into going to the wrong IP address when you enter a domain name. Sometimes
you'll notice, because every time you try to go to a particular web site you end up somewhere else. If the wrong address
hosts a convincing copy of the site you expected, you may not notice at all.
How they do it: Your computer has a file named HOSTS (no extension), typically located in your Windows\System32\Drivers\Etc
directory (if it isn't there, search your Windows directory for a file named HOSTS). An untouched HOSTS
file looks like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
The HOSTS file overrides DNS: if a name appears in the file, the address listed there is used and DNS is never asked.
To see this for yourself, add the following lines to your HOSTS file (you'll need administrator rights to save it):
66.94.230.32 google.com
66.94.230.32 www.google.com
Then browse to google.com. If nothing changes, Windows is still using a cached answer: run ipconfig /flushdns at a
command prompt (or restart the system) and try again. Instead of Google you'll land on whatever site lives at that
address (the original page showed a screenshot of the result here). Remove the two lines when you're done.

Annoyance or Danger?
Finding yourself on the wrong page is annoying enough,
but it can also lead to identity theft. What if, for example, somebody created a web site that was an almost exact duplicate
of a site like paypal.com? If they can modify your HOSTS file through a virus or other attack, they can direct you to their
fake site any time you type paypal.com in your address bar. When you enter your user ID and password, they'll be able to use
that info to log into your account and possibly steal your money (or worse). Some fake sites are so close to the real thing that even experts can be fooled.
Prevention: An antivirus program won't necessarily flag a change to the HOSTS file itself,
but it should catch the malware that makes the change, so keeping your antivirus program up to date is critical.
You can also give your HOSTS file some additional protection.
Find it on your drive, right-click on it, and select Properties. Then check the "Read Only" checkbox to make the file read
only. Malware can clear that attribute just as easily as you set it, so this only stops the malware that doesn't bother, but it costs nothing.
It's not a bad idea to look at your HOSTS file periodically to make sure nobody has modified it. Any line you didn't add
yourself deserves a closer look, especially one that maps the name of a bank, a payment site or an antivirus vendor to some address.
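The experiment above and the periodic check both come down to reading the HOSTS format and knowing which lines are out of place. The following Python script is an added example written for this page, not code from the original article: it parses the file format shown earlier, models the lookup order in which a HOSTS entry beats DNS, and reports entries that redirect a name to a routable address or point a watchlisted name at loopback. The sample file contents, the 192.0.2.x and 203.0.113.x addresses (documentation ranges), the hostnames and the watchlist are all constructed for the example.

```python
"""Audit a Windows HOSTS file for hijacked entries (added example, not the
article's own code). Parses "<ip> <name> [<name>...] [# comment]" lines,
shows that a HOSTS entry takes priority over DNS, and flags the two things
an attacker does with the file: redirecting a name to an address they
control, and pointing a security vendor's name at loopback so updates fail.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: what a HOSTS file might look like after tampering.
# 192.0.2.0/24 is a documentation range, so nothing real lives there.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.0.2.10      paypal.com www.paypal.com       # added by malware
192.0.2.10      www.bank.example
0.0.0.0         ads.example                     # ad-blocking entry, harmless
127.0.0.1       update.antivirus.example        # blocks AV updates
"""

# Names whose presence in HOSTS is suspicious even when they point at
# loopback. This list is an assumption; use your own bank/payment/AV names.
WATCHLIST: Set[str] = {
    "paypal.com", "www.paypal.com", "www.bank.example",
    "update.antivirus.example",
}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]


class Finding(NamedTuple):
    line_no: int
    name: str
    kind: str      # "redirect" or "block"
    address: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS text. A '#' starts a comment, fields are whitespace-separated,
    the first field must be an IP address; malformed lines are skipped."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if len(fields) < 2:
            continue
        entries.append(HostsEntry(line_no, fields[0], [f.lower() for f in fields[1:]]))
    return entries


def resolve(name: str, entries: List[HostsEntry], dns: Dict[str, str]) -> Optional[str]:
    """Model the lookup order: a HOSTS entry wins and DNS is never consulted.
    `dns` stands in for the real resolver (a constructed dict); the first
    matching HOSTS line wins here."""
    name = name.lower()
    for entry in entries:
        if name in entry.names:
            return entry.address
    return dns.get(name)


def is_local(address: str) -> bool:
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def find_suspicious(entries: List[HostsEntry], watchlist: Set[str]) -> List[Finding]:
    """Flag every name sent to a routable address (a redirect, the scam the
    article describes) and every watchlisted name sent to loopback (a block)."""
    findings: List[Finding] = []
    for entry in entries:
        local = is_local(entry.address)
        for name in entry.names:
            if name == "localhost":
                continue
            if not local:
                findings.append(Finding(entry.line_no, name, "redirect", entry.address))
            elif name in watchlist:
                findings.append(Finding(entry.line_no, name, "block", entry.address))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    # DNS would give one answer, HOSTS gives another: HOSTS wins.
    fake_dns = {"www.paypal.com": "203.0.113.5"}
    print("www.paypal.com ->", resolve("www.paypal.com", hosts, fake_dns))
    for f in find_suspicious(hosts, WATCHLIST):
        print(f"line {f.line_no}: {f.name} {f.kind} -> {f.address}")
```

To run it against your own machine, read the Windows\System32\Drivers\Etc\hosts file named above and pass its contents to parse_hosts instead of SAMPLE_HOSTS. Entries that map a name to 0.0.0.0 or 127.0.0.1 are often legitimate ad-blocking, which is why only watchlisted names are reported in that case; any name sent to a routable address is reported unconditionally.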
Advanced Prevention:
If you're on a Windows 2000 or XP system, you can
also click on the "Security" tab and uncheck the Full Control, Modify and Write options (to get to the security settings
on XP Home, you need to boot into Safe Mode by pressing F8 during startup). You'll also have to turn off inheritable
permissions (click the Advanced button to find the inheritable-permissions checkbox on XP).

Changing permissions takes more work than clearing a Read Only flag, so this gives better protection than the Read Only
attribute alone. It is not a complete defense, though: malware running with administrator rights, which on these systems
usually means any program you run, can change the permissions right back. The permissions help most against code running as a limited user.