What's a HOSTS file, and how do scammers use it for identity theft?
In chapter 5 of "Always Use Protection" you learned
what an IP address is - the numeric identifier that is used to
identify a computer on the Internet. When you type in a domain
name, like "google.com", your computer uses a service
called DNS (Domain Name System) to convert the name into an IP
address. Then it uses the IP address to contact the other
computer.
But a worm or virus can trick a computer into going to the wrong IP
address when you enter a domain name.
In many cases you'll know this is happening because every time
you try to go to a particular web site, you find yourself
somewhere else.
How they do it
Your computer has a file named HOSTS, typically located in
your Windows\System32\Drivers\Etc directory (you can do a search
under your Windows directory for a file named HOSTS to find it on
your system). A correct HOSTS file looks like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
The HOSTS file overrides the conversion of domain names to IP
addresses. Try adding the following lines to your HOSTS file:
66.94.230.32 google.com
66.94.230.32 www.google.com
See what happens when you browse to google.com (you may need
to restart your system).
You should see something like this:

Annoyance or Danger?
Finding yourself on the wrong page is annoying enough, but it
can also lead to identity theft. What if, for example, somebody
created a web site that was an almost exact duplicate of a site
like paypal.com? If they can modify your HOSTS file through a
virus or other attack, they can direct you to their fake site any
time you type paypal.com in your address bar. When you enter your
user ID and password, they'll be able to use that info to log into
your account and possibly steal your money (or worse).
Some fake sites are so close to the real thing that even
experts can be fooled.
Prevention
Most antivirus programs won't catch changes to the HOSTS file,
but will catch the viruses that change the HOSTS file, so keeping
your antivirus program up to date is critical.
You can also give your HOSTS file some additional protection.
Find it on your drive, right click on it, and select Properties.
Then check the "Read Only" checkbox to make the file
read only. It's not impossible for a virus to clear that attribute and
change the file anyway, but one that doesn't bother to will be blocked.
It's not a bad idea to look at your HOSTS file periodically to
make sure nobody has modified it.
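Checking the file by hand is the advice above; as an added example (not from the book or its companion site), here is a small Python script that parses the HOSTS format the way the file's own header describes it (IP address in the first column, host names after it, anything after '#' a comment) and flags any watched name that is pointed somewhere other than the machine itself. The watch list and the sample file contents are constructed for this example.

```python
import ipaddress
import sys

# Names we want to audit. Any HOSTS entry that maps one of these to an
# address other than the local machine is reported as a suspected hijack.
# (Constructed watch list; add the sites you care about.)
WATCHED = {"google.com", "www.google.com", "paypal.com", "www.paypal.com"}


def parse_hosts(text):
    """Parse HOSTS text into (ip, hostname, line_number) tuples.

    Rules follow the header of the Windows HOSTS file: the IP address is
    the first column, one or more host names follow it separated by
    whitespace, and everything after a '#' is a comment.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; skip the malformed line
        for name in fields[1:]:
            entries.append((ip, name.lower(), lineno))
    return entries


def find_hijacks(text, watched=WATCHED):
    """Return (line, name, ip) for watched names mapped off the local machine."""
    hits = []
    for ip, name, lineno in parse_hosts(text):
        if name in watched and not (ip.is_loopback or ip.is_unspecified):
            hits.append((lineno, name, str(ip)))
    return hits


# Constructed sample: a clean file plus the two lines from the experiment above.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
66.94.230.32 google.com  # added during the experiment
66.94.230.32 www.google.com
0.0.0.0 ads.example.com
"""

if __name__ == "__main__":
    # Pass the path to your real HOSTS file as the first argument to audit it.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for lineno, name, ip in find_hijacks(text):
        print(f"line {lineno}: {name} -> {ip} (not the local machine)")
```

Running it on the sample reports lines 4 and 5, the two google.com entries; the 0.0.0.0 entry is left alone because it only blocks a name rather than redirecting it.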
Advanced Prevention
If you're on a Windows 2000 or XP system, you can also
click on the "Security" tab and uncheck the Full
Control, Modify and Write options (to get to the security settings
on XP-Home, you need to boot into "safe mode" by
pressing F8 during boot up). You'll also have to turn off
inheritable permissions (you'll need to click on the Advanced
button to see the inheritable permissions checkbox on XP).

It's not easy for a program to change security
settings, so modifying the security settings provides better protection
than just setting the file to Read Only.