
Doing a Due Diligence - How to spot a forged website?

Discussion in 'Site Flipping' started by Netvertiser, Aug 26, 2016.

  1. Netvertiser

    Netvertiser Registered Member

    Joined:
    Dec 4, 2013
    Messages:
    60
    Likes Received:
    7
    When checking Adsense, Amazon or Paypal earnings through screenshare how do you spot a forged website?

    The first item on the checklist is to check the hosts file on a seller's machine, but then I manipulated my hosts file and each time I got one warning or the other that the certificate doesn't match or that something went wrong, or the browser simply redirected to the forged site I put in the hosts file.

    So am I safe to assume that the website is not being forged (since these websites are all behind SSL) if the URL in the address bar shows the correct domain and a lock is shown as a sign of the connection being fully secure?

    If yes, then there's no real fear of being offered a forged website, if the websites in question are behind an SSL, correct?

    One other thing:
    Is it possible to enter in Google Analytics an Adsense ID of a different website that the seller also owns (which makes more money) than the website in question? If no, then is it safe to assume that what is being shown in Google Analytics for Adsense (assuming all landing pages are showing only the website that is being sold) is real and one actually doesn't even need to look inside the Adsense account of a seller?
     
  2. Netvertiser

    Netvertiser Registered Member

    Is no one buying up here or no one doing their due diligence?

    Thomas?
     
  3. Netvertiser

    Netvertiser Registered Member

    Is meathead (Thomas) still active in here or is this section more or less useless for website buying debate?
     
  4. Mex

    Mex Jr. VIP Jr. VIP

    Joined:
    Aug 31, 2016
    Messages:
    184
    Likes Received:
    67
  5. Netvertiser

    Netvertiser Registered Member

    So you are saying once all this is in place (hosts file redirects to a forged localhost website and the forged website is using a self-signed localhost CA and the seller whitelisted all browser warnings) and the seller loads https://www.paypal.com in his browser then the URL in address bar still displays https://www.paypal.com and the green lock still displays "Paypal, Inc. [US]" ??
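
    The hosts-file check discussed in this thread, as an added example that is not part of any post: the function flags hosts entries that pin a payment or ad-network domain to a fixed address. The watched domain list and the sample hosts file are constructed assumptions.

```python
import ipaddress

# Assumption: domains whose earnings dashboards are shown during the screenshare.
WATCHED = ("paypal.com", "google.com", "amazon.com")


def hosts_overrides(hosts_text, watched=WATCHED):
    """Return (line_no, ip, hostname) for every hosts entry that pins a
    watched domain, or one of its subdomains, to a fixed address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before validating.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:
            host = name.lower().rstrip(".")  # case-insensitive, ignore root dot
            # Match on a label boundary so notpaypal.com is not flagged.
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((line_no, str(ip), host))
    return findings


# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.paypal.com paypal.com   # local override
10.0.0.5  WWW.Google.com.
#192.168.1.9 affiliate-program.amazon.com
192.168.1.9 notpaypal.com
"""

if __name__ == "__main__":
    for line_no, ip, host in hosts_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} pinned to {ip}")
```

    An empty result covers only the hosts file; the certificate check raised in the thread is a separate step.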
     
  6. Phil Gangluff

    Phil Gangluff Newbie

    Joined:
    Mar 12, 2014
    Messages:
    38
    Likes Received:
    11
    Occupation:
    Full-Time Internet Marketer
    Location:
    Arkansas, USA
    Yes, but you can always click the lock and view the actual certificate to make sure it's not self-signed.
     
  7. end_user

    end_user Newbie

    Joined:
    Oct 13, 2016
    Messages:
    9
    Likes Received:
    0
    Gender:
    Male
    Occupation:
    Artist
    Location:
    brooklyn NY
    Netvertiser, have you ever found a good checklist for your question? I'm looking to learn how to evaluate sites on Flippa, FE, Empire etc., so would love any resource you can share. Knowing how to rule out fraud and time waste on Flippa especially seems essential.
     
  8. tasburrfoot

    tasburrfoot Regular Member

    Joined:
    Dec 16, 2008
    Messages:
    323
    Likes Received:
    152
    There was a DEF CON talk some years ago about an underlying flaw involving null bytes that allowed you to get certificates for any domain. An example would be: you have your site comblahblah.com, and when applying for the certificate you would use a subdomain PayPal.com\0xblahblah.com. It would validate that it was a subdomain of comblahblah.com, but when issuing it would stop at the null byte, thus issuing a valid cert for PayPal.com.

    I believe this specific issue has long since been fixed (talk was 7-8 years ago), but there have since been other methods developed (most recently there was a signatory exploit for sale on dark0de before they got shut down, that would have been 2014).

    Moxie Marlinspike is the go-to resource for anything SSL, dude knows his shit (developer of sslstrip).
     
  9. end_user

    end_user Newbie

    Thanks tasburrfoot, I think I'm really talking about vetting at the first pass. I think what you're bringing up is after that point, unless spoofing sites is really really common in Flippa etc. sales, which at my level of expertise would make it a no-go for now.
     
  10. Netvertiser

    Netvertiser Registered Member

    Frankly, I had a loooong list created years ago that was too complicated and that I stopped using, because there was so much stuff to pay attention to that if followed through I would never have bought any site. Frankly, there is so much competition that if you bother too much, you will wave that site goodbye, because you are too slow.

    I learned to be quick and not bother about little things. So I trust my instinct and overall general feelings. As far as standard procedures, just google "website due diligence" and go from there. You will compile a big list from that. And once you start digging into sites and following that, 99% of the offers will fall off and you'll be fighting over that 1%, and you'll see how you will not be able to follow through the whole checklist because before you do, someone quicker will just buy that site or slap it with a LOI and you are done. I've lost many sites like that because others buy them too fast.
     
  11. sadecentpoint

    sadecentpoint Jr. VIP Jr. VIP

    Joined:
    Oct 9, 2013
    Messages:
    137
    Likes Received:
    11
    Actually you need to know what you want to do with the website you will buy. If you are buying an established business, then do you intend to take it to the next level or at least put in some work to at least run the business, because let's face it, "there is nothing in IM called AUTOPILOT".
    Due diligence is to check traffic by Google Analytics, a TeamViewer session of earnings, go back and forth in his account to see the green shield.
     
  12. end_user

    end_user Newbie

    Thanks, Netvertiser & sadecentpoint - great stuff. I'm just getting rolling, look forward to being able to work the way you describe.