Let's talk about HOSTS
When connecting to websites (or other internet resources), most users type a domain name (or a URL - Uniform Resource Locator) such as http://google.com . Computers don't talk in names such as google.com; they communicate using an Internet Protocol Address (IP Address). Generally speaking the IP Address scheme still in widest use is IP Version 4 (IPv4). In human-readable form it is 4 groups (or octets) of numbers from 0 to 255 each, separated by a period. For example 192.168.1.100.
To get the number for a given name, computers send a query to a Domain Name System (DNS) server. The address of that server is part of your internet configuration, and it CANNOT be a name: it MUST be an IP Address, because the computer has nothing to resolve a name with until it can reach DNS.
Although the overall process of name resolution is complex, for our purposes it suffices to say that a "Request" containing the NAME is sent to DNS and the RESPONSE comes back as an IP Address.
Once a response is received, the request is sent to the appropriate website (by IP Address) for whatever page you are looking for. That request carries the REQUESTER'S IP address, so no lookup is needed for the return traffic.
Enter in the HOSTS file.
The HOSTS file is just a plain text file that holds (generally) 3 types of information: COMMENTS, HOST names (web addresses), and IP ADDRESSES.
Comments are prefaced with the # sign. They appear either at the BEGINNING of a line or somewhere else within a line. A # sign at the beginning of a line means the whole line is a comment. When it's in the middle, only everything to the right of the # sign is a comment; everything to the LEFT of the # is data. A data line is an IP address followed by one or more host names, separated by spaces or tabs.
The HOSTS file was used in computing before the Internet (as we know it today). It did for networks what DNS does now, generally on a much more limited scale. Network admins would manually enter the IP Addresses for the individual hosts on their network. This had to be done on EVERY machine that wished to talk to other machines on the network. As long as the network was relatively small, this was a simpler way to resolve names.
As networks grew, maintaining a HOSTS file became a full time job. Imagine, if you will, a network with 200 computers on it. You add ONE MORE. Now, for the other 200 computers to communicate with the new one, you need to make an entry in each and every one of those HOSTS files. A daunting task, particularly on networks that are constantly changing.
DNS replaced the HOSTS file, but many people still used it, so most operating systems still support it. In fact, they not only support it, they give it PRIORITY: on Windows the HOSTS file is consulted before any DNS query, and on Linux the default "hosts: files dns" line in /etc/nsswitch.conf does the same.
Going back to the name resolution (above): when you enter a URL in your browser, your operating system has already loaded a copy of the HOSTS file into memory. If an entry matches, it will use the IP Address from the HOSTS file and never even ask DNS. This also has the added benefit of being relatively quick to respond.
Advantages of HOSTS files
As just mentioned, one advantage is that lookups for websites are quicker if they are in the HOSTS file. There is no "additional" network traffic just to find out the "address" (resolved name) of the site you want to go to, since it's already in your computer's memory.
Many (including myself) use the HOSTS file to BLOCK advertising. We do this by redirecting KNOWN advertising (or malware/spyware/virus) sites to the IP 127.0.0.1, which is the loopback adapter of your OWN computer. Without getting too technical, unless you have a web server on your own computer, chances are that only a "Cannot be displayed" message will appear where the advertisement was supposed to be. (Many block lists now use 0.0.0.0 instead of 127.0.0.1 for the same purpose: the connection fails immediately instead of knocking on a web server that may be running locally.)
The "SCAM" with HOSTS
Because more and more people are getting wise to online escrow (and the scams built around it), the scammers' first trick was to build a site that LOOKS like escrow.com but lives at a web address only SIMILAR to it (or maybe not like it at all), such as esrowtransactions.com. So the scammer asks you to use ESCROW.COM but gives you a link to esrowtransactions.com. The more savvy or aware users take note and manually type the URL of the site they are being "asked" to go to into their browser's address bar instead of clicking the link.
I guess this can be considered the electronic equivalent of sleight of hand. Again, because more and more people are getting wise to this and even reporting it (which gets them shut down sooner), the scammers have developed a way to EXPLOIT the HOSTS file. In an email they send you a link, an image, or something else that you have to "open". When you do, it does whatever you expected (displays an image, goes to a site, opens a document, or whatever), but it ALSO modifies your HOSTS file and causes it to be reloaded into your computer's memory. (The file is writable only by administrators on Windows and by root on Linux, so the "open this" has to run with those rights, or trick you into granting them.)
Now they give you a link to escrow.com, and the link takes you to a site that looks EXACTLY (mostly) like the REAL ESCROW.COM. Except instead of going to the IP Address of 188.8.131.52, it takes you somewhere else, where the scammers have FULL CONTROL over the site, the escrow, everything. And soon they would have control over your money (or merchandise, whichever it was).
So what to do? Well, you can make a periodic habit of looking at the HOSTS file. On most Windows™ systems the file can be found at c:\windows\system32\drivers\etc\hosts (NO file extension) and can be viewed or edited with a basic text editor (Notepad, WordPad) run as administrator. Unix/Linux systems generally have the file at /etc/hosts (again no file extension), and again it is just plain text. Generally speaking, unless YOU have modified the file for a specific purpose (such as the ad blocking mentioned above), there are typically only a couple of items in the HOSTS file.
Typical Windows™ Default HOSTS file
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      184.108.40.206     rhino.acme.com          # source server
#       220.127.116.11     x.acme.com              # x client host

127.0.0.1       localhost
As you can see, there is essentially only ONE entry, and that's for localhost (the two acme.com lines are commented out). So if you see other entries for anything that doesn't look familiar, especially for a site that you are dealing with (or think you are dealing with), that should raise a flag of concern.
To confirm (or deny) your suspicions, comment out the offending line by placing a # at the beginning of it. To be absolutely safe, save the file and reboot (on Windows, running "ipconfig /flushdns" from a command prompt clears the cached copy without a reboot). You should still be able to reach the site by manually typing in the address (DON'T click on the link in the email). It should take you to the real site. If you try to log in and find that you cannot (or even if you can, and your transaction is not there), then you have likely been duped. Discontinue contact with the other party and immediately notify the authorities, sites like ours, and the contacts at the legitimate site. They are all too familiar with these scams and may have advice to help you out as well.
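The check described above can be automated. The script below is an added example, not code from the original page: it parses a HOSTS file by the comment rule given earlier (everything right of # is a comment, everything left is an address followed by names) and then flags two things: any entry that redirects a name to an address other than loopback or 0.0.0.0, and any entry at all for a domain you are watching, such as escrow.com. The sample file, the hostnames ads.example and printer.local, and the address 203.0.113.45 (a documentation range, not a real server) are constructed for the example.

```python
import ipaddress

# Constructed sample, not a real HOSTS file: the stock localhost entries, one
# harmless ad-block line, one LAN printer, and one line of the kind the page
# warns about. 203.0.113.45 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      184.108.40.206   rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost                  # IPv6 loopback
0.0.0.0         ads.example                # ad-block entry: harmless
192.168.1.100   printer.local              # home LAN device, legitimate
203.0.113.45    escrow.com www.escrow.com  # injected by the "open this" attachment
"""


def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for every data line.

    Exactly the rule the page states: everything to the right of '#' is a
    comment, everything to the left is data; data is an address followed by
    one or more names separated by whitespace.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        data = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not data:
            continue
        fields = data.split()
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def audit_hosts(text, watched=("escrow.com",)):
    """Flag HOSTS entries a user should look at before trusting a site.

    Returns (line_no, hostname, address, reason) tuples. An entry pointing at
    a loopback address or 0.0.0.0 only blocks a name (the ad-block use), so it
    is left alone unless the name is one you are watching; anything else is a
    redirect and gets reported.
    """
    findings = []
    watched = tuple(w.lower() for w in watched)
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, " ".join(names), address, "unparseable address"))
            continue
        if not names:
            findings.append((line_no, "", address, "address with no hostname"))
            continue
        for name in names:
            lname = name.lower()
            if any(lname == w or lname.endswith("." + w) for w in watched):
                findings.append((line_no, name, address, "watched domain overridden"))
            elif ip.is_loopback or ip.is_unspecified:
                continue          # stock localhost line or a block entry
            else:
                findings.append((line_no, name, address, "redirect to non-local address"))
    return findings


if __name__ == "__main__":
    # To audit the live file, read it instead of SAMPLE_HOSTS, e.g.
    # open(r"C:\Windows\System32\drivers\etc\hosts").read() or open("/etc/hosts").read()
    for line_no, name, address, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}: {reason}")
```

On the sample this reports three lines: the printer entry (a redirect to a LAN address, which is why the page says to look for entries that "don't look familiar" rather than treating every entry as hostile) and both escrow.com names. The script only reads the file; commenting out a line and flushing the resolver cache are still done by hand, as described above.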