Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/6/2017
03:30 PM
Tim Helming
Tim Helming
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Phishing Season Lasts All Year for Top US Retailers

No major brand is immune from cyber squatters; the more popular the company, the more look-alike domains phishers register as bait. Here are some techniques to watch out for.

Pop quiz: What do phishing and Seattle’s winter rain totals have in common? Answer: both are at all-time highs.

In the case of the rain, opinions vary as to the cause - random variation, global warming, Pacific Ocean water temperatures. But for phishing, the reason for the records is obvious: it continues to be incredibly effective. The Anti-Phishing Working Group reports that 2016 saw over 1.2M phishing attacks, a 65% increase over 2015. The FBI places the financial losses since 2013 at well over $3B - and that’s just for one particular “species” of phish, the so-called business email compromise.

There are various "lures" that phishers use to attempt to draw their victims in, but a common category capitalizes on the appeal of well-known brands. So-called cyber squatters purchase Internet domains, often in huge numbers, to set up look-alike sites that draw unsuspecting victims with promises of such things as great prices on luxury goods. What actually gets delivered ranges from counterfeit goods to malware, and into the bargain, credit card numbers and other sensitive information are also often stolen. To make the ruse harder to detect, many phishing sites, after harvesting the user’s credentials, forward the user to the legitimate site. Thus, the user may have no inkling that something bad just happened.

Retail Phishing Research
We recently did some research on cyber squatting at global scale to see what levels of abuse popular brands are facing, and the findings were illuminating. Our methodology was straightforward: using a tool designed to catch phishing domains, we input a number of well-known brands such as Amazon, Apple, Nike, and Wal-Mart, and then we reviewed the daily findings for new domains spoofing those brands over a five-day period in the spring of 2017. The tool automatically generates look-alike strings, such as typos, non-ASCII character look-alikes, and affixes such as account- or -online, and then alerts on new domain registrations matching these criteria.

Because there can be legitimate sites that happen to include a name in them (imagine a person named Ani Kershaw registering the domain "anikershaw.com," which contains the string ‘nike’ but is obviously not intended to spoof the retailer), we further filtered the results to include only those domains with that reputation, and blacklist tools identified as risky. In addition to standard blacklist providers, we used an algorithm that examines how tightly linked a domain is to other domains that have been blacklisted. Thus, the domains discovered in our study carry risk on two levels: they mimic well-known brands, and they have strong connections to domains that have previously been "convicted."

By the Numbers
As you might imagine, the more popular the brand, the more suspicious domains it garners. During the five-day test period, some 200 high-risk-scoring Apple-related domains were registered. If this was a representative week- and our ongoing monitoring suggests it was -Apple would rack up some 12,000 high-risk-score domains per year. This is one of the many reasons that big companies don’t just register their own variants ahead of time; the numbers of possible permutations are enormous, especially when you consider that any given variant could exist in each of over 1,000 top level domains (.com, .net, .co.uk, .bike, etc.).

No major brand is immune; Apple is just one familiar example. We found abuse domains for Amazon (14), Nike (10), Wal-Mart (5), and several others. And if the numbers for those retailers don’t seem overwhelming, remember that these were domains just from a five-day period in March.

Cyber squatters use a variety of techniques to generate illegitimate domain names. Three very common ones are:

  • Affixes: the addition of one or more words before or after the target word, e.g. noreply-amazon[.]com, nikefree[.]us
  • Typos: misspellings that are easy to overlook in long URLs or small fonts, e.g. iphone-applen[.]com
  • Homoglyphs: use of look-alike characters, e.g. ƒacebook[.]com (that first character is a florin, not a letter F)

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

It’s also worth noting that the brand’s name can occur entirely outside of the domain name itself, because of how URLs are constructed. So, in a made-up but completely plausible example, you might see a URL like paypal.account.login.accountid-2058s03823-validate[.]com, and because of how URLs work, the actual domain name that the cyber squatter would have registered in this example was "accountid-2058s03823-validate[.]com" - the rest would have just been a matter of DNS and server configuration, which are quite easy to do.

Countermeasures
Given these grim realities, how do you protect your organization (to say nothing of yourself) against increasingly savvy phishers? Remember, since phishing is a human problem, the solutions are human ones, too. Technology helps, but it can best be relied upon to cut down on the noise level. It is also prudent to assume that some phishing emails are going to get through the filters.

Healthy paranoia: Since you know that attackers really are out to get you with phishing emails, treat every single link and attachment with caution. If you have any question at all about the email’s authenticity or origin, ask the sender about it - in person, if necessary. And don’t hesitate to bring in IT if a link or attachment looks in any way suspicious. Look carefully at URLs. Remember, phishers are counting on people to be distracted and moving fast. Taking a moment to hover your mouse over a link and getting a good look at the URL that appears there could help you avoid visiting a dangerous site. 

Education: Research has shown that companies that educate employees about phishing generally report lower incidences of breaches than those that don’t. Users don’t have to be technically savvy to become good at detecting possible phishing emails. As a bonus, if they bring the security team a phish that they didn’t fall for, that phish may contain valuable forensic information that could help the security team learn more about an adversary targeting the organization. This is especially true of business email compromise or other executing spearphishing emails, the ones where it is evident that the phisher has gone to some lengths to spoof an employee or organization. 

Monitor keywords: Organizations should consider using tools that continuously scan the Internet for look-alike domains spoofing their names or brands. It isn’t practical to defensively register all of the possible typos, affixes, homoglyphs, etc., so the next best thing is to learn about new registrations as quickly as possible, so that you can block traffic to the domains. Besides monitoring your own brand, it is worth considering your business ecosystem as a whole. For example, if you are a manufacturer that works closely with suppliers or subcontractors, consider monitoring their names as well. It would be a bad day if you unwittingly sent the plans for your world-changing new widget to a criminal who impersonated one of your subcontractors.

Related Content:

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tadwhitaker
50%
50%
tadwhitaker,
User Rank: Author
6/7/2017 | 2:00:00 PM
Phishing
Customer service is privacy's worst nightmare.
jaydenlam
0%
100%
jaydenlam,
User Rank: Apprentice
6/7/2017 | 5:18:03 AM
About the American economy
American economy have to grow more. We have to develop it . Nice article
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.