Cloud

6/6/2017
03:30 PM
Tim Helming
Tim Helming
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Phishing Season Lasts All Year for Top US Retailers

No major brand is immune from cyber squatters; the more popular the company, the more look-alike domains phishers register as bait. Here are some techniques to watch out for.

Pop quiz: What do phishing and Seattle’s winter rain totals have in common? Answer: both are at all-time highs.

In the case of the rain, opinions vary as to the cause - random variation, global warming, Pacific Ocean water temperatures. But for phishing, the reason for the records is obvious: it continues to be incredibly effective. The Anti-Phishing Working Group reports that 2016 saw over 1.2M phishing attacks, a 65% increase over 2015. The FBI places the financial losses since 2013 at well over $3B - and that’s just for one particular “species” of phish, the so-called business email compromise.

There are various "lures" that phishers use to attempt to draw their victims in, but a common category capitalizes on the appeal of well-known brands. So-called cyber squatters purchase Internet domains, often in huge numbers, to set up look-alike sites that draw unsuspecting victims with promises of such things as great prices on luxury goods. What actually gets delivered ranges from counterfeit goods to malware, and into the bargain, credit card numbers and other sensitive information are also often stolen. To make the ruse harder to detect, many phishing sites, after harvesting the user’s credentials, forward the user to the legitimate site. Thus, the user may have no inkling that something bad just happened.

Retail Phishing Research
We recently did some research on cyber squatting at global scale to see what levels of abuse popular brands are facing, and the findings were illuminating. Our methodology was straightforward: using a tool designed to catch phishing domains, we input a number of well-known brands such as Amazon, Apple, Nike, and Wal-Mart, and then we reviewed the daily findings for new domains spoofing those brands over a five-day period in the spring of 2017. The tool automatically generates look-alike strings, such as typos, non-ASCII character look-alikes, and affixes such as account- or -online, and then alerts on new domain registrations matching these criteria.

Because there can be legitimate sites that happen to include a name in them (imagine a person named Ani Kershaw registering the domain "anikershaw.com," which contains the string ‘nike’ but is obviously not intended to spoof the retailer), we further filtered the results to include only those domains with that reputation, and blacklist tools identified as risky. In addition to standard blacklist providers, we used an algorithm that examines how tightly linked a domain is to other domains that have been blacklisted. Thus, the domains discovered in our study carry risk on two levels: they mimic well-known brands, and they have strong connections to domains that have previously been "convicted."

By the Numbers
As you might imagine, the more popular the brand, the more suspicious domains it garners. During the five-day test period, some 200 high-risk-scoring Apple-related domains were registered. If this was a representative week- and our ongoing monitoring suggests it was -Apple would rack up some 12,000 high-risk-score domains per year. This is one of the many reasons that big companies don’t just register their own variants ahead of time; the numbers of possible permutations are enormous, especially when you consider that any given variant could exist in each of over 1,000 top level domains (.com, .net, .co.uk, .bike, etc.).

No major brand is immune; Apple is just one familiar example. We found abuse domains for Amazon (14), Nike (10), Wal-Mart (5), and several others. And if the numbers for those retailers don’t seem overwhelming, remember that these were domains just from a five-day period in March.

Cyber squatters use a variety of techniques to generate illegitimate domain names. Three very common ones are:

  • Affixes: the addition of one or more words before or after the target word, e.g. noreply-amazon[.]com, nikefree[.]us
  • Typos: misspellings that are easy to overlook in long URLs or small fonts, e.g. iphone-applen[.]com
  • Homoglyphs: use of look-alike characters, e.g. ƒacebook[.]com (that first character is a florin, not a letter F)

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

It’s also worth noting that the brand’s name can occur entirely outside of the domain name itself, because of how URLs are constructed. So, in a made-up but completely plausible example, you might see a URL like paypal.account.login.accountid-2058s03823-validate[.]com, and because of how URLs work, the actual domain name that the cyber squatter would have registered in this example was "accountid-2058s03823-validate[.]com" - the rest would have just been a matter of DNS and server configuration, which are quite easy to do.

Countermeasures
Given these grim realities, how do you protect your organization (to say nothing of yourself) against increasingly savvy phishers? Remember, since phishing is a human problem, the solutions are human ones, too. Technology helps, but it can best be relied upon to cut down on the noise level. It is also prudent to assume that some phishing emails are going to get through the filters.

Healthy paranoia: Since you know that attackers really are out to get you with phishing emails, treat every single link and attachment with caution. If you have any question at all about the email’s authenticity or origin, ask the sender about it - in person, if necessary. And don’t hesitate to bring in IT if a link or attachment looks in any way suspicious. Look carefully at URLs. Remember, phishers are counting on people to be distracted and moving fast. Taking a moment to hover your mouse over a link and getting a good look at the URL that appears there could help you avoid visiting a dangerous site. 

Education: Research has shown that companies that educate employees about phishing generally report lower incidences of breaches than those that don’t. Users don’t have to be technically savvy to become good at detecting possible phishing emails. As a bonus, if they bring the security team a phish that they didn’t fall for, that phish may contain valuable forensic information that could help the security team learn more about an adversary targeting the organization. This is especially true of business email compromise or other executing spearphishing emails, the ones where it is evident that the phisher has gone to some lengths to spoof an employee or organization. 

Monitor keywords: Organizations should consider using tools that continuously scan the Internet for look-alike domains spoofing their names or brands. It isn’t practical to defensively register all of the possible typos, affixes, homoglyphs, etc., so the next best thing is to learn about new registrations as quickly as possible, so that you can block traffic to the domains. Besides monitoring your own brand, it is worth considering your business ecosystem as a whole. For example, if you are a manufacturer that works closely with suppliers or subcontractors, consider monitoring their names as well. It would be a bad day if you unwittingly sent the plans for your world-changing new widget to a criminal who impersonated one of your subcontractors.

Related Content:

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tadwhitaker
50%
50%
tadwhitaker,
User Rank: Author
6/7/2017 | 2:00:00 PM
Phishing
Customer service is privacy's worst nightmare.
jaydenlam
0%
100%
jaydenlam,
User Rank: Apprentice
6/7/2017 | 5:18:03 AM
About the American economy
American economy have to grow more. We have to develop it . Nice article
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.