03:30 PM
Tim Helming
Tim Helming
Connect Directly
E-Mail vvv

Why Phishing Season Lasts All Year for Top US Retailers

No major brand is immune from cyber squatters; the more popular the company, the more look-alike domains phishers register as bait. Here are some techniques to watch out for.

Pop quiz: What do phishing and Seattle’s winter rain totals have in common? Answer: both are at all-time highs.

In the case of the rain, opinions vary as to the cause - random variation, global warming, Pacific Ocean water temperatures. But for phishing, the reason for the records is obvious: it continues to be incredibly effective. The Anti-Phishing Working Group reports that 2016 saw over 1.2M phishing attacks, a 65% increase over 2015. The FBI places the financial losses since 2013 at well over $3B - and that’s just for one particular “species” of phish, the so-called business email compromise.

There are various "lures" that phishers use to attempt to draw their victims in, but a common category capitalizes on the appeal of well-known brands. So-called cyber squatters purchase Internet domains, often in huge numbers, to set up look-alike sites that draw unsuspecting victims with promises of such things as great prices on luxury goods. What actually gets delivered ranges from counterfeit goods to malware, and into the bargain, credit card numbers and other sensitive information are also often stolen. To make the ruse harder to detect, many phishing sites, after harvesting the user’s credentials, forward the user to the legitimate site. Thus, the user may have no inkling that something bad just happened.

Retail Phishing Research
We recently did some research on cyber squatting at global scale to see what levels of abuse popular brands are facing, and the findings were illuminating. Our methodology was straightforward: using a tool designed to catch phishing domains, we input a number of well-known brands such as Amazon, Apple, Nike, and Wal-Mart, and then we reviewed the daily findings for new domains spoofing those brands over a five-day period in the spring of 2017. The tool automatically generates look-alike strings, such as typos, non-ASCII character look-alikes, and affixes such as account- or -online, and then alerts on new domain registrations matching these criteria.

Because there can be legitimate sites that happen to include a name in them (imagine a person named Ani Kershaw registering the domain "," which contains the string ‘nike’ but is obviously not intended to spoof the retailer), we further filtered the results to include only those domains with that reputation, and blacklist tools identified as risky. In addition to standard blacklist providers, we used an algorithm that examines how tightly linked a domain is to other domains that have been blacklisted. Thus, the domains discovered in our study carry risk on two levels: they mimic well-known brands, and they have strong connections to domains that have previously been "convicted."

By the Numbers
As you might imagine, the more popular the brand, the more suspicious domains it garners. During the five-day test period, some 200 high-risk-scoring Apple-related domains were registered. If this was a representative week- and our ongoing monitoring suggests it was -Apple would rack up some 12,000 high-risk-score domains per year. This is one of the many reasons that big companies don’t just register their own variants ahead of time; the numbers of possible permutations are enormous, especially when you consider that any given variant could exist in each of over 1,000 top level domains (.com, .net,, .bike, etc.).

No major brand is immune; Apple is just one familiar example. We found abuse domains for Amazon (14), Nike (10), Wal-Mart (5), and several others. And if the numbers for those retailers don’t seem overwhelming, remember that these were domains just from a five-day period in March.

Cyber squatters use a variety of techniques to generate illegitimate domain names. Three very common ones are:

  • Affixes: the addition of one or more words before or after the target word, e.g. noreply-amazon[.]com, nikefree[.]us
  • Typos: misspellings that are easy to overlook in long URLs or small fonts, e.g. iphone-applen[.]com
  • Homoglyphs: use of look-alike characters, e.g. ƒacebook[.]com (that first character is a florin, not a letter F)

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

It’s also worth noting that the brand’s name can occur entirely outside of the domain name itself, because of how URLs are constructed. So, in a made-up but completely plausible example, you might see a URL like paypal.account.login.accountid-2058s03823-validate[.]com, and because of how URLs work, the actual domain name that the cyber squatter would have registered in this example was "accountid-2058s03823-validate[.]com" - the rest would have just been a matter of DNS and server configuration, which are quite easy to do.

Given these grim realities, how do you protect your organization (to say nothing of yourself) against increasingly savvy phishers? Remember, since phishing is a human problem, the solutions are human ones, too. Technology helps, but it can best be relied upon to cut down on the noise level. It is also prudent to assume that some phishing emails are going to get through the filters.

Healthy paranoia: Since you know that attackers really are out to get you with phishing emails, treat every single link and attachment with caution. If you have any question at all about the email’s authenticity or origin, ask the sender about it - in person, if necessary. And don’t hesitate to bring in IT if a link or attachment looks in any way suspicious. Look carefully at URLs. Remember, phishers are counting on people to be distracted and moving fast. Taking a moment to hover your mouse over a link and getting a good look at the URL that appears there could help you avoid visiting a dangerous site. 

Education: Research has shown that companies that educate employees about phishing generally report lower incidences of breaches than those that don’t. Users don’t have to be technically savvy to become good at detecting possible phishing emails. As a bonus, if they bring the security team a phish that they didn’t fall for, that phish may contain valuable forensic information that could help the security team learn more about an adversary targeting the organization. This is especially true of business email compromise or other executing spearphishing emails, the ones where it is evident that the phisher has gone to some lengths to spoof an employee or organization. 

Monitor keywords: Organizations should consider using tools that continuously scan the Internet for look-alike domains spoofing their names or brands. It isn’t practical to defensively register all of the possible typos, affixes, homoglyphs, etc., so the next best thing is to learn about new registrations as quickly as possible, so that you can block traffic to the domains. Besides monitoring your own brand, it is worth considering your business ecosystem as a whole. For example, if you are a manufacturer that works closely with suppliers or subcontractors, consider monitoring their names as well. It would be a bad day if you unwittingly sent the plans for your world-changing new widget to a criminal who impersonated one of your subcontractors.

Related Content:

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
6/7/2017 | 2:00:00 PM
Customer service is privacy's worst nightmare.
User Rank: Apprentice
6/7/2017 | 5:18:03 AM
About the American economy
American economy have to grow more. We have to develop it . Nice article
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.