Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/6/2017
03:30 PM
Tim Helming
Tim Helming
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Phishing Season Lasts All Year for Top US Retailers

No major brand is immune from cyber squatters; the more popular the company, the more look-alike domains phishers register as bait. Here are some techniques to watch out for.

Pop quiz: What do phishing and Seattle’s winter rain totals have in common? Answer: both are at all-time highs.

In the case of the rain, opinions vary as to the cause - random variation, global warming, Pacific Ocean water temperatures. But for phishing, the reason for the records is obvious: it continues to be incredibly effective. The Anti-Phishing Working Group reports that 2016 saw over 1.2M phishing attacks, a 65% increase over 2015. The FBI places the financial losses since 2013 at well over $3B - and that’s just for one particular “species” of phish, the so-called business email compromise.

There are various "lures" that phishers use to attempt to draw their victims in, but a common category capitalizes on the appeal of well-known brands. So-called cyber squatters purchase Internet domains, often in huge numbers, to set up look-alike sites that draw unsuspecting victims with promises of such things as great prices on luxury goods. What actually gets delivered ranges from counterfeit goods to malware, and into the bargain, credit card numbers and other sensitive information are also often stolen. To make the ruse harder to detect, many phishing sites, after harvesting the user’s credentials, forward the user to the legitimate site. Thus, the user may have no inkling that something bad just happened.

Retail Phishing Research
We recently did some research on cyber squatting at global scale to see what levels of abuse popular brands are facing, and the findings were illuminating. Our methodology was straightforward: using a tool designed to catch phishing domains, we input a number of well-known brands such as Amazon, Apple, Nike, and Wal-Mart, and then we reviewed the daily findings for new domains spoofing those brands over a five-day period in the spring of 2017. The tool automatically generates look-alike strings, such as typos, non-ASCII character look-alikes, and affixes such as account- or -online, and then alerts on new domain registrations matching these criteria.

Because there can be legitimate sites that happen to include a name in them (imagine a person named Ani Kershaw registering the domain "anikershaw.com," which contains the string ‘nike’ but is obviously not intended to spoof the retailer), we further filtered the results to include only those domains with that reputation, and blacklist tools identified as risky. In addition to standard blacklist providers, we used an algorithm that examines how tightly linked a domain is to other domains that have been blacklisted. Thus, the domains discovered in our study carry risk on two levels: they mimic well-known brands, and they have strong connections to domains that have previously been "convicted."

By the Numbers
As you might imagine, the more popular the brand, the more suspicious domains it garners. During the five-day test period, some 200 high-risk-scoring Apple-related domains were registered. If this was a representative week- and our ongoing monitoring suggests it was -Apple would rack up some 12,000 high-risk-score domains per year. This is one of the many reasons that big companies don’t just register their own variants ahead of time; the numbers of possible permutations are enormous, especially when you consider that any given variant could exist in each of over 1,000 top level domains (.com, .net, .co.uk, .bike, etc.).

No major brand is immune; Apple is just one familiar example. We found abuse domains for Amazon (14), Nike (10), Wal-Mart (5), and several others. And if the numbers for those retailers don’t seem overwhelming, remember that these were domains just from a five-day period in March.

Cyber squatters use a variety of techniques to generate illegitimate domain names. Three very common ones are:

  • Affixes: the addition of one or more words before or after the target word, e.g. noreply-amazon[.]com, nikefree[.]us
  • Typos: misspellings that are easy to overlook in long URLs or small fonts, e.g. iphone-applen[.]com
  • Homoglyphs: use of look-alike characters, e.g. ƒacebook[.]com (that first character is a florin, not a letter F)

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

It’s also worth noting that the brand’s name can occur entirely outside of the domain name itself, because of how URLs are constructed. So, in a made-up but completely plausible example, you might see a URL like paypal.account.login.accountid-2058s03823-validate[.]com, and because of how URLs work, the actual domain name that the cyber squatter would have registered in this example was "accountid-2058s03823-validate[.]com" - the rest would have just been a matter of DNS and server configuration, which are quite easy to do.

Countermeasures
Given these grim realities, how do you protect your organization (to say nothing of yourself) against increasingly savvy phishers? Remember, since phishing is a human problem, the solutions are human ones, too. Technology helps, but it can best be relied upon to cut down on the noise level. It is also prudent to assume that some phishing emails are going to get through the filters.

Healthy paranoia: Since you know that attackers really are out to get you with phishing emails, treat every single link and attachment with caution. If you have any question at all about the email’s authenticity or origin, ask the sender about it - in person, if necessary. And don’t hesitate to bring in IT if a link or attachment looks in any way suspicious. Look carefully at URLs. Remember, phishers are counting on people to be distracted and moving fast. Taking a moment to hover your mouse over a link and getting a good look at the URL that appears there could help you avoid visiting a dangerous site. 

Education: Research has shown that companies that educate employees about phishing generally report lower incidences of breaches than those that don’t. Users don’t have to be technically savvy to become good at detecting possible phishing emails. As a bonus, if they bring the security team a phish that they didn’t fall for, that phish may contain valuable forensic information that could help the security team learn more about an adversary targeting the organization. This is especially true of business email compromise or other executing spearphishing emails, the ones where it is evident that the phisher has gone to some lengths to spoof an employee or organization. 

Monitor keywords: Organizations should consider using tools that continuously scan the Internet for look-alike domains spoofing their names or brands. It isn’t practical to defensively register all of the possible typos, affixes, homoglyphs, etc., so the next best thing is to learn about new registrations as quickly as possible, so that you can block traffic to the domains. Besides monitoring your own brand, it is worth considering your business ecosystem as a whole. For example, if you are a manufacturer that works closely with suppliers or subcontractors, consider monitoring their names as well. It would be a bad day if you unwittingly sent the plans for your world-changing new widget to a criminal who impersonated one of your subcontractors.

Related Content:

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jaydenlam
0%
100%
jaydenlam,
User Rank: Apprentice
6/7/2017 | 5:18:03 AM
About the American economy
American economy have to grow more. We have to develop it . Nice article
tadwhitaker
50%
50%
tadwhitaker,
User Rank: Author
6/7/2017 | 2:00:00 PM
Phishing
Customer service is privacy's worst nightmare.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.