Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:30 PM
Tim Helming
Tim Helming
Connect Directly
E-Mail vvv

Why Phishing Season Lasts All Year for Top US Retailers

No major brand is immune from cyber squatters; the more popular the company, the more look-alike domains phishers register as bait. Here are some techniques to watch out for.

Pop quiz: What do phishing and Seattle’s winter rain totals have in common? Answer: both are at all-time highs.

In the case of the rain, opinions vary as to the cause - random variation, global warming, Pacific Ocean water temperatures. But for phishing, the reason for the records is obvious: it continues to be incredibly effective. The Anti-Phishing Working Group reports that 2016 saw over 1.2M phishing attacks, a 65% increase over 2015. The FBI places the financial losses since 2013 at well over $3B - and that’s just for one particular “species” of phish, the so-called business email compromise.

There are various "lures" that phishers use to attempt to draw their victims in, but a common category capitalizes on the appeal of well-known brands. So-called cyber squatters purchase Internet domains, often in huge numbers, to set up look-alike sites that draw unsuspecting victims with promises of such things as great prices on luxury goods. What actually gets delivered ranges from counterfeit goods to malware, and into the bargain, credit card numbers and other sensitive information are also often stolen. To make the ruse harder to detect, many phishing sites, after harvesting the user’s credentials, forward the user to the legitimate site. Thus, the user may have no inkling that something bad just happened.

Retail Phishing Research
We recently did some research on cyber squatting at global scale to see what levels of abuse popular brands are facing, and the findings were illuminating. Our methodology was straightforward: using a tool designed to catch phishing domains, we input a number of well-known brands such as Amazon, Apple, Nike, and Wal-Mart, and then we reviewed the daily findings for new domains spoofing those brands over a five-day period in the spring of 2017. The tool automatically generates look-alike strings, such as typos, non-ASCII character look-alikes, and affixes such as account- or -online, and then alerts on new domain registrations matching these criteria.

Because there can be legitimate sites that happen to include a name in them (imagine a person named Ani Kershaw registering the domain "anikershaw.com," which contains the string ‘nike’ but is obviously not intended to spoof the retailer), we further filtered the results to include only those domains with that reputation, and blacklist tools identified as risky. In addition to standard blacklist providers, we used an algorithm that examines how tightly linked a domain is to other domains that have been blacklisted. Thus, the domains discovered in our study carry risk on two levels: they mimic well-known brands, and they have strong connections to domains that have previously been "convicted."

By the Numbers
As you might imagine, the more popular the brand, the more suspicious domains it garners. During the five-day test period, some 200 high-risk-scoring Apple-related domains were registered. If this was a representative week- and our ongoing monitoring suggests it was -Apple would rack up some 12,000 high-risk-score domains per year. This is one of the many reasons that big companies don’t just register their own variants ahead of time; the numbers of possible permutations are enormous, especially when you consider that any given variant could exist in each of over 1,000 top level domains (.com, .net, .co.uk, .bike, etc.).

No major brand is immune; Apple is just one familiar example. We found abuse domains for Amazon (14), Nike (10), Wal-Mart (5), and several others. And if the numbers for those retailers don’t seem overwhelming, remember that these were domains just from a five-day period in March.

Cyber squatters use a variety of techniques to generate illegitimate domain names. Three very common ones are:

  • Affixes: the addition of one or more words before or after the target word, e.g. noreply-amazon[.]com, nikefree[.]us
  • Typos: misspellings that are easy to overlook in long URLs or small fonts, e.g. iphone-applen[.]com
  • Homoglyphs: use of look-alike characters, e.g. ƒacebook[.]com (that first character is a florin, not a letter F)

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

It’s also worth noting that the brand’s name can occur entirely outside of the domain name itself, because of how URLs are constructed. So, in a made-up but completely plausible example, you might see a URL like paypal.account.login.accountid-2058s03823-validate[.]com, and because of how URLs work, the actual domain name that the cyber squatter would have registered in this example was "accountid-2058s03823-validate[.]com" - the rest would have just been a matter of DNS and server configuration, which are quite easy to do.

Given these grim realities, how do you protect your organization (to say nothing of yourself) against increasingly savvy phishers? Remember, since phishing is a human problem, the solutions are human ones, too. Technology helps, but it can best be relied upon to cut down on the noise level. It is also prudent to assume that some phishing emails are going to get through the filters.

Healthy paranoia: Since you know that attackers really are out to get you with phishing emails, treat every single link and attachment with caution. If you have any question at all about the email’s authenticity or origin, ask the sender about it - in person, if necessary. And don’t hesitate to bring in IT if a link or attachment looks in any way suspicious. Look carefully at URLs. Remember, phishers are counting on people to be distracted and moving fast. Taking a moment to hover your mouse over a link and getting a good look at the URL that appears there could help you avoid visiting a dangerous site. 

Education: Research has shown that companies that educate employees about phishing generally report lower incidences of breaches than those that don’t. Users don’t have to be technically savvy to become good at detecting possible phishing emails. As a bonus, if they bring the security team a phish that they didn’t fall for, that phish may contain valuable forensic information that could help the security team learn more about an adversary targeting the organization. This is especially true of business email compromise or other executing spearphishing emails, the ones where it is evident that the phisher has gone to some lengths to spoof an employee or organization. 

Monitor keywords: Organizations should consider using tools that continuously scan the Internet for look-alike domains spoofing their names or brands. It isn’t practical to defensively register all of the possible typos, affixes, homoglyphs, etc., so the next best thing is to learn about new registrations as quickly as possible, so that you can block traffic to the domains. Besides monitoring your own brand, it is worth considering your business ecosystem as a whole. For example, if you are a manufacturer that works closely with suppliers or subcontractors, consider monitoring their names as well. It would be a bad day if you unwittingly sent the plans for your world-changing new widget to a criminal who impersonated one of your subcontractors.

Related Content:

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
6/7/2017 | 5:18:03 AM
About the American economy
American economy have to grow more. We have to develop it . Nice article
User Rank: Author
6/7/2017 | 2:00:00 PM
Customer service is privacy's worst nightmare.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...