Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/6/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ongoing Campaign Spoofs Walmart, Dating, Movie Sites

A new investigation detects more than 540 domain names linked to the Walmart brand and camouflaged as career, dating, and entertainment websites.

A newly discovered spoofing campaign has been discovered mimicking the Walmart brand and several career, dating, and movie and TV websites, with more than 540 domains detected so far.

Corin Imai, senior security adviser for DomainTools, was alerted to the activity about two weeks ago when the term "Walmart" was found spoofed in multiple domains. The flagged domain walmartcareers[.]us prompted her to research related terms and other suspicious domains.

Imai's analysis led to the discovery of an email address linked to 184 other potentially risky domains with an average age of 190 days. Further investigation into these domains led to the discovery of a much broader campaign spoofing a range of websites related and unrelated to the Walmart brand. Of the 540-plus domains identified, only 181 have appeared on blacklists. Others have a high risk score, which Imai says indicates they'll likely be blacklisted in the future.

The initial intent of this investigation was to analyze spoofing campaigns targeting Fortune 500 companies, she says, but researchers' findings took them down an unexpected path. "Generally with phishing domains, we see things escalate between 24 and 48 hours," Imai explains. Within two days of their analysis, researchers saw more of these suspicious websites being blacklisted.

Of the domains found so far, many appear to target job hunters and people using online dating and entertainment websites. It seems the attackers' intent is to exploit this interest by creating fake sites designed to capture users credentials, going step-by-step to set up a credential page so they can verify they are who they claim to be, while at the same time scraping login data.

As of now, it seems the actor or group behind this campaign is solely after credentials; however, some of the spoofed pages seem to be spam. "It's kind of an odd cross-section," Imat says, pointing to the combination of spoofed career, dating, and movie and television websites. Other fake sites include cashgiftcards[.]us, captainmarvelmovie[.]us, and mcdonaldcareer[.]us.

Most of the IP country codes for detected domains are in the United States, Imai found, but registrant details indicate an address in Pakistan. "Right now it looks like the same actor," she says. "There's nothing pointing to it being multiple actors, based on historical information."

While spoofing is not a new threat, Imai says the number of domains in this campaign, coupled with the attackers' ability to mimic the look and feel of target websites, signifies a group with both the resources and sophistication to launch a large campaign. There is sufficient traffic to these sites to warrant a further investigation into how many people are submitting their data. Security pros may be likely to check the domain of a suspicious- page, but consumers may not.

Imai plans to continue this investigation, which will include sandboxing suspicious websites to see whether they're after more than credentials and further researching the campaign's full scope and intent. She plans to publish ongoing updates to her blog post.

DomainTools' team isn't the only group to unearth a recent spoofing campaign targeting a major retailer. Security company Segasec monitored Amazon in the days before and after Prime Day to watch for suspicious activity; researchers found 4,000 potential attacks between July 10 to 21. In one campaign, attackers used Amazon-related domains in a phishing scam targeting PayPal customers.

Imai advises businesses to seek domains that may be attempting to mimic their brands. Many of these malicious domains haven't been blacklisted, meaning customers can still be affected. Organizations should also consider their takedown processes and see whether they can be accelerated.

For consumers, she recommends checking a website's legitimacy by taking a peek at the URL to ensure it's not suspicious before entering personal information or payment data.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4245
PUBLISHED: 2019-12-11
Orca has arbitrary code execution due to insecure Python module load
CVE-2013-4593
PUBLISHED: 2019-12-11
RubyGem omniauth-facebook has an access token security vulnerability
CVE-2013-6495
PUBLISHED: 2019-12-11
JBossWeb Bayeux has reflected XSS
CVE-2013-7370
PUBLISHED: 2019-12-11
node-connect before 2.8.2 has cross site scripting in methodOverride Middleware
CVE-2019-18935
PUBLISHED: 2019-12-11
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote cod...