Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/6/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ongoing Campaign Spoofs Walmart, Dating, Movie Sites

A new investigation detects more than 540 domain names linked to the Walmart brand and camouflaged as career, dating, and entertainment websites.

A newly discovered spoofing campaign has been discovered mimicking the Walmart brand and several career, dating, and movie and TV websites, with more than 540 domains detected so far.

Corin Imai, senior security adviser for DomainTools, was alerted to the activity about two weeks ago when the term "Walmart" was found spoofed in multiple domains. The flagged domain walmartcareers[.]us prompted her to research related terms and other suspicious domains.

Imai's analysis led to the discovery of an email address linked to 184 other potentially risky domains with an average age of 190 days. Further investigation into these domains led to the discovery of a much broader campaign spoofing a range of websites related and unrelated to the Walmart brand. Of the 540-plus domains identified, only 181 have appeared on blacklists. Others have a high risk score, which Imai says indicates they'll likely be blacklisted in the future.

The initial intent of this investigation was to analyze spoofing campaigns targeting Fortune 500 companies, she says, but researchers' findings took them down an unexpected path. "Generally with phishing domains, we see things escalate between 24 and 48 hours," Imai explains. Within two days of their analysis, researchers saw more of these suspicious websites being blacklisted.

Of the domains found so far, many appear to target job hunters and people using online dating and entertainment websites. It seems the attackers' intent is to exploit this interest by creating fake sites designed to capture users credentials, going step-by-step to set up a credential page so they can verify they are who they claim to be, while at the same time scraping login data.

As of now, it seems the actor or group behind this campaign is solely after credentials; however, some of the spoofed pages seem to be spam. "It's kind of an odd cross-section," Imat says, pointing to the combination of spoofed career, dating, and movie and television websites. Other fake sites include cashgiftcards[.]us, captainmarvelmovie[.]us, and mcdonaldcareer[.]us.

Most of the IP country codes for detected domains are in the United States, Imai found, but registrant details indicate an address in Pakistan. "Right now it looks like the same actor," she says. "There's nothing pointing to it being multiple actors, based on historical information."

While spoofing is not a new threat, Imai says the number of domains in this campaign, coupled with the attackers' ability to mimic the look and feel of target websites, signifies a group with both the resources and sophistication to launch a large campaign. There is sufficient traffic to these sites to warrant a further investigation into how many people are submitting their data. Security pros may be likely to check the domain of a suspicious- page, but consumers may not.

Imai plans to continue this investigation, which will include sandboxing suspicious websites to see whether they're after more than credentials and further researching the campaign's full scope and intent. She plans to publish ongoing updates to her blog post.

DomainTools' team isn't the only group to unearth a recent spoofing campaign targeting a major retailer. Security company Segasec monitored Amazon in the days before and after Prime Day to watch for suspicious activity; researchers found 4,000 potential attacks between July 10 to 21. In one campaign, attackers used Amazon-related domains in a phishing scam targeting PayPal customers.

Imai advises businesses to seek domains that may be attempting to mimic their brands. Many of these malicious domains haven't been blacklisted, meaning customers can still be affected. Organizations should also consider their takedown processes and see whether they can be accelerated.

For consumers, she recommends checking a website's legitimacy by taking a peek at the URL to ensure it's not suspicious before entering personal information or payment data.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.