Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/18/2019
12:05 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

How Fraudulent Domains 'Hide in Plain Sight'

Cybercriminals use new types of top-level domains, topical keywords, and targeted emails to trick victims into clicking malicious links.

Domain fraud is an old cybersecurity risk manifesting in new ways as cybercriminals take advantage of new top-level domains, privacy regulations, and social engineering tactics.

More than three-quarters of businesses found "lookalike" domains posing as their brand, researchers at Proofpoint Digital Risk Protection discovered as part of the 2019 Domain Fraud Report. Nearly all (96%) found exact matches of their brand-owned domain with a different top-level domain (TLD); for example, ".net" tacked on the end of the URL instead of ".com."

"This is a huge brand problem, both from a direct revenue standpoint and indirect loss standpoint," says Kevin Epstein, vice president of threat operations at Proofpoint. In a best-case scenario, a consumer may happen upon a blank website with a domain similar to yours. Worst-case scenario, they end up on a fake website, engage in a transaction, and their money and credit card information is sent to a cybercriminal. They're angry at the attacker – and the brand.

"I'd associate this brand, now, with something negative," Epstein continues. Spoofed domains can tarnish a business' reputation, resulting in customer loss and indirect financial impact.

Most domains are registered by people and businesses for legitimate reasons. Some are registered by fraudsters planning to launch phishing attacks, sell knock-off goods on spoofed sites, or use "typo-squatting" domains to make money off unintentional traffic for other sites. Between the first and fourth quarters of 2018, Proofpoint found the registrations of fraudulent domains rose 11%. Domains were categorized as fraudulent based on a classification engine built to analyze domain records, reputation, website content, email activity, and other factors.

"The most interesting thing to me is this change in attacker philosophy," says Epstein of this year's report. Cybercriminals have shifted from investing in highly technical attacks to more individually focused phishing attacks "happening on every street corner of the Internet." Any email can be an attempt to con you out of money, pretending to be from your boss or bank.

Social Scamming

It all comes down to the tricks of a manipulative social engineer. The rise of new TLDs has contributed to fraudulent domain registrations. Researchers saw "significant growth" in fraudulent domains outside the classic ".com," ".net," and ".org." Some of the lesser known TLDs in fraudulent domains include ".top" (#2), ".fr" (#3), ".men" (#19), and ".work" (50). European country codes are often used among criminals hoping to fool victims with fake links.

"Apparently as human beings we're sensitive more to the brand than the extension," says Epstein. "Over time, as computer users, we're less trained to ignore things after the dot."

If someone sees the name of a well-known bank in a URL, they're likely to click without noticing a .pop or .xyz at the end. This should give people pause, but well-known brands seem safe.

This can be seen in new findings from Segasec, which recently detected an increase in domain spoofing targeting customers of Walmart, Best Buy, and Wayfair. In the week leading up to Mother's Day, they noticed 188 domains related to the Walmart brand were created, up from 80 new domains two weeks prior to the holiday: walmartgiftpromo[.]com is an example. Others include bestbuy-survey[.]online, bestbuyus[.]org, and bestbuycyprus[.]eu.

"It is potentially one of the most common threat tactics," says Segasec CEO Elad Schulman. "It's aimed to mislead the weakest link, which is the end user." What's more, he adds, cybercriminals don't have to be advanced to pull this off. "This is something you can familiarize with very easily," he adds.

Some fraudulent websites have certificates, which also put victims at ease. Attackers are leaning away from plain domains and towards legitimate certificates, a trend that leads to an "error of attribution" on the part of victims. Sure, the lock symbol means the connection to the server is encrypted – but it doesn't mean the server is legitimate. People feel safe when they see the lock; as a result, they're likely to engage with these potentially malicious sites.

Think Before You Click

Rather than rely on the passive typo-squatting strategy, more attackers are directly targeting domain spoofing victims with phishing attacks. Business email compromise (BEC) is common, researchers report. Many criminals pick a large class of people to target with malicious links appearing to be from real brands, or containing keywords they think victims are likely to click.

Which terms are most common? Some consistently appeared in the top rankings; for example, "real estate," which was top for June through December, as well as "for sale," "I am," "block chain," "bit coin," and other US city names and terms related to cryptocurrency. Other tech-related terms frequently seen in domains included "server," "security," and "system."

The people targeted with these malicious emails aren't the CEO or CFO, but middle-management people who typically work with them. "It's not necessarily related to top titles," Epstein says. An attacker is more likely to succeed in tricking the CEO's assistant than the CEO, and they'll frequently peruse LinkedIn and other social platforms to figure out their targets.

It's not only email at risk for domain spoofing attacks, as Schulman points out. "We're talking about digital channels an organization has to interact with its customers," he adds. "Sometimes it's via email, sometimes it's a website, sometimes it's via application, sometimes it's across all social channels." He agrees the trend of typo-squatting is down as targeted attacks spread.

"There's no accidental stumbling upon it," he says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NortonS122
50%
50%
NortonS122,
User Rank: Apprentice
6/18/2019 | 6:42:28 AM
Very useful information

It is really very nice to get the information about the websites that are spamming and hiding from us, people really do not know what should they open and what not. Another solution is to have Norton Setup antivirus in PCs and Laptops because it offers the security features.

7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8003
PUBLISHED: 2020-01-27
A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.
CVE-2019-20427
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integ...
CVE-2019-20428
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic due to the lack of validation for specific fields of packets sent by a client. The ldl_request_cancel function mishandles a large lock_count parameter.
CVE-2019-20429
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic (via a modified lm_bufcount field) due to the lack of validation for specific fields of packets sent by a client. This is caused by interaction between sptlrpc_svc_unwrap_request and lustre_msg_hdr_size_v2...
CVE-2019-20430
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client.