Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/18/2019
12:05 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How Fraudulent Domains 'Hide in Plain Sight'

Cybercriminals use new types of top-level domains, topical keywords, and targeted emails to trick victims into clicking malicious links.

Domain fraud is an old cybersecurity risk manifesting in new ways as cybercriminals take advantage of new top-level domains, privacy regulations, and social engineering tactics.

More than three-quarters of businesses found "lookalike" domains posing as their brand, researchers at Proofpoint Digital Risk Protection discovered as part of the 2019 Domain Fraud Report. Nearly all (96%) found exact matches of their brand-owned domain with a different top-level domain (TLD); for example, ".net" tacked on the end of the URL instead of ".com."

"This is a huge brand problem, both from a direct revenue standpoint and indirect loss standpoint," says Kevin Epstein, vice president of threat operations at Proofpoint. In a best-case scenario, a consumer may happen upon a blank website with a domain similar to yours. Worst-case scenario, they end up on a fake website, engage in a transaction, and their money and credit card information is sent to a cybercriminal. They're angry at the attacker – and the brand.

"I'd associate this brand, now, with something negative," Epstein continues. Spoofed domains can tarnish a business' reputation, resulting in customer loss and indirect financial impact.

Most domains are registered by people and businesses for legitimate reasons. Some are registered by fraudsters planning to launch phishing attacks, sell knock-off goods on spoofed sites, or use "typo-squatting" domains to make money off unintentional traffic for other sites. Between the first and fourth quarters of 2018, Proofpoint found the registrations of fraudulent domains rose 11%. Domains were categorized as fraudulent based on a classification engine built to analyze domain records, reputation, website content, email activity, and other factors.

"The most interesting thing to me is this change in attacker philosophy," says Epstein of this year's report. Cybercriminals have shifted from investing in highly technical attacks to more individually focused phishing attacks "happening on every street corner of the Internet." Any email can be an attempt to con you out of money, pretending to be from your boss or bank.

Social Scamming

It all comes down to the tricks of a manipulative social engineer. The rise of new TLDs has contributed to fraudulent domain registrations. Researchers saw "significant growth" in fraudulent domains outside the classic ".com," ".net," and ".org." Some of the lesser known TLDs in fraudulent domains include ".top" (#2), ".fr" (#3), ".men" (#19), and ".work" (50). European country codes are often used among criminals hoping to fool victims with fake links.

"Apparently as human beings we're sensitive more to the brand than the extension," says Epstein. "Over time, as computer users, we're less trained to ignore things after the dot."

If someone sees the name of a well-known bank in a URL, they're likely to click without noticing a .pop or .xyz at the end. This should give people pause, but well-known brands seem safe.

This can be seen in new findings from Segasec, which recently detected an increase in domain spoofing targeting customers of Walmart, Best Buy, and Wayfair. In the week leading up to Mother's Day, they noticed 188 domains related to the Walmart brand were created, up from 80 new domains two weeks prior to the holiday: walmartgiftpromo[.]com is an example. Others include bestbuy-survey[.]online, bestbuyus[.]org, and bestbuycyprus[.]eu.

"It is potentially one of the most common threat tactics," says Segasec CEO Elad Schulman. "It's aimed to mislead the weakest link, which is the end user." What's more, he adds, cybercriminals don't have to be advanced to pull this off. "This is something you can familiarize with very easily," he adds.

Some fraudulent websites have certificates, which also put victims at ease. Attackers are leaning away from plain domains and towards legitimate certificates, a trend that leads to an "error of attribution" on the part of victims. Sure, the lock symbol means the connection to the server is encrypted – but it doesn't mean the server is legitimate. People feel safe when they see the lock; as a result, they're likely to engage with these potentially malicious sites.

Think Before You Click

Rather than rely on the passive typo-squatting strategy, more attackers are directly targeting domain spoofing victims with phishing attacks. Business email compromise (BEC) is common, researchers report. Many criminals pick a large class of people to target with malicious links appearing to be from real brands, or containing keywords they think victims are likely to click.

Which terms are most common? Some consistently appeared in the top rankings; for example, "real estate," which was top for June through December, as well as "for sale," "I am," "block chain," "bit coin," and other US city names and terms related to cryptocurrency. Other tech-related terms frequently seen in domains included "server," "security," and "system."

The people targeted with these malicious emails aren't the CEO or CFO, but middle-management people who typically work with them. "It's not necessarily related to top titles," Epstein says. An attacker is more likely to succeed in tricking the CEO's assistant than the CEO, and they'll frequently peruse LinkedIn and other social platforms to figure out their targets.

It's not only email at risk for domain spoofing attacks, as Schulman points out. "We're talking about digital channels an organization has to interact with its customers," he adds. "Sometimes it's via email, sometimes it's a website, sometimes it's via application, sometimes it's across all social channels." He agrees the trend of typo-squatting is down as targeted attacks spread.

"There's no accidental stumbling upon it," he says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NortonS122
50%
50%
NortonS122,
User Rank: Apprentice
6/18/2019 | 6:42:28 AM
Very useful information

It is really very nice to get the information about the websites that are spamming and hiding from us, people really do not know what should they open and what not. Another solution is to have Norton Setup antivirus in PCs and Laptops because it offers the security features.

Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25465
PUBLISHED: 2020-12-04
Null Pointer Dereference. in xObjectBindingFromExpression at moddable/xs/sources/xsSyntaxical.c:3419 in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25461
PUBLISHED: 2020-12-04
Invalid Memory Access in the fxProxyGetter function in moddable/xs/sources/xsProxy.c in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25462
PUBLISHED: 2020-12-04
Heap buffer overflow in the fxCheckArrowFunction function at moddable/xs/sources/xsSyntaxical.c:3562 in Moddable SDK before OS200903.
CVE-2020-25463
PUBLISHED: 2020-12-04
Invalid Memory Access in fxUTF8Decode at moddable/xs/sources/xsCommon.c:916 in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25464
PUBLISHED: 2020-12-04
Heap buffer overflow at moddable/xs/sources/xsDebug.c in Moddable SDK before before 20200903. The top stack frame is only partially initialized because the stack overflowed while creating the frame. This leads to a crash in the code sending the stack frame to the debugger.