Perimeter

6/18/2019
12:05 AM
How Fraudulent Domains 'Hide in Plain Sight'

Cybercriminals use new types of top-level domains, topical keywords, and targeted emails to trick victims into clicking malicious links.

Domain fraud is an old cybersecurity risk manifesting in new ways as cybercriminals take advantage of new top-level domains, privacy regulations, and social engineering tactics.

More than three-quarters of businesses found "lookalike" domains posing as their brand, researchers at Proofpoint Digital Risk Protection discovered as part of the 2019 Domain Fraud Report. Nearly all (96%) found exact matches of their brand-owned domain with a different top-level domain (TLD); for example, ".net" tacked on the end of the URL instead of ".com."

"This is a huge brand problem, both from a direct revenue standpoint and indirect loss standpoint," says Kevin Epstein, vice president of threat operations at Proofpoint. In the best case, a consumer happens upon a blank website with a domain similar to yours. In the worst case, they end up on a fake website, complete a transaction, and their money and credit card information are sent to a cybercriminal. They're angry at the attacker – and at the brand.

"I'd associate this brand, now, with something negative," Epstein continues. Spoofed domains can tarnish a business' reputation, resulting in customer loss and indirect financial impact.

Most domains are registered by people and businesses for legitimate reasons. Some are registered by fraudsters planning to launch phishing attacks, sell knock-off goods on spoofed sites, or use "typo-squatting" domains to make money off unintentional traffic for other sites. Between the first and fourth quarters of 2018, Proofpoint found the registrations of fraudulent domains rose 11%. Domains were categorized as fraudulent based on a classification engine built to analyze domain records, reputation, website content, email activity, and other factors.

"The most interesting thing to me is this change in attacker philosophy," says Epstein of this year's report. Cybercriminals have shifted from investing in highly technical attacks to more individually focused phishing attacks "happening on every street corner of the Internet." Any email can be an attempt to con you out of money, pretending to be from your boss or bank.

Social Scamming

It all comes down to the tricks of a manipulative social engineer. The rise of new TLDs has contributed to fraudulent domain registrations. Researchers saw "significant growth" in fraudulent domains outside the classic ".com," ".net," and ".org." Some of the lesser-known TLDs ranked among fraudulent domains include ".top" (#2), ".fr" (#3), ".men" (#19), and ".work" (#50). European country-code TLDs are often used by criminals hoping to fool victims with fake links.

"Apparently as human beings we're sensitive more to the brand than the extension," says Epstein. "Over time, as computer users, we're less trained to ignore things after the dot."

If someone sees the name of a well-known bank in a URL, they're likely to click without noticing a .pop or .xyz at the end. This should give people pause, but well-known brands seem safe.

This can be seen in new findings from Segasec, which recently detected an increase in domain spoofing targeting customers of Walmart, Best Buy, and Wayfair. In the week leading up to Mother's Day, it saw 188 new domains related to the Walmart brand, up from 80 new domains two weeks before the holiday; walmartgiftpromo[.]com is one example. Others include bestbuy-survey[.]online, bestbuyus[.]org, and bestbuycyprus[.]eu.
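The domains quoted above, together with the "same brand, different TLD" pattern from the Proofpoint findings, are the kinds of registrations a brand-monitoring team triages. The following is an added example (not code from Proofpoint, Segasec or the article) of a minimal lookalike classifier: the brand watch-list, the similarity threshold and the non-article sample domains are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed watch-list: brand keyword -> the brand's legitimate registered domain.
# Assumption for this example; a real list comes from the brand's own inventory.
BRANDS = {"walmart": "walmart.com", "bestbuy": "bestbuy.com", "wayfair": "wayfair.com"}

TYPO_THRESHOLD = 0.8  # similarity ratio above which a label counts as a near-miss


def refang(domain):
    """Turn report notation such as walmartgiftpromo[.]com back into a plain name."""
    return domain.replace("[.]", ".").strip(".").lower()


def classify(raw_domain):
    """Label one domain relative to the watch-list.

    Returns one of: legitimate, exact-match-different-tld:<brand>,
    brand-keyword:<brand>, typosquat:<brand>, unrelated.
    Naive split: everything after the final dot is treated as the TLD.
    """
    domain = refang(raw_domain)
    label, _, tld = domain.rpartition(".")
    compact = label.replace("-", "")  # bestbuy-survey -> bestbuysurvey
    for brand, legit in BRANDS.items():
        legit_label, _, legit_tld = legit.rpartition(".")
        if domain == legit or domain.endswith("." + legit):
            return "legitimate"  # the brand's own domain or a subdomain of it
        if compact == legit_label and tld != legit_tld:
            return f"exact-match-different-tld:{brand}"  # walmart.net style
        if brand in compact:
            return f"brand-keyword:{brand}"  # walmartgiftpromo, bestbuy-survey
        if SequenceMatcher(None, compact, brand).ratio() >= TYPO_THRESHOLD:
            return f"typosquat:{brand}"  # wa1mart style near-miss
    return "unrelated"


def triage(domains):
    """Group newly seen registrations by verdict, dropping unrelated ones."""
    hits = {}
    for d in domains:
        verdict = classify(d)
        if verdict != "unrelated":
            hits.setdefault(verdict, []).append(refang(d))
    return hits


if __name__ == "__main__":
    # Four domains quoted in the article plus constructed ones for the other cases.
    sample = ["walmartgiftpromo[.]com", "bestbuy-survey[.]online", "bestbuyus[.]org",
              "bestbuycyprus[.]eu", "walmart[.]net", "www.walmart[.]com",
              "wa1mart[.]com", "example[.]com"]
    for verdict, names in triage(sample).items():
        print(verdict, names)
```

The similarity check is deliberately simple; production monitoring would also compare against a list of registrable suffixes rather than splitting on the last dot.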

"It is potentially one of the most common threat tactics," says Segasec CEO Elad Schulman. "It's aimed to mislead the weakest link, which is the end user." What's more, he adds, cybercriminals don't have to be advanced to pull this off. "This is something you can familiarize with very easily," he adds.

Some fraudulent websites have certificates, which also put victims at ease. Attackers are leaning away from plain domains and towards legitimate certificates, a trend that leads to an "error of attribution" on the part of victims. Sure, the lock symbol means the connection to the server is encrypted – but it doesn't mean the server is legitimate. People feel safe when they see the lock; as a result, they're likely to engage with these potentially malicious sites.

Think Before You Click

Rather than rely on the passive typo-squatting strategy, more attackers are directly targeting domain spoofing victims with phishing attacks. Business email compromise (BEC) is common, researchers report. Many criminals pick a large class of people to target with malicious links appearing to be from real brands, or containing keywords they think victims are likely to click.

Which terms are most common? Some consistently appeared in the top rankings; for example, "real estate," which was top for June through December, as well as "for sale," "I am," "block chain," "bit coin," US city names, and other terms related to cryptocurrency. Other tech-related terms frequently seen in domains included "server," "security," and "system."

The people targeted with these malicious emails aren't the CEO or CFO, but middle-management people who typically work with them. "It's not necessarily related to top titles," Epstein says. An attacker is more likely to succeed in tricking the CEO's assistant than the CEO, and they'll frequently peruse LinkedIn and other social platforms to figure out their targets.

It's not only email at risk for domain spoofing attacks, as Schulman points out. "We're talking about digital channels an organization has to interact with its customers," he adds. "Sometimes it's via email, sometimes it's a website, sometimes it's via application, sometimes it's across all social channels." He agrees the trend of typo-squatting is down as targeted attacks spread.

"There's no accidental stumbling upon it," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
NortonS122, User Rank: Apprentice, 6/18/2019 | 6:42:28 AM
Very useful information

It is really very nice to get the information about the websites that are spamming and hiding from us; people really do not know what they should open and what not. Another solution is to have Norton Setup antivirus on PCs and laptops because it offers the security features.
