In a single month, cybersquatters registered almost 14,000 domain names, more than half of which went on to host malicious or likely fraudulent content, Palo Alto Networks states in a report released this week.
The company, which collected information on newly registered domains in December 2019, found 13,857 domains classified by its software as cybersquatting based on lexical analysis. Over the next eight months, the company went on to watch how the registrants used the domains. Domains registered using names similar to large Internet companies or banks usually ended up as phishing or fraud sites, the company says.
Cybersquatted domains resembling Apple.com, for example, led to malicious content more than 70% of the time, the report states. In addition, major events — such as the coronavirus pandemic — are used as a way to refresh a cybersquatter's stable of domains, says Zhanhao Chen, senior staff researcher for Palo Alto Networks' Unit 42 research team.
"In general, cybercriminals are always digging for opportunities to generate squatting domains from trending topics," he says. "For global topics like COVID-19, they're more likely to be combined with popular domains from major brands to try to scam as many users as possible."
Cybersquatting has been around almost as long as the Internet, originally as a tool of domain speculators, but in modern times more likely as a tool of fraudsters and cybercriminals. One of the most common techniques is typosquatting, where the registrants create variants of a brand's domain with common typographical errors.
Another common method is combosquatting, in which the attacker combines a common word — such as "security" or "payments" — with the brand. For example, secure-wellsfargo[.]org, a cybersquatting domain using the Wells Fargo brand, targeted the bank's customers in an attempt to use phishing to steal sensitive information.
In Palo Alto Networks' research, almost 19% of the 13,857 cybersquatted domains are classified as "malicious," either used for malware distribute or phishing attacks. Another 37% of the cybersquatted domains are considered "suspicious," which includes domains that are questionable, appear to be parked, have insufficient content, or host legally questionable software.
Combosquatted domains made extensive use of the coronavirus pandemic, Palo Alto Networks' Chen says.
"For COVID-19 specifically, we observed several squatting cases taking advantage of the pandemic," he says. "Cybercriminals combined trademarks with keywords like 'covid19' and 'coronavirus' to generate squatting domains and scam users."
Cybersquatters typically register their domains through registrars that have lax policies or automation tools that allow the mass registration of domains, according to the report.
"The most abused registrar, Internet.bs, provides free services preferred by domain squatters, including privacy-protected registration and URL forwarding," the report states. "The second-most abused registrar, Openprovider, offers cheap and easy bulk registrations attracting many squatting registrations."
Because of the proliferation of free options for Secure Sockets Layer (SSL) certificate registrations, cybersquatting domains are increasingly using HTTPS, which typically gives the domain an air of respectability. Palo Alto Networks found that 18.5% of the malicious squatting domains are using HTTPS. However, users should not trust a domain just because the URL has a lock icon next to it, Chen says.
"The green lock is not enough," he says. "Security best practice is to confirm the domain name in the certificate is trusted."
Companies can protect their domains by proactively registering variants of their domain or company name, accounting for common misspellings and typos. Other variants of a company's domain name can be taken down through legal means. Cybersecurity firms offer monitoring services as well.
From a user security side, companies should train their employees to recognize suspicious domains. In addition, domain filters are increasingly taking into account a variety of factors, such as age of a domain and whether it is lexically similar to a brand name, to better identify potentially malicious or fraudulent domains.