Brand trust is more important than ever for customers looking to engage with online services, professions, or retail shops. However, cybercriminals have scaled up their malicious activities by squatting domain names of popular brands to confuse and target users.
What does the report say?
According to a report from Palo Alto Unit 42 Networks, threat actors are repurposing the old-school cybersquatting attack technique to accomplish a wide range of malicious objectives. From December 2019 to date, the attack method was used for:
- Malware distribution: A domain mimicking Samsung hosted AZORult trojan capable of stealing credit card information.
- Phishing: Scammers created a legitimate-looking fake site of Wells Fargo to steal sensitive information, email credentials, and ATM PINs from customers. Additionally, these banking sites were used to offer fake services for free to privileged customers.
- Network intrusion: Fake domains related to Microsoft were used by attackers to compromise an entire network and conduct C2 attacks.
- Re-bill scam: Several phishing sites mimicking Netflix were set up to steal victims’ money by prompting them to make an initial payment towards a product like weight loss pills.
- Potentially Unwanted Program (PUP): Malicious actors created and registered a fake site looking similar to Walmart to distribute PUP such as spyware, adware, and malicious browser extension.
- Tech support scam: Fake Microsoft domain was used to scare users into paying for false customer support.
- Reward scam: A domain mimicking Facebook lured users with fake rewards such as free products or prize money. To claim the prize, the users were required to fill out a form with their personal information.
Most targeted brands
Domain squatters prefer popular websites in mainstream search engines, social media, and financial, shopping, and banking services to target online users. The most commonly targeted brands include the likes of PayPal, Apple, RoyalBank, Netflix, LinkedIn, Amazon, Dropbox, TripAdvisor, Facebook, Google, Norton, and Microsoft, among others. The brand names are tweaked a little before they are hosted using cheap or free DNS services.
Palo Alto researchers explained, “When visiting these sites, users are often prepared to share sensitive information, which opens them up to phishing and scams to steal sensitive credentials or money if they can be deceived into visiting a squatting domain instead.”
- Because of the proliferation of free options for Secure Socket Layer (SSL) certificate registrations, it has become easy for threat actors to link the secure HTTPS protocol to cybersquatting domains.
- Among the total fake domains registered since December 2019, Palo Alto Networks found 18.5% of those domains using HTTPS. Therefore, users should not trust a domain just because the URL has a lock icon next to it.
What companies must do?
- Companies can protect their domains by proactively registering variants of their domain or company, accounting for common misspellings and typos. External fake domains, if detected, should be immediately taken down through legal means.
- Additionally, employees and customers should be trained on how to recognize suspicious domains. The use of domain filters can also help in better identifying potentially malicious or fraudulent domains.