Boom in Lookalike Retail Domains

New research into domains registered with a trusted TLS certificate has found lookalike domains outnumber legitimate retails sites by more than 4:1.

In a study conducted by researchers at Venafi, suspicious domains targeting 20 major retailers in the US, UK, France, Germany, and Australia were analyzed. Researchers found over 100,000 lookalike domains that use valid TLS certificates to appear safe and trustworthy. 

Threat actors use fake domains, cunningly rendered to appear legitimate, to steal personal data and financial information from unsuspecting online shoppers. The domains are created using URLs that vary by only a few characters from the addresses used by the genuine stores they are imitating.   

According to Venafi’s research, growth in the number of lookalike domains has more than doubled since 2018.

Among the top 20 online UK retailers, researchers found that there are over six times more look-alike domains than valid domains.

Researchers tied the increase in lookalike domains to the availability of free TLS certificates, such as the ones available from Let's Encrypt, which were used by 60% of the lookalike domains. 

“We continue to see rampant growth in the number of malicious, look-alike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi.

"This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”

Researchers urged online retailers to protect their customers by searching for suspicious domains and reporting them to the anti-phishing service Google Safe Browsing and to the Anti-Phishing Working Group (APWG). 

Researchers see no end to the profitable practice of domain spoofing. 

"Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future," concluded Xie.

"In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates."

What’s Hot on Infosecurity Magazine?