Cyber-Criminals Mimicking Global Brand Domain Names to Launch Scams

Cyber-criminals are regularly mimicking the domain names of mainstream global brands to scam consumers, a practice known as cyber-squatting, according to a new study by Palo Alto Networks.

It found that the types of domains most commonly impersonated for malicious purposes relate to the most profitable companies worldwide, such as mainstream search engines and social media, financial, shopping, and banking websites. The primary purpose is to launch phishing attacks and scams on users in order to steal credentials or money.

Companies mimicked in the top 20 most abused domains in December 2019 based on adjusted malicious rate included PayPal, Apple, Netflix and Amazon.

Cyber-squatting is the registration of domain names designed to trick users into believing they are related to existing brands, typically by registering intentionally misspelled variants of those brands' names. Whilst not always done with malicious intent, many of these domains pose a cyber-risk to visitors, and the practice is illegal in the US under the Anticybersquatting Consumer Protection Act.

According to Palo Alto Networks' analysis, 13,857 squatting domains were registered in December 2019, an average of roughly 450 per day. Of these, 18.59% (2,595) were confirmed malicious, distributing malware or conducting phishing attacks, and a further 36.57% (5,104) were classed as high-risk, with evidence of association with malicious URLs within the domain or use of bulletproof hosting.

The cybersecurity firm added that it observed "a variety of malicious domains with different objectives" in the period from December 2019 to date. Examples included a domain related to Amazon (amazon-india[.]online) specifically targeting mobile users in India to steal user credentials, a domain related to Samsung (samsungeblyaiphone[.]com) that aimed to steal credit card information by hosting Azorult malware, and domains related to Walmart (walrmart44[.]com) and Samsung (samsungpr0mo[.]online) that distributed potentially unwanted programs such as spyware and adware.

Palo Alto Networks commented: “Domain squatting techniques leverage the fact that users rely on domain names to identify brands and services on the Internet. These squatting domains are often used for nefarious activities, including phishing, malware and PUP distribution, C2 and various scams.”

It advised: “We recommend that enterprises block and closely monitor their traffic, while consumers should make sure that they type domain names correctly and double-check that the domain owners are trusted before entering any site.”

Speaking to Infosecurity, Zhanhao Chen, senior staff researcher for Unit 42 at Palo Alto Networks said: "Cyber-squatting techniques continue to evolve. Squatters are using more sophisticated squatting techniques, from the typo-squatting (registering misspelled variants of a domain) to level-squatting (including the targeted brand’s domain name as a subdomain) and sound-squatting (creating a domain that takes advantage of words that sound alike). We also see cyber criminals taking advantage of trending topics like COVID-19."  
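The patterns Chen describes can be checked mechanically against a list of brands an enterprise wants to protect. The script below is an added example, not code from Palo Alto Networks or from the article: it classifies candidate domains as typo-squatting (misspellings and digit-for-letter swaps), combo-squatting (brand name plus extra words), level-squatting (brand name pushed into a subdomain) or TLD-squatting, using a constructed brand list and a constructed sample set that includes the article's own defanged examples. Sound-squatting (homophones) needs a phonetic dictionary and is not covered.

```python
"""Flag brand-impersonating domain names by squatting pattern.

Added example. Categories follow the article: typo-squatting, level-squatting,
plus combo- and TLD-squatting. Sound-squatting is not handled here.
"""
import re

# Constructed list of brand domains to protect (assumption: one registrable
# label per brand; a real deployment would load this from an asset inventory).
BRANDS = ["amazon.com", "apple.com", "netflix.com", "paypal.com",
          "samsung.com", "walmart.com"]

# Digits commonly substituted for look-alike letters (e.g. pr0mo, paypa1).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def refang(domain):
    """Turn a defanged indicator such as walrmart44[.]com back into a hostname."""
    host = domain.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        host = host.replace(token, ".")
    return host


def split_host(host):
    """Split a hostname into (subdomain labels, second-level label, tld).

    Assumption: two-label public suffixes such as co.uk are not handled, so the
    last label is always treated as the TLD.
    """
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {host!r}")
    return labels[:-2], labels[-2], labels[-1]


def levenshtein(a, b):
    """Plain edit distance, used to catch small misspellings of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brands=BRANDS):
    """Return a list of (pattern, brand) findings for one candidate domain.

    An empty list means the name does not resemble any protected brand under
    these heuristics; it does not mean the domain is safe.
    """
    subs, sld, tld = split_host(refang(candidate))
    # Two normalised views of the registrable label: digits/hyphens stripped,
    # and digits mapped to look-alike letters first (so pr0mo -> promo).
    cores = {re.sub(r"[^a-z]", "", sld),
             re.sub(r"[^a-z]", "", sld.translate(LEET))}
    findings = []
    for brand in brands:
        bsld, btld = split_host(brand)[1:]
        if bsld in subs:
            # e.g. paypal.com.secure-login.net: the brand sits in the subdomain
            findings.append(("level-squatting", brand))
        if sld == bsld:
            if tld != btld:
                findings.append(("tld-squatting", brand))
            continue  # same label on the brand's own TLD: this is the brand itself
        if bsld in cores:
            findings.append(("typo-squatting", brand))   # digit swap or stray hyphen
        elif any(bsld in core for core in cores):
            findings.append(("combo-squatting", brand))  # brand plus extra words
        elif min(levenshtein(core, bsld) for core in cores) <= (2 if len(bsld) >= 6 else 1):
            findings.append(("typo-squatting", brand))   # near-miss spelling
    return findings


def scan(candidates, brands=BRANDS):
    """Classify a batch of domains, e.g. a day's newly registered domains feed."""
    return {c: classify(c, brands) for c in candidates}


if __name__ == "__main__":
    # Constructed sample: the article's defanged examples plus three made-up names.
    sample = ["amazon-india[.]online", "samsungeblyaiphone[.]com", "walrmart44[.]com",
              "samsungpr0mo[.]online", "paypal.com.secure-login[.]net", "paypa1[.]com",
              "netflix[.]tv", "www.amazon.com"]
    for domain, hits in scan(sample).items():
        print(f"{domain:32} {hits or 'no match'}")
```

The heuristics are deliberately simple: edit distance alone will produce false positives on short brand names, and real tooling such as dnstwist instead enumerates the permutations an attacker would register and checks which of them resolve. Enterprises would run a check like this over a newly-registered-domains feed or their DNS logs, then review hits rather than block on them blindly.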
