
Websites repeatedly stalked by fraudulent copycats, say researchers

A spoofed Paypal webpage. (Image from Digital Shadows report.)

New research has shed some light on just how constantly corporate brands are bombarded by fraudulent attempts to impersonate their website domains. In its new "Impersonating Domains Report," researchers at Digital Shadows found that over a four-month span this year, its business clients on average witnessed 90 different fraudulent domains impersonating their websites and brands. That extrapolates to almost 1,100 imitated domains per year.

The reason: it’s simple and cheap to set up a fake website, and so cybercriminals can stand new ones up as quickly as detected ones are reported and taken down.

“The tech’s getting better and the cost is getting lower and those things are probably what's working against the [security] community,” said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. Indeed, it’s possible to register a subdomain for as little as five to 15 bucks, and even bulletproof hosting services and phishing and website-building toolkits are relatively affordable and intuitive to use, he said.

“Everything's built to be able to just plug in all the information you need, and an application will do it for you,” said Nikkel. Sometimes “they give you a full tutorial on how to set everything up and [so] you don't necessarily need to have a network administrator or a systems admin level of knowledge to be able to set it up.”

Jeremy Ventura, senior security strategist at Mimecast, said the findings are not especially surprising, considering that “over the last 18 months, we’ve seen the highest increase of cyberattacks across the board,” including email-based phishing campaigns that, like phishing websites, can damage trust in a brand name.

“Anyone today can create a domain and then leverage software such as WordPress to quickly create a website,” said Ventura. “The minimal time, resources and budget required to execute an attack, in combination with a high success rate, makes brand impersonation attacks an increasingly popular threat vector.” Moreover, many targeted organizations struggle to interfere with these threats “because most lack the tooling and processes to gain visibility into where their domains reside online. And most don’t realize the full extent to which their brand is being exploited until they begin proactively monitoring for it.”

For its research, Digital Shadows’ Photon Team analyzed a data set of more than 175,000 fraudulent domains. “That's actually the first time we've been able to analyze such a large set of data like this,” said Nikkel. “It was interesting to get a baseline to understand where we are, and then as we can pull some data, and time goes on, it would be interesting to see basically how that number changes.”

Digital Shadows reports that out of its total client base, businesses operating in the financial services, food and beverage, technology, health care, and insurance verticals were responsible for nearly half of all total risk events observed.

“We didn’t expect the food-and-beverage industry to have such a strong presence of risky domains,” the report said. “Since it’s a consumer-facing industry, we can surmise that some fraud is involved, especially if domains are serving up malware or being used for social engineering...”

Nikkel also noted that for certain industries, the number of domain threats that ultimately showed up in curated threat intelligence feeds was surprisingly low (and in some instances none at all). This could be for positive reasons – including incident response times improving such that the problem is handled before the threat ever makes it into the feed – or for negative reasons, including malicious actors finding ways to elude threat intel efforts.

Nikkel suspects it may be a mix of both.

“I’ve seen this before in previous campaigns where threat actors would basically register an entire block of domains and then just sit on them – and so maybe the domains themselves aren't raising red flags because they just haven't been spotted [yet],” said Nikkel.

“Or maybe they just haven't had a long enough time to live, per se,” he continued. After all, he noted, most email phishing domains stay up for fewer than 24 hours before the adversaries take them down, and it’s reasonable to conclude that malicious actors are similarly giving impersonation domains short lifespans as well.

“And so a lot of times, threat feeds may not necessarily have the insights into those really quickly spun-up domains, to where it gets a chance to get caught by the community or it gets a chance to get analyzed in some way,” said Nikkel. Sometimes the bad actors even rotate these domains in and out, “so it's definitely a numbers game, for sure.”

At the same time, other malicious domains are being spotted and removed promptly. “At least the takedowns are happening quickly. Maybe it's… registrars and hosting companies that are being more compliant” about eliminating troublesome domains, Nikkel noted.

And it’s also possible that certain industries are simply privy to better intel reports than others, Nikkel acknowledged.

While the report explains that website fraud schemes are often enabled through lookalike domains created through typosquatting techniques, it also makes reference to website compromises enabled through phishing and identity theft. These scams are often designed to trick site visitors into giving up their PII, login credentials and payment information, or to deliver malware to unsuspecting victims.

“The bad behavior could end there, but some enterprising threat actors see an impersonating domain simply as a gateway into a broader attack campaign,” the report adds.

Digital Shadows suggests several ways to fend off such schemes, including monitoring domains, and preemptively registering variants of your domain name to prevent typosquatting. However, Ventura from Mimecast noted that the use of domain monitoring “is still rare, despite the increase in attacks.”
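The two defensive measures named above, monitoring for lookalike domains and registering variants before a squatter does, both start from the same question: which spellings of your domain would a typosquatter plausibly use? The script below is an added illustration, not code from Digital Shadows or Mimecast. It generates common lookalike variants of a brand domain (omitted, repeated and transposed characters, keyboard-neighbour and digit-for-letter substitutions, hyphenation, phishing-style prefixes and TLD swaps), then checks a constructed sample of "newly observed domains" against that list and separately flags domains that carry the brand as a subdomain label. The substitution tables, the keyword list and the observed-domain feed are all constructed assumptions; a real deployment would feed it from a newly-registered-domain or certificate-transparency source.

```python
from __future__ import annotations
from typing import Iterable

# Constructed, abbreviated tables (assumptions for the example, not a complete keyboard map).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
ADJACENT = {"a": "qs", "s": "ad", "d": "sf", "e": "wr", "r": "et", "o": "ip",
            "p": "o", "l": "k", "m": "n", "n": "bm", "c": "xv", "x": "zc"}
TLD_SWAPS = ["com", "net", "org", "co", "cm"]
PHISH_WORDS = ("login", "secure", "support")

def split_domain(domain: str) -> tuple[str, str]:
    """Split 'example.com' into ('example', 'com'). Assumes a single-label TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def lookalike_variants(domain: str) -> set[str]:
    """Generate the set of lookalike domains a defender would monitor or pre-register."""
    label, tld = split_domain(domain)
    variants: set[str] = set()
    for i in range(len(label)):                      # omission:   exmple
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label)):                      # repetition: exaample
        variants.add(label[:i] + label[i] + label[i:])
    for i in range(len(label) - 1):                  # transposition: exmaple
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                   # adjacent-key substitution
        for neighbour in ADJACENT.get(ch, ""):
            variants.add(label[:i] + neighbour + label[i + 1:])
    for i, ch in enumerate(label):                   # digit / homoglyph substitution: examp1e
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for i in range(1, len(label)):                   # hyphenation: exam-ple
        variants.add(label[:i] + "-" + label[i:])
    for word in PHISH_WORDS:                         # example-login, secure-example
        variants.add(f"{label}-{word}")
        variants.add(f"{word}-{label}")
    result = {f"{v}.{tld}" for v in variants if v and v != label}
    result |= {f"{label}.{t}" for t in TLD_SWAPS if t != tld}   # TLD swap: example.cm
    return result

def find_lookalikes(brand_domain: str, observed: Iterable[str]) -> list[str]:
    """Observed domains that exactly match a generated variant."""
    candidates = lookalike_variants(brand_domain)
    return sorted(d.lower() for d in observed if d.lower() in candidates)

def brand_as_subdomain(brand_domain: str, observed: Iterable[str]) -> list[str]:
    """Observed domains whose registrable part differs but which use the brand label
    as a subdomain, e.g. example.com.account-verify.net."""
    label, _ = split_domain(brand_domain)
    hits = []
    for d in observed:
        labels = d.lower().split(".")
        if label in labels[:-2]:          # everything left of the registrable domain
            hits.append(d.lower())
    return sorted(hits)

# Constructed sample feed standing in for a newly-registered-domain source.
OBSERVED_FEED = [
    "example.com",                       # the brand itself
    "exmaple.com",                       # transposition
    "examp1e.com",                       # digit substitution
    "example-login.com",                 # phishing keyword suffix
    "example.cm",                        # TLD swap
    "example.com.account-verify.net",    # brand used as a subdomain
    "unrelated-site.org",
]

if __name__ == "__main__":
    print("lookalikes:", find_lookalikes("example.com", OBSERVED_FEED))
    print("brand as subdomain:", brand_as_subdomain("example.com", OBSERVED_FEED))
```

Exact matching is deliberately conservative: it produces few false positives, which is what you want when the output feeds a registration or takedown queue. For monitoring, the same variant set can be checked daily against a domain feed, and the highest-value entries (transpositions, TLD swaps) are the ones worth registering defensively.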

The report also recommends more robust threat intel sharing, incorporating domain impersonation into security awareness training, and promptly reporting malicious domains to the authorities and demanding a takedown.

“There are lots of different ways to go through the whole takedown process,” said Nikkel. “Typically, it’s sending messages to the registrars or the hosting companies to let them know about the fraudulent content – and if they're legitimate, they'll comply with that. If not, there's lots of ways to engage law enforcement, if you're looking at some sort of really malicious campaign.”

Nikkel also advised website operators to openly share threat updates with their own customers, warning them of any discovered malicious domains attempting to mimic their brand.

Ventura also offered his own tip on defense: “IT and security teams need to gain visibility into brand presence, and invest in technology and services that can proactively hunt for lookalike and malicious domains, so they can neutralize brand imitation on the web,” he said. “In addition, investing in advanced web security technology can prevent employees from being able to access fake domains and malicious websites.”

“Last but not least, services that provide monitoring to identify brand impersonation, including the Domain-based Message Authentication, Reporting and Conformance (DMARC) email protocol, are a must for online brand safety. In fact, most of the time, brand protection services can help brands mitigate problems and more rapidly take down brand impersonation websites faster than organizations can do on their own.”
