Cybercriminals mimic major brand domains to scam customers

1 Sep 2020

Image: © HappyLenses/Stock.adobe.com

New research shows cybercriminals are registering domains that look similar to those from major brands such as Amazon, PayPal and Netflix to fool customers.

The way in which cybercriminals target users is becoming more sophisticated all the time. Now, a new report is warning customers to watch out for malicious domains that appear to look like they’re related to legitimate company websites, a practice known as ‘cybersquatting’.

Today (1 September), the Palo Alto Networks threat intelligence team, Unit 42, released new research examining data from December 2019 to date that shows cybercriminals mimicking the domains of major brands such as Facebook, Apple, Amazon, PayPal and Netflix.

The cybersquatting technique can be used to conduct a variety of attacks such as phishing, malware distribution and renewal scams. According to Unit 42, cybercriminals prefer profitable targets, such as mainstream search engines, shopping and banking websites, where they can attempt to steal sensitive credentials or money.

In recent months, Unit 42 discovered cybercriminals setting up malicious domains related to major brands to conduct attacks including phishing, malware distribution, renewal scams, technical support scams and reward scams. Focusing on data from December 2019, Unit 42 ranked the top 20 most abused domains.

A chart showing the most abused domains according to Palo Alto Networks.

Top 20 most abused domains in December 2019. Image: Palo Alto Networks

Cybersquatting relies on users mistakenly identifying a site as a familiar, authentic brand due to a similar domain name. Cybersquatting is not a new phenomenon and it is illegal in the US.

Unit 42’s report showed how convincing these types of scams can be, with some showing convincing replicas of website front pages as a cover for redirected links. Others can attempt to capitalise on users’ typing mistakes, for example, whatsalpp.com for WhatsApp; this is known as typo-squatting.

Other forms include combo-squatting, when a popular brand name is combined with words such as ‘payment’ or ‘security’; sound-squatting, which takes advantage of similar-sounding words and can be particularly effective with the increased use in text-to-speech software such as Siri; and bit-squatting, in which the domain has a character that differs in one bit from the same character as the targeted legitimate domain, for example, micposoft.com instead of microsoft.com.

According to the report, bit-squatting can benefit attackers because a hardware error can cause a random bit-flip in memory where domain names are stored temporarily, meaning users may be led to malicious domains, even if they type in the correct one.

“Although such hardware errors are usually rare, an academic research paper has shown that ​bit-squatting is a real threat​,” the report said.

The Palo Alto Networks squatting detector system discovered that 13,857 squatting domains were registered in December 2019, an average of 450 per day. The team found that almost 20pc of these squatted domain names were malicious, often distributing malware or conducting phishing attacks, while almost 37pc were considered ‘high risk’, meaning they had evidence of association with malicious URLs.

Users are advised to always be vigilant for any unusual domain names.

Jenny Darmody is the editor of Silicon Republic

editorial@siliconrepublic.com