Spoofed Domains Still a Persistent Threat

Domains impersonating companies and their brand names still pose a significant threat—research from Digital Shadows released today found that on average 1,100 fake websites are registered against individual organizations annually.

And with commercial phishing kits available in criminal marketplaces for as little as $50, Digital Shadows found, cybercriminals can target a brand and have a fraudulent website up and running in a flash without being subjected to the typical procedures to register a domain.

“A fake domain can easily be thrown together with limited financial resources and technical skills and unlimited potential for threat,” Digital Shadows said in a report released today. Cybercriminals can get a lot of bang for their buck as well, spoofing domains to obtain PII, harvesting credentials that can be used in account takeovers, dropping malware, spreading disinformation and/or selling to third-party brokers.

Digital Shadows’ Photon Research Team drew from data collected from its client base and found during the first four months of 2021, more than 175,000 impersonating domains were raised in five sectors–financial services, food and beverage, technology, insurance and health care, plus a catchall “other” category. Not surprisingly, outside of the 53% logged as “other,” the greatest impact was felt by financial services (accounting for 20% of the fraudulent websites), followed by 12% in food and beverage and 11% in technology. Insurance and health care rounded out the list with 6% and 4%, respectively.

The researchers noted that not only was the financial services sector most often targeted, it was also the sector most heavily worked by cybercriminals. A whopping 87% of the domains analyzed by Digital Shadows had an associated DNS record that gave them an official look. And exactly half had assigned mail exchanger (MX) records, so they were primed to send and receive phishing emails. In addition, 66% of the domains were hosting content, which could include logos and images that cybercriminals could use to exploit the targeted brand and its customers.

Food and beverage saw its share of activity, logging the highest number of alerts per organization–nearly 900 risky or impersonating domains in four months. That adds up to nearly 2,700 alerts annually. And researchers found that the sector had the most domains with complete webpages that could be used to impersonate brands–93% had a DNS record while 77% included content. More than half, 54%, had assigned MX records.

“One of the most common domain impersonation tactics is typo-squatting, aka URL hijacking, which is part of the MITRE D3FEND framework,” the report said. Attackers attempt to predict the typos people often make while typing a URL. They then purchase those misspelled domains in an effort to “attract unintended visitor traffic and often conduct malicious activities with protection against law enforcement.”

Digital Shadows researchers cited a number of indicators that a URL “has turned from just a parked page into a fully armed and operational battle station,” chief among them the domain has landed on a threat feed. In this case, the age of the malicious domain report can help determine the risk. “A newly reported malicious domain (within the past 90 days, for example) has a higher chance of being risky,” the report said.

A newly registered domain is also a red flag, as are domains with associated DNS or MX records. “It’s not always a feature, but it’s definitely a big warning sign when piled onto the other risk factors, especially because an MX record means it can send and receive emails,” the researchers said.

Another sign of trouble? A parked page that suddenly begins hosting content. “A page with content generally completes the jump into complete fraud and other maliciousness,” the report said. “If this is an impersonating page, the content may be a complete copy of legitimate content hosted somewhere else.”
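As an added illustration (not tooling from the Digital Shadows report), the following Python turns the indicators above into a simple triage score for look-alike domains; the weights, the fictional brand and the sample observations are constructed assumptions, and the typo check uses plain edit distance.

```python
from dataclasses import dataclass
from datetime import date
RECENT_DAYS = 90  # the report's example window for a "newly reported" domain

@dataclass
class DomainObservation:
    domain: str
    registered: date
    has_dns: bool
    has_mx: bool
    hosts_content: bool
    feed_reported: "date | None" = None  # when a threat feed first listed it

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted look-alike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like(domain: str, brand_domain: str, max_edits: int = 2) -> bool:
    """Not the brand's own domain, but its first label is within a few typos."""
    label, brand = domain.split(".")[0], brand_domain.split(".")[0]
    return domain != brand_domain and edit_distance(label, brand) <= max_edits

def risk_score(obs: DomainObservation, today: date) -> int:
    """Add an assumed weight for each indicator the report names."""
    score = 3 * obs.hosts_content + 2 * obs.has_mx + 1 * obs.has_dns  # live content, MX, DNS
    if (today - obs.registered).days <= RECENT_DAYS:
        score += 2  # newly registered domain
    if obs.feed_reported is not None:  # listed on a threat feed: the chief indicator
        score += 5 if (today - obs.feed_reported).days <= RECENT_DAYS else 2
    return score

def triage(observations: list, brand_domain: str, today: date) -> list:
    """(domain, score) for look-alike domains only, highest risk first."""
    return sorted(((o.domain, risk_score(o, today)) for o in observations
                   if looks_like(o.domain, brand_domain)), key=lambda h: -h[1])

# Constructed sample observations for a fictional brand (not real data).
AS_OF = date(2021, 4, 30)
SAMPLE = [
    DomainObservation("examplebank.com", date(2005, 6, 1), True, True, True),
    DomainObservation("exampelbank.com", date(2021, 3, 15), True, True, True, date(2021, 4, 1)),
    DomainObservation("examp1ebank.net", date(2020, 1, 10), True, False, False),
    DomainObservation("unrelatedshop.com", date(2021, 4, 2), True, True, True),
]
```

Running `triage(SAMPLE, "examplebank.com", AS_OF)` ranks the recently reported, mail-capable, content-hosting look-alike far above the bare parked one and drops the unrelated and legitimate domains.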

With all these insights and warnings, why is domain impersonation still a thing?

That’s simple, said Sean Nikkel, senior cyberthreat intel analyst at Digital Shadows. Spoofed domains still threaten “because the technique still works.”

He explained that adversaries use social engineering, and are “likely betting on people being inattentive in the heat of the moment, to get them to malicious content.” Spoofed domains also “continue to prove effective in spreading malware or for harvesting credentials through seemingly legitimate login pages,” he said.

And the technique isn’t solely the domain of cybercriminals. Nation-state actors, too, “have a long history of using the technique,” said Nikkel. “As long as it stays easy to register spoofed domains and they continue to prove effective for accomplishing adversarial goals, much like it is today, it’s a problem that won’t go away anytime soon.”
