Recently, we’ve released a few articles on typosquatting, Getting Started with Domain Monitoring Part I, and Part II and a solutions guide for Domain Monitoring to give everyone a sense of the threats presented when it comes to domains. As there are many. For the frequent readers of our blogs, some of you may have been asking yourselves, “OK, Digital Shadows (now ReliaQuest), what’s with all of the domain talk lately?” Glad you asked!
We followed one of the principles of doing good threat intelligence by diving into our data, which you can read all about in our new research report. For the approximately four months we analyzed, there were over 175,000 alerts to analyze. This ended up showing us that, on average, every month, about 90 alerts showed up per client. That translates into nearly 1,100 domains per year.
The guiding thoughts behind our impersonating domains research was to see if we could find trends supporting media or community reporting or uncover some exciting threads of our own. In this blog, we’ll dive into the few surprises throughout the analysis and research alongside some of the usual suspects you see or hear elsewhere in the security community.
Why do Domain Impersonations matter?
The concept of spoofing domains and impersonating brands is not new. At least, it shouldn’t be. Many sharp researchers and security companies in this space have written various papers, articles, and blogs over the years, and probably ad nauseam at this point.
We need to talk about it because it still matters. After all, it’s still something every adversary does. It’s why phishing is still the best lowest-tech attack vector and why every year, domains are still getting spoofed. They do it because IT (clap emoji) WORKS (clap emoji).
On the internet, domains and brands go together like peanut butter & jelly, so it’s one of those assets that need to be protected or at least watched. It’s often the first place customers, employees, and partners learn more about a particular company, especially one with a high-profile or great product, for instance. Knowing this, adversaries will go to great lengths to support their aims by using trickery and fraud to take advantage of that public trust.
What techniques are used in domain impersonation?
As we found, threat actors use all kinds of techniques to spoof domain names, register lookalike subdomains, website content, and even logos to complete their fraud. As a result of these campaigns, we’ve seen the targets range from harvesting credentials to delivering malware on unsuspecting victims.
The actual pages associated with some of these impersonating domains ran the entire spectrum:
- DNS and MX records attached
- Activity; parked or newly-registered
- Content; displaying some sort of web content or referencing content
- Logos; displaying logo or associated imagery
- Threat feeds; mentions on threat feed
In a few cases, they’d even ended up on a threat feed, which is how the intelligence and security communities often share indicators of compromise and other adversary data with the rest of the world.
The good news is that there are takedown services that can assist with moving these bad actors off these domains. Still, as Michael wrote in his domain monitoring blog, it’s much harder to do this with parked pages simply there and not actually performing a malicious function. It’s also hard to do with bulletproof hosting, which typically turns a blind eye to malicious or criminal activity or does not comply with law enforcement or takedowns.
What does the threat landscape look like in 2021?
So what do those threats look like, in terms of our customers? It means getting alerted to the presence of these potentially spoofed domains.
1,100 impersonating domains and subdomains detected on average per year per Digital Shadows (now ReliaQuest) client.
In particular industry verticals like financial services, food and beverage, technology, and healthcare, some clients saw some of the most alerts or risk factors compared to other client industries.
Why have impersonating domains ballooned in volume?
It’s a complicated question, one that depends on a lot of factors.
For one, it’s the sheer number of terminal-level domains (TLDs) that go beyond the usual .com, .net, and .org TLDs that are familiar to many of us. Try and register a domain, and you will be presented with probably dozens of options between various available domain spellings and TLDs (we know, we’ve checked).
As we’ve written about before, it becomes cost-prohibitive to pay for all of these domains to block illegitimate use or support redirects from typos. Based on the data we saw for our clients, and just them alone, it’s likely an average of at least a half-million domain alerts for the year. Now, to get a sense of that scale globally, multiply that times the number of possible permutations between word and letter changes, multiple TLD use, and the number of companies and products that exist worldwide and… Well, let’s say it’s a lot, and you can see how it gets complicated.
Lowered Technical Barriers to Cybercrime
As usual, the criminal underground has responded to the demand and offers just about everything you’d need to get access to hosting, registering domains, setting up phishing services or professionally-spoofed pages at scale, as well as lots of niche tools and specialties in-between that support these enterprises. There are lots of tutorials and other advice out there that can help you on your quest to commit fraud on the web. We even found that some of these services don’t require tons of resources, whether technical or financial.
What are the motives for domain impersonation?
This has probably been echoed through other, similar research projects elsewhere, but there were some common threads regarding the motivations behind domain impersonation, which can answer the question of “Why?” In some cases, it might be world domination if we’re talking about a nation-state actor (who also plays the domain game), but it is more than likely just about money and notoriety on the criminal side.
The top reason to set up an impersonating domain is to harvest credentials.
This is done by nation-state actors and criminals alike and serves various purposes. It’s more than likely to perform some measure of account takeover, whether it’s for your social media account, bank login, or employer’s online webmail portal. It may even just be for your favorite streaming service.
Phishing is probably the culprit, and it might be messages warning you about your account expiring or maybe even fake payment invoices that you need to check by logging in right now! It may even be just a request from a potential customer to check out a file or a colleague trying to send you a share link, and it takes you to what seems to be a Microsoft Online portal login, as seen below:
This is how you make a security analyst panic.
Once credentials are harvested, they may be monetized further and sold in bulk on various marketplaces for various uses, including the sale to initial access brokers (IABs) who often traffic in the purchase and sale of administrator and remote access credentials. In the case of a nation-state actor harvesting credentials, they might use stolen credentials to gain access to critical or sensitive information that supports an ongoing espionage operation, for example.
The following motivation shouldn’t come as any surprise, but personal information, medical data, and financial or payment data are still lucrative, especially in bulk and especially when it’s new data. A spoofed shop page might harvest credit card details, while another page pretending to be your bank might take a Social Security number or other personal information. While these offerings in singles can often sell for pennies to dollars on the dark web, they can bring in some money for criminals together in bulk.
The final motivations are also shared by criminals and spies alike, and that’s to drop malware and use information against us. Domains with spoofed pages might look like a software update for a standard application, which hosts a remote access Trojan, for example. Or it might take the form of an embedded link in a document or, worse, an email attachment that’s a misleadingly-named file meant for further download and inspection by the user. In using information against victims, spoofed domains could redirect users to fake news sites or support similar attempts at misinformation en masse. In other cases, they may be directing traffic to so-called clickbait and similar sites attempting to make money from ad clicks.
How can you defend against domain impersonations?
As we’ll show you in the release of our domain research this week, the threats are many while the barrier to entry keeps getting lower. As a matter of course, Digital Shadows (now ReliaQuest) can monitor that attack surface for you, and help you keep your brand protected by monitoring lookalike domains. We can help reduce the noise of looking at every single domain out there and help you make a choice, based on various risk factors such as: domains that are newly registered, appearing in threat feeds, parked, or possibly even hosting content, which might even include your logos and designs. We can help you take down those domains where possible and keep an eye on those that appear risky.
As we’ve discussed before, it might be cost- and time-prohibitive to do all of this yourself, and as you’ll see in the research, not every risky domain ends up on a threat feed. If you’d like to know how the domain monitoring works, take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a 7-day test drive, or request a demo from us to help you better understand where the online risk lies.