|
PayPal is still one of the most imitated brands on the Internet. From 1-8 June 2020, the Typosquatting Data Feed detected a total of 64 PayPal lookalike domains. The domains appeared on the data feed because they became part of the Domain Name System (DNS) on the same day similar ones were. While such occurrences can be a result of PayPal’s brand protection strategy, it could also mean that threat actors are planning to use them in phishing attacks.
The latter is not an unlikely scenario, especially since IBM X-Force has been releasing different warnings related to various PayPal squatting campaigns. In a little over a year, it issued four notices on these dates:
With this in mind, what can we say about these newly detected domain names?
Of the 64 domains, half have since been dropped. Listed below are the domains detected within the specified date range that remain active:
We can’t say for sure if any of the 32 domains are typosquatting or malicious domains as PayPal could have registered some of them as part of its typosquatting or brand protection strategy. These domain names could also have been purchased for domaining purposes.
However, we did compare their WHOIS records with that of the legitimate paypal[.]com website via Bulk WHOIS Lookup. Here’s what we found out:
The registrant names, organizations, and contact information were all anonymized or protected for privacy, or left blank.
All domains were registered either in Sweden or Russia, with only one exception. Pay-pal-support[.]xyz was registered in the U.S.
On the other hand, the WHOIS details of the official paypal[.]com are as follows:
Registrar: MarkMonitor, Inc.
Registrant organization: Paypal Inc.
Registrant address: 2211 North First Street, San Jose, California
All other information such as the email address, telephone, and technical and administrative details are also provided. As such, there is a glaring difference between the WHOIS records of the legitimate PayPal domain and its lookalikes.
Another reason for treating these 32 typosquatting domains as suspicious is the fact that PayPal uses the same WHOIS details for a large number (if not all) of its other domains. We found 2,451 domains that use the same registration details as paypal[.]com.
We were able to look into PayPal’s typosquatting strategy with the help of Reverse WHOIS Search. Utilizing its advanced search feature, we specified the following search terms:
Out of the almost 2,500 domains, only seven were registered between 1 May and 9 June 2020. And only one of them can be deemed a lookalike.
Integrating Typosquatting Data Feed could help PayPal protect its brand and its users promptly. By contacting the owners or even the registrars of these domains, PayPal can save its users from becoming victims of phishing, fraud, and other cybercrime.
On 8 June, a user with the Twitter handle @JetmanPR warned his followers about a phishing email he received. The email was supposedly from PayPal, alerting him about suspicious activities on his PayPal account.
The email is fake based on the email domain and the glaring grammatical errors in the message. The PayPal user thankfully didn’t fall for the ruse. Others were not as lucky.
In May, a woman almost lost £11,000 to scammers after clicking a malicious link embedded in a message that was supposedly from PayPal. Luckily, her bank’s fraud team was alerted and fixed everything.
PayPal squatting seemingly remains prevalent, as shown by the Typosquatting Data Feed. PayPal is already educating users about phishing and provides them with an avenue to report such acts. As an additional effort, keeping track of PayPal-inspired domain registrations is possible with Typosquatting Data Feed.
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byVerisign
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byRadix