In a recent study INKY subjected around 657 million emails in 2020 and found almost 5 million phishing campaigns, more than 590,000 of which were brand impersonations. It then came up with a list of the top 25 most phished brands in a 2021 report.

We sought to determine newly-created artifacts that could figure in potential attacks targeting customers of the top 3 in INKY’s list—Microsoft, Zoom, and Amazon.

Potential Attack Artifacts for Microsoft

INKY ranked Microsoft the most phished brand in 2020. The tech giant was targeted by nearly 29,000 campaigns, almost 70% of which were brand impersonations. Many of the company’s customers and stakeholders may have succumbed to business email compromise (BEC) and spoofing attacks.

To protect against similar campaigns this year, we looked at various domain intelligence sources for artifacts that may figure in phishing attacks.

A dive into the Newly Registered & Just Expired Domains Database for February 2021 gave us a list of 214 .com newly registered domains (NRDs) that contain the string “microsoft.” Examples include:

• analysis-microsoft[.]com
• defender-microsoft[.]com
• microsoftcoding[.]com
• bizzmicrosoft365[.]com
• microsoft365emailbackup[.]com
• microsoftappsupport[.]com
• glassmicrosoft[.]com
• microsoftserviceupdates[.]com
• microsoftdynamicscrmsupport[.]com
• blogmicrosoft[.]com

The NRDs above could potentially figure in a phishing attack targeting Microsoft’s customers, suppliers, partners, and employees. And if misspelled variations of the string are included, there could be far more artifacts to consider.

Potential Attack Artifacts for Zoom

Zoom ranked as the second-most-phished brand in the INKY report, recording about 3,800 campaigns for 2020, a little over 9% of which were brand impersonations. That is not surprising since remote workers, students, and practically everyone trooped online to continue life as we know it.

One way to secure home and office networks against phishing attacks is by monitoring emails for signs of disposable domains that may be spoofing popular brands like Zoom.

A look at the Disposable Email Domains Data Feed for February 2021 revealed the domain zoom[.]cd, which may figure in a malicious campaign targeting the telecommunications company’s users.

The INKY report also showed a sample phishing email that used the email address ms-zoom[.]notifications@mnoose[.]com. The domain mnoose[.]com, according to its privacy-protected WHOIS record, is less than 3 months old (at the time of writing) and owned by an organization which name remained public in the record.

Potential Attack Artifacts for Amazon

Finally, Amazon was the top 3 most-phished brand in 2020. The world’s biggest online retailer was the target of almost 2,800 campaigns, about 7% of which were recorded as brand impersonations. What was a little surprising is that not all supposed Amazon shipment notification emails have an attachment or a link to click. Some just had a phone number. When users call, a threat actor answers and convinces them to give up their login credentials.

Close scrutiny of Typosquatting Data Feed for January 2021 gave us a list of six bulk-registered domains containing the string “amazon,” namely:

• amazong[.]shop
• amazong[.]toys
• amazong[.]store
• amazon-kb[.]best
• amazon-kn[.]top
• amazon-kt[.]top

Of these, amazong[.]toys and amazong[.]store are tagged “suspicious,” amazon-kt[.]top is tagged a spamming domain, and amazon-kb[.]best is tagged as “malicious” on VirusTotal.

Three domains’ WHOIS records have been redacted for privacy. That is not the case for real Amazon-owned domains’ WHOIS records, which show the retailer’s complete registration details. None of the potential typosquatting domains above share any of the details in Amazon domains’ WHOIS records as well.

The Enterprise Typosquatting Data Feed for the month provided the following connected IP addresses:

• 107[.]161[.]23[.]204
• 192[.]161[.]187[.]200
• 209[.]141[.]38[.]71
• 134[.]73[.]5[.]157
• 157[.]52[.]230[.]115

VirusTotal checks for the related IP addresses also found 107[.]161[.]23[.]204, 192[.]161[.]187[.]200, and 209[.]141[.]38[.]71 malicious and 134[.]73[.]5[.]157 a spam source.

As this post showed, consulting domain intelligence sources for potential attack artifacts related to publicized malicious campaigns can help improve any individual’s or organization’s cybersecurity posture.

If you are interested in obtaining more information on potential phishing domains containing brand names, do not hesitate to contact us so we can collaborate.