|
Kozow[.]com hosts the website of free dynamic Domain Name System (DNS) service provider Dynu Systems. It has been cited for ties to several malicious activities over the past few months. To see if it would be a good idea for organizations to consider blocking the domain from their networks, we collated a list of kozow[.]com subdomains and subjected them to deeper scrutiny.
We obtained a list of 22,160 kozow[.]com subdomains from our database and analyzed the common strings found.
The following brands, whether correctly or incorrectly spelled, appeared in the subdomains, which could indicate typosquatting or more destructive threats, such as phishing and malware-hosting:
Amazon took the top spot with the highest number of possibly spoofed subdomains (1,982), at least three of which are malicious—cpcontacts[.]amazonde-accountalert[.]kozow[.]com, amazon-recoverydata3[.]kozow[.]com, and alert-amazon[.]com-verifypage[.]kozow[.]com.
WhatsApp followed with 404 subdomains. Examples of malicious subdomains include grupwhatsappdewasa[.]kozow[.]com, cpanel[.]whatsappbokep18[.]kozow[.]com, and chatwhatsapps[.]kozow[.]com. These subdomains could be targeting app users looking to join groups.
In third place was Apple with 387 subdomains, at least three of which are malicious—cpcalendars[.]appleld-apple-com[.]skq[.]kozow[.]com, cpcontacts[.]appleld-apple-com[.]skq[.]kozow[.]com, and www-secure-apple[.]supports-accounts0129[.]kozow[.]com. A lot of these seemed to pretend to offer support to targets.
Other malicious examples for each brand and the ruses used are listed below.
The other abused brands include Google/Android/YouTube (73 subdomains), Facebook (49), Bank of America (43), Instagram (38), Wells Fargo (29), Spotify (14), HSBC (6), ITPro (4), Adobe (3), AOL (3), Starbucks (3), and Yahoo (2). The typosquatters do not seem to have a particular target industry, as tech giants, banks and financial service providers, streaming service providers, utility providers, and even an online publication were in the top 20 list.
Apart from subdomains containing brands or company names as listed above, the following strings were also appearing repetitively:
The string “contact” topped the list with 1,007 subdomains, at least three of which are malicious—cpcontacts[.]amazonde-accountalert[.]kozow[.]com, cpcontacts[.]appleld-apple-com[.]skq[.]kozow[.]com, and cpcontacts[.]updatemyaccount-paypal[.]kozow[.]com.
This was closely followed by “calendar” with 978 subdomains and “app” with 722. Malicious examples of subdomains containing both strings include cpcalendars[.]appleld-apple-com[.]skq[.]kozow[.]com, cpcalendars[.]www-appmazon-login-authorized-secure[.]kozow[.]com, cpcalendars[.]secure[.]my-amazon[.]updatedetailinfo73292300[.]kozow[.]com, cpcalendars[.]appleld-apple-com[.]skq[.]kozow[.]com, cpcontacts[.]appleld-apple-com[.]skq[.]kozow[.]com, and cpanel[.]secure[.]apps[.]home-dashboard-ridireecttoamazonverif[.]kozow[.]com.
Other examples are listed below per theme.
The other abused strings include verify/verification (399 subdomains), support (257), info/information (188), recover/recovery (179), online (154), login/logon (93), payment (90), signin (74), and help (61). These strings were used in tandem with the brands listed above, most likely to provide a semblance of legitimacy to the subdomains.
Many potential threats might be hiding behind domains like kozow[.]com in the form of subdomains, notably to evade detection and subsequent blocking. But close monitoring of subdomain data feeds can help alleviate the problem as this post showed.
If you are interested in the complete list of kozow[.]com subdomains used in this post or would like to collaborate on similar research, feel free to contact us.
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC