Domain attack surface discovery is an incessant quest for domain and subdomain names that could be used as attack vectors. The larger its attack surface, the more vulnerable an organization tends to be. On the other hand, the more attack vectors discovered, the higher the chances of mitigating cyber attacks.
This post looks at what the domain attack surface of the 10 most spoofed brands looked like in recent weeks, specifically between 1 July and 3 August 2021. In particular, we addressed these questions:
The brands in this study are based on Check Point’s Brand Phishing Report for the second quarter of 2021. The report lists companies that own the most imitated brands by hackers in their phishing campaigns. Microsoft topped the list, accounting for 45% of the total number of brand-related phishing attacks recorded.
Some of these companies were also present when we studied the domain attack surface of the 10 most spoofed brands in 2020.
The 10 brands accumulated over 42,000 domains and subdomains in our data sample, all added between 1 July and 3 August 2021. That total breaks down into roughly 12,000 domains and 30,000 subdomains at a minimum, added within a span of only four weeks.
These cyber resources with exact matches of the brand names were found using Domains and Subdomains Discovery, which is part of the Domain Research Suite (DRS).
While Microsoft was the most spoofed brand in phishing campaigns, Amazon had the largest domain attack surface with close to 12,000 domains and subdomains. It was followed by Chase Bank, Apple, Google, and PayPal.
Some examples of the cyber resources found for each brand are provided below.
Brand | Examples of Domains | Examples of Subdomains |
---|---|---|
Amazon | • jp-amazon-amazon[.]top • amazon-amazon[.]monster • xn--mzon-4naz[.]vg | • amazon.zr4w9c[.]cn • amazon.alloqejqufcjvs[.]club • amazon.plotpad[.]com |
Chase Bank | • chase03[.]cf • chasebk[.]us • chasee[.]icu | • chase[.]scuritybetumbokchase[.]com • chase[.]secure3913[.]link • chase[.]cxoeventsme[.]com |
Apple | • aappleid[.]apple • appledapple[.]ph • applechapple[.]be | • aappleid[.]apple[.]com-usersupdate[.]live • apple[.]appleid[.]com-ar[.]xyz • appleid[.]apple[.]sign-in-apps-stored[.]com |
Google | • googlegoogle[.]gq • googlegoogle[.]com[.]cn • xn--googl-fsa641b[.]ws | • accont[.]google[.]brsuporte[.]co • google[.]gerson[.]barreiros[.]nom[.]br • safety[.]google[.]admin-mcas-gov[.]ms |
PayPal | • xn--ppl-loa30mca[.]ws • ppaypal[.]me • 4paypal[.]ml | • paypal-paypal[.]holhost[.]com • paypalpaypal1[.]repl[.]co • paypal[.]customer-servce[.]com |
DHL | • dhlsupplychain[.]dhl • dhlsg[.]me • dhlweb[.]xyz | • dhl[.]pay-systemeng[.]site • dhl[.]paying-delivery[.]site • dhl[.]pay-onlineservice[.]com |
Microsoft | • xn--microft-e1a22g[.]vg • microsofts[.]in • microsoft-e5[.]vg | • microsoft[.]microsoft[.]ooficesuit[.]xyz • microsoft[.]thekeysupport[.]com • microsoft[.]signon-o365[.]cloud |
LinkedIn | • linkedinforlinkedin[.]tk • xn--lnkdin-i6b4230d[.]ph • hulinkedin[.]ws | • linkedin[.]voicemailsend[.]live • linkedin[.]revisaodeperfil[.]com[.]br • linkedin[.]dfsoltec[.]com |
Bestbuy | • xn--btbuy-uza96w[.]ws • bestbuyu[.]ws • ibestbuy[.]it | • cdn[.]bestbuy[.]surfavenuemallbestbuy[.]com • bestbuycoupon[.]ostheotasori[.]tk • welcome[.]bestbuy[.]accoountonline[.]com |
Dropbox | • xn--opbox-4ya6853c[.]com • wdropbox[.]ws • httdropbox[.]vg | • dropbox[.]car[.]blog • dropbox-api[.]dropbox[.]com[.]fac3b00k[.]ga • dropbox[.]siliconvalleysignings[.]com |
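The table separates hits where the brand string sits in the registrable domain itself from hits where it only appears in a subdomain label, and several entries are xn-- (punycode) labels whose lookalike characters are invisible in ASCII. The script below is an added example written for this post, not code from the original article or from the Domain Research Suite: it refangs the [.] notation, decides which part of the hostname carries the brand, and decodes IDN labels so an analyst can see the substituted characters. The sample hostnames are constructed, the multi-part suffix set is a placeholder for a real Public Suffix List lookup, and the confusables table is a tiny stand-in for Unicode's confusables.txt.

```python
"""Refang report-style hostnames, locate the brand string, and decode IDN labels.

Added example, not code from the original post or from the Domain Research
Suite. Sample hostnames are constructed; MULTI_PART_SUFFIXES and CONFUSABLES
are deliberately incomplete placeholders.
"""
import unicodedata
from typing import List, NamedTuple, Optional, Tuple

# Constructed, incomplete stand-in for the Public Suffix List.
MULTI_PART_SUFFIXES = {"com.cn", "com.br", "nom.br", "co.uk"}

# Constructed, incomplete map of Cyrillic lookalikes to the Latin letters they mimic.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x"}


class Hit(NamedTuple):
    hostname: str                       # refanged, lower-cased
    brand: str
    where: str                          # "domain", "subdomain" or "none"
    idn_labels: List[Tuple[str, str]]   # (punycode label, decoded label)


def refang(host: str) -> str:
    """Undo the [.] defanging used in threat reports."""
    return host.strip().lower().replace("[.]", ".")


def split_host(host: str):
    """Return (subdomain labels, registrable label, suffix) using the naive suffix set."""
    labels = host.split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    suffix_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 1
    return labels[:-suffix_len - 1], labels[-suffix_len - 1], ".".join(labels[-suffix_len:])


def decode_idn(label: str) -> Optional[str]:
    """Decode an xn-- label to Unicode; None if the label is not an IDN label."""
    if not label.startswith("xn--"):
        return None
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return "<undecodable>"


def fold_confusables(text: str) -> str:
    """Map known lookalike characters to their Latin counterparts before matching."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def lookalike_chars(text: str) -> List[Tuple[str, str]]:
    """Name every non-ASCII character so an analyst can see what was swapped."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 127]


def classify(defanged: str, brand: str) -> Hit:
    """Report whether the brand sits in the registrable label or only in a subdomain label."""
    host = refang(defanged)
    brand = brand.lower()
    subs, registrable, _ = split_host(host)

    def has_brand(label: str) -> bool:
        decoded = decode_idn(label)
        return brand in label or (decoded is not None and brand in fold_confusables(decoded))

    if has_brand(registrable):
        where = "domain"
    elif any(has_brand(s) for s in subs):
        where = "subdomain"
    else:
        where = "none"
    idn = [(lab, decode_idn(lab)) for lab in host.split(".") if lab.startswith("xn--")]
    return Hit(host, brand, where, idn)


# Constructed homoglyph: "paypal" with a Cyrillic small a (U+0430) in second position.
HOMOGLYPH_PAYPAL = "p\u0430ypal".encode("idna").decode("ascii")

# Constructed samples in the defanged style used in the post.
SAMPLES = [
    ("amazon.plotpad[.]com", "amazon"),
    ("googlegoogle[.]com[.]cn", "google"),
    ("dropbox[.]car[.]blog", "dropbox"),
    (HOMOGLYPH_PAYPAL + "[.]ws", "paypal"),
    ("example[.]net", "apple"),
]

if __name__ == "__main__":
    for defanged, brand in SAMPLES:
        hit = classify(defanged, brand)
        print(f"{hit.hostname:32} {brand:8} -> {hit.where}")
        for punycode, decoded in hit.idn_labels:
            print(f"    {punycode} = {decoded!r} {lookalike_chars(decoded)}")
```

The distinction matters for triage: a brand string in the registrable label points at a registration the brand owner may be able to dispute, while a brand string in a subdomain label usually lives under a third party's domain (a hosting or dynamic-DNS provider), where the remedy is a takedown request to that provider rather than a registrar.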
Are These Cyber Resources Publicly Attributable to the Brands They Contain?
Some of the domains and subdomains found in this study are likely owned and controlled by the brands’ owners. While this category of domains still belongs to their domain attack surface, it could be easier for the brands to address threats that weaponize their domains and subdomains.
So, how many of the domains found can be publicly attributed to the brands? We retrieved the registrant email addresses of the brands’ official domains from WHOIS Search and WHOIS History Search to answer this.
These were then compared to the WHOIS records of the domains obtained from Bulk WHOIS Lookup. Note that Bulk WHOIS Lookup returned the WHOIS records of 60% of the total number of domains. Some of the domains may have already been dropped by their owners.
Of the domains with WHOIS records, only 24 or 0.09% use the same registrant email addresses as the brands’ official domains. Hence, 99.91% cannot be publicly attributed to the brands and may have been registered, and are being managed, by other entities.
Another interesting aspect when analyzing domain attack surfaces is the TLD distribution. In other words: Are the domains registered under specific domain registries? What is the role of country-code TLDs (ccTLDs) in the domain attack surface?
As for the 10 most imitated brands in this study, the largest share (35%) falls under the .com space. The rest are distributed across 209 other TLDs. The top 10 TLDs are shown in the graph below.
As you can see, six of the top 10 TLDs are ccTLDs: .vg, .ws, .ph, .co, .ga, and .ml. About 5% of the domains are under .politie, a TLD reserved for the Netherlands Police. These domains could have been reported for cybercrime or used by law enforcement. Some examples of such domains are:
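The two measurements above, public attribution by registrant e-mail and TLD distribution, are straightforward to reproduce once bulk WHOIS results are in hand. The script below is an added example written for this post, not the post's own code or a Domain Research Suite API: it runs both analyses over a constructed set of WHOIS records for a placeholder brand "acme". The records, the registrant address and the domain names are all made up; `None` models a domain for which the bulk lookup returned no record, which is why attribution is computed only over domains that have one, as the post does. The ccTLD test relies on the IANA rule that every two-letter TLD is a country-code TLD, so no separate ccTLD list is needed.

```python
"""Public attribution and TLD distribution for a set of brand-matching domains.

Added example, not code from the original post. WHOIS_RECORDS and
BRAND_REGISTRANTS are constructed for illustration; in practice the records
would come from a bulk WHOIS source and the brand addresses from the
registrant fields of the brand's official domains.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed: registrant e-mail(s) seen on the placeholder brand's official domains.
BRAND_REGISTRANTS = {"acme": {"hostmaster@acme.example"}}

# Constructed bulk-WHOIS results: domain -> registrant e-mail, or None if no record came back.
WHOIS_RECORDS: Dict[str, Optional[str]] = {
    "acme-login.com": "someone@mail.example",
    "acme-verify.com": "z@mail.example",
    "login-acme.com": None,
    "acme.co": None,
    "acme-support.vg": "hostmaster@acme.example",
    "myacme.ws": "other@mail.example",
    "acmehelp.politie": None,
    "acme-secure.ml": "abuse@throwaway.example",
    "acme.com.br": "hostmaster@acme.example",
    "acme-pay.ga": "x@mail.example",
    "acmeonline.ph": "y@mail.example",
    "acme.net": "hostmaster@acme.example",
}


def tld_of(domain: str) -> str:
    """Rightmost label; for acme.com.br this is 'br', the ccTLD that hosts the com.br space."""
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def is_cctld(tld: str) -> bool:
    """IANA assigns every two-letter TLD as a country-code TLD, so length alone decides."""
    return len(tld) == 2 and tld.isalpha()


def coverage(records: Dict[str, Optional[str]]) -> float:
    """Fraction of looked-up domains for which a WHOIS record was returned."""
    return sum(email is not None for email in records.values()) / len(records)


def attribution(records: Dict[str, Optional[str]], brand_emails: Iterable[str]) -> dict:
    """Match registrant e-mails against the brand's own; percentages use only domains with records."""
    wanted = {e.lower() for e in brand_emails}
    with_record = {d: e.lower() for d, e in records.items() if e is not None}
    attributable = sorted(d for d, e in with_record.items() if e in wanted)
    pct = 100.0 * len(attributable) / len(with_record) if with_record else 0.0
    return {
        "with_record": len(with_record),
        "attributable": len(attributable),
        "attributable_pct": pct,
        "attributable_domains": attributable,
        "unattributable_domains": sorted(set(with_record) - set(attributable)),
    }


def tld_distribution(domains: Iterable[str], top: int = 10) -> dict:
    """Count TLDs across all domains (record or not) and report the ccTLD share."""
    counts = Counter(tld_of(d) for d in domains)
    total = sum(counts.values())
    cc = sum(n for tld, n in counts.items() if is_cctld(tld))
    return {
        "counts": counts,
        "top": counts.most_common(top),
        "distinct": len(counts),
        "cctld_share": cc / total if total else 0.0,
    }


if __name__ == "__main__":
    print(f"WHOIS coverage: {coverage(WHOIS_RECORDS):.0%}")
    att = attribution(WHOIS_RECORDS, BRAND_REGISTRANTS["acme"])
    print(f"attributable: {att['attributable']}/{att['with_record']} ({att['attributable_pct']:.1f}%)")
    dist = tld_distribution(WHOIS_RECORDS)
    print(f"{dist['distinct']} TLDs, ccTLD share {dist['cctld_share']:.0%}, top: {dist['top']}")
```

Two caveats worth keeping in mind when reading the output: registrant e-mail is a weak attribution signal on its own, since WHOIS redaction replaces many registrant fields with registrar or privacy-service addresses, and a domain with no returned record is not evidence either way, so coverage should always be reported next to the attribution percentage.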
We took about 30% of the domains as samples and ran them on Threat Intelligence Platform (TIP) to see if they have been reported as malicious or not. Alarmingly, 68% turned out to be listed on blocklist sites, such as VirusTotal and Google Safe Browsing.
These domains have already been found malicious, although they are only about a month old (at the time of writing). The domain 0365microsoftonline[.]com, for example, only appeared in the Domain Name System (DNS) on 29 July 2021.
For the top 10 most spoofed brands under study, more than 42,000 domains and subdomains were added in a span of only four weeks, and almost all of them could not be publicly attributed to the brands they contain. It is also worth noting that circa 30% of our reduced sample turned out to be malicious.
If you are a cybersecurity researcher or professional who wants to enhance your domain attack surface discovery process, contact us. We can talk more about obtaining data from well-parsed and ready-to-consume domain, IP, and DNS intelligence sources.