As an attack vector, phishing has had several underlying purposes—e.g., delivering malware, stealing sensitive information, and defrauding victims. However, it looks like most phishing emails could be used to obtain user credentials according to the 2021 Annual State of Phishing Report by Cofense. After analyzing millions of emails, Cofense found that 57% are credential phishing emails.

While credential phishing can be executed in many ways, researchers at WhoisXML API attempted to identify suspicious domain names that contain account-related terms, such as “login,” “signin,” and “password.” Using text strings like these, alongside the legitimate company’s name, could make the email appear believable and potentially lure victims into giving away their credentials.

More specifically, this post aims to determine how widely used these text strings are in domains related to PayPal and Amazon, two companies commonly targeted in phishing campaigns.

“Feel free to download the sample list of additional IoCs and artifacts related to this threat research. Our main findings are also further detailed below.”

Obtaining the Sample

PayPal and Amazon are among the top 10 most impersonated brands in the world. We focused on these two brands, but future research can include other companies.

Credential-related domains related to PayPal and Amazon were obtained through Domains & Subdomains Discovery, which is part of the Domain Research Suite (DRS). More specifically, we looked for domains that contain a combination of the brand name and generic account-related terms, such as “password,” “login,” and “signin.”

We also included two unique terms for each brand, as seen on verified phishing domains on PhishTank. For instance, “activation” and “ticket” were usually seen in verified phishing domains targeting PayPal but not so much with Amazon. On the other hand, “shop” and “payment” were repeatedly seen among Amazon-targeted phishing domains.

The search strings and corresponding domain volumes are specified in the table below.

A total of 11,703 domains were discovered.

Malicious Credential Phishing-Related Domains

We ran our discovered sample on Threat Intelligence Platform (TIP) and found that around 15% or 1,715 of the domains were reported as “malicious” by one or more malware detection engines.

A few examples for each brand are listed below.

A majority of these malicious domains fell under the .com (44%) and .shop (38%) top-level domains (TLDs). It’s worth noting that the “.shop” domains in our sample were primarily related to Amazon since it is one of the search strings. In fact, .shop domains make up about 50% of the total number of domains found in this study. That could mean that when it comes to e-commerce sites, such as Amazon, threat actors may take advantage of related TLDs in phishing campaigns.

Aside from .com and .shop, other TLDs that repeatedly appeared among the malicious domains were .info, .ml, .cf, .xyz, .tk, .net, .ga, and .top. The TLDs are a combination of country-code TLDs (ccTLDs), new generic TLDs (ngTLDs), and gTLDs.

Content That the Malicious Domains Host

How dangerous are these domain names? Aside from being reported as “malicious,” one way to determine how dangerous they are is to take a look at the content they host. Screenshot API helped us answer the question.

Of the 1,715 malicious domains, only 70 domains resolved to live websites. Several of the domains that did not point to sites may have already been taken down, given that they were reported as “malicious.” Alarmingly, some of the domains still host content that could be used in credential phishing or brand impersonation. The domain paypallogin[.]net, for instance, appears to host a login page:

Credential phishing is a pressing concern, as threat actors increasingly aim to steal sensitive user data. Among their tactics is to use typosquatting domains such as the PayPal and Amazon-related domains found in this study. User awareness and early detection of such domain names could be the key towards avoiding credential phishing.

If you’re interested in the domain names related to possible Amazon- and PayPal-related credential phishing activity or to discuss potential security research collaborations, feel free to contact us.