There’s a new phishing-as-a-service (PaaS) solution in town, and it’s called “Frappo.” This new phishing toolkit enabled threat actors to launch impersonation attacks on at least 19 companies in the financial, entertainment, and telecommunications industries. WhoisXML API researchers monitored the Domain Name System (DNS) for registration activities related to the target brands since the phishing pages may be hosted on cybersquatting domains. Among our findings are:

• 16,800+ domains containing the names of the target companies added since 1 April 2022
• 14,400+ IP resolutions pointing to 5,800+ unique IP addresses
• Only 0.71% of the domains were publicly attributable to the target companies
• 800+ of the domains are already being flagged as malicious by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Most Domains Can’t Be Publicly Attributed to the Target Brands

As anyone in the cybersecurity community would expect, Frappo’s target companies are among the most impersonated brands worldwide. These include large financial institutions in North America and other popular organizations, namely:

• Amazon
• ATB Financial
• Bank of Montreal (BMO)
• Bank of America (BOA)
• Chase
• Canadian Imperial Bank of Commerce (CIBC)
• Citibank
• Citizens
• Costco
• Desjardins
• M&T Bank
• Netflix
• Royal Bank of Canada (RBC)
• Rogers
• Scotia
• Tangerine Bank
• TD Canada Trust
• Uber
• Wells Fargo

Using Domains & Subdomains Discovery, we retrieved domains registered since 1 April 2022 that seem to imitate the official domains of these companies. For those prone to false positives, such as TD Bank (td[.]com) and ATB Financial (atb[.]com), we only included domains that begin with the exact second-level text string.

Out of more than 9,600 cybersquatting domains with available WHOIS records retrieved through Bulk WHOIS Lookup, only 69 or 0.71% could be publicly attributed to the imitated brands. These domains used the companies’ email addresses as registrant email addresses in their WHOIS records.

Screenshot Analysis of Resolving Cybersquatting Domains

Based on Bulk IP Lookup results, half of the domains in the study currently resolve to different IP addresses. What content do they host? While several domains were parked and resolved to 404 pages, our Screenshot Service uncovered some interesting web pages.

Some domains hosted login pages, including those already flagged as malicious. We showed some examples below.

Some domains were also designed to look similar to those of the imitated companies, oftentimes sporting their brand logos and colors. Below are a few examples.

Semantic Analysis of Possible Frappo Domains

Although the domains in this study could be used in several malicious campaigns unrelated to Frappo, there is still a possibility that they host Frappo phishing pages. It’s interesting to see how they could be used to lure potential victims to fake login pages. Aside from bearing the names of the target companies, the domains also used text strings that could make users believe they are being redirected to the correct websites.

These strings included tech and online terms, such as “services,” “support,” “auth,” and “mobile.” There were also account-related words like “login,” “signon,” “verification,” and “validation.” We also found some text strings that expressed a sense of urgency, such as “alert,” “help,” “security,” and “sale.” The word cloud below shows these and other common terms that appeared in the cybersquatting domains.

Malicious Domain Alert

We performed a bulk malware check on all the domains and found that several were malicious, meaning threat actors didn’t waste time weaponizing them. More than 800 domains were flagged as dangerous by various malware engines. Alarmingly, some of these malicious domains still resolved to web pages that hosted questionable content.

With phishing and impersonation campaigns increasingly becoming more accessible and automated through toolkits like Frappo, nipping related threats in the bud is essential. Monitoring domain registrations can help, along with constant vigilance and user cybersecurity education.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.