|
Threat actors are increasingly impersonating businesses in phishing attacks. In May 2022, 52% of business email compromise (BEC) scams impersonated third-party organizations, exposing businesses to supply chain attacks. Detecting cybersquatting resources that can potentially serve as vehicles for such attacks can help protect businesses, including their employees, clients, partners, and other stakeholders.
In line with this, WhoisXML API uncovered and analyzed the domain footprint of 29 Fortune 500 companies and 20 top CEOs. We mapped out the business impersonation landscape in the Domain Name System (DNS). Some of our key findings include:
You can read more about these and other findings by downloading the white paper from our website. We’ll discuss some of them below.
Domains & Subdomains Discovery played a significant role in uncovering the cybersquatting properties in this study. We focused on three types of business impersonation to narrow down the data sample and avoid as many false positives as possible.
First, we built on the data from the 2021 CEO Impersonation Report and looked for resources containing the names of 20 top CEOs.
We then focused on web properties that used the names of 29 Fortune 500 companies, alongside search strings commonly used in phishing URLs. These strings may promote a sense of urgency in the victims or imitate a department or critical function of the mimicked company.
The table below lists the search strings and provides some examples of the cybersquatting resources we found.
Type of Keyword | Keywords | Examples of Properties Found |
---|---|---|
Urgency-inducing strings | • “login” • “signin” • “register” • “pay” • “auth” • “sale” • “update” • “verif” • “recover” | • login-required-wells-fargo-account[.]com • signinadobe[.]ph • registeramazon[.]vg • carteamericanexpressprepayee[.]vg • salesforce-oauth[.]s[.]christian[.]kompasbank[.]net • appleresales[.]com • microsoftupdaterequired5[.]ws • webdisk[.]netflix101e-verify[.]duckdns[.]org • hostmaster[.]oracle-data-recovery-p7780[.]123-free-download[.]com |
Department or function | • “marketing” • “support” • “finance” • “security” • “recruit” | • adobemarketingclub[.]continu[.]nl • premiumpaymentsupportinfoamazon[.]com • esboraclelegacyfinanceskupub[.]sharefile[.]eu • applecare-customer-security[.]com • kaggle-walmart-recruiting-store-sales-forecasting[.]connxusdemo[.]com |
In sum, the types of business impersonation covered in this report are:
We analyzed the narrowed-down data sample to determine their attribution, associations, and usage. Below are the questions we tackled.
Establishing the ownership of the domains allows us to determine who controls them. The properties are less likely to be malicious if they can be attributed to the imitated organizations. However, if they bear the company name but are controlled by other entities, they can potentially be used in malicious or impersonation campaigns.
The cybersquatting domains in this study could hardly be attributed to legitimate companies. Only about 2% had registrant organizations that matched the company names used in the domains.
Most of the resources had their WHOIS records redacted or privacy-protected, which most of the mimicked companies aren’t doing.
Through Bulk WHOIS Lookup, we also looked at the domain registrars and Internet service providers (ISPs) to identify the organizations that manage them. Around 38% of the properties were registered with PDR Ltd. The other top registrars included GoDaddy, Mark Monitor, Namecheap, Network Solutions, NameSilo, Amazon, CoCCA Registry Services, and REGRU.
On the other hand, the leading ISP was Amazon, accounting for 27% of the total number of IP resolutions uncovered through Bulk IP Geolocation. Cloudflare, Google, HYAS, Digital Ocean, Microsoft, Linode, Sharktech, Fastly, and OVH completed the top 10 ISPs.
Screenshot analyses of the cybersquatting resources yielded interesting results. While several were parked and resolved to 403 and 404 pages, others hosted questionable content. One example is amazonfinance[.]co[.]za, whose website screenshot appears below.
Among the glaring inconsistencies is the Amazon logo on the page’s upper-left corner. While it is the company’s logo, its pixelated background suggests that it may have been copied off the web.
The page also encourages users to avail of Amazon’s personal loan offer. However, simple research would tell us that Amazon only offers business loans. Details about the loan can also be found on sell[.]amazon[.]com/programs/amazon-lending instead of a different website.
Out of the more than 49,000 cybersquatting resources, 12.32% have been reported malicious by various malware engines. We provide some examples of the malicious domains and subdomains below.
Malicious Domains | Malicious Subdomains |
---|---|
• acountnetflixsupport[.]ml • adobe-auth-mesquiteisd[.]ml • apple-support-teck[.]com • authwellsfargologin[.]com • customerlogindecemberamazon[.]com • helpsecurityformeta[.]ml • infoverifisemangkaamazon[.]com • metafinance[.]cc • metalivesupportteam[.]xyz • metamaskupdate[.]com • metamask-verifyprocess[.]net • metapresale[.]xyz • metaverifiedbadgesupport[.]cf • metaverifychannels[.]tk • netflix-verify[.]fr • notice-wells-fargo-update03032[.]com • paymentttdsamazonamazon[.]com • salesforceapplesoftware[.]com • servicespayments-amazonbillingaccounts[.]info • supportonmetaandinfo[.]tk | • webmail[.]idmsaweb-signinauthapple[.]egcayf6gy363e9u[.]com • support[.]secure[.]apple[.]accounts[.]gologens[.]com • cpcalendars[.]idmsaweb-signinauthapple[.]93raalrz3i8dbr5[.]com • login[.]microsoft[.]tgihf[.]click • mail[.]netflixbillupdate[.]dynserv[.]org • ssosecurepay-amazon[.]myvnc[.]com • cpcalendars[.]amazon-signin-seorangcepu-161[.]duckdns[.]org • cpcalendars[.]awsconsoleauthentication-amazon[.]x24hr[.]com • inlogin[.]metamask[.]mintemuco[.]com • www[.]login[.]microsoftonline[.]otlib[.]me • amazon-websign02[.]appsauth-secure[.]sdt2oa[.]com • cpcontacts[.]payment-authentication-netflix[.]ns01[.]info • wellsfargologin[.]ddns[.]net • securepay-amazon[.]ddnsking[.]com • www[.]netflix-login-fr-activates[.]prohoster[.]biz • www[.]support[.]apple[.]br-find[.]live • awsupdatexpired-amazon[.]x24hr[.]com • login[.]microsoft[.]checkpoint[.]academy • cpanel[.]signinauth-appidkeyapple[.]rs6g8wf8y110[.]com • www[.]loginauth-webauthapple[.]j15i38edvygu[.]com |
Impersonation remains an age-old problem for businesses. Digitization has amplified the threat and its repercussions. One cybersquatting property can be used to trick several people into giving out their credentials, downloading malware, or even sending money to scammers. Detecting these properties as they get added to the DNS is a critical step toward mitigating business impersonation.
If you wish to uncover cybersquatting properties or perform similar research, please don’t hesitate to contact us.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byCSC
Sponsored byWhoisXML API