Threat actors are increasingly impersonating businesses in phishing attacks. In May 2022, 52% of business email compromise (BEC) scams impersonated third-party organizations, exposing businesses to supply chain attacks. Detecting cybersquatting resources that can potentially serve as vehicles for such attacks can help protect businesses, including their employees, clients, partners, and other stakeholders.
In line with this, WhoisXML API uncovered and analyzed the domain footprint of 29 Fortune 500 companies and 20 top CEOs. We mapped out the business impersonation landscape in the Domain Name System (DNS). Some of our key findings include:
You can read more about these and other findings by downloading the white paper from our website. We’ll discuss some of them below.
Domains & Subdomains Discovery played a significant role in uncovering the cybersquatting properties in this study. We focused on three types of business impersonation to narrow down the data sample and keep false positives to a minimum.
First, we built on the data from the 2021 CEO Impersonation Report and looked for resources containing the names of 20 top CEOs.
We then focused on web properties that used the names of 29 Fortune 500 companies, alongside search strings commonly used in phishing URLs. These strings may promote a sense of urgency in the victims or imitate a department or critical function of the mimicked company.
The table below lists the search strings and provides some examples of the cybersquatting resources we found.
Type of Keyword | Keywords | Examples of Properties Found |
---|---|---|
Urgency-inducing strings | • “login” • “signin” • “register” • “pay” • “auth” • “sale” • “update” • “verif” • “recover” | • login-required-wells-fargo-account[.]com • signinadobe[.]ph • registeramazon[.]vg • carteamericanexpressprepayee[.]vg • salesforce-oauth[.]s[.]christian[.]kompasbank[.]net • appleresales[.]com • microsoftupdaterequired5[.]ws • webdisk[.]netflix101e-verify[.]duckdns[.]org • hostmaster[.]oracle-data-recovery-p7780[.]123-free-download[.]com |
Department or function | • “marketing” • “support” • “finance” • “security” • “recruit” | • adobemarketingclub[.]continu[.]nl • premiumpaymentsupportinfoamazon[.]com • esboraclelegacyfinanceskupub[.]sharefile[.]eu • applecare-customer-security[.]com • kaggle-walmart-recruiting-store-sales-forecasting[.]connxusdemo[.]com |
In sum, the types of business impersonation covered in this report are:
We analyzed the narrowed-down data sample to determine their attribution, associations, and usage. Below are the questions we tackled.
Establishing the ownership of the domains allows us to determine who controls them. The properties are less likely to be malicious if they can be attributed to the imitated organizations. However, if they bear the company name but are controlled by other entities, they can potentially be used in malicious or impersonation campaigns.
The cybersquatting domains in this study could hardly be attributed to legitimate companies. Only about 2% had registrant organizations that matched the company names used in the domains.
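The two filters described above, a company name combined with an urgency or department keyword, followed by a WHOIS attribution check, can be reproduced over any hostname list. The script below is an added example written for this page and is not WhoisXML API code or the tooling used in the study. It takes defanged hostnames (several are the report's own examples) paired with registrant organisations that are constructed for the example, classifies each hit by brand and keyword type, and treats a hit as company-owned only when the registrant organisation contains the brand. The brand list, the keyword lists, and the dynamic-DNS parent list (taken from the malicious subdomains shown later in the report) are assumptions of the example; a production pipeline would also use the Public Suffix List rather than simple suffix matching.

```python
"""Brand-impersonation triage over candidate hostnames (added example).

Applies the report's two filters: (1) brand token plus urgency/department
keyword, (2) WHOIS attribution. Hosts under a dynamic-DNS parent are never
treated as attributed, because registrable-domain WHOIS there identifies
the DDNS provider, not whoever created the impersonating label.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand tokens with hyphens removed so "wells-fargo" and "wellsfargo" match.
# Longer tokens come first so "metamask" is preferred over "meta". (Assumed.)
BRANDS = ["americanexpress", "wellsfargo", "salesforce", "microsoft",
          "metamask", "netflix", "walmart", "amazon", "oracle", "apple",
          "adobe", "meta"]
KEYWORDS = {
    "urgency": ["login", "signin", "register", "pay", "auth", "sale",
                "update", "verif", "recover"],
    "department": ["marketing", "support", "finance", "security", "recruit"],
}
# Dynamic-DNS parents seen among the report's malicious subdomains (assumed list).
DYNAMIC_DNS = ("duckdns.org", "ddns.net", "myvnc.com", "x24hr.com",
               "dynserv.org", "ddnsking.com", "ns01.info")


@dataclass
class Hit:
    host: str
    brands: List[str]
    keyword_types: List[str]
    attributed: bool
    dynamic_dns: bool


def refang(host: str) -> str:
    """Undo the '[.]' defanging used in the report and normalise the host."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()


def compact(text: str) -> str:
    """Drop hyphens, dots and spaces so tokens split across labels still match."""
    return re.sub(r"[-.\s]", "", text)


def is_dynamic_dns(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in DYNAMIC_DNS)


def classify(host: str, registrant_org: Optional[str]) -> Optional[Hit]:
    """Return a Hit when the host carries a brand plus a phishing keyword."""
    h = refang(host)
    body = compact(h)
    brands = [b for b in BRANDS if b in body]
    if not brands:
        return None
    # Keep only the most specific brand ("metamask" also contains "meta").
    brands = [b for b in brands if not any(b != o and b in o for o in brands)]
    # Strip brand tokens before keyword matching so "salesforce" alone does
    # not trigger the "sale" keyword.
    rest = body
    for b in brands:
        rest = rest.replace(b, "")
    kinds = [k for k, words in KEYWORDS.items() if any(w in rest for w in words)]
    if not kinds:
        return None
    dyn = is_dynamic_dns(h)
    org = compact((registrant_org or "").lower())
    attributed = (not dyn) and any(b in org for b in brands)
    return Hit(h, brands, kinds, attributed, dyn)


def triage(records: List[Tuple[str, Optional[str]]]) -> List[Hit]:
    """Hits that could NOT be attributed to the imitated company."""
    hits = (classify(h, org) for h, org in records)
    return [x for x in hits if x is not None and not x.attributed]


# Constructed sample: hostnames from the report's tables, registrant
# organisations invented for the example (redacted/privacy entries are common).
SAMPLE = [
    ("login-required-wells-fargo-account[.]com", "Privacy Protect, LLC"),
    ("salesforce-oauth[.]s[.]christian[.]kompasbank[.]net", None),
    ("appleresales[.]com", "REDACTED FOR PRIVACY"),
    ("metamaskupdate[.]com", "Domains By Proxy, LLC"),
    ("cpcalendars[.]amazon-signin-seorangcepu-161[.]duckdns[.]org", "Amazon Technologies, Inc."),
    ("amazonfinance[.]co[.]za", "Amazon Technologies, Inc."),  # attributable
    ("amazonbooks[.]co", None),                                   # no keyword
    ("example[.]com", None),                                      # no brand
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        flag = " [dynamic DNS]" if hit.dynamic_dns else ""
        print(f"{hit.host}: {','.join(hit.brands)} / {','.join(hit.keyword_types)}{flag}")
```

The attribution step is deliberately conservative: a registrant organisation that merely contains the brand is enough to drop a hit from the cybersquatting list, which mirrors the roughly 2% of matches the study could attribute, while anything behind a privacy service or a dynamic-DNS provider stays in the list for manual review.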
Most of the resources had redacted or privacy-protected WHOIS records, unlike the mimicked companies, most of which publish their registrant details.
Through Bulk WHOIS Lookup, we also looked at the domain registrars to identify the organizations that manage the properties. Around 38% were registered with PDR Ltd. The other top registrars included GoDaddy, MarkMonitor, Namecheap, Network Solutions, NameSilo, Amazon, CoCCA Registry Services, and REGRU.
On the hosting side, the leading Internet service provider (ISP) was Amazon, accounting for 27% of the IP resolutions uncovered through Bulk IP Geolocation. Cloudflare, Google, HYAS, Digital Ocean, Microsoft, Linode, Sharktech, Fastly, and OVH completed the top 10 ISPs.
Screenshot analyses of the cybersquatting resources yielded interesting results. While several were parked or returned HTTP 403 and 404 error pages, others hosted questionable content. One example is amazonfinance[.]co[.]za, whose website screenshot appears below.
Among the glaring inconsistencies is the Amazon logo on the page’s upper-left corner. While it is the company’s logo, its pixelated background suggests that it may have been copied off the web.
The page also encourages visitors to take up an Amazon personal loan offer. However, a quick check shows that Amazon only offers business loans, and the details of that program are published on sell[.]amazon[.]com/programs/amazon-lending rather than on a third-party website.
Out of the more than 49,000 cybersquatting resources, 12.32% have been flagged as malicious by various malware engines. Some examples of the malicious domains and subdomains appear below.
Malicious Domains | Malicious Subdomains |
---|---|
• acountnetflixsupport[.]ml • adobe-auth-mesquiteisd[.]ml • apple-support-teck[.]com • authwellsfargologin[.]com • customerlogindecemberamazon[.]com • helpsecurityformeta[.]ml • infoverifisemangkaamazon[.]com • metafinance[.]cc • metalivesupportteam[.]xyz • metamaskupdate[.]com • metamask-verifyprocess[.]net • metapresale[.]xyz • metaverifiedbadgesupport[.]cf • metaverifychannels[.]tk • netflix-verify[.]fr • notice-wells-fargo-update03032[.]com • paymentttdsamazonamazon[.]com • salesforceapplesoftware[.]com • servicespayments-amazonbillingaccounts[.]info • supportonmetaandinfo[.]tk | • webmail[.]idmsaweb-signinauthapple[.]egcayf6gy363e9u[.]com • support[.]secure[.]apple[.]accounts[.]gologens[.]com • cpcalendars[.]idmsaweb-signinauthapple[.]93raalrz3i8dbr5[.]com • login[.]microsoft[.]tgihf[.]click • mail[.]netflixbillupdate[.]dynserv[.]org • ssosecurepay-amazon[.]myvnc[.]com • cpcalendars[.]amazon-signin-seorangcepu-161[.]duckdns[.]org • cpcalendars[.]awsconsoleauthentication-amazon[.]x24hr[.]com • inlogin[.]metamask[.]mintemuco[.]com • www[.]login[.]microsoftonline[.]otlib[.]me • amazon-websign02[.]appsauth-secure[.]sdt2oa[.]com • cpcontacts[.]payment-authentication-netflix[.]ns01[.]info • wellsfargologin[.]ddns[.]net • securepay-amazon[.]ddnsking[.]com • www[.]netflix-login-fr-activates[.]prohoster[.]biz • www[.]support[.]apple[.]br-find[.]live • awsupdatexpired-amazon[.]x24hr[.]com • login[.]microsoft[.]checkpoint[.]academy • cpanel[.]signinauth-appidkeyapple[.]rs6g8wf8y110[.]com • www[.]loginauth-webauthapple[.]j15i38edvygu[.]com |
Impersonation remains an age-old problem for businesses. Digitization has amplified the threat and its repercussions. One cybersquatting property can be used to trick several people into giving out their credentials, downloading malware, or even sending money to scammers. Detecting these properties as they get added to the DNS is a critical step toward mitigating business impersonation.
If you wish to uncover cybersquatting properties or perform similar research, please don’t hesitate to contact us.