In early July 2022, news broke about the arrest of a CEO who allegedly sold fake Cisco networking devices. While he used e-commerce sites as sales channels, the idea that counterfeit products are also peddled through cybersquatting domains is not too far-fetched. In fact, we demonstrated this at Europol’s 13th Operation In Our Sites (IOS), along with other organizations in the cybersecurity community.
Aside from counterfeiting, cybersquatting domains can also serve as vehicles for other types of cybercrime, such as spear phishing, scams, and spamming. In line with that, WhoisXML API researchers monitored the Domain Name System (DNS) for cybersquatting domains targeting Cisco and its major competitors—Avaya, Broadcom, Juniper Networks, and Netgear. Our findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We used the company names as search strings to retrieve relevant properties using Domains & Subdomains Discovery. To lessen the number of false positives, we added restrictions, such as excluding domains that contained the string “francisco” for Cisco cyber resources.
We found 2,797 cybersquatting properties added from 1 June to 8 August 2022. We then analyzed these resources using IP, WHOIS, and other DNS intelligence tools.
Before proceeding with any other analyses, we thought it’d be interesting to establish attribution for the properties. Does the targeted company own them? Based on the Bulk WHOIS Lookup results, the cybersquatting properties could hardly be attributed to the network hardware providers.
In particular, only eight domains shared the same publicly available registrant details as the official domains of the companies, and they were all owned by Cisco. About 85% of the non-publicly attributable domains actively resolved to 1,400+ unique IP addresses.
More than 60% of the properties resolved to IP addresses geolocated in the U.S., while the rest were distributed across 49 other countries. The locations didn’t differ much from the registrant countries of most of the domains. About 46% of them were registered in the U.S. as well, and the remaining domains were registered across 47 other countries.
The table below shows the top 10 countries in terms of IP geolocation and WHOIS registration, along with the percentage of properties attributed to them.
| Rank | Top 10 IP Geolocations | Top 10 Registrant Countries |
|---|---|---|
| 1 | U.S. (60.34%) | U.S. (45.59%) |
| 2 | Germany (6.54%) | Iceland (5.74%) |
| 3 | Canada (4.85%) | Canada (5.50%) |
| 4 | U.K. (4.85%) | Austria (4.28%) |
| 5 | France (3.16%) | U.K. (2.75%) |
| 6 | Ireland (2.39%) | France (1.78%) |
| 7 | Switzerland (2.21%) | Germany (0.89%) |
| 8 | Russia (1.94%) | China (0.89%) |
| 9 | Netherlands (1.67%) | Japan (0.65%) |
| 10 | China (1.32%) | Finland (0.49%) |
Part of our study was to find out who had authority over the properties. For the domains, that would be GoDaddy, since it is the top registrar of the cybersquatting resources, accounting for 16% of the registrations. It was followed by MarkMonitor, Namecheap, Network Solutions, Info.at, Google, Amazon, PDR Ltd., 123-Reg Limited, and Wix. The rest were distributed across 154 other registrars.
Most of the cybersquatting domains in the study (19%) resolved to IP addresses belonging to Amazon. Google accounted for 10%, followed by Cloudflare, Microsoft, Fastly, OVH, Linode, Hetzner, Digital Ocean, and Wix.
More than a dozen cybersquatting resources have been reported as malicious since 8 August 2022. Among them is netgearextendersetups[.]com, which resolved to 190[.]115[.]26[.]62. Five other similar-looking cybersquatting domains also resolved to the same IP address but haven’t been flagged yet. These are:
Aside from resolving to the same IP address, these domains also shared the same registrar and nameserver. The rest of their WHOIS details were redacted, except for netgearwifiextendersetup[.]us. We retrieved a public email address that was historically tied to 17 suspicious-looking domains, according to Reverse WHOIS Search. Some seemed to mimic the login pages of router and entertainment sites. These are shown in the screenshot below.
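As an added illustration of the two steps described above (the brand-string search with the “francisco” exclusion for Cisco, and the shared-IP pivot applied to netgearextendersetups[.]com), here is a small Python triage script. It is not WhoisXML API code; only netgearextendersetups[.]com and 190[.]115[.]26[.]62 come from this post, and every other domain and IP is a constructed sample.

```python
from collections import defaultdict

# Brands monitored in the post; the "francisco" exclusion for Cisco is the
# post's own rule, the empty exclusion lists for the other brands are an assumption.
BRANDS = {"cisco": ["francisco"], "avaya": [], "broadcom": [], "juniper": [], "netgear": []}

def refang(indicator):
    """Turn a defanged indicator such as example[.]com back into a plain string."""
    return indicator.lower().replace("[.]", ".")

def matched_brand(domain):
    """Return the monitored brand name contained in the domain, or None."""
    name = refang(domain)
    for brand, exclusions in BRANDS.items():
        if brand in name and not any(x in name for x in exclusions):
            return brand
    return None

def find_cybersquats(domains, official):
    """Map brand-containing domains to their brand, skipping the official ones."""
    hits = {}
    for d in domains:
        brand = matched_brand(d)
        if brand and refang(d) not in official:
            hits[refang(d)] = brand
    return hits

def siblings_by_ip(records, flagged):
    """Domains that share a resolved IP with a flagged domain (the IP pivot)."""
    by_ip = defaultdict(set)
    for d, ip in records:
        by_ip[refang(ip)].add(refang(d))
    out = set()
    for ds in by_ip.values():
        if refang(flagged) in ds:
            out |= ds - {refang(flagged)}
    return sorted(out)

# Constructed sample input; only netgearextendersetups[.]com and
# 190[.]115[.]26[.]62 come from the post, the rest are made up here.
SAMPLE_DOMAINS = ["cisco.com", "cisco-support-login.com", "sanfrancisco-networks.com",
                  "netgearextendersetups[.]com", "netgear-wifi-helpdesk.net",
                  "juniperlogin-portal.org", "example.com"]
OFFICIAL = {"cisco.com"}  # domains attributed to the company itself
SAMPLE_RECORDS = [("netgearextendersetups[.]com", "190[.]115[.]26[.]62"),
                  ("netgear-wifi-helpdesk.net", "190[.]115[.]26[.]62"),
                  ("juniperlogin-portal.org", "190[.]115[.]26[.]62"),
                  ("cisco-support-login.com", "203.0.113.10")]
```

Running `find_cybersquats(SAMPLE_DOMAINS, OFFICIAL)` drops the official cisco.com and the “sanfrancisco” false positive, and `siblings_by_ip(SAMPLE_RECORDS, "netgearextendersetups[.]com")` returns the two constructed domains sharing its IP.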
Only time can tell if they will also be weaponized, but keeping an eye on them and other cybersquatting properties could be a good cybersecurity practice.
We began with cybersquatting properties, some of which could be benign. Still, a deep dive into the malicious ones led us to more suspicious properties that could harm users and their networks.
The suspicious properties we uncovered in this post can be used to sell fake network devices. They can also be weaponized to serve as phishing, scam, and malware distribution vectors.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.