Anything conveniently obtainable online is often ripe for cybercriminal picking, and that’s certainly true for the most commonly used software. We can’t live without them, after all, if we are to thrive and not just survive in the digital world.

Our research delved into web properties that threat actors may have or plan to weaponize to lure in as many potential victims as possible. Our deep dive into the most-impersonated software in malware attacks revealed:

• More than 20,000 domains contain the names of some of the most-mimicked software today—7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp.
• Close to 1,000 of the domains containing the seven featured applications were dubbed “malicious” by various malware engines.
• The 20,000+ domains containing the seven brands resolved to more than 12,000 unique IP addresses.
• From a sample of nearly 1,200 IP addresses, over 10% of the IP address resolutions of the cybersquatting domains were classified as malicious.
• Nearly 30,000 subdomains contain the names of the most-imitated programs.
• Close to 1,000 of the subdomains containing the software brands were tagged “malicious.”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Most-Favored Cyber Attack Targets

VirusTotal recently identified 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp as the most-mimicked software brands in malware attacks. That’s not surprising given their huge user bases.

We put these brands under the Domain Name System (DNS) satellite to gauge how many web properties there are that may be riding on their popularity.

Digital Footprint of the Most-Mimicked Software

We began our investigation by using the following strings to look for domains and subdomains potentially imitating the seven software’s developers via Domains & Subdomains Discovery:

• “7-zip”
• “teamviewer”
• “ccleaner”
• “microsoft” + “edge”
• “steam”
• “zoom”
• “whatsapp”

Given the commonality of some of the strings (i.e., “steam” and “zoom”), however, note that our dataset for the two brands may contain several false positives. That said, the search led to the discovery of 20,751 domains.

A bulk WHOIS lookup for these domains showed that only nine belonged to two of the legitimate brand owners—Zoom and WhatsApp—based on the registrant email addresses indicated in their WHOIS records. These are shown in the table below.

Closer scrutiny of the domains’ WHOIS records also revealed that a majority were recently created—in the 2020s—a far cry from the legitimate company domains’ creation dates, which fell between 1991 (microsoft[.]com) and 2008 (whatsapp[.]com).

A bulk malware check for the cybersquatting domains via Threat Intelligence Platform (TIP) also showed that 992 were involved in malware and spam distribution.

DNS lookups for the domains revealed that they resolved to 12,615 unique IP addresses scattered across 76 countries led by the U.S., Canada, Germany, the Netherlands, Russia, Australia, Guinea, the U.K., France, and Hong Kong as shown in the following map.

Subjecting 10% or about 1,200 of the total IP address resolution volume to TIP malware checks showed that 111 were malicious.

Our search for potential cybersquatting subdomains, meanwhile, led to the discovery of 28,808 web properties, 944 of which were dubbed “malicious” by various malware engines.

Overall, Steam, Zoom, and WhatsApp topped the list of the most-imitated software based on the volume of domains and subdomains containing their brand names. The specific numbers are shown in the table below.

Attack Mitigation

Our digital footprinting study supports the VirusTotal findings—these seven brands are indeed heavily being imitated. What’s more, only nine out of close to 50,000 web properties belonged to the legitimate companies and at least 5% of the domains and subdomains containing the brands were flagged as malicious and shouldn’t be accessed.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.