|
Anything conveniently obtainable online is often ripe for cybercriminal picking, and that’s certainly true for the most commonly used software. We can’t live without them, after all, if we are to thrive and not just survive in the digital world.
Our research delved into web properties that threat actors may have or plan to weaponize to lure in as many potential victims as possible. Our deep dive into the most-impersonated software in malware attacks revealed:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
VirusTotal recently identified 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp as the most-mimicked software brands in malware attacks. That’s not surprising given their huge user bases.
We put these brands under the Domain Name System (DNS) satellite to gauge how many web properties there are that may be riding on their popularity.
We began our investigation by using the following strings to look for domains and subdomains potentially imitating the seven software’s developers via Domains & Subdomains Discovery:
Given the commonality of some of the strings (i.e., “steam” and “zoom”), however, note that our dataset for the two brands may contain several false positives. That said, the search led to the discovery of 20,751 domains.
A bulk WHOIS lookup for these domains showed that only nine belonged to two of the legitimate brand owners—Zoom and WhatsApp—based on the registrant email addresses indicated in their WHOIS records. These are shown in the table below.
Zoom-Owned Domains | WhatsApp-Owned Domains |
---|---|
zoomevents[.]fr zoommeeting[.]fr zoomone[.]us zoomphone[.]sk zoomrooms[.]fr zoomspaces[.]us zoomvideo[.]fr | metawhatsapp[.]us whatsapp-business[.]us |
Closer scrutiny of the domains’ WHOIS records also revealed that a majority were recently created—in the 2020s—a far cry from the legitimate company domains’ creation dates, which fell between 1991 (microsoft[.]com) and 2008 (whatsapp[.]com).
A bulk malware check for the cybersquatting domains via Threat Intelligence Platform (TIP) also showed that 992 were involved in malware and spam distribution.
DNS lookups for the domains revealed that they resolved to 12,615 unique IP addresses scattered across 76 countries led by the U.S., Canada, Germany, the Netherlands, Russia, Australia, Guinea, the U.K., France, and Hong Kong as shown in the following map.
Subjecting 10% or about 1,200 of the total IP address resolution volume to TIP malware checks showed that 111 were malicious.
Our search for potential cybersquatting subdomains, meanwhile, led to the discovery of 28,808 web properties, 944 of which were dubbed “malicious” by various malware engines.
Overall, Steam, Zoom, and WhatsApp topped the list of the most-imitated software based on the volume of domains and subdomains containing their brand names. The specific numbers are shown in the table below.
Software | Domain Volume | Subdomain Volume |
---|---|---|
7-Zip | 5 | 39 |
TeamViewer | 44 | 114 |
CCleaner | 153 | 298 |
Microsoft Edge | 184 | 487 |
Steam | 10,000 | 7,872 |
Zoom | 7,779 | 10,000 |
2,588 | 10,000 |
Our digital footprinting study supports the VirusTotal findings—these seven brands are indeed heavily being imitated. What’s more, only nine out of close to 50,000 web properties belonged to the legitimate companies and at least 5% of the domains and subdomains containing the brands were flagged as malicious and shouldn’t be accessed.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign
Sponsored byCSC