While threat actors can use any domain across thousands of top-level domains (TLDs), they often have favorites. For instance, you may be familiar with Spamhaus’s 10 most-abused TLDs for spamming.
WhoisXML API researchers recently built on this list by analyzing 40,000 newly registered domains (NRDs) registered under some of the TLDs on it. We called this study “DNS Abuse Trends: Dissecting the Domains Under the Most-Abused TLDs.” Below is a summary of the report’s findings:
Having observed domain and DNS activity for years, we were not surprised by these patterns. The study did, however, confirm that the trends remain relevant in 2023 and will probably persist in the coming years.
WHOIS data redaction is nothing new. Its legitimate purpose is to protect domain owners’ privacy, but threat actors have knowingly taken advantage of it, hiding behind the same privacy protection.
In a webinar conducted by the Coalition for a Secure and Transparent Internet in June 2022, ITIF Vice President Daniel Castro said WHOIS data redaction has given a “new cloak of anonymity and protection to Internet site operators engaged in illegal and malicious activity.”
Our study supported that argument: most of the domain names under the most-abused TLDs revealed little about their registrants. About 64% of them had redacted WHOIS records.
This trend will likely continue in the coming years as privacy laws tighten and as data protection-as-a-service (which includes domain privacy protection) is predicted to become a US$94.3-billion industry by 2027.
We often see cybersquatting domains targeting popular companies as indicators of compromise (IoCs) used to host fake donation websites, launch denial-of-service (DoS) attacks, and run other malicious campaigns.
As to who their targets are, Check Point’s recent report tells us that the most-imitated brands are:
Still, no company or industry is safe. An in-depth study published by Akamai in 2022 revealed that cybersquatters actually don’t ignore any vertical. The domains under the most-abused TLDs we studied were no different.
Many of the properties we identified seemingly rode on the popularity of well-known brands, such as Windows, Apple, United Parcel Service (UPS), and Walmart. Here’s an example of a cybersquatting domain targeting Walmart, which hosted a website featuring the imitated store’s logo and company colors.
On the other hand, the content of the official Walmart domains looks like this:
Brand squatting domains with look-alike content remain effective lures for stealing sensitive information, as in the case of a Google ad for GIMP[.]org that served info-stealers through a look-alike website in October 2022.
Also, generic finance-related strings frequently appeared among the domains sporting the most-abused TLDs. We saw several domains potentially targeting online banking users and parcel delivery recipients. Examples include acces-deposit[.]live, bankid[.]live, gllacierbnk[.]top, and parcel-track[.]link.
This pattern recalls a cybercrime group called the “Disneyland Team,” which spoofed popular banks in 2022 through domains containing typo variants and Punycode. To imitate usbank[.]com, for example, the group distributed malware via ushank[.]com (an h in place of the b). To spoof Ameriprise, it used ạmeriprisẹ[.]com, whose Punycode form is xn--meripris-mx0doj[.]com; the xn-- prefix marks the label as an encoded internationalized domain name, and the dotted-below a and e are what the encoding carries.
The recurring xn-- prefix in our DNS abuse study highlights the prevalent use of Punycode, the ASCII encoding of internationalized domain names (IDNs). As illustrated above, IDNs lend themselves to brand squatting: only a few characters need to be swapped for look-alikes from another script, or for Latin letters carrying diacritics, to produce a label that reads as the brand.
The presence of xn-- can also mean that a campaign and its targets were localized, with the domain written entirely in the target’s language. Below are a few examples.
| Punycode | IDN |
|---|---|
| xn--54qx09k[.]beauty | 觅光[.]beauty |
| xn--6oq6rw3hw6dfy2a1ouk7ff9i2y4a27s[.]top | 银保监会在线查询窗口[.]top |
| xn--k1ahd[.]su | прл[.]su |
| xn--80aimufiw[.]su | ардуино[.]su |
| xn--b8q084c[.]cn | 冷枫[.]cn |
| xn--hm-vra[.]live | hōm[.]live |
| xn--fiq53l6wck2kojtj8g[.]fit | 中国物流平台[.]fit |
| xn--80adzthg3lb[.]link | сітівапк[.]link |
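The following Python script is an added example for this post, not code from the report or from WhoisXML API. It decodes xn-- labels with the standard library’s idna codec, checks each label for script mixing, reduces it to a confusable-free “skeleton” in the spirit of Unicode TR39 (diacritics stripped, look-alike Cyrillic letters mapped to Latin), and compares the skeleton against a brand watchlist with a one-edit tolerance so that typo variants such as ushank are caught alongside homoglyph domains such as ạmeriprisẹ. The watchlist, the small Cyrillic-to-Latin confusables map, and the sample domains are constructed for illustration; the Cyrillic “citibank” look-alike is modeled on the сітівапк entry in the table above, and paypal is added only to exercise the mixed-script case.

```python
"""Decode xn-- (Punycode) labels and flag look-alike domains.

Added example for this post; it is not code from the report or from
WhoisXML API. The watchlist, the confusables map and the sample domains
are constructed for illustration.
"""
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin ones.
# Unicode's confusables.txt is the authoritative list; this table is an
# assumption of what matters for the brands below, not exhaustive.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0432": "b",
    "\u0442": "t", "\u043d": "h", "\u043a": "k", "\u043f": "n",
    "\u043c": "m",
}

# Constructed watchlist: brands named in the post plus paypal.
WATCHLIST = ["usbank", "ameriprise", "citibank", "walmart", "paypal"]


def refang(domain):
    """Turn the post's defanged notation (example[.]com) back into a real name."""
    return domain.replace("[.]", ".").lower()


def idn_to_unicode(domain):
    """Decode every xn-- label with the stdlib idna codec (IDNA2003 rules).

    Labels that fail to decode are kept verbatim rather than dropped, so a
    malformed label still shows up in the output.
    """
    out = []
    for label in refang(domain).split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)


def scripts(label):
    """Script names for the letters in a label (first word of the Unicode name)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Strip diacritics (NFKD, drop combining marks) and map confusable
    Cyrillic letters to Latin, a simplified TR39-style skeleton."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in stripped)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain, watchlist=WATCHLIST, max_distance=1):
    """Return (unicode form, findings) for one possibly defanged domain.

    Findings are tuples: ("mixed-script", label, scripts),
    ("homoglyph", label, brand, distance) when the skeleton differs from the
    label, or ("typo-variant", label, brand, distance) when it does not.
    """
    unicode_form = idn_to_unicode(domain)
    findings = []
    for label in unicode_form.split(".")[:-1]:  # skip the TLD itself
        found = scripts(label)
        if len(found) > 1:
            findings.append(("mixed-script", label, sorted(found)))
        skel = skeleton(label)
        for brand in watchlist:
            d = edit_distance(skel, brand)
            if d > max_distance:
                continue
            if skel != label:
                findings.append(("homoglyph", label, brand, d))
            elif d > 0:
                findings.append(("typo-variant", label, brand, d))
    return unicode_form, findings


if __name__ == "__main__":
    # Constructed sample input: two Disneyland Team-style names, one
    # table entry and one mixed-script PayPal look-alike.
    for sample in ("xn--meripris-mx0doj[.]com", "ushank[.]com",
                   "xn--80aimufiw[.]su", "p\u0430ypal[.]com"):
        seen, hits = assess(sample)
        print(f"{sample:32} -> {seen:20} {hits}")
```

The skeleton step is what makes the Punycode labels comparable to the watchlist: after decoding, ạmeriprisẹ and сітівапк become ameriprise and citibank, while a purely localized name such as ардуино stays Cyrillic and matches nothing. Extend `CYRILLIC_TO_LATIN` from Unicode’s confusables data before using this on real NRD feeds; the subset here covers only the letters the post’s examples need.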
Aside from IDNs, location keywords such as US, Cyprus, and Dubai also appeared repeatedly.
Localized domains like these can be used to deliver location-aware malware such as Roaming Mantis, which in one campaign targeted people in France only: its command-and-control (C&C) server returned a 404 error page to visitors outside France.
While our study focused on domains sporting the most-abused TLDs, the patterns we identified overlapped with those featured in previous studies. For instance, when we analyzed IoCs related to Gigabud RAT, hundreds of artifacts were found squatting on targeted organizations, including Banco de Comercio, Advice, Thai Lion Air, Shopee Thailand, and Kasikornbank.
Our analysis of Royal Ransomware also revealed finance-related domains, particularly those sporting text strings like trading, bbva, and expensify. On top of that, several properties we analyzed in various threat reports weren’t taken down yet at the time of the investigations.
Furthermore, our monthly New Domain Activity Highlights consistently showed massive WHOIS data redaction among NRDs. For three months in a row, the rate had been more than 70%, the highest of which was observed in November 2022, when 85% of the NRDs had redacted WHOIS data.
These studies, along with the findings highlighted in our downloadable report “DNS Abuse Trends: Dissecting the Domains Under the Most-Abused TLDs,” raise a few open questions that remain relevant in 2023, including:
As we await the answers, our team will continue gleaning threat intelligence from domain, IP, and DNS data.
If you want to have a deeper and detailed conversation about DNS abuse or conduct a similar investigation, feel free to contact us.
I’d be interested in seeing a comparison of the stats for domains operated by bad actors with the same stats for reputable domains. Knowing that 2/3rds of spam domains use WHOIS redaction isn’t helpful if 2/3rds of reputable domains also use WHOIS redaction. Behavior where spam domains differ significantly from reputable domains is what we need to have to be able to take any action.
When is a major inventing certified email to avoid spam?