Even if cyber attack tactics, techniques, and procedures (TTPs) have become increasingly sophisticated over the years, age-old phishing remains the most-used attack vector to this day. In fact, SlashNext detected 255 million phishing attacks over six months in 2022. They detailed their findings in the The State of Phishing Report 2022, which also named some of the most impersonated companies in phishing campaigns.

Building on this list, WhoisXML API researchers sought to uncover, study, and possibly attribute the recently created domains bearing the brand names commonly spoofed in phishing attacks to their owners. Our investigation revealed:

• 12,000+ domains containing the names of the most-impersonated brands and added between 1 January and 5 March 2023
• Only .8% of these cybersquatting domains had WHOIS records that could be publicly attributed to the companies whose names appeared in the domains
• 8,000+ of these properties had active IP resolutions, but only 30 of the IP hosts could be attributed to the spoofed companies
• 6% of the domains were already flagged as malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Retrieving Cybersquatting Domains

SlashNext named 18 companies as the most-impersonated global brands. Using Domains & Subdomains Discovery, we found 12,265 domains related to the threat since they contained the brand names registered from 1 January to 5 March 2023. For some companies, we used other targeted text strings to avoid as many false positives as possible.

For example, instead of retrieving all domains containing ADP, we combined it with strings associated with the company, such as pay, hr, log, manage, portal, online, employ, and tech. For Box, we used the company name, alongside cloud, support, work, login, account, and signin.

Furthermore, we only obtained domains that started with the search string for company names that were quite common and began with vowels. The table below shows the search string used for each company and the number of domains we retrieved.

WHOIS and IP Host Attribution

Domain attribution effectively distinguishes cybersquatting (and potentially dangerous) domains from a slew of official-looking properties. For this investigation, we analyzed the attribution in two ways—WHOIS ownership and IP address resolution.

Through Bulk WHOIS API, we determined the registrant organizations of the impersonated companies and the potential cybersquatting domains. All except Discord had public WHOIS records.

Only 97 or less than 1% of the 12,000+ domains in the study could be publicly attributed to the spoofed companies, leaving thousands of cybersquatting domains in the hands of unknown entities.

Our IP resolution analysis yielded a similar outcome. Bulk IP Geolocation API helped us determine that the official domains of the brands in the study resolved to a total of 47 unique IP addresses.

We also found that only about 67% of the recently added cybersquatting domains had active resolutions. However, only 30 (0.4%) of these could be attributed to the companies’ IP addresses that hosted their official domains.

Determining Domain Usage through Malware Checks and Screenshot Analyses

Given that most domains couldn’t be publicly attributed to the impersonated global brands, we sought to find out if some of them had been reported as malicious.

As of 5 March 2023, 6% of the recently added cybersquatting domains were flagged as malicious. Most properties contained strings like support, id, online, login, account, email, and help. The word cloud below shows the common text strings used in the malicious cybersquatting domains.

Some of the most notable and recurring string combinations found in the malicious domains were:

• adobe-email-doc-protect and adobemaildocprotect
• appleid
• auth-bankofamerica
• facebook-checkpoint-help-center
• facebook-fanpage-verify
• keepupadsongoogle
• mynetflix
• paypalverifications
• loginmicrosoftonline and login-microsoftonline

Screenshot analyses of the malicious properties revealed that some continued to host live websites that were made to look similar to those belonging to the impersonated companies. Below are a few examples.

Other malicious domains hosted sites that asked users to provide their login details.

Threat Expansion through WHOIS Associations

The current WHOIS records of the malicious domains led us to 44 unique and unredacted email addresses. Reverse WHOIS searches uncovered 21,116 domains currently registered using the email addresses associated with the malicious domains we found.

An example was the email address used to register the malicious domain applesoporte-id[.]com. We found more than a dozen other domains mostly impersonating Apple. Their relationships are mapped in the following Maltego image.

Threat actors will continue to use phishing to gain initial access to target systems. Impersonating global brands like the ones in this report may remain a favorite phishing tactic because of its effectiveness in luring in victims.

Uncovering potential cybersquatting domains targeting these companies can help with real-time threat detection and response, including new domain blocking, threat actor monitoring, and predictive adversary disruption.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.