Organizations get bombarded with countless attacks from every direction, including via their supply chain. FortifyData’s recent record of the top third-party data breaches in 2023 brings to light how multidirectional threat sources can be.

In one of the data breaches on the list, AT&T disclosed in March 2023 that threat actors accessed the information of approximately 9 million wireless accounts through the telecommunication company’s marketing vendor. Building on this threat source, WhoisXML API researchers looked into domains impersonating marketing service providers that can serve as possible vehicles of third-party threats. Our key findings include:

• 8,400+ domains containing the names of popular marketing vendors, very few of which could be publicly attributed to the companies
• Less than half had IP resolutions, with several hosting suspicious content unrelated to the imitated companies
• Dozens of domains were flagged as malicious, hinting at a pattern that uses the string us followed by a number
• 570+ domains following the malicious pattern added from 1 January to 5 May 2023
• 4% of the us-containing domains were malicious

The domains found in the study can be used to target employees and partners of the imitated marketing companies, creating a domino effect that can affect their clients, as in AT&T’s case.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Cybersquatting Domains Targeting Popular Marketing Vendors

Our research focused on 10 famous marketing service providers. We looked up their company names on Domains & Subdomains Discovery. In one case, we added crm as a search term to avoid false positives. The table below shows the marketing vendors, the search strings used, and the number of domains found as of 5 May 2023.

We found a total of 8,464 domains containing the marketing companies’ names. About 4.4% of them were registered this year.

Cybersquatting Domain Attribution

We then obtained the current WHOIS records of the cybersquatting domains using Bulk WHOIS Lookup to determine their ownership. Based on the registrant organization field, 50% of the cybersquatting domains could be publicly attributed to the marketing vendors. The legitimate companies may own or have some control over the domains.

However, when we based the attribution analysis on the more reliable registrant email field, we found that only 1% could be publicly attributed to the imitated companies. The rest either had redacted WHOIS records or were maintained by other entities.

Suspicious Usage of the Cybersquatting Domains

About 45% of the cybersquatting domains actively resolved to IP hosts. Most were parked, while several hosted or redirected to websites with questionable content. Below are some examples of domains whose content was not directly related to the imitated companies.

Malicious Usage of the Cybersquatting Domains

A bulk malware check on the domains revealed that dozens of them were malicious, with some still hosting active content, as shown below.

Note the similarity between the content of zohocrm[.]ro and hubspotn[.]com from the previous section.

Threat Expansion: Zooming in on Third-Party Threat Patterns

Several malicious cybersquatting domains hinted at a possible campaign tactic where threat actors use domains starting with the string us followed by a number and a dash, such as us1-mailchimp[.]com and us2mailchimp[.]com.

Expanding our threat discovery to include this pattern, we turned to Domains & Subdomains Discovery again and searched for domains that began with the same suspicious strings. We found 575 such web properties added from 1 January to 5 May 2023. The table below shows the breakdown per search string.

We ran a bulk malware check on these properties and found that 4% of the domains were malicious.

The suspicious and malicious domains found in this study can help organizations avoid third-party threats riding on cybersquatting domains. A deeper look into the usage of these properties led us to a suspicious domain pattern, which uncovered hundreds of malicious us-containing domains.

The findings of this study further highlight the multidimensional nature of the current threat landscape. Threat actors could use various threat vectors from different sources, making proactive and extensive threat discovery essential.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.