How Fraudulent Domains 'Hide in Plain Sight'

Cybercriminals use new types of top-level domains, topical keywords, and targeted emails to trick victims into clicking malicious links.

Kelly Sheridan, Former Senior Editor, Dark Reading

June 18, 2019

5 Min Read
Dark Reading logo in a gray background | Dark Reading

Domain fraud is an old cybersecurity risk manifesting in new ways as cybercriminals take advantage of new top-level domains, privacy regulations, and social engineering tactics.

More than three-quarters of businesses found "lookalike" domains posing as their brand, researchers at Proofpoint Digital Risk Protection discovered as part of the 2019 Domain Fraud Report. Nearly all (96%) found exact matches of their brand-owned domain with a different top-level domain (TLD); for example, ".net" tacked on the end of the URL instead of ".com."

"This is a huge brand problem, both from a direct revenue standpoint and indirect loss standpoint," says Kevin Epstein, vice president of threat operations at Proofpoint. In a best-case scenario, a consumer may happen upon a blank website with a domain similar to yours. Worst-case scenario, they end up on a fake website, engage in a transaction, and their money and credit card information is sent to a cybercriminal. They're angry at the attacker – and the brand.

"I'd associate this brand, now, with something negative," Epstein continues. Spoofed domains can tarnish a business' reputation, resulting in customer loss and indirect financial impact.

Most domains are registered by people and businesses for legitimate reasons. Some are registered by fraudsters planning to launch phishing attacks, sell knock-off goods on spoofed sites, or use "typo-squatting" domains to make money off unintentional traffic for other sites. Between the first and fourth quarters of 2018, Proofpoint found the registrations of fraudulent domains rose 11%. Domains were categorized as fraudulent based on a classification engine built to analyze domain records, reputation, website content, email activity, and other factors.

"The most interesting thing to me is this change in attacker philosophy," says Epstein of this year's report. Cybercriminals have shifted from investing in highly technical attacks to more individually focused phishing attacks "happening on every street corner of the Internet." Any email can be an attempt to con you out of money, pretending to be from your boss or bank.

Social Scamming

It all comes down to the tricks of a manipulative social engineer. The rise of new TLDs has contributed to fraudulent domain registrations. Researchers saw "significant growth" in fraudulent domains outside the classic ".com," ".net," and ".org." Some of the lesser known TLDs in fraudulent domains include ".top" (#2), ".fr" (#3), ".men" (#19), and ".work" (50). European country codes are often used among criminals hoping to fool victims with fake links.

"Apparently as human beings we're sensitive more to the brand than the extension," says Epstein. "Over time, as computer users, we're less trained to ignore things after the dot."

If someone sees the name of a well-known bank in a URL, they're likely to click without noticing a .pop or .xyz at the end. This should give people pause, but well-known brands seem safe.

This can be seen in new findings from Segasec, which recently detected an increase in domain spoofing targeting customers of Walmart, Best Buy, and Wayfair. In the week leading up to Mother's Day, they noticed 188 domains related to the Walmart brand were created, up from 80 new domains two weeks prior to the holiday: walmartgiftpromo[.]com is an example. Others include bestbuy-survey[.]online, bestbuyus[.]org, and bestbuycyprus[.]eu.

"It is potentially one of the most common threat tactics," says Segasec CEO Elad Schulman. "It's aimed to mislead the weakest link, which is the end user." What's more, he adds, cybercriminals don't have to be advanced to pull this off. "This is something you can familiarize with very easily," he adds.

Some fraudulent websites have certificates, which also put victims at ease. Attackers are leaning away from plain domains and towards legitimate certificates, a trend that leads to an "error of attribution" on the part of victims. Sure, the lock symbol means the connection to the server is encrypted – but it doesn't mean the server is legitimate. People feel safe when they see the lock; as a result, they're likely to engage with these potentially malicious sites.

Think Before You Click

Rather than rely on the passive typo-squatting strategy, more attackers are directly targeting domain spoofing victims with phishing attacks. Business email compromise (BEC) is common, researchers report. Many criminals pick a large class of people to target with malicious links appearing to be from real brands, or containing keywords they think victims are likely to click.

Which terms are most common? Some consistently appeared in the top rankings; for example, "real estate," which was top for June through December, as well as "for sale," "I am," "block chain," "bit coin," and other US city names and terms related to cryptocurrency. Other tech-related terms frequently seen in domains included "server," "security," and "system."

The people targeted with these malicious emails aren't the CEO or CFO, but middle-management people who typically work with them. "It's not necessarily related to top titles," Epstein says. An attacker is more likely to succeed in tricking the CEO's assistant than the CEO, and they'll frequently peruse LinkedIn and other social platforms to figure out their targets.

It's not only email at risk for domain spoofing attacks, as Schulman points out. "We're talking about digital channels an organization has to interact with its customers," he adds. "Sometimes it's via email, sometimes it's a website, sometimes it's via application, sometimes it's across all social channels." He agrees the trend of typo-squatting is down as targeted attacks spread.

"There's no accidental stumbling upon it," he says.

Related Content:

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights