The average Digital Shadows client isn’t a small company, but in its latest Impersonating Domains Report the company states that an average client has 1,100 impersonating domains and subdomains detected per year.
To arrive at this figure, the digital risk protection company analysed more than 175,000 alerts over approximately four months. On average, about 90 alerts were raised per client per month, which translates into nearly 1,100 domains per year.
In recent years the number of impersonating domain names has ballooned, and Digital Shadows identifies two main reasons. The first is the far greater range of top-level domains available since the introduction of new gTLDs: it is cost-prohibitive for a brand to register its name in all of these TLDs, let alone the permutations required.
The second is that the technical barriers to cybercrime have been lowered. “The criminal underground”, according to a Digital Shadows blog post, “has responded to the demand and offers just about everything you’d need to get access to hosting, registering domains, setting up phishing services or professionally-spoofed pages at scale, as well as lots of niche tools and specialities in-between that support these enterprises. There are lots of tutorials and other advice out there that can help you on your quest to commit fraud on the web.”
The motives for domain impersonation are mostly “money and notoriety on the criminal side.” The top reason, Digital Shadows believes, is credential harvesting. “This is done by nation-state actors and criminals alike and serves various purposes. It’s more than likely to perform some measure of account takeover, whether it’s for your social media account, bank login, or employer’s online webmail portal. It may even just be for your favourite streaming service.”
“Phishing is probably the culprit, and it might be messages warning you about your account expiring or maybe even fake payment invoices that you need to check by logging in right now! It may even be just a request from a potential customer to check out a file or a colleague trying to send you a share link, and it takes you to what seems to be a Microsoft Online portal login”.
“Once credentials are harvested, they may be monetised further and sold in bulk on various marketplaces for various uses, including the sale to initial access brokers (IABs) who often traffic in the purchase and sale of administrator and remote access credentials. In the case of a nation-state actor harvesting credentials, they might use stolen credentials to gain access to critical or sensitive information that supports an ongoing espionage operation, for example.
“The following motivation shouldn’t come as any surprise, but personal information, medical data, and financial or payment data are still lucrative, especially in bulk and especially when it’s new data. A spoofed shop page might harvest credit card details, while another page pretending to be your bank might take a Social Security number or other personal information. While these offerings in singles can often sell for pennies to dollars on the dark web, they can bring in some money for criminals together in bulk.
“The final motivations are also shared by criminals and spies alike, and that’s to drop malware and use information against us. Domains with spoofed pages might look like a software update for a standard application, which hosts a remote access Trojan, for example. Or it might take the form of an embedded link in a document or, worse, an email attachment that’s a misleadingly-named file meant for further download and inspection by the user. In using information against victims, spoofed domains could redirect users to fake news sites or support similar attempts at misinformation en masse. In other cases, they may be directing traffic to so-called clickbait and similar sites attempting to make money from ad clicks.”
The guiding thought behind the impersonating domains research was to see whether Digital Shadows could find trends supporting media or community reporting, or uncover some exciting threads of its own.
In its research Digital Shadows found that threat actors use all kinds of techniques to impersonate brands: spoofing domain names, registering lookalike subdomains, and copying website content and even logos to complete the fraud. The goals of these campaigns, the company found, range from harvesting credentials to delivering malware to unsuspecting victims.
The actual pages associated with some of these impersonating domains ran the entire spectrum:
- DNS and MX records attached
- Activity: parked or newly-registered
- Content: displaying some sort of web content or referencing content
- Logos: displaying logo or associated imagery
- Threat feeds: mentions on threat feed
In a few cases, they had even ended up on a threat feed, which is how the intelligence and security communities often share indicators of compromise and other adversary data with the rest of the world.
The reason for the report is, not surprisingly, to win customers: Digital Shadows believes it can protect a brand by monitoring lookalike domains better and more cheaply than a company can do itself. It says it can help by “looking at every single domain out there and help you make a choice, based on various risk factors such as: domains that are newly registered, appearing in threat feeds, parked, or possibly even hosting content, which might even include your logos and designs. We can help you take down those domains where possible and keep an eye on those that appear risky.”
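The triage the article describes, from a defender's side, comes down to two steps: decide whether a newly seen domain is a lookalike of your brand at all, and then rank the lookalikes by the risk factors listed above (DNS/MX records, registration age, parked or live, hosted content, logos, threat-feed mentions). The following is an added example written for this page; it is not code from the article or from Digital Shadows. The brand name `examplebank`, the homoglyph table, the scoring weights, the "takedown / watch / low" thresholds and the sample domain records are all constructed assumptions for illustration.

```python
# Added example (not from the article or Digital Shadows): rank candidate
# impersonating domains by the risk factors the report lists.
from dataclasses import dataclass
from datetime import date

BRAND = "examplebank"        # assumed brand name (constructed)
TODAY = date(2021, 6, 1)     # fixed "today" so the sample is deterministic

# Visually confusable sequences often used in lookalike names.
# Illustrative assumption, not a table from the report.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_label(label: str) -> str:
    """Fold confusable sequences so 'examp1ebank' compares as 'examplebank'."""
    out = label.lower().replace("-", "")
    for glyph, plain in HOMOGLYPHS.items():
        out = out.replace(glyph, plain)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(domain: str, brand: str, max_distance: int = 1) -> bool:
    """True if any label (TLD excluded) contains the brand after folding, which
    also catches lookalike subdomains, or sits within max_distance edits of it."""
    target = normalize_label(brand)
    labels = domain.lower().split(".")[:-1]   # assumes a single-label TLD
    for label in labels:
        folded = normalize_label(label)
        if target in folded or levenshtein(folded, target) <= max_distance:
            return True
    return False


@dataclass
class DomainRecord:
    """One observed domain and the report's risk factors as booleans/dates."""
    domain: str
    has_mx: bool          # DNS/MX records attached
    registered: date      # registration date (newly registered if recent)
    parked: bool          # parked / dormant
    serves_content: bool  # displays or references web content
    shows_logo: bool      # displays the brand's logo or imagery
    on_threat_feed: bool  # mentioned on a threat feed


def risk_score(rec: DomainRecord, today: date) -> int:
    """Weighted sum over the report's factors. Weights are an assumption."""
    score = 0
    if rec.has_mx:
        score += 2   # mail-capable: usable for phishing from the lookalike
    if (today - rec.registered).days <= 30:
        score += 2   # newly registered
    if rec.parked:
        score += 1   # dormant, but can be activated at any time
    if rec.serves_content:
        score += 2   # live page
    if rec.shows_logo:
        score += 3   # brand imagery: a spoofed page, not a coincidence
    if rec.on_threat_feed:
        score += 4   # a third party has already reported abuse
    return score


def priority(score: int) -> str:
    """Map a score to an action bucket (thresholds are an assumption)."""
    if score >= 6:
        return "takedown"
    if score >= 2:
        return "watch"
    return "low"


def triage(records, brand, today):
    """Keep only lookalikes of the brand, highest risk first."""
    hits = [(risk_score(r, today), r.domain) for r in records
            if looks_like_brand(r.domain, brand)]
    hits.sort(key=lambda t: (-t[0], t[1]))
    return [(domain, score, priority(score)) for score, domain in hits]


# Constructed sample records; none of these domains come from the report.
SAMPLE = [
    DomainRecord("examp1ebank.com", True, date(2021, 5, 25), False, True, True, False),
    DomainRecord("exarnplebank-login.net", False, date(2021, 1, 10), False, True, False, True),
    DomainRecord("examplebank.secure-update.org", False, date(2021, 5, 30), True, False, False, False),
    DomainRecord("examplebanc.com", False, date(2019, 3, 4), True, False, False, False),
    DomainRecord("unrelatedshop.com", True, date(2021, 5, 29), False, True, True, False),
]


def run_sample():
    return triage(SAMPLE, BRAND, TODAY)


if __name__ == "__main__":
    for domain, score, action in run_sample():
        print(f"{action:9} {score:2}  {domain}")
```

The unrelated shop is dropped before scoring even though it is new, mail-capable and shows a logo, because it is not a lookalike of the brand; the parked typo domain registered years ago stays on the list but lands in the "low" bucket, which is the "keep an eye on" case the article describes rather than a takedown candidate.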
The information in this article was sourced from a Digital Shadows blog post at: digitalshadows.com/blog-and-research/why-domains-matter-impersonations-and-your-brand/. The Impersonating Domains Report can be downloaded from resources.digitalshadows.com/whitepapers-and-reports/impersonating-domains-report