Tag Archives: Phishing

ICANN Alert on Phishing Scam Email

ICANN is alerting the community to a phishing scam involving emails purporting to come from “sales@icann.org”, sent to ICANN contracted parties.

The sales@icann.org address is not a valid ICANN organisation email address. Contracted parties may have recently received emails from “accounting@erp.icann.org”, which is a valid ICANN org email address. If you receive an email from the “sales@icann.org” address, or from any other suspicious email address, do not respond. Please forward the email in its entirety to globalsupport@icann.org.

ICANN has a resource on phishing scams at icann.org/resources/pages/phishing-2013-05-03-en.

DomainTools Webinar: DNS Mapping for Better Context on Threats

According to the FBI, U.S. businesses alone suffer nearly $343k in damages every hour from phishing – and this number has been rising year over year for the last five years. Join Ben April, Chief Technology Officer at Farsight, and Corin Imai, Senior Security Advisor at DomainTools, for this 30 minute webinar on a real-world DNS forensic investigation. Starting with a single IOC (indicator of compromise), they will step through how to pivot through domain infrastructure to build intelligence on associated malicious activity.

March 26, 2019 at 10 AM PT/1 PM ET

In this webinar, you will learn:

  • How to take an IOC and pivot on supporting threat intelligence
  • Where pDNS can uncover cybercrime forensics data
  • When to leverage DomainTools and Farsight to build an investigation

To register for this free webinar, go to:
https://www.domaintools.com/resources/videos/webinar-dns-mapping-for-better-context-on-threats

Repurposed ccTLDs Showing Higher Levels of Phishing: APWG

Some of the TLDs with the highest levels of domain names used for phishing are “repurposed” ccTLDs – those where management rights have been granted to third parties who have then commercialised the TLDs, according to the latest Phishing Activity Trends Report, covering the third quarter of 2018, from the Anti-Phishing Working Group. Among those with the highest levels are .tk, .ml, .ga, .cf and .gq, which are all operated by a Dutch company that offers domain names in those TLDs for free, while .pw is operated by a company based in India. But there are also ccTLDs outside this description with a higher than expected number of phishing domain names, such as .br, .ru, .in and .au.

The TLD with the most phishing domain names was, unsurprisingly, .com with 922 domain names (out of a total of 137.6 million), followed by .org with 80 out of 10.3 million and then .net with 78 out of 14.1 million. They were followed by .pw with 53 phishing domain names, .info (43 out of 5.0 million) and .br (41 out of 4.0 million). The first new gTLD on the list, .xyz, was seventh with 30, then .ml and .ru (28), .in and .tk (24 out of 21.5 million), .ga and .uk (23 out of 11.9 million), .cf and .gq (22), .au and .top (20 out of 3.2 and 3.9 million respectively), while .business (17 out of 63,000) and .agency and .co (15 each, out of 64,000 for .agency) rounded out the top 20.

“Sometimes it is easy to discount the total volume of abuse in a TLD if the TLD has a large number of domains in it,” said Jonathan Matkowsky of RiskIQ. “We assigned a weighted score against the total number of domains in each zone, looking at TLDs where there were at least five unique domain names used for phishing, as a way of understanding the size of the zone and the phishing prevalence in it. After discounting the number of unique hosts by the relative size of those zones, .TOP and .XYZ were still the new gTLDs that scored highest.”

There has also been growth in phishing websites using HTTPS web addresses, which users often take as a sign that a site is secure. APWG notes that at the end of 2016, less than 5% of phishing sites were found on HTTPS infrastructure. In the third quarter of 2018, PhishLabs saw the share of phishing websites using SSL/TLS encryption increase to 49.4%, up from 35.2% in the second quarter.

“This is likely a result of attackers obtaining certificates for use on their own infrastructure, and in general, as more legitimate Web sites obtain SSL certificates, some of those will naturally become compromised by phishers,” John LaCour, the Chief Technology Officer of PhishLabs, noted. “As of July 2018, the Google Chrome browser began to warn users that plain HTTP sites are ‘not secure’, and that will drive more web site owners to use HTTPS. So over time we expect that most phishing sites will use SSL certificates. Certificate authorities that offer free certificates will be increasingly abused by phishers in the future.”

DomainTools Webinar: 2019: No Oscars for the Bad Threat Actors

2018 isn’t over and we have already seen a massive increase in the number and types of cybersecurity threats from ransomware to phishing. So what will 2019 bring and what can be done to prevent the next wave of cyber attacks?

Join subject matter experts from DomainTools in a lively discussion of what’s next for information security. CTO Bruce Roberts; Director of Product Management Tim Helming; Senior Security Advisor Corin Imai; and Senior Data Scientist Sean McNee will conduct a round-table discussion on their information security predictions. Highlights include:

  • Let’s Get Critical (The political process is the new critical infrastructure under attack)
  • Breaches and Woes (Change in public perception of breaches)
  • The Automation Invasion (Automation will continue to create more issues than solutions if organizations)
  • Mind the (Skills) Gap

December 11, 2018 at 10 AM PT/1 PM ET

To register for this free DomainTools webinar, go to:
https://www.domaintools.com/resources/videos/webinar-2019-no-oscars-for-the-bad-threat-actors

DomainTools Webinar: The Beginner’s Guide to Mitigating Phishing Attacks

According to the FBI, U.S. businesses alone suffer nearly $343k in damages every hour from phishing – and this number has been going up year over year for the last five years. Phishing by definition is a fraudulent attempt to gain access to sensitive data and leverage such data for malicious purposes. Most commonly this is done by disguising malicious links that distribute malware.

In this webinar, Corin Imai, Senior Security Advisor at DomainTools will take a look at the steps to executing a phishing attack and the potential ways to help mitigate the risk.

November 14, 2018 at 10 AM PT/1 PM ET

In this webinar, you will learn:

  • Real world examples of attacks leveraging phishing vectors
  • 5 steps of executing a phishing attack – if I can do it, surely anyone can
  • 5 ways to mitigate your risk of a phishing attack

To register for this webinar, click here.

CIRA Canadian Cybersecurity Survey identifies disconnect between awareness and actions

The Canadian Internet Registration Authority (CIRA) has released its 2018 CIRA Cybersecurity Survey, which provides an overview of the Canadian cybersecurity landscape.

For the survey, CIRA, the .ca country code top level domain (ccTLD) registry, surveyed 500 individuals responsible for IT security decisions at small and medium-sized businesses across Canada to learn more about how they are coping with the increase in cyber threats. The sample included both business owners and employees who manage information technology.

“A key element of building a better online Canada is ensuring Canadians have safe, secure internet access,” said Byron Holland, president & CEO, CIRA. “Through our experience in managing the .CA domain for Canadians, we hope to help lend our expertise in safeguarding Canada’s internet so that Canadian businesses can thrive online.”

In partnership with CIRA’s technology partner, Akamai Technologies, the full report has been released to coincide with Small Business Week in Canada.

“Training and awareness are critical to ensuring your business is cyber-secure,” said Jacques Latour, chief security officer, CIRA. “No matter how great your IT team is, anyone with a network-connected device can be the weak point that brings your business down.”

The report’s key findings are:

  • 40 per cent of respondents experienced a cyberattack in the last 12 months. One in ten experienced 20 or more attacks.
  • Among larger businesses with 250-499 employees, the number who experienced an attack increases to 66 per cent.
  • 67 per cent of respondents outsource at least part of their cybersecurity footprint to external vendors.
  • While 59 per cent of respondents said they stored personal information from customers, 38 per cent said they were unfamiliar with PIPEDA.
  • One-third of respondents indicated that the most significant impact of a cyberattack is the time and resources required to respond to the incident.
  • 88 per cent of respondents were concerned about the prospect of future cyberattacks, which resulted in 28 per cent suggesting they would add cybersecurity staff in the next year.
  • Although 78 per cent were confident in their level of cyber threat preparedness, 37 per cent didn’t have anti-malware protection installed and a shocking 71 per cent did not have a formal patching policy – exposing these organizations to massive security holes.
  • Only 54 per cent of small businesses provide cybersecurity training for their employees, even though the most common form of malware seen by respondents, phishing attacks (42 per cent), directly exploits employees as a point of weakness.

Read the full report: https://cira.ca/2018-cybersecurity-survey-report

DomainTools Find Cybercriminals Using Typos to Spoof Top UK charities

Cybercriminals are using fraudulent domains to lure unsuspecting members of the public towards spoofs of well-known UK charities, for malicious purposes, according to the results of a DomainTools investigation.

Following on from the National Cyber Security Centre’s warning that cybersecurity poses the most serious threat to UK charities, DomainTools selected ten well-known and popular charitable organizations in the UK to analyse, and found that every charity selected was being spoofed online by cybercriminals, who often used typos in order to dupe unsuspecting Internet users. The team analysed domains associated with Cancer Research, The National Trust, NSPCC, Oxfam, The Red Cross, Salvation Army, Wateraid, Save The Children and Unicef. In total, over 170 domains were deemed high-risk for phishing, malware and other forms of cybercrime. Some examples of fraudulent domains with risk scores of 100 – the highest possible score – include:

  • fundraisecancerresearch[.]org
  • nationltrust[.]org
  • nspcv[.]org
  • oxfamsol-mail[.]be
  • redcroas[.]com
  • salvationarmycapitalregion[.]org
  • svaethechildren[.]org
  • sheltern[.]com
  • unicefpro[.]org
  • vistwateraid[.]org

“It remains incredibly easy for anyone to purchase an available domain,” said Tim Helming, director of product management at DomainTools. “This is part of what helps keep the Internet open and democratic, but it also helps cybercriminals exploit users. In this case the spoofing of charity websites has the added benefit of exploiting people’s wish to donate to these charities, making them a particularly lucrative target.”

Explaining the method by which these websites are introduced to Internet users, Helming said: “These domains will often be directed towards people via email or SMS phishing campaigns, which hope to encourage users to click on seemingly legitimate looking links such as those included above, which in turn begins another cycle of cybercrime. Phishing can be used by criminals simply to gain credit card or banking information, or as a gateway to install malware on a device or network, which leads to even more serious crimes such as data breaches and/or identity fraud.”

DomainTools offers top tips for consumers to avoid falling foul of a spoof website:

  • Watch out for domains that have the pattern com-[text] in them. We’re so accustomed to seeing .com that we can easily overlook the extra text that’s appended to it with a dash.
  • Look for typos on the website, coupon, or link that is directing you – for example, check for extra added letters in the domain, such as Yahooo[.]com.
  • Look out for ‘rn’ disguised as an ‘m’, such as modem[.]com versus modern[.]com.
  • Watch all website redirects by hovering over URLs to see where the link will take you.
  • Realise that if something is too good to be true, it likely is.
  • Get into the habit of hovering your mouse over links, and then looking for a pop-up that shows what domain the link points to. Typo domains can often be exposed using this method. Chrome and Firefox both have this feature.

DomainTools: Majority of Consumers Aware of Online Publishing Scams, Yet Still May Fall Victim This Cyber Monday

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today [8 Nov] released the findings of its 2017 Cyber Monday Phishing Survey. The survey results highlighted that two in five U.S. consumers have fallen victim to an online phishing attack, despite the fact that 91 percent are aware of the existence of these spoofed websites or emails of trusted brands. As the holiday shopping season approaches, 92 percent of all consumers shop online and about half are planning to shop online on Cyber Monday, exposing an opportunity for malicious hackers to strike. DomainTools has illustrated its key findings in an infographic.

“Cyber Monday has grown in popularity year over year, and unfortunately, so has phishing and online counterfeiting. A range of techniques are used to trick shoppers into visiting a fake website or clicking on a malicious link. This can result in a shopper unintentionally sharing financial and personal information with these criminals or even downloading ransomware,” said Tim Chen, CEO of DomainTools. “As shoppers search for Cyber Monday deals, it’s important that they remember to look closely at links and email addresses before clicking. If something seems too good to be true, it may instead be very fake and very bad.”

According to the Anti-Phishing Working Group (APWG), nearly 119,000 unique phishing sites were detected during November 2016, with over 300 individual brands targeted that month. The brands most likely to be spoofed this November likely correspond with the most popular online retailers, which according to the survey include Amazon (82%), Walmart (36%), and Target (20%). Using DomainTools PhishEye, threat hunters identified some of the most recent brand-abusing domains created by attackers in an attempt to trick unassuming online shoppers, including the following:

[Image: Cyber Monday DomainTools]

Consumer education remains the number one way to prevent compromises via phishing. Online shoppers should heed these tactics to safely navigate links to Cyber Monday sales that are shared via email and social media:

  • Be paranoid. Assume links are dangerous until decided otherwise.
  • Navigate directly to a company’s website instead of clicking on links in emails or social media.
  • Closely examine URLs and email senders for typos. Examples could include:
      • extra added letters in the domain, such as Yahooo[.]com
      • ‘rn’ disguised as an ‘m’, such as modem[.]com versus modern[.]com
      • 1’s disguised as l’s, such as wa1mart[.]com
      • added affixes, such as starbucks[.]com-latte[.]us
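The typo, confusable-character and affix patterns listed in these tips (and illustrated by the spoofed charity domains earlier on this page) can be screened for automatically before a link reaches a user, for example in a mail gateway or when triaging reported URLs. The following is an added example written for this page, not DomainTools' code and not PhishEye: a small Python screener that accepts defanged report-style input (`hxxp`, `[.]`), folds look-alike sequences (`rn` for `m`, `1` for `l`), allows a single-character typo including swapped neighbours, flags the `brand.com-anything.tld` affix trick, brands embedded in subdomains or paths, and bare-IP hosts (the APWG report further down this page notes phish hosted on raw IP addresses). The brand list, the sample URLs and the confusables table are constructed for the demo, and the registrable name is assumed to be the second-to-last label, which is wrong for suffixes such as `.co.uk`; a production screener would consult the Public Suffix List.

```python
"""Lookalike-URL screener for typo, confusable, affix and bare-IP patterns (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Sequences that read as another character in common fonts -> the character they imitate.
# Constructed, minimal table; a real screener carries a much larger one.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def refang(text: str) -> str:
    """Turn defanged text ("hxxp", "[.]") back into something urlsplit can parse."""
    text = text.strip().replace("[.]", ".").replace("(.)", ".")
    if text.lower().startswith("hxxp"):
        text = "http" + text[4:]
    if "://" not in text:
        text = "http://" + text
    return text


def fold_confusables(label: str) -> str:
    """Rewrite look-alike sequences to the character they imitate (rn -> m, 1 -> l, ...)."""
    out = label.lower()
    for seq, canon in CONFUSABLES.items():
        out = out.replace(seq, canon)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters, cost 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(raw: str, brands) -> list:
    """Return the lookalike indicators found in one URL; an empty list means nothing was flagged."""
    parts = urlsplit(refang(raw))
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings = []
    labels = [] if is_ip(host) else host.split(".")
    if is_ip(host):
        findings.append("ip_host")          # brand sites are not served from bare IP addresses
    # Assumption: registrable name is the second-to-last label (one-label public suffix only).
    core = labels[-2] if len(labels) >= 2 else host
    for brand in brands:
        b = brand.lower()
        # 1. brand placed where it does not count: in a subdomain label or in the path
        if b in path or any(b in lab for lab in labels[:-2]):
            findings.append(f"brand_outside_registrable:{b}")
        # 2. the "com-" affix trick: brand.com-anything.tld is a name under .tld, not under .com
        if f"{b}.com-" in host:
            findings.append(f"com_affix:{b}")
        if core == b:
            continue                        # the registrable name is the brand itself
        # 3. visually confusable substitution (modern -> modem, wa1mart -> walmart)
        if fold_confusables(core) == b:
            findings.append(f"confusable:{b}")
        # 4. a single typo: extra, missing or wrong letter, or swapped neighbours (svaethechildren)
        elif edit_distance(core, b) == 1:
            findings.append(f"typo:{b}")
        # 5. brand embedded in a longer registrable name (fundraisecancerresearch)
        elif b in core:
            findings.append(f"brand_embedded:{b}")
    return findings


if __name__ == "__main__":
    BRANDS = ["walmart", "modem", "yahoo", "starbucks", "savethechildren", "cancerresearch"]
    SAMPLES = [                                   # constructed inputs mirroring the patterns above
        "https://www.walmart.com/deals", "wa1mart[.]com", "modern[.]com", "Yahooo[.]com",
        "starbucks[.]com-latte[.]us", "hxxp://97.74.228.191/walmart.com/",
        "svaethechildren[.]org", "fundraisecancerresearch[.]org",
    ]
    for s in SAMPLES:
        print(f"{s:45} {analyze_url(s, BRANDS) or 'clean'}")
```

The checks are deliberately ordered from cheapest to loosest, and each finding names the brand it matched so an analyst can see why a URL was held. Substring checks (rules 1 and 5) will produce false positives for short brand names that occur inside ordinary words, so in practice they are worth weighting lower than a confusable or single-typo hit on the registrable label.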

The DomainTools Cyber Monday Survey was conducted online between October 5-7, 2017. Survey data is available by request.

For more information on DomainTools PhishEye, please visit www.domaintools.com/products/phisheye.

About DomainTools

DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at domaintools.com or follow us on Twitter: @domaintools

This DomainTools news release was sourced from:
http://www.domaintools.com/company/press/majority-of-consumers-aware-of-online-publishing-scams-yet-still-may-fall

SIDN Fighting Abuse in .NL

Abuse is all too common in top level domains. For 2016 the Anti-Phishing Working Group reported phishing in 454 TLDs, including 228 new gTLDs. So that abuse occurs in any given TLD is not surprising. But how the TLD goes about fighting it, or not, can be of interest.

Recently SIDN, the registry for .nl (Netherlands), published a blog post on abuse in .nl. “Abuse is a growing problem, according to Lilian van Mierlo, [SIDN’s] Registration & Service Manager. ‘There are some types of abuse that we used to get reports about maybe ten times a year, and now we’re getting a thousand reports about. Or more! It’s not just that there’s more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing.’”

SIDN works in partnership with registrars, hosting service providers, consumer organisations, government agencies and bodies such as the Fraud Help Desk and others where appropriate to fight abuse.

“In recent years, anti-abuse work has been taking up more and more of my department’s time,” Lilian continues. “It was easy to see that teaming up with others active in the field made sense. Collaboration is organised through Support4Abuse20 (“support for abuse to zero”). And it means we’re able to fight abuse on three fronts. We tackle phishing and malware through abuse204.nl, we act to get fake webshops taken down, and we respond to botnets via the Abuse Information Exchange.”

The post describes Abuse204.nl as follows:
“Abuse204.nl (abuse to zero for .nl) is an initiative designed to clamp down on phishing and malware. At the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing. Netcraft collates abuse reports and checks their validity. A monitoring system then automatically e-mails the abuse reporting address of any domain linked to phishing or malware. If the domain doesn’t have a dedicated abuse reporting mailbox, all the contacts for the domain name are mailed. The aim is to get a message through to the right person in the chain as soon as possible. R&S keeps watch over the system to see whether the automated e-mails trigger a response. In many cases, the registrar or hosting firm will intervene when they get an alert. If that doesn’t happen, we ask the registrars whether we can help. Where necessary we’ll follow that up with a reminder. Since we started abuse204.nl, we’ve managed to cut the average time-to-live of phishing and malware sites substantially.”
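The workflow just described (validated feed entry, mail the dedicated abuse mailbox or else every contact, watch for a response, remind, then have registry staff step in, and measure the resulting time-to-live) is a small escalation state machine, and modelling it makes the decision points explicit. What follows is an added example written for this page, not SIDN's or Netcraft's code: the feed entries, contact records, domain names and the 24-hour reminder interval are all constructed for the demo (the post gives no such figures), and the function and field names are my own.

```python
"""Notify / watch / remind loop modelled on the abuse204.nl description (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

REMINDER_AFTER = timedelta(hours=24)   # assumed interval; tune to the registry's own SLA


def choose_recipients(contacts: dict) -> list:
    """Dedicated abuse mailbox if the domain has one, otherwise every contact on file."""
    if contacts.get("abuse"):
        return [contacts["abuse"]]
    return sorted({addr for addr in contacts.values() if addr})


@dataclass
class Case:
    domain: str
    category: str                      # "phishing" or "malware", as tagged by the feed
    recipients: list
    opened: datetime
    alerts_sent: int = 0
    last_alert: Optional[datetime] = None
    closed: Optional[datetime] = None  # set when the site is confirmed taken down
    log: list = field(default_factory=list)


def open_case(entry: dict, contacts: dict, now: datetime) -> Case:
    """A validated feed entry becomes a case addressed to the right people for that domain."""
    return Case(entry["domain"], entry["type"], choose_recipients(contacts), now)


def next_action(case: Case, now: datetime) -> str:
    """Escalation ladder: first alert -> reminder after silence -> hand-off to registry staff."""
    if case.closed is not None:
        return "done"
    if case.alerts_sent == 0:
        return "alert"
    if now - case.last_alert < REMINDER_AFTER:
        return "wait"                  # give the registrar or hoster time to act
    return "remind" if case.alerts_sent == 1 else "escalate"


def step(case: Case, now: datetime) -> str:
    """Perform the next action for a case, record it, and return the action taken."""
    action = next_action(case, now)
    if action in ("alert", "remind"):
        case.alerts_sent += 1
        case.last_alert = now
        case.log.append((now, action, tuple(case.recipients)))
    elif action == "escalate":
        case.log.append((now, action, "registry staff contact the registrar directly"))
    return action


def close_case(case: Case, now: datetime) -> None:
    case.closed = now


def mean_time_to_live(cases) -> timedelta:
    """Average time from first report to takedown over closed cases: the metric the post says fell."""
    closed = [c for c in cases if c.closed is not None]
    if not closed:
        return timedelta(0)
    return sum((c.closed - c.opened for c in closed), timedelta(0)) / len(closed)


def demo():
    """Run a constructed two-case scenario; returns (action trace, mean time-to-live in hours)."""
    t0 = datetime(2017, 6, 1, 9, 0)
    feed = [{"domain": "phish-example.nl", "type": "phishing"},      # constructed feed entries
            {"domain": "dropper-example.nl", "type": "malware"}]
    contacts = {                                                       # constructed contact records
        "phish-example.nl": {"abuse": "abuse@hoster.example", "registrant": "owner@example.org"},
        "dropper-example.nl": {"abuse": "", "registrant": "a@example.org", "tech": "b@example.org"},
    }
    cases = [open_case(e, contacts[e["domain"]], t0) for e in feed]
    trace = []
    for hours in (0, 1, 25, 50):
        now = t0 + timedelta(hours=hours)
        if hours == 25:
            close_case(cases[0], now)      # the hoster took the phishing page down after the alert
        for c in cases:
            trace.append((hours, c.domain, step(c, now)))
    close_case(cases[1], t0 + timedelta(hours=60))   # the malware host only went after escalation
    return trace, mean_time_to_live(cases).total_seconds() / 3600


if __name__ == "__main__":
    trace, ttl = demo()
    for hours, domain, action in trace:
        print(f"t+{hours:>2}h {domain:20} {action}")
    print(f"mean time-to-live: {ttl:.1f} h")
```

In the scenario the first domain has a dedicated abuse mailbox and is closed after one alert, while the second has none, so every contact is mailed, a reminder follows after 24 hours of silence and the case is then escalated. Keeping the per-case log means the time-to-live figure can be broken down by which rung of the ladder finally produced the takedown, which is the number that tells a registry whether its automated mails are reaching the right people.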

“Fake webshops have been around for years, but recently they’ve been getting more common. Even in the .nl domain, sadly. It’s a simple scam: offer attractive goods for sale, but never send them to the buyers, or only send fakes. Interestingly, sham webshops often use domain names that don’t match what they’re supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that’s been in use before will feature higher in search results. The strategy is helped by the fact that other genuine sites often still have links to a previously used domain. And the more visitors the scammers can attract, the more they can earn. There isn’t a lot that we can do about fake webshops. But that doesn’t stop us doing what we can. We check the registration data of domain names used for suspect webshops, because it often turns out to be false. The registrant might be a non-existent person, for example. Or a real person who has nothing to do with the registration. Giving false information is against our terms and conditions, and that gives us leverage. We ask the registrant to provide valid details, and if they don’t we cancel the registration. So the fake webshop can’t make use of the name.”

The post also explains the Abuse Information Exchange that is used to fight botnets and why it’s vital to act quickly.

As a result, .nl is “one of the most secure internet domains in the world”.

“If we can keep it that way, all the effort’s worthwhile,” van Mierlo says. “But we have to be realistic: it’s impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind. Cybercrime is even being marketed as a service these days. But none of that should deter us from doing all we can to make .nl less attractive to scammers.”

To read the blog post in full on the SIDN website, see:
https://www.sidn.nl/a/internet-security/a-fight-on-three-fronts

2016 World’s Worst Year for Phishing. Ever! Says APWG. With Attacks on 195,000 Domain Names.

Phishing attacks increased by 65% in 2016 over 2015, making it the worst year for phishing in history, according to APWG’s new Phishing Activity Trends Report [pdf]. According to the report, the total number of phishing attacks in 2016 was 1,220,523.

The end of 2016 was also an opportunity to reflect on how phishing has grown over the years. In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, the APWG saw an average of 92,564 phishing attacks per month — an increase of 5,753 percent over 12 years. Phishing attacks have generally increased each year over the past ten years, indicating a consistent trend. Forthcoming APWG reports will provide additional dimensions of data for more analysis.

“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2016 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”

There were at least 255,065 unique phishing attacks worldwide, according to the report, an increase of over 10% from the 230,280 attacks identified in 2015. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The attacks occurred on 195,475 unique domain names. This is the most APWG have recorded in any year since they began these reports in 2007. The number of domain names in the world grew from 287.3 million in December 2014 to 329.3 million in December 2016.

Of the 195,475 domains used for phishing, 95,424 domain names were believed to be registered maliciously by phishers. This is an all-time high, and almost three times as many as the number found in 2015. A little over half of these registrations were made by Chinese phishers. The other 100,051 domains were almost all hacked or compromised on vulnerable Web hosting. This means that nearly half of all domains that hosted phishing sites were maliciously registered.

Seventy-five percent of the malicious domain registrations were in just four TLDs: .COM (with 58% of the malicious domains), .CC (14%), .PW (3%), and .TK (3%), and more than 90% of malicious domains were found in just 14 TLDs. The TLDs in places 5 to 14 were .info, .net, .ga, .top, .cf, .ml, .cn, .gq, and .ve. The registrars these domain names were registered with were dominated by Chinese registrars.

In addition, 6,373 attacks were detected on 5,378 unique IP addresses, rather than on domain names (for example: http://97.74.228.191/walmart.com/). There were no phish of any kind observed on IPv6 addresses.

The APWG counted 679 targeted brands. This dropped from 783 in 2015. Phishers are still creating kits dedicated to attacking both popular targets and new targets.

Phishing occurred in 454 top level domains (TLDs). 228 were new generic TLDs launched since 2013.

One hundred and eighty-six of the 195,475 domain names were internationalised domain names (IDNs). None involved homographic attacks, but some displayed deceptive messages in the translated domain names.

Axur, a Brazilian company that concentrates on protecting companies and their users in Brazil, found that fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop these scams and filter them before they reach end users. “Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks – and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”

APWG member RiskIQ examined how phishing victims are fooled by phishers – not by the address in the browser bar, but by hyperlinks (which must be hovered over to even see the destination domain), URL shorteners, which mask the destination domain, or brand names inserted elsewhere in the URL.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need to use deceptive domain names to fool Internet users into visiting their sites.

To download the APWG Phishing Activity Trends Report, see:
http://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf