What is domain impersonation? It is one of the easiest, most frustratingly common ways that cybercriminals trick us, and I’ll get to the technical explanation later.
In fact, domain impersonation attacks are getting so subtle that I, a cynical veteran of the cybersecurity industry, nearly fell for one just last month. On one particular site, an item I was considering purchasing was priced over 70% less than I had found anywhere else. I didn’t know the retailer, but my wife had heard of it and told me their prices are typically similar to those on other online marketplaces. That’s what clued me in — if it seems too good to be true, it is. I didn’t click because my Spidey Sense kicked in just soon enough to tell me that there was no way I was getting a deal, even if the URL looked familiar.
That day, I dodged a domain impersonation bullet. Here are some tips, tricks, and pointers from Fortra’s 2023 Domain Impersonation Report so you can do the same. The report covers findings from the first half of this year.
What Is Domain Impersonation?
As the name suggests, domain impersonation is when a threat actor mimics a legitimate site with a spoof site whose domain name is nearly identical to the real one, typically differing by a single character. In a rush, we gloss over the details, catch the word that matters most and forgive or overlook the rest, so an email from an address whose domain is off by one letter reads as genuine. Then we click the link in the malicious email and land on the attacker’s website, which looks like the legitimate one. From there, we might enter our credentials or type in credit card details to buy a product that will never arrive. That’s when they’ve got us.
Look-alike Domains Are Trending Up
According to the report, the average brand was impersonated by no less than 40 look-alike domains between January and June of this year. As mentioned, this is largely done by substituting letters with other letters or even symbols. Take a brand name that contains a lowercase L:
The first variant is the correct spelling. The second replaces the L with a vertical bar (|). The third replaces the L with a capital I, which is indistinguishable from a lowercase L in many sans-serif fonts. Cyrillic letters offer further stand-ins for the L and for other Latin letters, and in a URL those show up as a punycode label beginning with xn--, so the look-alike is not obvious even when you read the raw address.
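Here is how a mail gateway or URL filter can catch these substitutions mechanically. This is an added example, not code from the report or from Fortra: it maps each visually confusable character (digit one, vertical bar, capital I, a handful of Cyrillic letters) to the Latin letter it imitates, compares every label of the host against a protected brand name, and decodes punycode first, because that is how a Cyrillic look-alike actually appears in a URL. The brand name widgetworld, its legitimate hosts and the confusables table are assumptions; a real deployment would load Unicode’s confusables.txt and use the public suffix list instead of splitting on dots.

```python
"""Flag look-alike domains by collapsing visually confusable characters to a
canonical "skeleton" and comparing each label against protected brand names.
Constructed example: the confusables table is a small subset of Unicode's
confusables.txt and the brand names are assumptions."""
import unicodedata
from typing import Iterable

# Assumed brand and the hosts it really owns (assumption, not from the report).
BRANDS = ("widgetworld",)
LEGIT_HOSTS = ("widgetworld.com", "widgetworld.shop")

# Characters an attacker swaps in, mapped to the Latin letter they imitate.
CONFUSABLES = {
    "1": "l", "|": "l", "i": "l", "ɩ": "l", "ӏ": "l",  # digit one, bar, i/I, Latin iota, Cyrillic palochka
    "0": "o", "о": "o",                                # digit zero, Cyrillic o (U+043E)
    "а": "a", "е": "e", "р": "p", "с": "c",            # Cyrillic a, ie, er, es
    "ѕ": "s", "у": "y", "х": "x",                      # Cyrillic dze, u, ha
}
# Pairs that read as one letter; applied before the single-character table.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so a Cyrillic look-alike is compared as the
    characters the victim actually sees in the browser, not as ASCII."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it literally
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Canonical form in which all confusable spellings of a label collide."""
    s = unicodedata.normalize("NFKC", label).lower()
    for pair, rep in MULTI_CONFUSABLES.items():
        s = s.replace(pair, rep)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch typo-squats (a dropped letter) as well as homoglyphs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brands: Iterable[str] = BRANDS,
             legit_hosts: Iterable[str] = LEGIT_HOSTS) -> str:
    """Return "legitimate", "lookalike" or "unrelated" for a hostname taken from a
    URL or email address. Every label is checked, so brand.evil.example is caught too."""
    host = to_unicode(host).lower().rstrip(".")
    if any(host == h or host.endswith("." + h) for h in legit_hosts):
        return "legitimate"
    brand_skeletons = [skeleton(b) for b in brands]
    for label in host.split("."):
        sk = skeleton(label)
        for bsk in brand_skeletons:
            # Distance 1 is safe for an 11-letter brand; tune or drop it for short names.
            if sk == bsk or levenshtein(sk, bsk) <= 1:
                return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates: the three spellings from the text, a Cyrillic o,
    # the same Cyrillic o as it travels on the wire, a typo, and an unrelated host.
    cyrillic = "widgetwоrld.com"
    for h in ("widgetworld.com", "widgetworId.com", "widgetwor|d.com", "widgetwor1d.com",
              cyrillic, cyrillic.encode("idna").decode("ascii"), "widgetwrld.shop",
              "widgetworld.evil.example", "example.com"):
        print(f"{h:40} {classify(h)}")
```

Both the brand and the candidate go through the same skeleton, so it does not matter which side carries the substitution; the only tuning point is the edit-distance threshold, which should be zero for short brand names.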
Even though companies are being spoofed dozens of times over, 86% of those look-alike domains hosted no relevant content. This means that, while the spoof site looked suspicious given the name alone, it didn’t actually serve anything malicious. Many times, it was just used to serve ads. One reason is that threat actors are “flying right” to establish the domain name’s history and reputation, two attributes web filters use to decide whether something is malicious. A URL with a clean reputation and a long, benign history is a more valuable spoof site in the long run because it is trusted. That decreases the chances it will get flagged and increases the chances that the criminals can safely use it as an effective phishing site later. They’re playing the long game.
Phishing via Domain Spoofing
We also discovered that 3 out of 4 look-alike sites with malicious content are used directly for phishing, as opposed to a cryptocurrency scam, counterfeit goods, or general malicious activity. Stolen credentials continue to be one of the top entry vectors for a criminal according to the 2023 Verizon Data Breach Investigations Report, so the connection makes sense.
As I stated, a URL with a benign history will likely get used because it increases the chances of bypassing existing web security controls. In this case, the threat actor hopes the victim lets their guard down long enough to enter their credentials into this “trusted” site, unknowingly handing the attacker an entryway into the network.
So, what kind of domains should we be on the lookout for? When it comes to scouring our inboxes, watch out for locations. Country code top-level domains (ccTLDs) make up the largest share of URLs used in phishing campaigns, at nearly 46% of the volume. Some of the top ones include:
- .PL – Poland
- .CO – Colombia
- .ID – Indonesia
- .FR – France
Of the bunch, .PL grew by a whopping 250% while .FR increased by an astounding 700%, so watch out for those.
Additionally, criminals constantly evolve and refine their attacks to make domain-based spoofing even more effective. Generative AI tools such as ChatGPT let them write phishing emails with perfect spelling and grammar in just about any language. Combine a perfectly crafted email with a region-specific URL and you get incredibly personal targeting that vastly improves an attacker’s chances.
eCommerce and Site Security Best Practices
Countries haven’t cornered the market on top-level domains, though. Newer TLDs include ecommerce-leaning ones like .app and .shop.
If you run an ecommerce site or plan to sell things online, consider registering your name under as many TLDs as you can (assuming they are available) to spare yourself potential trouble down the road. So, whether you use them or not, you’d own “widgetworld.io”, “widgetworld.net”, “widgetworld.shop”, and more. Get everything from .com to .shop and .info, making the cybercriminals choose the next greener pasture instead of yours. Bear in mind that defensive registration only covers exact spellings of your name; the letter-swap and Cyrillic variants described above can still be registered by anyone, so monitoring remains necessary. Also, educate your users. Let them know which domains are yours, and which are not.
This is just a high-level view of the findings we gathered in our latest report. Domain impersonation attacks are rampant because they are working. To combat them, security teams need visibility into the behavior of look-alike domains and must monitor them for incriminating evidence, using domain impersonation protection solutions like Fortra’s Agari so that threats are mitigated automatically. Alongside that, implement DMARC with a reject policy on all of your own domains, including the defensively registered ones that never send mail. Note that DMARC reject stops mail that forges your exact domains; it does nothing against a look-alike domain the attacker controls outright, which is why the monitoring matters. Only then will criminals move on to the next easiest target — the one that doesn’t monitor their domains.
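As an added example, not part of the report or of Agari, here is a small checker that reads a DMARC TXT record and lists the settings that still leave a domain spoofable, run against constructed weak, partially deployed and enforcing records, together with the records a defensively registered domain that never sends mail should publish. The widgetworld names, the reporting address and the record contents are assumptions.

```python
"""Check a DMARC TXT record for the gaps that leave a domain spoofable, and
emit the records a defensively registered, never-sending domain should publish.
Constructed example; the widgetworld.* names and record strings are assumptions."""
from typing import Dict, List

# Constructed DMARC records for the sending domain: the common weak setting,
# a half-deployed policy, and the enforcing one the page recommends.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@widgetworld.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@widgetworld.com"
STRICT = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@widgetworld.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    return tags


def enforcement_gaps(txt: str) -> List[str]:
    """Return the reasons this record does not fully reject spoofed mail (empty if it does)."""
    tags = parse_dmarc(txt)
    gaps: List[str] = []
    policy = tags.get("p", "none")
    if policy != "reject":
        gaps.append(f"p={policy}: receivers are not told to reject mail that fails DMARC")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        gaps.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    # The subdomain policy defaults to p, so sp only matters when it is set weaker.
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        gaps.append(f"sp={sub_policy}: mail spoofing a subdomain is not rejected")
    if "rua" not in tags:
        gaps.append("rua missing: no aggregate reports, so spoofing attempts go unseen")
    return gaps


def nonsending_domain_records(domain: str) -> Dict[str, str]:
    """TXT records for a look-alike domain you registered but will never send mail from:
    SPF with no permitted senders, DMARC reject, and an empty wildcard DKIM key so no
    selector can ever validate. Because rua points at a different domain, that domain
    must also publish <domain>._report._dmarc.widgetworld.com TXT "v=DMARC1" or
    receivers will ignore the report address."""
    return {
        domain: "v=spf1 -all",
        f"_dmarc.{domain}": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@widgetworld.com",
        f"*._domainkey.{domain}": "v=DKIM1; p=",
    }


if __name__ == "__main__":
    for name, record in (("weak", WEAK), ("partial", PARTIAL), ("strict", STRICT)):
        print(name, enforcement_gaps(record) or ["enforcing"])
    for host, txt in nonsending_domain_records("widgetworld.shop").items():
        print(f'{host} TXT "{txt}"')
```

Run it against the records your DNS actually serves (for example the output of `dig +short TXT _dmarc.example.com`) rather than the constructed strings; the common surprise is a domain that moved to p=reject years ago but still carries pct=10 or sp=none from the rollout.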