Tracking the Targets of 'Cybersquatting' Attacks
Users of Financial and E-Commerce Websites Are Frequent Victims

So-called “cybersquatting” attacks are surging, with financial and e-commerce websites – including those of PayPal, Royal Bank of Canada, Bank of America and Amazon – among the most frequent targets, according to Palo Alto Networks' Unit 42.
Cybersquatting is a type of fraud in which a minor change is made to a domain name to trick a consumer into believing they are visiting a legitimate website. The Unit 42 analysis found that in December 2019 alone, 13,857 squatting domains were registered, an average of 450 per day. Almost 19% of these delivered malware or phishing attacks, and just over 36% are considered high-risk because they are associated with malicious URLs or use bulletproof hosting.
The goal of these attacks is to extract login credentials or payment card data from their victims, says Zhanhao Chen, a senior staff researcher at Unit 42.
Cybercriminals leverage a brand's credibility to attract more users who can be scammed. One such example is PayPal. Cybercriminals attach keywords like 'secure' and 'verify' to the end of PayPal, giving the impression it's an official PayPal website, Chen tells Information Security Media Group.
The report points out organizations of all sizes are targeted in cybersquatting scams. Chen says cybercriminals might view a smaller bank, for example, as less able to defend its domain.
Why Squatting Attacks Work
Cybercriminals know most website visitors don't pay attention to URLs, and the number of potential fake domains that can be created “is almost infinite,” according to the report.
"Cybersquatting is an effective way to take advantage of user error and carelessness. Second, it's cheap for cybercriminals to come up with new squatting domains and register them," Chen says.
One way to combat the risk is for companies to register some of the more obvious domain names that could be used for cybersquatting, Chen notes.
"Second, they can leverage the Anticybersquatting Consumer Protection Act (ACPA) or ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) to take hold of the domains or have them taken down. Third, they can contract a cybersecurity vendor that continuously tracks squatting domains," Chen says.
The Techniques
Malicious actors are using a variety of techniques to trick consumers into believing a site is legitimate. The best known is typosquatting, where a domain is created using a well-known brand name that is misspelled in a manner likely to be missed by the average person.
"Typosquatters intentionally register misspelled variants (such as whatsalpp[.]com) of target domain names (whatsapp[.]com) to profit from users’ typing mistakes or to deceive users into believing that they are visiting the correct target domain," according to the Unit 42 report.
Other variants include:
- Combosquatting: When popular trademarks are combined with words such as “security” (netflix-payments[.]com);
- Homographsquatting: When domains take advantage of internationalized domain names, or IDNs, where Unicode characters are allowed (microsofŧ[.]com);
- Soundsquatting: Taking advantage of words that sound like variants of popular domains (4ever21[.]com for forever21[.]com);
- Bitsquatting: When domains differ in one character from the targeted legitimate domain (micposoft[.]com);
- Levelsquatting: Using domains that give the impression that they are controlled by a legitimate company (safety.microsoft.com.mdmfmztwjj.l6kan7uf04p102xmpq[.]bid).
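As an added defensive illustration (not code from the Unit 42 report or from this article), the following Python classifier sorts a candidate domain into the categories listed above. The brand list, keyword list and the confusable and sound-alike maps are constructed assumptions for the example; punycode (xn--) labels are decoded so IDN homographs can be inspected.

```python
# Constructed brand list, keywords and confusable/sound-alike maps; not from the Unit 42 report.
BRANDS = ["paypal", "microsoft", "whatsapp", "netflix", "forever21"]
KEYWORDS = ["secure", "verify", "payments", "login", "support"]
CONFUSABLES = {"\u0167": "t", "\u0131": "i", "\u03bf": "o", "\u0430": "a"}  # t-stroke, dotless i, Greek o, Cyrillic a
SOUND_ALIKES = {"4": "for", "2": "to", "u": "you"}


def decode_label(label):
    """Decode a punycode (xn--) label to Unicode so homograph characters can be compared."""
    try:
        return label.encode("ascii").decode("idna") if label.startswith("xn--") else label
    except UnicodeError:
        return label


def edit_distance_one(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def one_bit_flip(a, b):
    """True if a and b have equal length and differ in exactly one bit of one character."""
    if len(a) != len(b):
        return False
    diffs = [ord(x) ^ ord(y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and bin(diffs[0]).count("1") == 1


def classify(domain):
    """Return the squatting category a domain most resembles, or None for a brand's own domain."""
    labels = [decode_label(part) for part in domain.lower().split(".")]
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # second-level label, e.g. 'paypal' in paypal.com
    for brand in BRANDS:
        if sld == brand:
            return None
        if brand in labels[:-2]:
            return "levelsquatting"          # brand used as a subdomain of an unrelated registered domain
        if not sld.isascii() and "".join(CONFUSABLES.get(c, c) for c in sld) == brand:
            return "homographsquatting"
        if one_bit_flip(sld, brand):
            return "bitsquatting"            # checked before typos: a bit flip is also a one-character change
        if edit_distance_one(sld, brand):
            return "typosquatting"
        if any(sld.replace(k, v) == brand for k, v in SOUND_ALIKES.items()):
            return "soundsquatting"
        if brand in sld and any(k in sld.replace(brand, "") for k in KEYWORDS):
            return "combosquatting"
    return None
```

A monitoring pipeline would run this over newly registered domains (for example, from zone-file or certificate-transparency feeds) and flag any non-None result for review.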
Managing Editor Scott Ferguson contributed to this report.