Virtual squatting with cybersquatting
Cybersquatting attacks mimic the domains of well-known brands like Facebook, Apple, Amazon, and Netflix in order to deceive and defraud consumers.
A squatter is someone who occupies property that is not theirs, and cybersquatters are not too strict about legality either. Squatting domains are intended to confuse users into believing that the targeted brands (like Netflix) own those domain names (like netflix-payments[.]com), or to take advantage of users’ typographical errors (like whatsapp[.]com for WhatsApp). Squatting domains are widely used for attacks.
Palo Alto Networks’ squatting detection system discovered that 13,857 squatting domains were registered in December 2019, an average of 450 per day. The researchers found that 2,595 (18.59 percent) of these squatting domains are malicious and often spread malware or carry out phishing attacks. A further 5,104 (36.57 percent) of the squatting domains examined pose a high risk to the users who visit them, for example because they are associated with malicious URLs under the same domain or use bullet-proof hosting.
Palo Alto Networks ranked the top 20 most abused domains in December 2019 based on the adjusted malware rate, which means that a domain is either associated with many squatting domains or that most of its squatting domains are proven to be malicious. The researchers found that domain squatters prefer profitable targets such as mainstream search engines and social media, financial, shopping, and banking websites. Users of these sites become targets for phishing and scams designed to steal sensitive credentials or money.
From December 2019 until today, researchers have observed a multitude of malicious domains with different goals:
- Malware Distribution: A Samsung-related domain hosts the Azorult malware, which is designed to steal credit card information.
- Command-and-Control (C2): Domains related to Microsoft attempt to carry out C2 attacks to compromise an entire network.
- Re-bill Scam: Several Netflix-related phishing websites run re-billing scams. They first offer a small initial payment for a subscription to a product like weight loss pills. However, if users don’t cancel their subscription after the promotional period, their credit cards are charged a much higher amount, typically $50 to $100.
- Potentially Unwanted Programs: Domains related to Walmart and Samsung distribute potentially unwanted programs such as spyware, adware, or browser extensions. These usually make unwanted changes, such as changing the browser’s default page or hijacking the browser to insert advertisements. Of note, the Samsung domain looks like a legitimate Australian educational news website.
- Technical Support Scam: Microsoft-related domains attempt to trick users into paying for fake customer support.
- Reward Scam: A domain related to Facebook scams users with rewards such as free products or money. To get the prize, users have to fill out a form with their personal information like date of birth, phone number, occupation, and income.
- Domain Parking: A domain targeting RBC Royal Bank uses a popular parking service, ParkingCrew, to generate profit based on the number of users landing on the website and clicking on the advertisements.
Palo Alto Networks researchers examined domain squatting techniques such as typosquatting, combosquatting, level squatting, bitsquatting, and homograph squatting. Malicious actors can use these techniques to spread malware or run fraud and phishing campaigns.
To track down squatting domains, Palo Alto Networks has developed an automated system that captures emerging campaigns from newly registered domains as well as from passive DNS (pDNS) data. Palo Alto Networks identifies malicious and suspicious squatting domains and assigns them to the appropriate categories, e.g. phishing, malware, C2, or grayware.
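The five techniques named above can be told apart mechanically. The following classifier is an added illustration, not Palo Alto Networks’ pipeline; the BRANDS set, the HOMOGLYPHS table and the sample domains are constructed placeholders. It flags a candidate label as a homograph (confusable characters fold to the brand), a bitsquat (one bit flip away), a typosquat (one edit away), a level squat (brand used as a subdomain label) or a combosquat (brand plus extra tokens).

```python
"""Classify candidate domains by the squatting technique they appear to use.
Added illustration, not Unit 42's pipeline; BRANDS and HOMOGLYPHS are constructed."""

# Constructed set of protected brand domains (placeholder, extend as needed).
BRANDS = {"netflix.com", "whatsapp.com", "microsoft.com", "samsung.com"}
# Cyrillic letters that render like Latin ones: the basis of homograph squatting.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}
LDH = "abcdefghijklmnopqrstuvwxyz0123456789-"   # valid hostname characters

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typosquat is one edit away from the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bit_flips(label: str) -> set:
    """Labels reachable by flipping one bit in one byte (bitsquatting targets)."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(7):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LDH:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def classify(domain: str) -> str:
    """Return the squatting technique that best explains `domain`, or 'none'."""
    labels = domain.lower().split(".")
    if len(labels) < 2:
        return "none"
    sld = labels[-2]                              # label directly left of the TLD
    if sld.startswith("xn--"):                    # punycode: decode to Unicode first
        sld = sld.encode("ascii").decode("idna")
    for brand in BRANDS:
        b_sld = brand.split(".")[0]
        folded = "".join(HOMOGLYPHS.get(c, c) for c in sld)
        if folded == b_sld and folded != sld:
            return "homograph"
        if sld == b_sld:
            continue                              # the brand's own domain
        if sld in bit_flips(b_sld):
            return "bitsquatting"
        if edit_distance(sld, b_sld) == 1:
            return "typosquatting"
        if b_sld in labels[:-2]:                  # brand used as a subdomain label
            return "level squatting"
        if b_sld in sld:                          # brand plus extra tokens
            return "combosquatting"
    return "none"
```

Running the classifier over a newly-registered-domain feed and routing each hit to the appropriate review queue is the defender's counterpart to the detection pipeline described in the text.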
Palo Alto Networks recommends that companies block these domains and closely monitor their traffic, while consumers should make sure they enter domain names correctly and verify that the domain owners can be trusted before visiting websites.
In summary, domain squatting techniques take advantage of the fact that users rely on domain names to identify brands and services on the Internet. These squatting domains are widely used for activities like phishing, malware and PUP distribution, C2, and various scams. A high rate of malicious and suspicious usage has been observed among squatting domains. Therefore, continuous monitoring and analysis of these domains is necessary to protect users.
Palo Alto Networks monitors newly registered domains and newly observed hostnames from pDNS and zone files to track emerging squatting campaigns. The automated pipeline publishes the domains it detects to URL Filtering and DNS Security under the appropriate category, including malware, phishing, C2, or grayware. When analyzing the squatting ecosystem, the researchers found that domain squatters prefer certain types of target domains, registrars, hosting services, and certificate authorities.
The following attributes are common to dangerous squatting domains:
- Domain names targeting popular finance, shopping, and banking domains.
- Domains registered through frequently abused registrars and hosting services.
- Domains that do not have fully validated SSL certificates.
Therefore, Palo Alto Networks advises all users to be careful when handling these domains.