Masked Sites Conceal Malicious Tricks Instead of Shopping Treats

Spoofed domains routinely target online shoppers to steal sensitive data according to Salt Lake City based Venafi, and a cybersecurity adviser warned credit union members are vulnerable as well.

Venafi, which provides machine identity protection, analyzed suspicious domains targeting the top 20 retailers in five key markets: the U.S., U.K., France, Germany and Australia. Their research revealed an explosion in the number of potentially fraudulent domains and they target every online retailer studied.

Cyberattackers create fake domains by substituting a few characters in the URLs. Because they point to malicious online shopping sites that mimic legitimate, well-known retail websites, it has become increasingly difficult for customers to detect the bogus domains. Additionally, given that many of these malicious pages use a trusted Transport Layer Security certificate, they appear to be safe for online shoppers who unknowingly provide sensitive account information and payment data thereby making them susceptible to phishing attacks and ID theft.

“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” Jing Xie, senior threat intelligence analyst for Venafi, said. “Because malicious domains now must have a legitimate TLS certificate to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. Despite significant advances in the best practices followed by certificate issuers, this is a really bad idea.”

Key research findings:

• The total number of certificates for lookalike domains is more than 200% greater than the number of authentic retail domains.
• Major retailers present larger targets for cybercriminals. One of the top 20 U.S. retailers has over 12,000 look-alike domains targeting their customers. Among the top 20 online German retailers, there are almost four times more look-alike domains than valid domains.
• The growth in lookalike domains appears connected to the availability of free TLS certificates. Venafi said 84% of the lookalike domains studied use free certificates from Let’s Encrypt.

“No organization should rely exclusively on certificate authorities to detect suspicious certificate requests,” Xie continued. For example, cyberattackers recently set up a look-alike domain for NewEgg, a website with over 50 million visitors a month. The spoofed domain used a trusted TLS certificate issued by a certification authority who followed all the best practices and baseline requirements. This phishing website helped cybercriminals steal account and credit card data for over a month before security researchers shut it down.

Although Venafi did not specifically cover financial services in this research they have extensive experience with finserv organizations and strongly suspect attackers target them as well using lookalike domains with valid TLS certificates. “Phishing sites that target PayPal, for example, are an epidemic. While there has been much less international coverage on small and regional financial institutions and credit unions, they are excellent targets for attackers looking to trick customers into providing valuable account data,” Xie warned. “As a matter of fact, smaller and regional firms can be more at risk because they have fewer resources focused on dealing with these kinds of problems.”

Venafi advised as the holiday shopping season approaches, there likely will be an increase in lookalike domains. The cybersecurity firm recommended several steps to protect their customers:

1. Search and report suspicious domains using Google Safe Browsing, an industry anti-phishing service that identifies and blacklists dangerous websites.
2. Report suspicious domains to the Anti-Phishing Working Group, an international voluntary organization that focuses on limiting cybercrime perpetrated through phishing.
3. Add Certificate Authority Authorization to the DNS records of domains and subdomains. CAA lets organizations determine which CAs can issue certificates for domains they own.
4. Leverage software packages to search for suspicious domains. Copyright infringement software may help retailers find malicious websites, stopping the unauthorized use of their logos or brands.

“Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future,” Xie concluded. “In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs.”