Digital Shadows published new research revealing that in the last four months, each of its clients experienced on average 360 domains impersonating their company and brand name – nearly 1,100 per year, on average. It also found that commercial phishing kits are commonly available in criminal marketplaces, many on the so-called ‘dark web’ for as little as $50 – cybercriminals just pick the brand they want to target, choose the domain or subdomain, and pay the fee to get their fraudulent website up and running.
In just the last four months, the Digital Shadows’ Photon Research Team flagged over 175,000 impersonating domains raised to its clients over four months of 2021. It analyzed five sectors in detail. At 20% of the total, financial services are the most impacted, followed by food & beverage (12%), technology (11%), insurance (6%) and healthcare (4%) and ‘other’ at 53%.
Financial Services was not just the most targeted sector but additionally had the highest likelihood of being used for criminal purposes. For instance, 87% of the domains analyzed had a DNS record associated with it which will make it appear more ‘official’. Furthermore 50% had MX records assigned to them, making them ready to send and receive phishing emails associated with that domain. Some 66% are hosting content which can include logos or other imagery designed to exploit a brand and their customers.
The food and beverage sector experienced a higher number of alerts per customer than any other with an average of almost 900 risky or impersonating domains over the four-month dataset analyzed (equivalent to 2700 per year). The research also found that this sector is the most likely to have domains with complete webpages associated with them, which are more likely to be used for brand impersonation. For instance, some 93% have a DNS record, 77% include content and 54% are set up with MX records.
According to the Internet Corporation for Assigned Names and Numbers (ICANN) there are some 1500 top level domains (TLDs) which can be bought and sold. This includes the most widely known extensions such as .com .org and .gov but also hundreds of less commonly used such as .pizza, .loans .health as well as extensions for every country in the word. This makes staying on top of domain registrations almost impossible for even the largest organizations.
Stefano De Blasi, threat researcher at Digital Shadows explains: “Our research found that setting up at impersonating domains is now easier than ever, and phishing kits and tutorials―both widely available on criminal forums―lower the access barrier even more. The domain name registration system is a ‘free for all’ and open to abuse. Domain name registrars will not ask any questions of anyone registering a similar URL to a brand and they have a list of 1,500 TLDs to choose from. It’s not practical for even the largest of organizations to buy every permutation of their brand(s). It’s also a difficult situation to monitor since our research found that very few suspected fake domains appear on threat feeds collated by security professionals.”
To help mitigate the issue, Digital Shadows recommends that organizations have a system in place to monitor for alterations of an original domain. A monitoring solution will inform organizations when new similar-looking domains are registered and update their security teams about any change in that website.
