Scammers target cybersecurity brands
Cybersquatting, typosquatting and phishing now target the largest cybersecurity brands.
Today, cybersquatting and related machinations with Internet domain names have become a very significant problem for the Internet and its users. OpenDNS claims that cybersquatters are becoming more active during the US presidential campaign, trolling almost every candidate with hijacked or altered domain names. Celebrities like Mark Zuckerberg also fall victim to domain fraudsters.
The World Intellectual Property Organization (WIPO) reports continuous growth in domain cybersquatting, while cybercriminals aggressively use typosquatted domains to compromise and infect inattentive users with malware, turning their mobile devices and computers into zombies. The Ponemon Institute has calculated that the annual cost of phishing for an average organization is more than $3.7 million. Meanwhile, Microsoft’s latest Security Intelligence Report says that phishing and related malicious activities are skyrocketing.
Cybersecurity Industry Brands Under Fire
Last week our attention was drawn to the SC Magazine publication “Scammers impersonate legit cyber-security companies”, which discusses fraudulent domains pretending to be legitimate cybersecurity companies.
We decided to perform a quick piece of research to understand how serious the problem actually is. For this purpose, we analyzed the domains of the leading cybersecurity companies from NASDAQ’s NQCYBR index, as well as a few private but well-known cybersecurity companies. We used our Domain Security Radar, a free online service designed to detect cybersquatting, typosquatting and phishing domains for a particular brand or Internet domain.
Among numerous cybersquatted and typosquatted domains we have found, we can distinguish five main categories of domains:
- Domain Squatting
Domain is registered, but is not used, or hosts an empty website.
- Traffic Theft
Domain is registered and is being used to redirect visitors to third-party website(s).
- Brand Theft
Domain is registered, website leverages or simulates the original brand, or a part of it, to associate with the legitimate brand, while offering its own goods and services.
- Malicious Activities
Domain is registered and is being used for phishing, redirection to competitor’s website, malware delivery or any other harmful or unlawful activities.
Purpose of the domain registration is not clear or cannot be confirmed.
Traffic theft is the most frequent case, malicious usage of the domain comes second and plain domain squatting third:
Diagram 1: Domains usage statistics
From Innocent Squatting to Malware Infection
Country-code or altered domains of famous cybersecurity brands, like "akamai.ru", "junipernetworks.cn", "kasperskysupport.com" or "ciscogroup.com", are squatted by scammers who try to resell them, parasitizing on the value of the original brand.
Some domains with visual mutations, like "junlper.net" (which looks identical to the original brand name written in capitals), were used for phishing in the past, but now appear to be operated by Kaspersky (according to IP history), which probably uses them to gather threat intelligence.
Other domains try to create the impression of being a legitimate part of the brand. "baesystemsstore.com", owned by a private person with an aol.com email address and a PO Box address, hosts a web shop selling goods unrelated to the original brand.
Some domains, like "lifelock.org", which is registered via a proxy, are live and even have a valid SSL certificate, yet have nothing to do with the original brand. The website in question seems to resell the original LifeLock services via its affiliate program, using the following tracking URLs pointing to LifeLock's own website:
A similar story applies to "paloaltonetworks.cz", which redirects users to the website of a Fortinet reseller, a direct competitor of Palo Alto Networks. Owned by a private company in Praha, the domain has nothing to do with the Palo Alto brand.
More dangerous cases are websites like "trendmicrow.com", which collects personal data from Trend Micro customers while pretending to be Trend Micro support. A Symantec domain with a typo, "sytmantec.com", redirects users to random websites hosting adult content and malware.
Here are detailed statistics for each of the cybersecurity companies:
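The lookalikes above fall into a few mechanical patterns: the brand's own label under another TLD, a visual mutation that survives uppercasing ("junlper"), a one-character typo ("sytmantec", "trendmicrow") and the brand embedded in a longer label ("kasperskysupport", "ciscogroup"). The following added example (not High-Tech Bridge's code and not the Domain Security Radar implementation) triages a constructed feed of observed registrations against a brand list and labels each hit with the pattern it matches. The brand-to-official-domain mapping and the feed are assumptions built from the names in this post.

```python
"""Lookalike-domain triage for brand monitoring.

Added example, not High-Tech Bridge's code. It checks a constructed feed of
observed registrations against a brand list and labels each hit with the kind
of deviation found: same label under another TLD, a visual mutation
(homoglyph), a one-character typo, or the brand embedded in a longer label.
"""

# Brand label -> official domain. Assumed values for the example; the official
# domain is skipped so the brand's own site is never flagged.
BRANDS = {
    "akamai": "akamai.com",
    "juniper": "juniper.net",
    "kaspersky": "kaspersky.com",
    "cisco": "cisco.com",
    "baesystems": "baesystems.com",
    "lifelock": "lifelock.com",
    "paloaltonetworks": "paloaltonetworks.com",
    "trendmicro": "trendmicro.com",
    "symantec": "symantec.com",
}

# Constructed feed: the lookalikes named in the post plus two benign names.
OBSERVED = [
    "akamai.ru", "junlper.net", "kasperskysupport.com", "ciscogroup.com",
    "baesystemsstore.com", "lifelock.org", "paloaltonetworks.cz",
    "trendmicrow.com", "sytmantec.com", "juniper.net", "example.org",
]

# Character groups that look alike in common fonts, folded to one canonical
# form. Multi-character folds run first.
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]

# Typo matching only for brands at least this long; short names such as
# "cisco" sit one edit away from ordinary words and would flood the queue.
MIN_TYPO_LEN = 6


def second_level_label(domain):
    """Return the registrable label, e.g. 'sytmantec' for 'sytmantec.com'.
    Simplification: multi-part public suffixes such as .co.uk are not handled."""
    return domain.lower().rstrip(".").split(".")[0]


def fold_homoglyphs(label):
    """Map visually confusable characters to a canonical form so that
    'junlper' and 'juniper' compare equal."""
    for src, dst in HOMOGLYPH_FOLDS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS):
    """Return (brand, reason) for a lookalike, or None if no brand matches."""
    domain = domain.lower().rstrip(".")
    if domain in brands.values():
        return None  # the brand's own registration
    label = second_level_label(domain)
    folded = fold_homoglyphs(label)
    for brand in sorted(brands):
        if folded == fold_homoglyphs(brand):
            if label == brand:
                return (brand, "same label, different TLD")
            return (brand, "homoglyph")
        if len(brand) >= MIN_TYPO_LEN and levenshtein(label, brand) == 1:
            return (brand, "typo")
        if brand in label:
            return (brand, "brand embedded")
    return None


def scan(domains, brands=BRANDS):
    """Triage a feed of domains; returns {domain: (brand, reason)} for hits only."""
    hits = {}
    for d in domains:
        result = classify(d, brands)
        if result:
            hits[d] = result
    return hits


if __name__ == "__main__":
    for d, (brand, reason) in scan(OBSERVED).items():
        print(f"{d:24s} -> {brand:18s} {reason}")
```

The rules are ordered from most to least specific so that "trendmicrow" is reported as a typo rather than as an embedded brand. Which category a hit belongs to in the taxonomy above (traffic theft, brand theft, malicious activity) still requires resolving the domain and inspecting what it serves; this script only produces the candidate queue for that review.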
| Company | Total Alerts | Test Results |
|---|---|---|
| Palo Alto Networks | 24 | View |
Ilia Kolochenko, High-Tech Bridge’s CEO, says:
“Unfortunately, lack of international cooperation and jurisprudence enable fraudsters to make easy money on various illegal or at least unethical operations with domains. Even cybersecurity companies are being targeted these days, not only financial institutions or luxury brands.
The biggest concern is that relatively harmless techniques such as typosquatting and cybersquatting are now being aggressively used in pair with phishing and drive-by-download attacks.
At High-Tech Bridge, as a part of our continuous effort to make the Web safer, we have created the Domain Security Radar service to enable anyone to track illicit activities against a brand or a domain name.”