Scammers target cybersecurity brands

Wednesday, May 18, 2016 | Read Time: 4 min.

Cybersquatting, typosquatting and phishing now target the largest cybersecurity brands.


Introduction

Today, cybersquatting and related machinations with Internet domain names have become a very significant problem for the Internet and its users. OpenDNS reports that cybersquatters became more active during the US presidential campaign, trolling almost every candidate with hijacked or altered domain names. Celebrities like Mark Zuckerberg also fall victim to domain fraudsters.

The World Intellectual Property Organization (WIPO) reports continuous growth in domain cybersquatting, while cybercriminals aggressively use typosquatted domains to compromise inattentive users and infect them with malware, turning their mobile devices and computers into zombies. The Ponemon Institute has calculated that the annual cost of phishing for an average organization is more than $3.7 million. Meanwhile, Microsoft's latest Security Intelligence Report says that phishing and related malicious activities are skyrocketing.


Cybersecurity Industry Brands Under Fire

Last week our attention was drawn to the SC Magazine article "Scammers impersonate legit cyber-security companies", which describes fraudulent domains pretending to belong to legitimate cybersecurity companies.

We decided to perform some quick research to understand how serious the problem actually is. For this purpose, we analyzed the domains of the leading cybersecurity companies in NASDAQ's NQCYBR index, as well as a few private but well-known cybersecurity companies. We used our Domain Security Radar for this, a free online service designed to detect cybersquatting, typosquatting and phishing domains for a particular brand or Internet domain.

Among numerous cybersquatted and typosquatted domains we have found, we can distinguish five main categories of domains:

  • Domain Squatting

    Domain is registered, but is not used, or hosts an empty website.

  • Traffic Theft

    Domain is registered and is being used to redirect visitors to third-party website(s).

  • Brand Theft

    Domain is registered, website leverages or simulates the original brand, or a part of it, to associate with the legitimate brand, while offering its own goods and services.

  • Malicious Activities

    Domain is registered and is being used for phishing, redirection to competitor’s website, malware delivery or any other harmful or unlawful activities.

  • Unknown

    Purpose of the domain registration is not clear or cannot be confirmed.

The most frequent case is traffic theft, followed by malicious domain usage in second place and domain squatting in third:

Diagram 1: Domains usage statistics


From Innocent Squatting to Malware Infection

Country-code or altered domains of famous cybersecurity brands, like "akamai.ru", "junipernetworks.cn", "kasperskysupport.com" or "ciscogroup.com", are being squatted by scammers who try to resell them, parasitizing on the original brand's value.

Some domains with visual mutations, like "junlper.net" (which looks exactly like the original brand name when written in CAPS), were used for phishing in the past; now, however, "junlper.net" seems to be operated by Kaspersky (according to its IP history), which probably uses it to gather threat intelligence.

Other domains try to create the impression of being a legitimate part of the brand. "baesystemsstore.com", owned by a private person with an aol.com email address and a PO Box address, hosts a web shop selling goods unrelated to the original brand.

Some domains, like "lifelock.org", which is registered via a proxy, are live and even have a valid SSL certificate, yet have nothing to do with the original brand. The website in question appears to resell the original LifeLock services via their affiliate program, using the following tracking URL pointing to the original LifeLock website:
'https://store.lifelock.com/enrollment?promocode=ORG30&cid=aff_fingerflip_'

A similar story applies to "paloaltonetworks.cz", which redirects users to the website of a Fortinet reseller, a direct competitor of Palo Alto Networks. Owned by a private company in Praha, the domain has nothing to do with the Palo Alto brand.

More dangerous cases are websites like "trendmicrow.com", which collects personal data from Trend Micro customers while pretending to be Trend Micro support. A Symantec domain with a typo, "sytmantec.com", redirects users to random websites hosting adult content and malware.
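The mutation classes behind the domains named above (look-alike glyphs, inserted characters, brand-plus-keyword affixes and alternative TLDs) can be enumerated for a brand you want to monitor and matched against newly observed registrations. The Python below is an added example, not code from the post or from Domain Security Radar; its homoglyph and affix tables are constructed assumptions, and the sample registrations are drawn from the domains the post quotes.

```python
from __future__ import annotations

# Mutation classes seen in the post: look-alike glyph ("junlper"), inserted
# character ("trendmicrow", "sytmantec"), brand plus keyword ("ciscogroup",
# "kasperskysupport") and a country/alternative TLD ("akamai.ru").
# The tables below are constructed for this example; extend them for real use.
HOMOGLYPHS = {"i": ("l", "1"), "l": ("i", "1"), "o": ("0",), "m": ("rn",), "w": ("vv",)}
AFFIXES = ("support", "store", "group", "networks", "login", "secure")
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def candidates(label: str) -> dict[str, set[str]]:
    """Generate look-alike labels for a brand label, keyed by mutation class."""
    out: dict[str, set[str]] = {
        "homoglyph": set(), "insertion": set(), "omission": set(),
        "transposition": set(), "affix": set(),
    }
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, ()):
            out["homoglyph"].add(label[:i] + sub + label[i + 1:])
        out["omission"].add(label[:i] + label[i + 1:])
        if i + 1 < len(label):
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
    for i in range(len(label) + 1):
        for c in LETTERS:
            out["insertion"].add(label[:i] + c + label[i:])
    for a in AFFIXES:
        out["affix"].update({label + a, a + label, label + "-" + a})
    for s in out.values():  # drop anything that collapsed back onto the genuine label
        s.discard(label)
    return out


def classify(observed: str, brand: str, brand_tld: str) -> str | None:
    """Return the mutation class that maps brand.brand_tld onto observed, or None."""
    label, _, tld = observed.lower().rpartition(".")
    if label == brand:
        return "tld" if tld != brand_tld else None
    for cls, variants in candidates(brand).items():
        if label in variants:
            return cls
    return None


def triage(observed: list[str], brand: str, brand_tld: str = "com") -> dict[str, str]:
    """Keep only registrations that look derived from the brand, with their class."""
    hits = {d: classify(d, brand, brand_tld) for d in observed}
    return {d: c for d, c in hits.items() if c is not None}


if __name__ == "__main__":
    # Constructed watch list; the first three are domains quoted in the post.
    SEEN = ["junlper.net", "junipernetworks.cn", "juniper.net", "jun1per.net"]
    print(triage(SEEN, "juniper", "net"))
```

Matches flagged here still need the manual review the post describes (live site, redirect target, WHOIS) before a registration is placed in one of the five usage categories.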

Here are the detailed statistics for each of the cybersecurity companies (percentages are the share of each category among the squatted domains found for that brand):

Company             Total Alerts  Domain Squatting  Traffic Theft  Brand Theft  Malicious Activities  Unknown
Akamai              62            1.6%              85.4%          8%           5%                    0%
AVG                 43            2.3%              83.7%          0%           14%                   0%
BAE Systems         32            0%                75%            3.1%         21.9%                 0%
Barracuda Networks  124           8%                88.7%          0%           3.3%                  0%
Check Point         104           12.5%             87.5%          0%           0%                    0%
Cisco               172           20.4%             72.7%          0%           6.4%                  0.5%
Cyberark            17            0%                100%           0%           0%                    0%
F5 Networks         32            0%                96.8%          0%           3.2%                  0%
FireEye             29            6.9%              89.6%          0%           3.5%                  0%
Fortinet            56            7.1%              89.2%          0%           3.7%                  0%
Gemalto             13            7.6%              77.2%          0%           7.6%                  7.6%
Imperva             14            0%                92.8%          0%           7.2%                  0%
Infoblox            44            0%                100%           0%           0%                    0%
Juniper Networks    65            4.6%              90.8%          0%           4.6%                  0%
Kaspersky           59            3.3%              86.4%          0%           8.7%                  1.6%
LifeLock            47            0%                91.4%          4.2%         4.4%                  0%
NetScout Systems    26            0%                92.3%          0%           7.7%                  0%
Palo Alto Networks  24            4.1%              83.3%          0%           12.6%                 0%
Proofpoint          19            0%                84.2%          0%           15.8%                 0%
Qualys              25            0%                88%            4%           8%                    0%
Radware             42            0%                97.6%          0%           2.4%                  0%
Rapid7              17            0%                88.2%          0%           11.8%                 0%
Splunk              43            2.3%              88.3%          0%           9.4%                  0%
Symantec            83            2.4%              75.9%          0%           21.7%                 0%
Trend Micro         11            0%                54.5%          0%           36.3%                 9.2%
Secureworks         14            0%                78.5%          0%           14.4%                 7.1%

Ilia Kolochenko, High-Tech Bridge’s CEO, says:

Unfortunately, the lack of international cooperation and jurisprudence enables fraudsters to make easy money on various illegal or at least unethical operations with domains. Even cybersecurity companies are being targeted these days, not only financial institutions or luxury brands.

The biggest concern is that relatively harmless techniques such as typosquatting and cybersquatting are now being aggressively used paired with phishing and drive-by-download attacks.

At High-Tech Bridge, as part of our continuous effort to make the Web safer, we have created the Domain Security Radar service to enable anyone to track illicit activities against a brand or a domain name.


High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.
