On average, a company sees 90 domains impersonating its business each month. These fake pages are set up by cybercriminals, or even state-sponsored threat actors, to conduct fraud. The financial sector is at the most significant risk, a report by digital risk protection company Digital Shadows showed.
Digital Shadows Photon Team analyzed a data set of more than impersonating domains raised to its clients over four months of 2021. Researchers found that each client saw around 90 domains mocking their company and brand name. That is nearly 1,100 impersonating domains per year, on average.
“Setting up one of these impersonating domains is now easier than ever, and phishing kits and tutorials ― both widely available on criminal forums ― lower the access barrier even more. With commercial phishing and site-building kits, like those offered by an online marketplace 16Shop, cybercriminals can pick the brand they want to target, choose the domain or subdomain, and pay as little as $50 to get their fraudulent website up and running,” researchers claim.
Financial services organizations face the most significant threat from impersonating domains. Healthcare and technology sectors are also heavily affected by this type of fraud.
Cybercriminals typically set up impersonating web pages to mimic legitimate, trusted organizations and conduct hostile activity. Attackers attempt to predict what typos people tend to make while typing a URL and then buy those misspelled domains to attract unintended visitor traffic and often conduct malicious activity.
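The typo-prediction described above is exactly what a brand-monitoring team can run in reverse: compare every newly observed domain against the protected brand and flag the lookalikes for blocking or takedown. The following is an added example written for this article, not Digital Shadows' or any vendor's code; the brand `example.com`, the `NEW_DOMAINS` feed and the homoglyph table are constructed for illustration.

```python
from __future__ import annotations

# Digit look-alikes commonly swapped into brand names. The map is lossy on purpose
# ('1' may stand for 'l' or 'i'); the edit-distance check below catches the rest.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts a swap of adjacent letters (exmaple) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain: str, brand: str, max_distance: int = 1) -> str | None:
    """Return why `domain` resembles `brand` (e.g. 'example.com'), or None.
    Simplification (assumption): the registrable label is taken to be the
    second-to-last label, so multi-part public suffixes such as co.uk are not handled."""
    brand_label, brand_tld = brand.lower().split(".", 1)
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld, subdomains = labels[-2], labels[-1], labels[:-2]
    if sld == brand_label:                       # our own domain or a subdomain of it
        return None if tld == brand_tld else "same name, different TLD"
    if "".join(HOMOGLYPHS.get(c, c) for c in sld) == brand_label:
        return "homoglyph substitution"
    dist = osa_distance(sld, brand_label)
    if dist <= max_distance:
        return f"typosquat (edit distance {dist})"
    if brand_label in sld:
        return "brand embedded in domain label"
    if brand_label in subdomains:
        return "brand used as a subdomain"
    return None

def triage(feed: list[str], brand: str) -> list[tuple[str, str]]:
    """Keep only the feed entries that warrant a blocking or takedown review."""
    return [(d, r) for d in feed if (r := classify(d, brand))]

# Constructed sample feed, e.g. new registrations or certificate-transparency hits
NEW_DOMAINS = ["example.com", "www.example.com", "examp1e.com", "exmaple.com", "example.co",
               "example-login.net", "example.com.secure-update.org", "sample.com"]
```

Running `triage(NEW_DOMAINS, "example.com")` returns five flagged domains with their reasons and leaves the brand's own hostnames and unrelated names such as `sample.com` alone.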
Why impersonate a domain?
The most common objective of setting up an impersonating domain is to collect employees' or customers' credentials. Fake web pages carry the brand's name and logos along with data-entry forms for the victim to fill in. Typically, such domains are the landing pages of links included in phishing emails or SMS messages that ask the victim to reset an expired password.
Criminals can then use access to sensitive accounts for simple things such as cable TV subscriptions, VPNs, or adult websites, or hang on to it, gather as many credentials as possible, and sell them to the highest bidder on dark-web markets. Personally identifiable information and financial data can be highly lucrative and are always in high demand on underground marketplace sites, Digital Shadows claims.
“We’ve observed a growing number of impersonating domains targeting cryptocurrency exchange services in the past few months. This trend isn’t shocking, given the high-profile presence of cryptocurrency in 2021; cryptocurrency wallets are highly valuable, and the market is volatile, making it a prime target for cybercriminals. We’ve noticed a teeming pool of phishing techniques to access wallets and drain them,” researchers noted in the paper.
Cybercriminals and nation-state actors sometimes also impersonate a domain to drop malware. This technique has proven effective.
“For example, security researchers observed the Vietnamese state-sponsored advanced persistent threat (APT) group OceanLotus creating and operating websites that would drop malware on the machines of site visitors, even as they gathered information about them. The OceanLotus campaign showed a degree of operational sophistication: Most of the websites’ content comprised legitimate news articles; only a few specific URLs redirected to malicious content,” Digital Shadows noted.
Periods of heightened uncertainty, such as presidential elections or the pandemic, give threat actors many opportunities to conduct social engineering campaigns through misinformation. Stressed and curious people can easily fall victim to such attacks.
What is more, impersonating domains can bring a huge added perk: access to a target network, which can open the door to a broader malicious campaign.
“Initial access brokers (IABs) often serve as the bouncers to that door by enabling access for the right price. They advertise access to the networks of vulnerable organizations they’ve attained, selling it to other threat actors, predominantly on criminal forums. This kind of access gives the buyer a conduit ― often via remote desktop protocol (RDP) or compromised VPN ― to unleash malicious activity on the victims’ networks,” researchers explained.