Short-lived domain names, domains that are often only registered for a few hours, are a boon for cybercriminals and their phishing activities. Phishing is a huge cost to brands large and small, and even individuals. And short-lived domains, often registered in certain top-level domains where domains are either given away or with a low registry fee and bought in bulk through certain registrars.
The retail industry is particularly targeted with short-lived domains masquerading as popular brands and retail outlets, either with similar looking domain names or websites selling counterfeit goods. The individuals who fall for phishing scams by submitting information, or those who inadvertently install malicious applications, are the same people who contribute to a billion-dollar retail economy worldwide. They’re a key part of the phishing lifecycle.
A recent State of the Internet report from Akamai Technologies titled Phishing – Baiting the Hook looks at how phishing lures in its targets with what the report describes as “lures” and “landings”. “A lure gets the victim’s attention, by way of a warning, an urgent request, or some other message invoking a sense of alarm or concern. Once the lure works, the victim needs to land, and that is where the final phase of the attack happens.”
“The landing can be anything, including malicious attachments or links, a perfect clone of a bank’s website, a retail portal, or a simple form requesting information in exchange for some type of prize or reward.”
Most landing elements in any given phishing attack involve a platform, better known as a kit. For their report, Akamai focussed on phishing kits.
There are 2 types of phishing that Akamai describe: generic phishing attacks, of which botnets are part, which are a numbers game where the criminal blasts their lure out to thousands — sometimes tens of thousands — of potential victims; and spear phishing attacks that usually only target one person or a group (such as a retailer’s customer base or a group of activists). Sometimes spear phishing attacks target a whole company and are mistaken for generic phishing attacks at first. What sets them apart from generic attempts, however, are the granular details. Spear phishing is commonly seen in nation-state attacks, corporate espionage campaigns, and fraudulent financial attacks in which the ultimate goal isn’t basic information gathering, but something more destructive or consequential.
And here’s where domain names come into phishing. The report explains “sometimes phishing kits are uploaded to a compromised website. When this happens, the attacker has exploited a vulnerability in the website’s CMS or on the server itself. Hijacking a domain like this to host a phishing kit takes advantage of the URL’s positive reputation and age, which enables the attacker to remain hidden longer. In other instances, the criminal will choose to purchase a domain and hosting package of their own.”
The report notes how “age is important when phishing URLs are considered. Newly created domains — those that are less than a month old — are often flagged as suspicious by security products.”
Explaining how criminals take advantage of short-lived domains, researchers track domain registrations and report domains frequently if they raise any red flags. The criminals take advantage of top-level domain (TLD) sales at a given registrar, buying in bulk and rotating through their collection during a given phishing run. This allows them to keep operating even if one of their domains — or several of them — are taken down or flagged.
The financial benefits can be significant. The report notes how “in instances like these, a domain that lasts for a few days could yield hundreds of victims, but even those that only last a few hours still return net positive results to the criminal. This is because after the initial outlay of expenses (domains, phishing kits, and perhaps hosting), a criminal only needs a few victims to get their money back. Everything after that is pure profit.”
There’s a race that goes on between the criminals and security teams looking to shut down their operations. “Although security teams report phishing URLs regularly, some criminals choose web hosts and domains where those reports are simply ignored. Yet, as the data shows, most kits have a short life, and the window of opportunity for most phishing kits is growing smaller.”
“Over a 60-day period, Akamai observed more than 2,064,053,300 unique domains commonly associated with malicious activity. Of those, 89% had a lifespan of less than 24 hours, and 94% had a lifespan of less than three days.”
“Considering the phishing domains, notable short-lived TLDs such as .gq, .loan, and .tk have a median lifespan of 24 hours and mean lifespan of less than two days. Looking at the data, the availability of cheap name registration on TLDs such as these is a boon to criminals; it makes detection more difficult because the names live in traffic so briefly.
“The high number of .com domains with short lifespans can be attributed to names used for botnet traffic, with large numbers of new names used daily (most of which are not registered and so do not resolve).”