- by David Goldstein -
Almost 14,00 domain names were registered by cybercriminals in December 2019 that appeared to be related to existing domain names or brands, with the intent of profiting from user mistakes. This is known as cybersquatting.
In a report from Palo Alto Networks’ Unit 42, the security company’s squatting detector system discovered 13,857 squatting domains were registered in the month, an average of 450 per day. Palo Alto Networks found 2,595 (18.59%) squatted domain names were malicious, often distributing malware or conducting phishing attacks, and 5,104 (36.57%) cybersquatting domains studied presented a high risk to users visiting them, meaning they have evidence of association with malicious URLs within the domain or are utilising bulletproof hosting.
In their report released in September 2020, Palo Alto Networks ranked the Top 20 most abused domains in December 2019 based on an adjusted malicious rate, which means that a domain is either a target of many squatting domains or most of these squatting domains are confirmed malicious. They found cybersquatters prefer profitable targets, such as mainstream search engines and social media, financial, shopping and banking websites. When visiting these sites, users are often prepared to share sensitive information, which opens them up to phishing and scams to steal sensitive credentials or money if they can be deceived into visiting a squatting domain instead.
The top brand found to be the target of the malicious cybersquatters was PayPal.com with an “adjusted malicious rate” of around 70% followed by Apple.com (58%), RoyalBank.com, Netflix.com, LinkedIn.com and Amazon.com, all with an “adjusted malicious rate” of around 38%. In their top 20 domains, the only non-.coms were panda.tv, shopee.tw and suddenlink.net, all with an “adjusted malicious rate” of around 22%.
There were 8 types of malicious domains observed by Palo Alto Networks observed from December 2019 to August 2020: phishing, malware distribution, Command and Control (C2), re-bill scams, potentially unwanted programmes (PUP), technical support scams, reward scams and even domain parking.
Among these there were 6 types of squatting techniques: typosquatting (domain names deliberately registered with typographical errors), combosquatting (combining popular trademarks with words such as “security,” “payment” or “verification”), homographsquatting (taking advantage of internationalised domain names), soundsquatting (domains taking advantage of homophones or words that sound alike), bitsquatting (domains have a character that differs in one bit or character) and levelsquatting (include the targeted brand’s domain name as a subdomain).
In their concluding summary, Palo Alto Networks note cybersquatting techniques leverage the fact that users rely on domain names to identify brands and services on the internet. These squatting domains are often used for nefarious activities, including phishing, malware and PUP distribution, C2 and various scams. A high rate of malicious and suspicious usage among squatting domains was observed. As a result they recommend continuous monitoring and analysis of these domains to protect users.
Palo Alto Networks also recommends enterprises block and closely monitor traffic from these abused domain names, while consumers should make sure that they type domain names correctly and double-check that the domain registrants are trusted before entering any site.