Malicious URLs increasingly spoofing popular online sites

A spoofed Amazon India site.
PHOTO: Palo Alto

According to a new security report from Palo Alto Networks' threat intelligence team, Unit 42, cybercriminals have increasingly been mimicking the domains of major brands including Facebook, Apple, Amazon and Netflix to scam consumers over the past few months.

From Dec 2019 to date, 13,857 squatting domains were registered, and Unit 42 found that more than 55 per cent of them were malicious or high-risk to users.

The top 20 abused domains included brands such as Amazon India, Apple, Microsoft, Facebook and Shopee Taiwan.

How it works

Users on the internet rely on domain names like www.facebook.com, www.shopee.sg, www.lazada.com and www.amazon.sg to find brands, services, professionals and personal websites.

To take advantage of this, cybercriminals have been cybersquatting: registering domain names that appear related to existing domains or brands, with the intent of profiting from user mistakes.

Unit 42 observed that the malicious URLs served several different goals:

  • Phishing: A domain mimicking Amazon (amazon-india.online) set up to steal user credentials, specifically targeting mobile users in India.
  • Malware distribution: A domain mimicking Samsung (samsungeblyaiphone.com) hosting Azorult malware to steal credit card information.
  • Command and control (C2): Domains mimicking Microsoft (microsoft-store-drm-server.com and microsoft-sback-server.com) attempting to conduct C2 attacks to compromise an entire network.
  • Re-bill scam: Several phishing sites mimicking Netflix (such as netflixbrazilcovid.com) set up to steal victims’ money by first offering a small initial payment for a subscription to a product like weight loss pills. However, if users don’t cancel the subscription after the promotion period, a much higher cost will be charged to their credit cards, usually US$50-100.
  • Potentially unwanted program (PUP): Domains mimicking Samsung (samsungpr0mo.online) distributing PUPs, such as spyware, adware or a browser extension. They usually perform unwanted changes, like changing the browser’s default page or hijacking the browser to insert ads. Of note, the Samsung domain looks like a legitimate Australian educational news website.
  • Technical support scam: Domains mimicking Microsoft (such as microsoft-alert.club) trying to scare users into paying for fake customer support.
  • Reward scam: A domain mimicking Facebook (facebookwinners2020.com) scamming users with rewards, such as free products or money. To claim the prize, users need to fill out a form with their personal information such as date of birth, phone number, occupation and income.
  • Domain parking: A domain mimicking RBC Royal Bank (rbyroyalbank.com) leveraging a popular parking service, ParkingCrew, to generate profit based on how many users land on the site and click the advertisements.
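The registration patterns listed above (brand plus filler words, digit-for-letter swaps such as "pr0mo", one-character slips such as rbyroyalbank, the right name on the wrong TLD) can be screened for mechanically. The Python below is an added illustration written for this article, not Unit 42's tooling; the brand list follows the report, while the allowlist of genuine domains, the two-level suffix set and the amazon.tk sample are constructed assumptions.

```python
# Brand labels named in the report; the allowlist of genuine domains and the
# two-level public-suffix set are constructed for this example (assumptions).
BRANDS = {"amazon", "apple", "microsoft", "facebook", "netflix", "samsung", "shopee", "rbcroyalbank"}
LEGIT = {"amazon.sg", "amazon.in", "facebook.com", "shopee.sg", "lazada.com", "rbcroyalbank.com"}
SUFFIXES = {"co.uk", "com.au"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def registrable(hostname):
    """Split 'www.amazon-india.online' into ('amazon-india', 'online')."""
    labels = hostname.lower().strip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in SUFFIXES else 2
    return labels[-n], ".".join(labels[-n + 1:])

def edit_distance(a, b):
    """Levenshtein distance (single-character substitutions, insertions, deletions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, brands=BRANDS, legit=LEGIT):
    """Return (verdict, brand): legitimate, tld-squat, combosquat, typosquat or unknown."""
    label, suffix = registrable(hostname)
    if f"{label}.{suffix}" in legit:
        return "legitimate", label
    # Undo 'pr0mo'-style digit swaps and strip separators before comparing.
    norm = label.translate(LEET).replace("-", "").replace("_", "")
    for brand in sorted(brands, key=len, reverse=True):  # longest first: a brand containing another wins
        if norm == brand:
            return "tld-squat", brand    # exact name on an unexpected TLD (constructed sample: amazon.tk)
        if brand in norm:
            return "combosquat", brand   # brand plus filler, e.g. amazon-india, microsoft-alert
    for brand in brands:
        if edit_distance(norm, brand) <= 1:
            return "typosquat", brand    # one-character slip, e.g. rbyroyalbank vs rbcroyalbank
    return "unknown", ""

if __name__ == "__main__":
    for host in ["www.amazon.sg", "amazon-india.online", "samsungpr0mo.online",
                 "microsoft-alert.club", "rbyroyalbank.com", "amazon.tk"]:
        print(f"{host:28} {classify(host)}")
```

A real deployment would swap the hand-written allowlist for the organisation's own domain inventory and the suffix set for the Public Suffix List.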

Staying safe and secure

Staying safe isn’t just an option. It is the only way forward if you want to be able to continue transacting online.

We spoke to Vicky Ray, Principal Researcher at Unit 42, Palo Alto Networks, for some recommendations that consumers can follow:

  • Check for any possible typos in URLs and domain names
  • Be extra careful when online advertisements redirect you to different landing pages - they may look legitimate but could very well be using one of the cybersquatting techniques as described in the blog.
  • Do not trust a website just because it has a certificate from a trusted certificate authority (CA). Many malicious campaigns are using legitimate certificates from well-known CAs.
  • Be cautious of campaigns which may seem too good to be true
  • If in doubt, verify domains/URLs on various online WHOIS lookup services to check on registration data.
  • Always utilise two-factor authentication/multi-factor authentication (2FA/MFA) if the option is available from the service provider.

This article was first published in Hardware Zone.
