Attackers using squatting domains of major brands to scam consumers


Cybercriminals take advantage of the central role that domain names play on the internet by registering names that look related to existing domains or brands, intending to profit from user mistakes; this practice is known as cybersquatting. Cybersquatting is not always malicious toward users, but squatting domains are often used, or later repurposed, for attacks.

Unit 42, the Palo Alto Networks threat intelligence team, found with its squatting-detector system that 13,857 squatting domains were registered in December 2019, an average of roughly 450 per day. Of these, 2,595 (18.59%) were confirmed malicious, typically distributing malware or hosting phishing pages, and 5,104 (36.57%) were classed as high-risk for visitors, meaning the domain had evidence of association with malicious URLs or used bulletproof hosting.

Palo Alto Networks also ranked the 20 most abused domains in December 2019 by adjusted malicious rate, a score that is high when a domain either has many squatting domains or has squatting domains that are mostly confirmed malicious. Domain squatters prefer profitable targets: mainstream search engines and social media, financial, shopping and banking websites, whose users can be phished or scammed out of credentials or money.

Figure 1: Top 20 most abused domains in December 2019

From December 2019 to date, Palo Alto Networks observed a variety of malicious domains with different objectives:

  • Phishing: A domain related to Wells Fargo (secure-wellsfargo[.]org) targeting customers to steal sensitive information, including email credentials and ATM PINs, and a domain related to Amazon (amazon-india[.]online) set up to steal user credentials, specifically targeting mobile users in India.
  • Malware distribution: A domain related to Samsung (samsungeblyaiphone[.]com) hosting Azorult malware to steal credit card information.
  • Command and control (C2): Domains related to Microsoft (microsoft-store-drm-server[.]com and microsoft-sback-server[.]com) serving as command-and-control infrastructure in attempts to compromise an entire network.
  • Re-bill scam: Several phishing sites related to Netflix (such as netflixbrazilcovid[.]com) set up to steal victims’ money: they first offer a small initial payment for a subscription to a product such as weight-loss pills, then, if the user does not cancel after the promotion period, charge a much higher amount, usually US$50-US$100, to the credit card.
Figure 3a: A fake Netflix main page hosted on netflixbrazilcovid[.]com
Figure 3b: Deceptive social engineering reward email.
  • Potentially unwanted program (PUP): Domains related to Walmart (walrmart44[.]com) and Samsung (samsungpr0mo[.]online) distributing PUPs such as spyware, adware or browser extensions, which typically make unwanted changes such as replacing the browser’s default page or hijacking the browser to insert ads. Notably, the Samsung domain is made to look like a legitimate Australian educational news website.
Figure 4: A fake virus scanning page after clicking on a warning message from samsungpr0mo[.]online
  • Technical support scam: Domains related to Microsoft (such as microsoft-alert[.]club) trying to scare users into paying for fake customer support.
Figure 5: A technical support scam page hosted on microsoft-alert[.]club
  • Reward scam: A domain related to Facebook (facebookwinners2020[.]com) luring users with fake rewards, such as free products or money. To claim the prize, users must fill out a form with personal information such as date of birth, phone number, occupation and income.
Figure 6: An application form on facebookwinners2020[.]com requesting personal information.
  • Domain parking: A domain related to RBC Royal Bank (rbyroyalbank[.]com) leveraging a popular parking service, ParkingCrew, to generate profit based on how many users land on the site and click the advertisements.

Unit 42 researchers studied five domain-squatting techniques: typosquatting (a label that differs from the brand by a common typing error, such as a dropped, doubled or swapped letter), combosquatting (the brand combined with extra words, such as secure-wellsfargo), level-squatting (the brand placed in a subdomain of an unrelated, attacker-controlled domain), bitsquatting (a label that differs from the brand by a single flipped bit, catching requests corrupted by memory errors) and homograph-squatting (visually similar characters substituted for letters in the brand). Attackers use these techniques to distribute malware or to run scams and phishing campaigns.

To detect squatting domains, Palo Alto Networks developed an automated system that captures emerging campaigns from newly registered domains and from passive DNS (pDNS) data. The system identifies malicious and suspicious squatting domains and assigns them to categories such as phishing, malware, C2 or grayware. Protections against domains in these categories are available in several Palo Alto Networks security subscriptions, including URL Filtering and DNS Security.
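The five techniques listed above, and the first step of a detector like the one described (deciding whether a newly registered or pDNS-observed name is a squat of a watched brand at all, before any malicious-content analysis), can be illustrated in code. The following is an added example and not Unit 42's system or data: the brand watch-list and the confusable-character table are constructed for the illustration, the classifier assumes a single-label public suffix (so it reads the registrable label as the second-to-last label and would need a public-suffix-list lookup for suffixes such as .co.uk), and the page's own example domains are used only as inputs.

```python
"""Classify a candidate domain by squatting technique against a brand watch-list,
and enumerate bit-flip (bitsquatting) candidates for a brand.
Added example; BRANDS and CONFUSABLES are constructed, not Unit 42's data."""
import re
import unicodedata

# Constructed watch-list: registrable labels of the brands to protect (no TLD).
BRANDS = ["paypal", "netflix", "microsoft", "amazon", "wellsfargo",
          "walmart", "samsung", "facebook", "rbcroyalbank"]

# Constructed, deliberately small table of characters that look like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0131": "i", "\u03bf": "o",                                # dotless ı, Greek ο
}
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")  # valid hostname characters


def deconfuse(label: str) -> str:
    """Return the ASCII string a user's eye would read for this label."""
    if label.startswith("xn--"):                        # IDNA/punycode form
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKC", label)        # fullwidth forms etc. -> ASCII
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return label.replace("rn", "m").replace("vv", "w")  # ASCII-only lookalikes


def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein (optimal string alignment) distance:
    insert, delete, substitute and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_single_bitflip(a: str, b: str) -> bool:
    """True if a and b differ in exactly one character and that character
    differs by exactly one bit (the signature of bitsquatting)."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    if len(diffs) != 1:
        return False
    v = ord(diffs[0][0]) ^ ord(diffs[0][1])
    return v != 0 and (v & (v - 1)) == 0              # exactly one bit set


def bitsquat_candidates(brand: str) -> set:
    """All single-bit-flip variants of `brand` that are still valid hostnames;
    useful for deciding what to pre-register or watch in pDNS."""
    out = set()
    for i, ch in enumerate(brand):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit))
            cand = brand[:i] + c + brand[i + 1:]
            if c in ALLOWED and cand != brand and not cand.startswith("-") and not cand.endswith("-"):
                out.add(cand)
    return out


def classify(domain: str, brands=BRANDS):
    """Return the squatting technique relating `domain` to a watched brand, or None.
    Assumes a single-label public suffix (e.g. .com); see lead-in for the caveat."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    label, subdomains = labels[-2], labels[:-2]
    if label in brands:
        return None                                     # the brand's own registrable label
    # level-squatting: brand appears in a subdomain of an unrelated registrable domain
    if any(brand in sub for sub in subdomains for brand in brands):
        return "level-squatting"
    seen = deconfuse(label)
    if seen != label and seen in brands:                # looks like the brand, is not
        return "homograph-squatting"
    if any(is_single_bitflip(label, brand) for brand in brands):
        return "bitsquatting"
    if any(osa_distance(label, brand) == 1 for brand in brands):
        return "typosquatting"
    if any(brand in label for brand in brands):
        return "combosquatting"
    # typo of the brand wrapped in digits or separators, e.g. walrmart44
    for token in re.split(r"[^a-z]+", label):
        if any(osa_distance(token, brand) == 1 for brand in brands):
            return "typosquatting"
    return None


if __name__ == "__main__":
    # Inputs taken from the article's examples plus constructed ones.
    for name in ["secure-wellsfargo.org", "amazon-india.online", "walrmart44.com",
                 "rbyroyalbank.com", "netfilx.com", "micrnsoft.com",
                 "p\u0430ypal.com", "secure.wellsfargo.com.attacker.net", "paypal.com"]:
        print(f"{name:40s} -> {classify(name)}")
```

Checks run in a fixed order (level, homograph, bit-flip, typo, combo) because a name can satisfy more than one test: a one-bit flip is also a one-character typo, and a combosquat of a brand is also a substring match. The bit-flip candidates for a brand are finite and small (a few dozen valid hostnames), which is why defenders can pre-register or explicitly watch them; typo and combo candidates are open-ended and are better handled by the distance and substring tests above.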

Palo Alto Networks recommends that enterprises block such domains and closely monitor their traffic, while consumers should type domain names carefully and confirm that a domain's owner is trustworthy before entering any site. For more tips on protecting against cyberattacks, see the site's related coverage.

For more details of this research, please visit the Unit 42 blog.

Related article: 86,600+ malicious COVID-19 domains registered in seven weeks
