Monday, 9 May 2022

Branded domains are the focal point of many phishing attacks

As a long-established online attack strategy, phishing remains a popular tool for fraudsters because of its effectiveness. The Anti-Phishing Working Group reported more than 300,000 distinct phishing attacks in December 2021 - more than three times the number reported in early 2020, and the highest monthly total ever identified[1].

Classic phishing, where Internet users are driven to fraudulent sites designed to collect log-in credentials or other personal information, is still used extensively to access customer accounts or corporate systems, or to engage in identity theft. One recent study suggested around two thirds of phishing campaigns are geared towards credential theft[2]. However, other variants, such as business e-mail compromise (BEC) attacks or money-transfer scams, have also emerged over time. A significant proportion of phishing activity is also used to distribute malware (including ransomware), either through malicious e-mail attachments, or the use of infected phishing landing pages - indeed, phishing is now recognised as the primary means of delivering malicious payloads[3,4].

Central to many phishing attacks is an associated domain name, used either in the construction of a convincingly deceptive e-mail delivery ('from') address, for hosting the phishing site, or both. A key element of a successful attack is making the fraudulent content look like it originates from a trusted brand. One way to do that is by registering a domain name containing the name, or a variation, of the target brand. A 2021 study of the configurable sections of phishing site URLs - which also included consideration of keyword use in the subdomain portion, as well as in the domain names themselves - found that the most frequently used keyword across all analysed phishing sites was 'amazon'[5].

Phishing domain analysis

This section presents an analysis of approximately 2,000 phishing takedowns carried out by CSC’s Anti-Fraud Team across its customer base during 2021, covering both e-mail address and phishing site deactivations. Enforcements cover both phishing attacks (65.6% of cases) and advance-fee frauds (34.4%) targeting brands in over 20 industry verticals.

For each phishing case, we consider the domain used in the attack to determine whether the name of the targeted brand appears in the phishing domain name (i.e. this excludes consideration of whether the brand name appears in an alternative location in the phishing site URL, such as the subdomain name). The results of this analysis are shown in Figure 1.

Figure 1: Proportion of phishing domain names incorporating the targeted brand name, plus the type of match.

The analysis shows that just over half the cases (50.4%) do not feature the name of the targeted brand in the phishing domain name, either using a brand reference elsewhere in the URL, or using an entirely brand-independent URL, which in some cases could be a compromised site[6]. The other half (49.6%) make use of a brand-specific domain name to construct a deceptive URL. In most of these cases (41.7% of the total), the exact brand name is used, while the remainder feature a brand variant or misspelling. The types of variations observed are:

  • Added character(s) ('Added' in Figure 1) - One or more additional characters are inserted into the brand name. Frequently this comprises the addition of a hyphen between parts of the brand name.
  • Abbreviation ('Abbreviation') - The domain uses a truncated form of the brand name or acronym, designed to be recognisable to a human reader.
  • Replaced character(s) ('Replaced') - One or more characters in the brand name are replaced by another character (or combination of characters). Often, the character is visually similar to that which it replaces. Some of the most visually convincing replacements observed in the dataset were:
    • w → vv
    • m → rn
    • g → q
    • y → v
    • l (lower-case L) → 1 or I (upper-case i)
    • i → l (lower-case L)
  • Removed character ('Removed') - A single character is removed from the brand name being referenced.
  • Transposed elements ('Transposed') - A pair of characters in the brand name or individual components (e.g. words) of the brand name are swapped with each other.
  • Other typo variants ('Other typo') - Another type of misspelling or a combination of the above approaches has been used.
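To make the taxonomy above concrete, here is a small rule-based classifier that assigns a candidate domain to one of the variant types. It is an added example written for this post, not CSC's own detection code; the brand names and domain labels in the tests are constructed samples, not entries from the article's dataset. The confusable table is limited to the replacements listed above, the registrable label is taken as the label left of the last dot (a simplification that ignores multi-part suffixes such as co.uk), and two categories are deliberately not modelled: abbreviations, which need brand-specific knowledge, and transposition of whole words, which would need the brand's component list.

```python
"""Classify how a phishing domain label relates to a targeted brand name.

Added example (not CSC's code): a rule-based classifier for the variant
types described in the article. All sample data is constructed.
"""

# Visually convincing single-character replacements from the article, expressed
# as brand character -> the string that replaces it in the domain label.
CONFUSABLES = {
    "w": ["vv"],
    "m": ["rn"],
    "g": ["q"],
    "y": ["v"],
    "l": ["1", "i"],  # lower-case L; domains are case-insensitive, so upper-case I reads as i
    "i": ["l"],
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_subsequence(short: str, long: str) -> bool:
    """True if every character of `short` appears in `long`, in order."""
    it = iter(long)
    return all(ch in it for ch in short)


def confusable_variants(brand: str) -> set:
    """All forms of the brand with exactly one character swapped for a look-alike."""
    out = set()
    for pos, ch in enumerate(brand):
        for rep in CONFUSABLES.get(ch, []):
            out.add(brand[:pos] + rep + brand[pos + 1:])
    return out


def registrable_label(domain: str) -> str:
    """Label immediately left of the last dot (simplification: multi-part suffixes ignored)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(brand: str, domain: str) -> str:
    """Return the article's variant type for `domain` relative to `brand`, or 'none'."""
    brand = brand.lower()
    label = registrable_label(domain)
    if brand in label:
        return "exact"
    if label in confusable_variants(brand):
        return "replaced"
    if len(label) == len(brand):
        diffs = [i for i, (x, y) in enumerate(zip(brand, label)) if x != y]
        if len(diffs) == 1:
            return "replaced"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and brand[diffs[0]] == label[diffs[1]] and brand[diffs[1]] == label[diffs[0]]):
            return "transposed"
    if len(label) > len(brand) and len(label) - len(brand) <= 2 and is_subsequence(brand, label):
        return "added"
    if len(label) == len(brand) - 1 and is_subsequence(label, brand):
        return "removed"
    if osa_distance(brand, label) <= 2:
        return "other typo"
    return "none"


if __name__ == "__main__":
    # Constructed examples, one per category
    for domain in ["amazon-login.com", "arnazon.net", "paypa1.com", "amaozn.com",
                   "pay-pal.com", "amazn.com", "amozan.com", "example.org"]:
        brand = "paypal" if "pay" in domain else "amazon"
        print(f"{domain:20s} -> {classify(brand, domain)}")
```

The order of the checks matters: an exact match is tested first so that `amazon-login` is not mistaken for an insertion, and the confusable table is consulted before the generic same-length comparison so that multi-character swaps such as m → rn are credited as replacements rather than insertions.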

Across the dataset, more than 160 distinct domain name extensions are represented, with the top 10 including several new generic top-level domains (new gTLDs) (Figure 2). This is consistent with previous studies that established many of these extensions are frequently associated with untrustworthy sites[7,8].

Figure 2: Top 10 domain-name extensions (TLDs) represented in the dataset of phishing domains

Case study: domain registration trends associated with phishing activity targeting a banking group

Across Q4 2020 and Q1 2021, CSC identified a large number of domain registrations associated with a sizeable, coordinated phishing campaign targeting a FTSE-100 multi-brand banking group. The primary attack vector was via SMS messaging (a.k.a. smishing), and the campaign used a series of brand-specific domain names that resolved to fake branded websites soliciting customer log-in credentials. CSC determined that the sites were part of a large-scale attack by a single entity, or a group of connected entities, based on similarities in registration dates, keyword permutations and URL structure, plus common use of privacy protection services. At the time of analysis, the domains resolved to a mixture of live and inactive sites, suggesting each phishing site may only have been active for a short period.

The campaign moved from one brand (Brand A), being targeted primarily in October and November 2020, to a second brand (Brand B), with a smaller peak in activity around February 2021. The numbers of domains used in these attacks were sufficiently large that the campaign dominated the overall pattern of total third-party domain registrations for the brands across the period in question (Figure 3).

Figure 3: Daily total numbers of detected domain registrations (and seven-day centred rolling averages) for two brands associated with a FTSE-100 banking group, between September 2020 and June 2021

Proactive monitoring and enforcement as part of a comprehensive security programme can help defend against phishing attacks

The above observations raise significant implications regarding the requirements for an effective phishing detection service. First, a key component is the detection of brand-specific domain names, as shown by the fact that almost half the domains analysed in our initial dataset incorporate a brand reference in the domain name. The simplest domain detection products only attempt to identify names containing exact matches to the brand name concerned, but as our analysis shows, some 16% of the branded phishing domains actually reference a brand variant, rather than the exact brand name. This may be a deliberate decision by the fraudsters to try to circumvent detection efforts, and it highlights the need for a comprehensive solution able to tackle these variations. CSC’s 3D Domain Monitoring service has been designed with these requirements in mind, covering detection of a range of brand variants, including fuzzy matches (incorporating character replacements and use of non-Latin homoglyphs) and Soundex (homophone or metaphone) variations (i.e. domains that are pronounced similarly), across a wide range of domain name extensions.
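Two of the detection tiers mentioned above, non-Latin homoglyphs and Soundex, can be illustrated in a few lines. The following is an added example and not the code behind CSC's 3D Domain Monitoring service: it decodes an IDN label from its punycode (xn--) form, folds a small hand-picked set of Cyrillic and Greek look-alikes onto Latin letters, and then compares the brand with the folded label by substring and by American Soundex. The homoglyph table is a constructed subset (production tooling would use the full Unicode confusables data), metaphone is not implemented, and the sample labels are constructed.

```python
"""Added example (not CSC's code): homoglyph folding and Soundex comparison
for brand-variant domain labels. Confusable table and samples are constructed."""
import unicodedata

# Hand-picked non-Latin characters that render like Latin letters (constructed subset).
HOMOGLYPHS = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u04bb": "h",  # Cyrillic small shha
    "\u03bf": "o",  # Greek small omicron
}

# American Soundex letter codes; vowels, h, w and y are treated as 0 (not coded).
SOUNDEX_CODES = {}
for _letters, _code in [("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                        ("l", "4"), ("mn", "5"), ("r", "6")]:
    for _ch in _letters:
        SOUNDEX_CODES[_ch] = _code


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into Unicode; plain labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label: str) -> str:
    """Lower-case, NFKC-normalise and map known homoglyphs to their Latin look-alike."""
    text = unicodedata.normalize("NFKC", decode_label(label)).lower()
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def soundex(word: str) -> str:
    """American Soundex code (letter plus three digits) of an ASCII word."""
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    if not word:
        return ""
    out = []
    prev = SOUNDEX_CODES.get(word[0], "0")
    for ch in word[1:]:
        if ch in "hw":          # h and w do not separate letters with the same code
            continue
        code = SOUNDEX_CODES.get(ch, "0")
        if code != "0" and code != prev:
            out.append(code)
        prev = code             # a vowel resets prev, so repeats after it are coded again
    return (word[0].upper() + "".join(out) + "000")[:4]


def matches_brand(brand: str, label: str):
    """Which detection tier flags the label: 'exact', 'homoglyph', 'soundex' or None."""
    b = brand.lower()
    if b in label.lower():
        return "exact"
    folded = skeleton(label)
    if b in folded:
        return "homoglyph"
    if soundex(b) == soundex(folded):
        return "soundex"
    return None


if __name__ == "__main__":
    cyrillic_a = "\u0430mazon"                                       # constructed IDN label
    a_label = "xn--" + cyrillic_a.encode("punycode").decode("ascii")  # its punycode form
    for label in ["amazon-login", cyrillic_a, a_label, "amasin", "example"]:
        print(f"{label!r:28} -> {matches_brand('amazon', label)}")
```

Exact-match detection alone returns nothing for the Cyrillic-a label or its xn-- encoding, which is the gap the folding step closes; the Soundex tier is coarse by design (it flags `amasin` as well as genuine pronounced-alike names), so in practice its hits are candidates for review rather than automatic enforcement.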

However, even comprehensive domain detection is only part of the solution. Just over half the phishing attacks in our dataset do not use brand-specific domain names, showing that a truly effective phishing detection product must also incorporate other data sources. CSC’s Fraud Protection service also makes use of spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs. This information is fed into our machine-learning-driven correlation engine that detects fraudulent sites by analysing URL patterns and comparing site content with known predictors of fraudulent content. A final key element is the inclusion of a 24×7 enforcement capability to ensure rapid takedown of fraudulent content.

References

[1] https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf

[2] https://cofense.com/annualreport

[3] https://www.cisa.gov/stopransomware/general-information

[4] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[5] https://www.daj.jp/en/about/release/2021/0922_01/

[6] https://www.phishlabs.com/blog/most-phishing-attacks-use-compromised-domains-and-free-hosting/

[7] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure

[8] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/

This article was first published on 9 May 2022 at:

https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/
