Wednesday, 5 June 2024

A bit of a nasty (anti)virus: the landscape of fake antivirus websites

BLOG POST

Following a recent report by Trellix[1] about bogus websites posing as antivirus providers, we have conducted a landscape review of domains whose names begin with the names of major antivirus and antimalware providers. The analysis considers all examples where the second-level domain name (SLD) - i.e. the part of the domain name to the left of the dot - consists only of the brand name, or where the brand name is accompanied by one of a set of high-relevance keywords.

New-gTLD extensions feature heavily within the list of 1,440 domains, with .live (106 domains), .online (48), .xyz (33), .site (22) and .shop (19) being the most popular. New-gTLDs are commonly associated with high rates of infringement and abuse, and give rise to particular security concerns in the technology sector, where many of the extensions have specific relevance[2].

The review identified a number of high-concern websites posing direct potential threats, such as those offering (potentially malicious) downloads and instances of user credential collection (i.e. potential phishing). Other identified infringement types included e-commerce sites, offers of discount codes and information sites. Significant numbers of domains where the SLD consisted just of the brand name were also found to be potentially infringing.

Given that this study focuses solely on a small subset of the full range of potentially infringing sites, the number of threatening findings is concerning. This analysis highlights the importance of proactive programmes of brand protection, incorporating a policy of defensive domain registrations (to address the issue of 'brand-only' SLD examples). Other advisable initiatives include greater clarity by brand owners on the identity of their official sites (perhaps involving the use of dot-brand extensions) and engagement with 'fraudcasting' schemes, to push out browser warnings for fraudulent sites.

This specific case of infringements targeting antivirus brands is an interesting one - essentially an instance of 'gamekeeper turned game'. The very nature of these brands is such that consumer trust is a key element (in addition to technical effectiveness), so the emergence of these types of attack poses a real risk to brand reputation and value.

References

[1] https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/

[2] https://www.iamstobbs.com/opinion/un-.zip-ping-and-un-.box-ing-the-risks-associated-with-new-tlds

This article was first published on 4 June 2024 at:

https://www.iamstobbs.com/opinion/a-bit-of-a-nasty-antivirus-the-landscape-of-fake-antivirus-websites

* * * * *

WHITE PAPER

Introduction

A recent report by cybersecurity service provider Trellix[1] highlighted the detection of three fake sites posing as official antivirus providers. In all cases, these sites were offering the download of purported security products, but were actually distributing malicious applications, which aimed to access confidential data, steal information or mine cryptocurrency[2]. As of the time of writing (29-May-2024), only one of these sites (bitdefender-app[.]com) was still active (Figure 1), though all three still generated browser messages warning of dangerous content. 

Figure 1: The fake site at bitdefender-app[.]com, as of 29-May-2024

Analysis

As an investigation into the scale of this type of issue, we consider the landscape of domains with names beginning with the name of any one of 16 of the top antivirus and antimalware providers[3,4,5]. The analysis is based on zone-file information from ICANN's Centralized Zone Data Service (CZDS), available for 1,087 gTLDs (domain extensions). It is also worth noting that, in contrast to the three sites in the Trellix report, none of the other potentially threatening examples presented in this article were found to generate browser warnings, an additional factor of concern regarding the potential exposure of consumers to infringing or harmful content.

The analysis yielded a dataset of over 14,000 domains, though this will include 'false positives' such as instances where the brand strings appear as sub-strings of longer, unrelated terms, and references to the brand name in an unrelated context. Accordingly, for the first round of filtering, we considered only those domains where the second-level domain name (SLD) string (i.e. the part of the domain name to the left of the dot) consisted only of the brand name, or where any of the following high-relevance keywords were also present in the domain name: virus, malware, secur*, app, download, update, login, scan, protect, enterprise, activat*, defend, online, setup, instal* (where '*' denotes any continuation, so that secur* covers 'secure' and 'security', for example). This generated a candidate set of just over 1,900 high-relevance domain names. From these, we next removed any which appeared to be under the control of the official brand owner in question, on the basis of the use of an enterprise-class registrar and/or re-direction to a definitively official website. This left a set of 1,440 probable third-party domains of potential concern.

Significant numbers of these domains utilise new-gTLD extensions, noted in many previous studies as being associated with high rates of infringement and abuse[6]; the new-gTLD extensions with more than 10 domains in the dataset are: .live (106), .online (48), .xyz (33), .site (22), .shop (19), .pro (17), .store (13), .zip (11), .click (11), and .deals (11).
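The first filtering round described above can be reproduced mechanically. The following Python is an added illustration (it is not code from the original study or from Stobbs): it applies the 16 anchored brand patterns from reference [5] and the keyword list from the text to a list of domain names, keeping a name only if the brand is the whole SLD or is followed by a high-relevance keyword, so that sub-string false positives such as a brand prefix on an unrelated word are dropped. The sample names are a constructed stand-in for a zone-file extract; the Candidate type, the "brand-only"/"keyword:" labels and the decision to test keywords only in the part of the SLD after the brand are choices made here, not details taken from the paper.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Brand patterns exactly as listed in reference [5]; '^' anchors the brand at the
# start of the second-level domain (SLD) and '-?' makes a hyphen optional.
BRAND_PATTERNS = [re.compile(p) for p in (
    r"^totalav", r"^surfshark", r"^norton", r"^kaspersky", r"^mcafee",
    r"^bitdefender", r"^trend-?micro", r"^avast", r"^eset", r"^vipre",
    r"^malwarebytes", r"^f-?secure", r"^avira", r"^avg", r"^emsisoft", r"^spybot",
)]

# High-relevance keywords from the text; a trailing '*' means "any continuation"
# (secur* matches secure, security, ...), so only the stem is tested.
KEYWORDS = ["virus", "malware", "secur*", "app", "download", "update", "login",
            "scan", "protect", "enterprise", "activat*", "defend", "online",
            "setup", "instal*"]


@dataclass(frozen=True)
class Candidate:
    domain: str
    sld: str
    tld: str
    brand: str
    reason: str  # "brand-only" or "keyword:<kw>"


def refang(domain: str) -> str:
    """Undo the '[.]' defanging used in reports, lower-case, and drop a trailing
    dot (zone files list names with one)."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def first_keyword(text: str) -> Optional[str]:
    """Return the first keyword (in list order) whose stem occurs in text."""
    for kw in KEYWORDS:
        if kw.rstrip("*") in text:
            return kw
    return None


def classify(domain: str) -> Optional[Candidate]:
    """Return a Candidate if the domain passes the first filtering round, else None.

    gTLD zone files hold single-label TLDs, so the SLD is everything before the
    last dot. A brand prefix alone (e.g. avgas.com) is not enough: it must be the
    whole SLD, or be followed by a high-relevance keyword.
    """
    d = refang(domain)
    sld, dot, tld = d.rpartition(".")
    if not dot or not sld:
        return None
    for pat in BRAND_PATTERNS:
        m = pat.match(sld)
        if not m:
            continue
        brand, rest = m.group(0), sld[m.end():]
        if rest == "":
            return Candidate(d, sld, tld, brand, "brand-only")
        kw = first_keyword(rest)
        if kw:
            return Candidate(d, sld, tld, brand, f"keyword:{kw}")
        return None  # brand is a sub-string of an unrelated term: false positive
    return None


def candidate_set(domains: Iterable[str]) -> List[Candidate]:
    return [c for c in (classify(d) for d in domains) if c is not None]


def tld_counts(candidates: Iterable[Candidate]) -> Counter:
    """Per-extension counts, as in the new-gTLD breakdown in the text."""
    return Counter(c.tld for c in candidates)


# Constructed sample input standing in for a zone-file extract (not real data):
# names quoted in the article mixed with invented look-alikes and false positives.
SAMPLE_ZONE_NAMES = [
    "bitdefender[.]icu", "f-secure.store", "trendmicrosetup.online",
    "kasperskyantivirus.space", "mcafeecom-activatesetup.com",
    "esetprotect.cloud",
    "avgas.com",          # 'avg' as a sub-string of an unrelated word: dropped
    "nortonbakery.shop",  # brand prefix but no keyword: dropped
    "example.com",        # no brand at all
]

if __name__ == "__main__":
    hits = candidate_set(SAMPLE_ZONE_NAMES)
    for c in hits:
        print(f"{c.domain:32} brand={c.brand:12} {c.reason}")
    print("by TLD:", dict(tld_counts(hits)))
```

Running the script keeps six of the nine sample names; the second filtering round in the text (removing domains registered through enterprise-class registrars or redirecting to official sites) needs WHOIS/RDAP and HTTP data and is not part of this example.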

Of the 1,440 domains, 439 generate a live website response, according to an automated site-visitor script (though this is likely to be a conservative estimate, since some live sites will produce a false negative - e.g. if the site is slow to respond).

Amongst the live sites, a range of content types were identified, including instances of unrelated third parties apparently legitimately using the same brand name (particularly where the brand is a relatively generic acronym, such as AVG, or a common name, such as Norton), cases of misdirection to unrelated content (including gambling-related or other undesirable content in some cases), and sites monetised through the inclusion of pay-per-click links, or by displaying pages offering the domain name for sale. There is also the potential for any of these sites to be activated with more significant content at a later date. 

However, the sites currently of highest concern are those displaying official branding, or referencing the brand name in a context relevant to the business area of the brand in question. Some of these sites may be (possibly official, but potentially unauthorised) distributors (Figure 2) or other affiliated organisations (e.g. mcafee[.]education, which re-directs to mcafeeinstitute[.]com). 

Figure 2: Example of a purported official distributor's website (avgverlengen[.]nl, re-directed from avg[.]partners and avg[.]tips)

A number of others have the appearance of legitimate sites, but may be fake - in many cases, a definitive determination is difficult, which is clearly unsatisfactory from a customer-confusion point of view. One of the categories of highest concern is that of sites where the SLD consists just of the brand name, as these present (if non-legitimate) the highest potential for confusion with genuine sites. The dataset includes a number of such examples, including avast[.]partners, bitdefender[.]digital, bitdefender[.]icu, bitdefender[.]lat, emsisoft[.]lat, eset[.]ovh, f-secure[.]store, surfshark[.]click, and totalav[.]xyz (Figure 3) which, if not official sites under the control of the respective brand owners, pose a serious concern.

Figure 3: Examples of sites whose legitimacy is unclear (with all five examples registered via privacy protection service providers), and where the SLD consists just of the brand name: bitdefender[.]icu; eset[.]ovh; f-secure[.]store; surfshark[.]click; totalav[.]xyz

Widening out to the larger set of domains which feature additional keywords of relevance, sites featuring a range of content types were identified. These include examples of (potentially non-legitimate or unauthorised) sites featuring e-commerce content (e.g. avastantivirus[.]pro (re-directs to datav[.]fr), bitdefenderantivirus[.]space, kasperskyantivirus[.]space, nortonantivirus[.]space (all re-direct to software-defender[.]com), malwarebyteschannelstore[.]com, avgonline[.]com, bitdefenderonline[.]com, bitdefenderperu[.]com, malwarebytessoftware[.]com, nortondefenderhub[.]com, norton-setup[.]com), sites offering coupons, vouchers or discount codes (e.g. bitdefenderantiviruscoupon[.]com), sites offering product information (e.g. malwarebytesnew[.]com, mcafee-activate[.]xyz, mcafeecom-activatesetup[.]com, mcafeecom-setup[.]com, vipre-antivirus[.]com, avastupdates[.]com, norton-com-setup[.]live, and norton-setup[.]net, which actually directs users to a third-party site at fox2[.]kr) and sites making other general claims of affiliation (e.g. bitdefender-indonesia[.]com, bitdefenderkorea[.]com) (Figure 4).

Figure 4: Example of an e-commerce site (avgonline[.]com), a site offering discount codes (bitdefenderantiviruscoupon[.]com), and an information site (mcafeecom-activatesetup[.]com)

However, the examples of greatest concern, from the point of view of posing direct potential threats, are those offering downloads (which may be malicious) (e.g. surfsharkvpnapp[.]com, kasperskydownload[.]com, mcafeedownload[.]com, spybot-freedownload[.]com, spybot-free-download[.]com, avastlogins[.]com (re-directs to a URL on loneseo[.]tongxinfl[.]cn)) or collecting user credentials (i.e. potential phishing) (e.g. esetprotect[.]cloud, nortonsetup[.]cloud, nortonsetup[.]xyz, trendmicrosetup[.]online) (Figure 5).

Figure 5: Examples of sites offering downloads (surfsharkvpnapp[.]com and avastlogins[.]com) and sites collecting user credentials (nortonsetup[.]cloud and trendmicrosetup[.]online)

It is also worth noting that three of these sites - nortonsetup[.]cloud, nortonsetup[.]xyz and trendmicrosetup[.]online - all have a very similar appearance and appear likely to have been generated from a common site template (perhaps as part of a single coordinated campaign by a particular infringer). This assertion is strengthened by the facts that all three are registered via 'Privacy Protect, LLC' with Hostinger Operations, UAB as registrar, and all three reference the same hyperlink (http[://]gmpg[.]org[/]xfn[/]11) in the metadata sections of the HTML of the websites. A caveat applies to the last of these indicators: that hyperlink is the XFN profile reference emitted by default by many WordPress themes, so on its own it shows only that the sites share a common platform; it supports the grouping here in combination with the shared registrar, privacy service and page appearance, not in isolation. These types of insights are key to the process of 'clustering', a means of drawing links between infringements, which forms the basis for building cases of bad faith and for efficient bulk takedown actions[7].
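The clustering step sketched above, as an added example that is not code from the original study or from Stobbs: each site is reduced to a set of features (registrar, privacy-proxy service, and the href targets of the <link> tags in its HTML head), pairs of sites are scored by the weight of the features they share, and sites whose score reaches a threshold are joined into one cluster. The generic WordPress XFN link is explicitly discounted, so two unrelated WordPress sites at the same budget registrar do not cluster on boilerplate alone. The weights, the threshold, the SiteRecord type and the HTML snippets (including the theme stylesheet path) are assumptions made for this illustration; the registrar and privacy-service values for the three *setup* sites follow the text, while the other two records are wholly constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from html.parser import HTMLParser
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Feature = Tuple[str, str]


class _HeadLinkCollector(HTMLParser):
    """Collect href values of <link> tags (the 'metadata section' of a page)."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def head_links(html: str) -> FrozenSet[str]:
    collector = _HeadLinkCollector()
    collector.feed(html)
    return frozenset(collector.hrefs)


@dataclass(frozen=True)
class SiteRecord:
    domain: str
    registrar: str
    privacy_service: str
    links: FrozenSet[str]


# Boilerplate shared by huge numbers of unrelated sites. The XFN profile link is
# emitted by default WordPress themes, so alone it only says "this is WordPress".
GENERIC_FEATURES: Set[Feature] = {("link", "http://gmpg.org/xfn/11")}

# Assumed weights: registrar and privacy service are weak signals (used by millions
# of domains); a distinctive shared <link> target is a stronger one.
WEIGHTS = {"registrar": 1, "privacy": 1, "link": 2}


def features(rec: SiteRecord) -> Set[Feature]:
    feats: Set[Feature] = {("registrar", rec.registrar), ("privacy", rec.privacy_service)}
    feats |= {("link", h) for h in rec.links}
    return feats - GENERIC_FEATURES


def pair_score(a: SiteRecord, b: SiteRecord) -> int:
    return sum(WEIGHTS[kind] for kind, _ in features(a) & features(b))


def cluster(records: List[SiteRecord], threshold: int = 3) -> List[List[str]]:
    """Union-find over pairs whose shared-feature score reaches the threshold."""
    parent: Dict[str, str] = {r.domain: r.domain for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if pair_score(a, b) >= threshold:
            ra, rb = find(a.domain), find(b.domain)
            if ra != rb:
                parent[rb] = ra
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[find(r.domain)].append(r.domain)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample data: the HTML snippets and the theme path are invented.
XFN = '<link rel="profile" href="http://gmpg.org/xfn/11">'
TEMPLATE_HTML = f"<html><head>{XFN}<link rel='stylesheet' href='/wp-content/themes/setup-kit/style.css'></head></html>"
SHOP_HTML = f"<html><head>{XFN}<link rel='stylesheet' href='/themes/storefront/main.css'></head></html>"
PLAIN_WP_HTML = f"<html><head>{XFN}</head></html>"

HOSTINGER, PRIVACY_PROTECT = "Hostinger Operations, UAB", "Privacy Protect, LLC"
SAMPLE_RECORDS = [
    SiteRecord("nortonsetup.cloud", HOSTINGER, PRIVACY_PROTECT, head_links(TEMPLATE_HTML)),
    SiteRecord("nortonsetup.xyz", HOSTINGER, PRIVACY_PROTECT, head_links(TEMPLATE_HTML)),
    SiteRecord("trendmicrosetup.online", HOSTINGER, PRIVACY_PROTECT, head_links(TEMPLATE_HTML)),
    SiteRecord("constructed-shop.example", "Other Registrar (constructed)", "none", head_links(SHOP_HTML)),
    # Same registrar, same privacy service, same WordPress boilerplate, nothing else:
    SiteRecord("unrelated-wp-blog.example", HOSTINGER, PRIVACY_PROTECT, head_links(PLAIN_WP_HTML)),
]

if __name__ == "__main__":
    for group in cluster(SAMPLE_RECORDS):
        print(group)
```

With the default threshold the three *setup* sites form one cluster (shared registrar, privacy service and a distinctive stylesheet path) while the unrelated WordPress blog, which matches them only on registrar, privacy service and the discounted XFN link, stays on its own; lowering the threshold to 2 pulls it in, which is exactly the over-clustering the caveat in the text warns against.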

Discussion

The numbers of results identified in this simple study (considering only 16 antivirus brands, and looking only at branded domain names where the brand name appears at the start) indicate that the scale of the issue of antivirus infringements, scams and fake sites is likely to be considerable, and certainly comprises far more examples than the handful of sites reported in the original article.

These findings highlight not only the importance of care being taken by consumers, but also the necessity for brand owners - particularly in industries where digital security is such a central concern - to employ comprehensive brand protection programmes comprising monitoring, analysis and enforcement. Defensive domain registrations are also likely to play a significant part in this picture, as shown by (for example) the significant numbers of potential infringements where the second-level domain name consists just of the brand name; for key TLDs, these types of domain names should certainly be kept under the control of the brand owners in question.

Another point to take away is the importance of organisations communicating the identity of their official site(s) clearly to their customer base, and educating them on the risks of engaging with other unapproved entities. Increased adoption of dot-brand domain-name extensions may be a key part of this solution. Finally, it would also be advantageous for brand owners to explore more extensively schemes to proactively push out alerts to browsers whenever fake sites are detected or reported[8].

References

[1] https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/

[2] https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.html

[3] https://www.security.org/antivirus/best/

[4] https://www.techradar.com/best/best-malware-removal

[5] The monitored brand strings were: "^totalav", "^surfshark", "^norton", "^kaspersky", "^mcafee", "^bitdefender", "^trend-?micro", "^avast", "^eset", "^vipre", "^malwarebytes", "^f-?secure", "^avira", "^avg", "^emsisoft", and "^spybot", where '^' denotes that the string must appear at the start of the domain name, and '?' denotes that the previous character (in these cases, where appropriate, a hyphen) is optional.

[6] 'Patterns in Brand Monitoring' by D.N. Barnett, Chapter 9: 'Domain landscape analysis' [awaiting publication]

[7] 'Patterns in Brand Monitoring' by D.N. Barnett, Chapter 6: 'Result "clustering"' [awaiting publication]

[8] https://circleid.com/posts/20231205-can-we-get-more-eyes-on-britains-largest-scam-watch-list

This article was first published as an e-book on 4 June 2024 at:

https://www.iamstobbs.com/a-bit-of-a-nasty-antivirus-ebook
