Tuesday, 18 October 2022

Energy-crisis-related scams highlight how bad actors seek to capitalise on global events

Fraudsters can be counted on to be quick to take advantage of those who may be struggling, and the latest example is the cost-of-energy crisis. Our uncovering of related scams in the UK follows numerous previous studies illustrating how real-world events can trigger associated spikes in online infringement activity, including efforts focused on the invasion of Ukraine[1] and the pandemic[2].

Events such as the war in Ukraine and associated supply-chain issues have triggered huge rises in the cost of energy, resulting in support programmes being introduced by governments. In the UK, for example, the Energy Price Guarantee[3] (which reduces energy unit costs to consumers) and the Energy Bills Support Scheme[4] (providing an automatic energy payment rebate) come into effect this month, in addition to energy price caps for corporations.

In response to these initiatives, bad actors have instigated a range of phishing campaigns designed to harvest users' personal information, under the guise of soliciting applications for participation in the schemes.

In the two examples shown below, we identified SMS messages of a similar style (sent on 26 September), directing users to phishing sites hosted on the domains via-rebate-scheme[.]com and energy bills-support[.]com. 


Figure 1: Examples of SMS messages directing users to phishing sites related to the UK Energy Bill [sic] Support Scheme

The two domains in question had been registered in the previous few days (25 and 21 September, respectively), and both had redacted whois records. Neither of the sites was active by the time of analysis (on 26 September). 

Searches for reports of other scams featuring similar text revealed that several additional domain names had also been utilised in scams of this type, with a selection of examples listed below:

  • energy-bill-online[.]com
  • energy-bill-support[.]com
  • energybills-rebate[.]com
  • my-energybill-online[.]com
  • mygov-energy-help[.]com
  • online-energybill-rebate[.]com
  • rebate-application[.]com
  • support-rebatescheme[.]com
  • energy[.]bill-rebate[.]com

The majority of these sites were inactive by the date of analysis; however, two of the above domains were found still to resolve to active sites – displaying very convincing lookalikes of the government's official 'gov.uk' sites, including webforms prompting for the input of names, dates of birth, mobile numbers, and addresses.

Figure 2: Phishing site content visible on fake UK government domains mygov-energy-help[.]com and rebate-application[.]com (live as of 26 September 2022)

Considering the above observations, we utilised our monitoring technology to look for patterns in the registration of domains with names containing the strings ‘energy’ and ‘rebate’, in the period to 26 September. Analysing the raw data, we found that there has been continuous activity (in terms of the registration, re-registration and lapse of relevant domain names) across the preceding year, with numerous 'noisy' peaks and troughs, and no obvious trends. 

This is perhaps unsurprising given the generic nature of the keywords under consideration, and the numerous different ways they can be utilised in domain names unrelated to the programmes and scams of interest. However, our tools allow us to look at specific match types, and thereby drill down more closely into examples which are more likely to be of direct relevance. Accordingly, we next considered only those domain names containing a 'word match' for the keywords 'rebate', 'energy', 'energybill' or 'energybills' (i.e. those domains where these terms appear in isolation, or are separated from the remainder of the domain name by hyphens, mirroring the patterns seen in the known scam domains listed above).

For 'energy' domains, this still yields a rather noisy dataset. However, for the (somewhat more distinctive) keyword 'rebate', there is a much clearer ramp-up in activity in the latter part of September 2022, in the lead-up to the launch of the related UK government scheme.

Figure 3: Five-day centred rolling averages of the total daily number of registrations (including re-registrations) of domains with names containing 'energy' (top) and 'rebate' (bottom) (as 'word matches'), between March and September 2022

Of the 39 distinct 'rebate' (word-match) domains registered in the final two weeks of the analysis period, a significant proportion featured additional keywords suggesting that they may have been registered with similar scams in mind - seven referenced 'energy', six 'scheme', three 'application' and two 'claim'. 
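As an added example (written for this page, not CSC's monitoring tooling), the following Python implements the three steps described above over a constructed registration feed: the 'word match' filter, the five-day centred rolling average of daily registrations, and the tally of secondary keywords among matching domains. Some domains in the feed are taken from the scam examples listed earlier on this page; the remainder, and all dates, are made up.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed feed of (registration date, domain) pairs standing in for a
# registration-monitoring export.  Domains are defanged with "[.]" as on this page;
# some names come from the scam examples above, the rest are made up.
SAMPLE_FEED = [
    ("2022-09-19", "rebate-application[.]com"),
    ("2022-09-20", "myrebates-shop[.]com"),        # substring hit only: not a word match
    ("2022-09-21", "energy-bills-support[.]com"),
    ("2022-09-21", "support-rebatescheme[.]com"),  # 'rebate' fused to 'scheme': no word match
    ("2022-09-22", "energy-bill-rebate[.]com"),
    ("2022-09-23", "rebate[.]co[.]uk"),
    ("2022-09-23", "claim-rebate-scheme[.]com"),
    ("2022-09-24", "energybills-rebate[.]com"),
    ("2022-09-25", "rebate-applications[.]com"),
    ("2022-09-25", "via-rebate-scheme[.]com"),
    ("2022-09-26", "energy[.]bill-rebate[.]com"),
]


def name_tokens(domain: str) -> list:
    """Refang the domain and split every label left of the TLD on '.' and '-'."""
    labels = domain.lower().replace("[.]", ".").split(".")
    return [tok for label in labels[:-1] for tok in label.split("-") if tok]


def is_word_match(domain: str, keyword: str) -> bool:
    """True when the keyword stands alone or is delimited by hyphens/dots in the name."""
    return keyword in name_tokens(domain)


def daily_counts(feed, keyword: str) -> dict:
    """ISO date -> number of word-matching registrations on that day."""
    counts = Counter(day for day, domain in feed if is_word_match(domain, keyword))
    return dict(counts)


def centred_rolling_average(counts: dict, window: int = 5) -> dict:
    """Centred moving average over calendar days from the first to the last hit;
    days with no hits (and days outside the observed range) count as zero."""
    if not counts:
        return {}
    half = window // 2
    by_day = {date.fromisoformat(d): n for d, n in counts.items()}
    first, last = min(by_day), max(by_day)
    out, day = {}, first
    while day <= last:
        total = sum(by_day.get(day + timedelta(days=k), 0) for k in range(-half, half + 1))
        out[day.isoformat()] = total / window
        day += timedelta(days=1)
    return out


def secondary_keyword_tally(feed, keyword: str, extras) -> Counter:
    """Among word-matched domains, count which extra terms also appear in the name.
    This is a substring test, so 'applications' counts towards 'application'."""
    tally = Counter()
    for _, domain in feed:
        if is_word_match(domain, keyword):
            name = "-".join(name_tokens(domain))
            tally.update(extra for extra in extras if extra in name)
    return tally
```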

This dataset included three additional domains (energy-bill-rebate[.]com, mytax-rebate-application[.]com and rebate-applications[.]com) resolving to active 'gov.uk' branded phishing sites as of 26 September, together with several more which (though inactive) still featured the 'gov.uk' favicon. Six further examples featured browser-level warnings that they had previously featured 'dangerous' content. 

Five of the domains were found to have been both registered and then lapsed within the two-week period (with delays of between one and five days between the two events).

These observations once again highlight how real-world events can trigger peaks in infringement activity by bad actors wishing to take advantage of difficult situations for their own financial gain, at the expense of their victims. 

The phishing campaigns highlighted in this analysis make use of domains which are specifically registered for use in the campaign, and are typically used only for a short period (potentially in an attempt to circumvent detection and takedown efforts), before being allowed to lapse. 

Phishing activity in general is most effectively detected through detection product sets that incorporate spam traps and honeypot accounts, together with other feeds such as brand-owner webserver logs, used as a complement to other detection methodologies.

However, the findings presented here also highlight how nimble infringers can be and, for example in the case of organisations and not-for-profits involved in responding to crises and global events, why it is important to ensure particular vigilance when mission-related incidents occur.

References

[1] https://www.cscdbs.com/blog/how-to-manage-the-online-effects-of-the-ukraine-war/

[2] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[3] https://www.gov.uk/government/publications/energy-bills-support/energy-bills-support-factsheet-8-september-2022

[4] https://www.gov.uk/guidance/getting-the-energy-bills-support-scheme-discount

This article was first published on 17 October 2022 at:

https://www.worldtrademarkreview.com/article/energy-crisis-related-scams-highlight-how-bad-actors-seek-capitalise-global-events

Tuesday, 4 October 2022

The continued rise of phishing and the case of the customisable site

As noted in previous CSC studies[1,2,3], phishing continues to be an extremely popular threat vector with bad actors and shows no signs of subsiding - in part, because of the COVID-19 pandemic and the rise in popularity of remote working. Indeed, the most recent figures from the Anti-Phishing Working Group (APWG)[4,5] show that the numbers of phishing attacks are higher than ever before, with the quarterly total of identified unique phishing attacks exceeding 1 million for the first time in Q1 2022, and over 600 distinct brands attacked each month.

Figure 1: Total monthly numbers of unique phishing attacks from Q1 2018 to Q2 2022, as reported by APWG[6]

An earlier report by APWG[7] noted that over 80% of phishing sites were found to be employing SSL (secure sockets layer) or TLS (transport layer security) certificates (allowing use of HTTPS) - an increase from around 5% at the end of 2016 - and 90% of these certificates had been issued by free providers, such as cPanel and Let's Encrypt.

Furthermore, Interisle's 2022 Phishing Landscape study[8,9] reported the detection of over 1.1 million phishing attacks between April 2021 and April 2022, with over 2,000 brands targeted, but the majority targeting just 10 top brands. Overall, 69% of attacks made use of specifically registered domains, with the attacks disproportionately concentrated on new generic top-level domains (gTLDs). Additionally, a small number of registrars dominate the malicious registrations. Around 41% of domains reported for phishing were found to have been used within 14 days of their registration, and most of these were reported within 48 hours.

Modern phishing is driven by the desire for credential theft and business impersonation, but it is also increasingly recognised as the gateway for launching malware and ransomware attacks, which often lead to serious compromises of corporate systems and other security issues, such as DNS (domain name system) attacks.

The customisable phishing site

Central to many phishing attacks is the use of a fraudulent lookalike site mimicking the appearance of the official site of the brand being targeted - often including a log-in form prompting the input of sensitive customer information which thereby falls into the hands of the fraudster. In a classic phishing attack, the site will impersonate a specific brand, and cybercriminals will send e-mails to a wide group of users driving them to the site. This strategy uses the assumption that a certain portion of the recipients will be genuine customers of the targeted brand and may be fooled.

However, over the last two years, CSC has noted the emergence of a much more egregious style of phishing site, the appearance of which is dynamically tailored to the specific recipient in each case and can successfully target a much broader portion of recipients from a single campaign.

An example was first identified in February 2020, using a URL of the form https://[fraudsite.com]/[directory]/?usr=[string], where 'string' was a series of apparently random characters. The site appeared to target the user of a specific corporate e-mail address relating to a brand owner, with the address pre-populated into the log-in form on the page. The background of the site displayed a framed version of the official company website, giving the appearance that the user was logging into their own corporate site. All of this content appeared to be hard-coded into the HTML of the phishing site.

However, closer inspection revealed that the content actually appeared to be dynamically generated, with the string in the URL comprising a Base64-encoded version (a standard method of converting binary data, such as a string of standard ASCII characters, into an alternative text format) of the recipient e-mail address.

To determine how the phishing site handled this information in practice, a modified URL was generated, replacing the previous Base64 string with an encoded version of a CSC employee e-mail address. This produced the page shown in Figure 2, for which the HTML source code again appeared to be hard coded when viewed.

Figure 2: A version of the phishing site constructed by modifying the string in the original URL, showing how it would appear if targeted towards the user of a specific CSC corporate e-mail address (obfuscated in the screenshot for privacy purposes)

The implication is that the site is presumably running a script to dynamically generate the HTML of the page, based on the content of the Base64 string within the URL. This provides the potential to generate a very convincing, customised phishing attack whereby, given a recipient e-mail address, the fraudulent site is configured to display a framed version of the host domain of the e-mail address, overlain by a log-in box pre-populated with that address. Consequently, the same phishing e-mail could potentially be sent to large numbers of e-mail addresses, with no further requirement to customise the e-mail or the corresponding phishing site to the recipients in question - beyond ensuring that a Base64-encoded version of the recipient e-mail address is appended to the link in the phishing e-mail in each case (which could easily be automated via use of a script).

It was also established that the behaviour of the site appears to be dependent on exactly how and where it is viewed, with the site appearing inactive when viewed in a virtual machine environment. This type of configuration has previously been noted as a technique used by fraudsters to thwart forensic analysis of their sites by security professionals, who often work in virtual environments.

It is also notable that this type of site would be very difficult to detect using traditional brand monitoring approaches. Aside from the fact that the site may have been set up as an unindexed island site, intended to be accessed only via links in spam e-mails, there is potentially no reference to any brand in the site content itself, with brand-specific content being generated dynamically in the HTML only when a specific URL is accessed. In this type of case, detection would be dependent on the ability of CSC's anti-fraud engine, working in conjunction with web referrer information provided by the brand owner, to identify when the phishing site draws information from the brand owner's official site when the framing process is carried out.
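The following Python is an added example, not CSC's anti-fraud engine, showing the two defender-side checks implied by the passages above: decoding a Base64 `usr` parameter back to the recipient address it encodes (so a mail gateway or abuse mailbox can identify who was targeted), and tallying Referer hosts in the brand owner's own webserver logs that are not its own sites, which is where a page that frames the official site shows up. The URL, host names and log lines are constructed; the address is made up.

```python
import base64
import binascii
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Apache/nginx "combined" log format: request, referer and user agent are quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample in the URL shape described above, carrying a made-up address,
# built the same way the authors built their test URL.
SAMPLE_ADDRESS = "j.doe@brand.example"
SAMPLE_URL = ("https://fraudsite.example/login/?usr="
              + base64.b64encode(SAMPLE_ADDRESS.encode()).decode())
OWN_HOSTS = {"www.brand.example", "brand.example"}   # the brand owner's own sites
SAMPLE_LOG = [  # constructed webserver log lines for the brand owner's site
    f'203.0.113.5 - - [10/Feb/2020:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "{SAMPLE_URL}" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Feb/2020:09:15:11 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.brand.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2020:09:16:40 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Feb/2020:09:17:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def decode_usr_parameter(url: str, param: str = "usr") -> Optional[str]:
    """Return the e-mail address carried Base64-encoded in ?usr=..., or None when the
    parameter is absent, not valid Base64, or does not decode to an address.
    Accepts the standard and URL-safe alphabets and tolerates stripped '=' padding."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        return None
    token = values[0].strip()
    token += "=" * (-len(token) % 4)          # restore any padding dropped from the link
    for altchars in (None, b"-_"):
        try:
            text = base64.b64decode(token, altchars=altchars, validate=True).decode("ascii")
        except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def _external_referer(line: str, own: set) -> Optional[str]:
    """Referer URL of a parsed log line when its host is not one of our own, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    referer = m.group("referer")
    host = (urlparse(referer).hostname or "").lower()
    return referer if host and host not in own else None


def external_referers(log_lines, own_hosts) -> Counter:
    """Tally third-party Referer hosts.  A page that frames the official site makes
    the browser send the framing page's URL as Referer (unless a referrer policy on
    the framing page suppresses it), so unknown hosts here are triage candidates."""
    own = {h.lower() for h in own_hosts}
    tally = Counter()
    for line in log_lines:
        referer = _external_referer(line, own)
        if referer:
            tally[urlparse(referer).hostname.lower()] += 1
    return tally


def targeted_addresses(log_lines, own_hosts) -> dict:
    """Map each third-party Referer host to the addresses its ?usr= tokens decode to:
    a hit means that page both framed the official site and named a recipient."""
    own = {h.lower() for h in own_hosts}
    found = {}
    for line in log_lines:
        referer = _external_referer(line, own)
        addr = decode_usr_parameter(referer) if referer else None
        if addr:
            found.setdefault(urlparse(referer).hostname.lower(), set()).add(addr)
    return found
```

Search engines and other legitimate referers will appear in `external_referers`, so an allow list and the `targeted_addresses` result together are what separate framing from ordinary inbound links.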

A study in July 2022[10,11] reported the identification of an extremely similar style of attack, in this case using a bit-for-bit mirror of the official site of the brand being targeted.

Conclusions

These findings highlight the importance of a comprehensive phishing detection and enforcement programme, able to identify threats of a variety of types. Detection should incorporate domain monitoring (to identify phishing sites where the brand name - or a variant - is included in the domain name) and Internet monitoring (to identify other fraudulent sites linked from content indexed by search engines) components. However, other data sources - such as spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs - should also be used to identify phishing sites that are unindexed or feature content that is more dynamically generated.

However, even this is only part of the solution. As noted above, phishing attacks often form the basis for subsequent malware attacks or other security incursions. Accordingly, a robust security posture should also include the deployment of a range of domain security measures - such as those offered by an enterprise-class registrar - to protect critical corporate domains. It is also advisable for brand owners to avoid the use of service providers who allow unsavoury practices such as typosquatting, domain name auctions, and name spinning (the sale of domains containing brand variations) - all of which can facilitate phishing attacks.

References

[1] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[2] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/going-phishing-countering-fraudulent-campaigns

[3] https://www.cscdbs.com/blog/going-phishing-countering-fraudulent-campaigns-2/

[4] https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf

[5] https://docs.apwg.org/reports/apwg_trends_report_q2_2022.pdf

[6] https://apwg.org/trendsreports/

[7] https://docs.apwg.org/reports/apwg_trends_report_q2_2021.pdf

[8] https://interisle.net/PhishingLandscape2022.html

[9] https://interisle.net/PhishingLandscape2022.pdf

[10] https://www.darkreading.com/endpoint/apt-phishing-mirrors-landing-pages-credential-harvesting

[11] https://www.avanan.com/blog/mirroring-actual-landing-pages-for-convincing-credential-harvesting

This article was first published on 4 October 2022 at:

https://www.cscdbs.com/blog/the-continued-rise-of-phishing-and-the-case-of-the-customizable-site/

Also published at:

https://circleid.com/posts/20221010-the-continued-rise-of-phishing-and-the-case-of-the-customizable-site

Tuesday, 27 September 2022

Four steps to an effective brand protection programme

by Elliott Champion and David Barnett 

Internet use has become ever more pervasive. With around five billion global users[1], it generates an economy of around 15%[2] of global GDP (gross domestic product)[3] - around $15 trillion, and a figure which is growing 2.5 times faster than GDP itself. This makes the Internet an attractive channel for infringers.

Phishing and other fraud tactics, selling counterfeit goods online, and digital piracy are primary areas of concern. Unauthorised branded content use, traffic misdirection, false affiliation claims, or negative comment and activism are also significant issues. All of these can directly affect a brand's revenue, reputation and value.

This makes a comprehensive, holistic brand protection programme crucial for any brand owner, including monitoring to identify potentially damaging third-party content, and using enforcement strategies to take down infringing material. A brand protection programme should also cover a range of online channels like Internet content, branded domain names, social media, mobile apps, e-commerce marketplaces, etc., as these areas are becoming increasingly interlinked, providing different environments where the same kinds of infringements happen.

An effective enforcement programme not only addresses issues directly affecting company revenue, but also makes a protected brand a less attractive target for criminals. Furthermore, it helps protect customers and official online partners, can positively affect brand reputation and value, satisfies regulatory requirements, and can be a pre-requisite for retaining intellectual property (IP) protection.

Below we outline a four-step process for the effective and efficient implementation of a holistic brand protection programme.  

1. Evaluate the landscape and establish goals

Step one is to determine where any problems lie, and what to focus on. An initial brand snapshot or landscape audit will establish this, conducting a series of brand-related searches across all relevant channels. A marketplace sweep is also beneficial, as it looks at the numbers of results returned in response to brand-specific searches on a range of key e-commerce marketplaces. Results can be prioritised via threat scoring, clustering technology (to identify serial or high-volume infringers), web-traffic analysis, sales volume information, and so on.

It is essential to ensure that the focus areas of any programme align with the organisation's business plan and strategic goals. These might relate to geographic areas where the company has operations (or is planning to expand), and the channels where it has online presence. We advise appointing a digital governance team, including representatives from marketing, IP and legal, security, and domain operations, to ensure that brand protection is a collaborative interdepartmental effort.

It is also necessary to review the organisation’s IP protection portfolio to ensure that relevant brand terms are protected (e.g. trademarks registered in the appropriate product classes and geographic jurisdictions). Having the correct IP protection is vital for an effective enforcement programme. It is also useful to have an overview of official websites and partners, so they can be added to an 'allow' list for monitoring, and any pre-existing compliance issues can be addressed. If this information is unavailable, compiling such lists can be an objective of the monitoring programme.

Finally, it is vital to set out the overall goals of the brand protection initiative in advance, to measure its effectiveness. This can be as simple as reducing infringements - that is, removing significant numbers of them from the top e-commerce marketplaces and social media sites, or cleaning search engine results to eliminate infringements appearing on the first page. It may also be relevant to see an increase in web traffic to official channels or to pre-empt infringement activity against planned new product or brand launches.

2. Monitor critical online channels

Having established the key focus areas, the next step is to agree on monitoring parameters. This includes determining which channels and platforms to monitor and assessing which search terms to use. The minimum requirement is to search for the brand name itself - essentially mirroring customer searches - to identify the most visible content. It is often useful to search for content featuring brand variants like typos, abbreviations, and character replacements. This helps capture content where the infringer has deliberately not used the exact brand name in order to evade detection, or used confusing or deceptive brand variations. Additionally, it may be necessary to configure search terms incorporating other brand terms or industry- or product-specific keywords. This helps identify relevant material when the brand name itself is a generic term. Conversely, some monitoring services use exclusion keywords, where content is actively ignored if terms are found that imply the brand name is being used in a non-relevant context.

It is essential to extract as much rich data as possible from the webpages and listings identified through monitoring, because it allows findings to be prioritised and triaged effectively, and then clustered to identify key targets and infringers. Data extraction can be done in several ways, including rules-based analysis of page content, scraping to extract relevant data from known locations on a page (especially effective on e-commerce marketplaces, social media sites, mobile app stores etc., where the page structure is known in advance), or using an API (application programming interface) provided by the monitored site. With e-commerce marketplace listings, for example, relevant data points include seller information, item quantity and supply, price, item description, etc. Aggregated historical data for individual sellers - like numbers of previous infringements and enforcement history - can also provide a measure of overall seller risk. Finally, in cases of particular concern, carrying out detailed entity investigations can build a fuller picture of a particular seller or organisation's online profile and associated activities.

Furthermore, visible characteristics (e.g. counterfeit indicators) in the product image can help determine whether a listing is infringing. This can be achieved using both automated image analysis and manual inspection by an analyst.

It is generally also useful to ensure that the visible page content for any relevant results is recorded using snapshots or page caching; it provides evidence of the presence of an infringement at the point of discovery.

3. Enforce using the most impactful strategies

A key element of a brand protection programme is removing infringing content that would otherwise result in lost revenue for a brand, or damage its integrity and reputation. To avoid a 'whack-a-mole' approach, identifying and tackling the highest value targets first and then using the most efficient takedown method - which varies depending on the channel, platform, and the nature of the infringement - creates the greatest impact.

Certain platforms have specific IP protection programmes to remove brand-damaging content (e.g. AliProtect for Alibaba Group sites and VeRO for eBay). Clever use of these programmes can help achieve greater impact, like aggregating takedowns in batches to take advantage of a marketplace's 'three strikes' policy, and result in quicker seller suspension. Some platforms also have good-faith programmes where brand owners or their representatives can achieve rapid takedowns by having a low false-positive rate in submitted infringements. The Amazon Brand Registry and Brand Gating schemes are examples of programmes where brand owners can proactively reduce the appearance of infringements.

For other Internet content, having a toolkit of enforcement approaches is beneficial - from low-cost, low-complexity, rapid primary actions, like cease-and-desist notices, through secondary tactics like host-level content removals or registrar- or registry-level suspensions, up to longer-term, complex tertiary approaches like domain-dispute processes and legal actions. In some cases, other techniques like payment gateway suspensions or search engine de-listings may be appropriate. Having a range of enforcement options allows a brand owner to select the most cost-effective and efficient approach, reserving others for escalation. Some of the more complex dispute or acquisition options may only be appropriate when the brand owner wants to reclaim a domain for their own use.

Other supplementary actions can help build the most efficient and impactful enforcement programme, e.g. test purchases to prove a product is counterfeit, engagement with local law enforcement, or establishing reseller policy agreements.

4. Evaluate impact and realign strategies

As a brand protection programme matures, brand owners can evaluate its impact using a variety of techniques, many of which measure the financial return-on-investment (ROI) of the actions taken. This calculation can involve the total value of infringing goods removed from e-commerce marketplaces, the total amount of web traffic received by infringing sites, or both. Determining the amount of lost revenue that is reclaimable after successful enforcement is key to demonstrating ROI. For e-commerce de-listings, for example, this considers the conversion rate of customers who will buy a legitimate item when the counterfeit version is made unavailable. This conversion rate depends on the item's price[4] - or more specifically, the price differential between the genuine item and a counterfeit. Conversely, with a successful domain acquisition, the traffic for the infringing site can be re-directed to the brand owner's official website (and thereby monetised) once the domain is added to the brand owner's official portfolio[5,6].

Following a successful enforcement programme, brand owners can also directly measure other positive results, including increases in web traffic and sales volumes for their official network of sites, resellers, and partners. It may also be possible to see a clean presence on search engines and other platforms, with no infringing content returned for brand-specific searches.

Knowing how a brand is being referenced online through a monitoring solution can have other less tangible benefits, even where enforcement is not possible. For example, intelligence on negative customer comments allows brand owners to make informed decisions on their marketing and product development strategies. Monitoring can also uncover issues like brand confusion and brand dilution[7].

Combining a brand protection programme with factors like customer education and the use of product verification tools also protects the consumer base from exposure to non-legitimate products and content. Overall, this can have a positive impact on trust levels, and ultimately on the intrinsic value of the brand.

Reviewing the process and realigning strategies in response to observations, trends, or changes in business strategy is also beneficial. New channels or platforms may emerge, or additional takedown techniques may become available (e.g. the introduction of a new IP protection programme). A brand owner may introduce new brands and products, change their geographic footprint, or increase their portfolio of protected IP, e.g. through registering new trademarks. Infringement patterns may also change over time, as sellers move to different marketplaces or change the way they describe the products (sometimes in response to the enforcement actions of the brand owner). Finally, the emergence of new technologies or significant world events can also affect the infringement landscape[8,9].

Any of the above factors can necessitate changes to how a holistic brand protection programme is executed, to keep it focused, relevant, and effective. For this reason, the approach should always be circular and iterative, with brand owners keeping a close eye on activity and trends, and constantly evolving their methods to respond to any changes.

References

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/

[2] https://www.worldbank.org/en/topic/digitaldevelopment/overview

[3] https://data.worldbank.org/indicator/NY.GDP.MKTP.CD

[4] https://circleid.com/posts/20220726-calculating-the-return-on-investment-of-online-brand-protection-projects

[5] https://www.worldtrademarkreview.com/anti-counterfeiting/return-investment-proving-protection-pays

[6] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[7] https://securityboulevard.com/2022/07/online-brand-abuse-is-a-cybersecurity-issue/

[8] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[9] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

This article was first published on 27 September 2022 at:

Also published at: 

https://circleid.com/posts/20221005-four-steps-to-an-effective-brand-protection-program

Wednesday, 24 August 2022

Registration patterns of deceptive domains ('www' and 'http' domains)

A key requirement for a bad actor wanting to launch a brand attack is the registration of a carefully chosen domain name. The most convincing infringements frequently use a domain name which is deceptively similar to that of the official site of the target brand. This allows a variety of attacks to be executed, including phishing attacks - where the domain is used to host a lookalike site or produce a deceptive sender address for e-mails - and other kinds of brand infringement where users are misdirected to fake sites via mistyped URLs or search engine manipulation.

One well-established threat vector in the creation of fraudulent websites is the use of strings like 'www' or 'http' within the domain name itself - e.g. registering domains such as www-google.com or httpgoogle.com to impersonate the legitimate site (i.e. www.google.com or http://google.com).

CSC carried out a study in August 2022 using its 3D Domain Monitoring technology to consider patterns of activity in domain registrations for names beginning with 'www' or 'http' over the preceding one-year period. The analysis includes identification of newly registered domains (N), re-registered domains (R) or dropped (i.e. lapsed) domains (D). Each instance of these activities for a particular domain is referred to as an 'event'.
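Added example, written for this page rather than taken from CSC's 3D Domain Monitoring: classifying N, R and D events from consecutive daily snapshots of in-scope 'www'/'http' domains, then tallying the events by second-level label and by TLD in the manner of the tables in the findings below. The snapshots and domain names are constructed.

```python
from collections import Counter

PREFIXES = ("www", "http")

# Constructed daily snapshots of the domains present in a monitored feed.  The
# names are made up; real input would be zone-file diffs or a registration export.
SNAPSHOTS = {
    "2022-08-01": {"www-examplebank.com", "httpsexamplebank.xyz", "www-examplepay.top",
                   "shop-examplebank.com"},                          # baseline day
    "2022-08-02": {"www-examplebank.com", "httpsexamplebank.xyz"},   # examplepay lapses
    "2022-08-03": {"www-examplebank.com", "httpsexamplebank.xyz", "www-examplepay.top",
                   "httpexamplebank.net"},                           # one re-registration, one new
    "2022-08-04": {"www-examplebank.com", "www-examplepay.top",
                   "www-examplepay.com"},                            # cousin domain new, two drops
}


def split_domain(domain: str):
    """(second-level label, TLD) split at the first dot; ccSLDs such as .co.uk
    stay in the TLD part, which is good enough for a coarse tally."""
    sld, _, tld = domain.lower().partition(".")
    return sld, tld


def in_scope(domain: str) -> bool:
    """Second-level label begins with 'www' or 'http' (www-brand, www1brand, httpsbrand...)."""
    return split_domain(domain)[0].startswith(PREFIXES)


def classify_events(snapshots: dict) -> list:
    """Walk consecutive snapshots and emit (day, domain, code) events with
    N = first ever appearance, D = present previously and gone now,
    R = appears again after having been dropped.  The earliest snapshot is the
    baseline and produces no events, since nothing before it is known."""
    events, seen_before, previous = [], set(), None
    for day in sorted(snapshots):
        today = {d for d in snapshots[day] if in_scope(d)}
        if previous is not None:
            for domain in sorted(today - previous):
                events.append((day, domain, "R" if domain in seen_before else "N"))
            for domain in sorted(previous - today):
                events.append((day, domain, "D"))
        seen_before |= today
        previous = today
    return events


def events_by_sld(events) -> Counter:
    """Table 1/2 style: events per second-level label, which merges cousin domains."""
    return Counter(split_domain(domain)[0] for _, domain, _ in events)


def events_by_tld(events) -> Counter:
    """Table 3/4 style: events per TLD."""
    return Counter("." + split_domain(domain)[1] for _, domain, _ in events)


def daily_event_counts(events) -> dict:
    """Figure 1 style: per-day Counter of N, R and D events."""
    out = {}
    for day, _, code in events:
        out.setdefault(day, Counter())[code] += 1
    return out
```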

Findings

Between August 2021 and August 2022, more than 230,000 events were identified for 'www' domains, and more than 12,000 for 'http' domains. Figure 1 shows the continuous activity across the one-year period, with numerous peaks and troughs.

Figure 1: Daily numbers of new registrations (N), re-registrations (R) and dropped (D) domains, for domain names beginning with 'http' (left axis; blues / dark grey) and 'www' (right axis; red / yellow / light grey)

Among the full dataset, a number of specific keyword strings were found to appear as the second-level domain names (the part of the domain name to the left of the dot) multiple times. They represent either repeated lapses and re-registrations of particular domain names, or the registration of distinct domains with the same second-level domain name but different top-level domain (TLD) extensions - so-called 'cousin' domains. Of these keyword strings, several referenced well-known brand names, or variations or typos of those names, indicating an intention to target the brand in question, as shown in Tables 1 and 2.

Keyword string          No. registration / drop events
www-roblox              21
www-lcloud              16
www-apple               15
wwwgoogle               13
www-avito               12
www-citizens            11
www-yandex              10
www-torproject          10
www-icloud              10
www-blablacar           10
www-bitstamp            10
www1royalbank           10

Table 1: Most frequently occurring brand-specific keyword second-level domain names in the dataset of 'www' domains

Keyword string                        No. registration / drop events
https-skinbaron                       9
https-www-ruraivla-com-lsum-main      8
httpsgoogle                           7
https-csmoney                         7
httpgoogle                            7
http18comic                           7
httpsstreamlabs                       6
https-googlecom                       6
https-httpsgoogle                     6
httpsgoogledotcom                     6
httpsgoogleplay                       6
https--google                         6
httpsgoogle-com                       6
httpsgooglecom                        6
httpsecuregoogle                      6
httpsdealersvwcredit                  6
https-anydesk                         6
httpqgoogle                           6
httpagoogle                           6
httpcredito-app-nubank                6
http2google                           6

Table 2: Most frequently occurring brand-specific keyword second-level domain names in the dataset of 'http' domains

Tables 3 and 4 show the top TLDs represented within the dataset.

TLD          No. registration / drop events
.com         204,795
.xyz         6,233
.net         4,411
.org         3,008
.top         1,646
.vip         1,423
.info        950
.fr          937
.online      714
.uk          676

Table 3: Top 10 TLDs represented in the dataset of events for 'www' domains

TLD          No. registration / drop events
.com         8,284
.xyz         1,267
.net         429
.org         388
.live        228
.online      180
.info        170
.uk          160
.fr          154
.site        150

Table 4: Top 10 TLDs represented in the dataset of events for 'http' domains

Unsurprisingly, .com dominates the dataset, reflecting both the continued popularity of the TLD, and its extensive use in official domain names of the brands being impersonated. However, a range of new generic TLDs (gTLDs) such as .xyz, .top, .vip, .online, .live, and .site also feature in the lists, consistent with previous observations that these extensions are popular with fraudsters[1,2,3].

Infringements targeting top brands

CSC also analysed the frequency of registration and drop events for 'www' and 'http' domain names incorporating any of the top 10 most valuable company brands in 2022[4], on the assumption that these are likely to be attractive targets for bad actors. The findings are shown in Table 5.

Brand string      No. registration / drop events
                  'www' domains      'http' domains
apple             212                43
google            143                120
amazon            114                19
microsoft         14                 6
tencent           0                  0
mcdonalds         8                  2
visa              58                 10
facebook          38                 31
alibaba           7                  4
vuitton           1                  0
TOTALS            595                235

Table 5: Numbers of registration and drop events for domains containing the names of the top 10 most valuable company brands in 2022

The associated keywords also present in the domain names may give further insight into the intentions of those registering the domains. For example, in the dataset of 255 'apple' domain events, we frequently see certain keywords, their variants or misspellings, that may indicate phishing activity, including 'login' (13 instances), 'support' (47) and 'activate' (17).

Significantly, of the 564 active, unique domains containing any of the top 10 brand names taken from the dataset above, 16% feature active MX records, meaning they are configured to send or receive e-mails, another indicator that they may have been registered for use in phishing campaigns.
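The counts in Tables 1 to 5 and the 'login' / 'support' / 'activate' keyword observation above all derive from the same operation: take a feed of registration, re-registration and drop events, keep the names whose second-level label begins with 'www' or 'http', and count by label, by TLD and by brand term. The script below is an added example of that pipeline and is not CSC's 3D Domain Monitoring code; the event feed it processes is constructed and the domain names in it are illustrative only. The MX-record check mentioned above is omitted because it needs live DNS queries.

```python
"""Summarise registration (N), re-registration (R) and drop (D) events for
domains whose second-level label starts with 'www' or 'http', in the style of
Tables 1 to 5. Added example, not CSC's code; the feed below is constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[str, str, str]  # (date, registered domain, kind) with kind in {"N", "R", "D"}

# Constructed sample feed (assumption: one entry per registry event).
EVENTS: List[Event] = [
    ("2021-09-01", "www-roblox.com", "N"),
    ("2021-10-15", "www-roblox.com", "D"),             # lapse of the same name
    ("2021-11-02", "www-roblox.xyz", "N"),             # 'cousin' domain in another TLD
    ("2022-01-20", "httpsgoogle.com", "N"),
    ("2022-02-11", "httpgoogle.top", "R"),
    ("2022-03-05", "www-apple-support-login.com", "N"),
    ("2022-03-09", "www-apple-activate.net", "N"),
    ("2022-03-30", "www-apple.com", "N"),
    ("2022-04-01", "example-shop.com", "N"),           # not prefixed: outside the dataset
    ("2022-04-12", "amazon-prime.xyz", "N"),           # brand term, but not prefixed
    ("2022-05-03", "http-amazon-support.live", "D"),
]

PREFIXES = ("www", "http")


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, TLD). Simplification: the TLD is the last
    label, so a .co.uk name is counted under '.uk' as in Tables 3 and 4."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[0], "." + labels[-1]


def deceptive_prefix(sld: str) -> Optional[str]:
    """'www' or 'http' if the label starts with one of them ('https...' counts
    as 'http'), otherwise None."""
    for prefix in PREFIXES:
        if sld.startswith(prefix):
            return prefix
    return None


def filter_events(events: Iterable[Event], prefix: str) -> List[Tuple[str, str, str]]:
    """Keep the events for one prefix dataset as (sld, tld, kind) triples."""
    kept = []
    for _date, domain, kind in events:
        sld, tld = split_domain(domain)
        if deceptive_prefix(sld) == prefix:
            kept.append((sld, tld, kind))
    return kept


def keyword_counts(events: Iterable[Event], prefix: str) -> Counter:
    """Table 1/2 style: events per second-level label. Repeated lapses of one
    name and 'cousin' domains across TLDs both add to the same label."""
    return Counter(sld for sld, _tld, _kind in filter_events(events, prefix))


def tld_counts(events: Iterable[Event], prefix: str) -> Counter:
    """Table 3/4 style: events per TLD within one prefix dataset."""
    return Counter(tld for _sld, tld, _kind in filter_events(events, prefix))


def brand_counts(events: Iterable[Event], brands: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Table 5 style: events whose label contains a brand term, per dataset."""
    result = {brand: {prefix: 0 for prefix in PREFIXES} for brand in brands}
    for prefix in PREFIXES:
        for sld, _tld, _kind in filter_events(events, prefix):
            for brand in result:
                if brand in sld:
                    result[brand][prefix] += 1
    return result


def associated_keywords(events: Iterable[Event], brand: str, hints: Iterable[str]) -> Counter:
    """Phishing-hinting keywords co-occurring with a brand across both datasets."""
    counts: Counter = Counter()
    for prefix in PREFIXES:
        for sld, _tld, _kind in filter_events(events, prefix):
            if brand in sld:
                for hint in hints:
                    if hint in sld:
                        counts[hint] += 1
    return counts


if __name__ == "__main__":
    for prefix in PREFIXES:
        print(f"'{prefix}' labels:", keyword_counts(EVENTS, prefix).most_common(3))
        print(f"'{prefix}' TLDs:  ", tld_counts(EVENTS, prefix).most_common(3))
    print("brands:", brand_counts(EVENTS, ["apple", "google", "amazon"]))
    print("apple hints:", associated_keywords(EVENTS, "apple", ["login", "support", "activate"]))
```

Swap the constructed list for a real zone-file diff or registrar feed and the same functions produce the per-label, per-TLD and per-brand tables; add a public suffix list if multi-label TLDs need to be reported precisely.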

Looking at the content of the websites in the brand-specific dataset, the majority of domains were inactive by the time of analysis, although several had been flagged as dangerous or deceptive at the browser level, suggesting they may previously have hosted fraudulent sites. Others included pay-per-click links, monetising the misdirected web traffic attracted to these sites and potentially driving users to competitor sites. Some of the sites also displayed banner advertisements for gambling-related or adult sites. Figure 2 shows three examples of websites found to feature live, infringing content.


Figure 2: Live fraudulent or infringing websites hosted on 'www' or 'http' domains, targeting Apple (a potential phishing site), Microsoft, and Facebook.

Conclusions

Over one year, CSC’s 3D Domain Monitoring technology identified nearly a quarter of a million registration or drop events of domains designed to be deliberately deceptive, by virtue of the inclusion of the strings 'www' or 'http' at the start. A significant proportion of these appear to target specific brands, with 830 of the events corresponding to just the 10 most valuable brands.

Several domains were found to resolve (or previously resolved) to infringing content, while 16% of the domains relating to the 10 most valuable brands were configured with active MX records. This indicates they may have been registered for their e-mail function - an indicator of possible phishing campaigns.

These findings highlight the importance of brand owners employing an active domain monitoring and enforcement programme. CSC's 3D Domain Monitoring technology can detect the registration, re-registration, and dropping of domain names containing brand terms and other keywords of interest - including variants like fuzzy matches and character replacements - across a wide range of extensions. This enables brand owners to identify and mediate the risks associated with infringing third-party domain registration activity.

References

[1] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[2] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure

[3] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/

[4] https://en.wikipedia.org/wiki/List_of_most_valuable_brands

This article was first published on 24 August 2022 at:

https://www.cscdbs.com/blog/registration-patterns-of-deceptive-domains/

Also published at:

https://circleid.com/posts/20220913-registration-patterns-of-deceptive-domains

Friday, 22 July 2022

Online brand abuse is a cybersecurity issue

(Contributed article)

Over the last two years, there has been a huge shift in the way consumers and users engage with businesses, with a significantly heavier emphasis on online Internet-based activities and presence. Businesses are paying attention to these changes, but so are cybercriminals and other malicious actors. In fact, the Internet Crime Complaint Center (IC3) reported a 65% increase in global exposed losses between July 2019 and December 2021, partly due to the increase in virtual business as a result of the pandemic. We see companies with trusted brands have customers that will engage with them for years. Cybercriminals want to take advantage of this, resulting in an understandable increase in Internet-based crimes and infringers looking to abuse trusted brands and their reputations. This can lead to consumers losing confidence in these brands and derailing the interactions meant for the trusted organisations, resulting in lost revenue and business opportunities.

Track online abuse issues

Historically, many companies used a variety of methods to track abuse issues (such as fraud and counterfeiting) and brand sentiment, but the recent increase in online activities necessitates an even stronger emphasis on online brand protection. There also needs to be an evolution in how companies implement their online brand protection programmes, as traditional methodologies cannot keep up with the rate of online brand abuse. In fact, many companies do not understand the depth of the challenges and the growth in the number of channels where this infringing activity takes place.

Organisations spend lots of time and money building a trusted brand - all of which can be stripped away in a short time by the fallout of online crime. The best way for companies to protect their brand is to implement an online brand protection programme that combines online monitoring (to identify infringing content) and enforcement activities (to remove said content). Complementary solutions, like the use of blocking networks - which can incorporate partnerships with browser producers, ISPs and security information and event management (SIEM) service providers - to block fraudulent websites from Internet users, can also help to create a more comprehensive approach. Using these methods to track and remediate activity by infringers should also run alongside a programme of secure domain name management, allowing the brand owner to administer and protect their own official domain portfolio.

Some of the key benefits of implementing an online brand protection programme are:

  • Identifying online brand-related criminal activity
    • A comprehensive brand protection programme can help to identify instances of online fraud (e.g. phishing or the trade in stolen credentials), the sale of counterfeit goods and other intellectual property breaches (e.g. brand name misuse to mislead customers and drive web traffic to third-party content).
  • Identifying other online brand references
    • Understanding how your brand is being used - and abused - by third parties is both important and valuable in its own right. It can raise awareness of issues like potential brand confusion, brand dilution and brand usage breaches, which could affect the value of your brand.
  • Identifying negative customer comments or boycott activity and reputation management
    • Frequent negative commentary can impact your trusted brand value or public perception of your brand. This content is tough to remove from the Internet, as it is protected by freedom of speech; however, being aware of the negative comments can prove valuable to brand owners, giving them the opportunity to put out an appropriate counter-message or to change their product strategy as a means of counteracting the negative buzz. The most important thing is to take some action, but without being too heavy-handed and thus running the risk of being labelled a 'brand bully'.

Monitoring solutions for trusted brands

A comprehensive monitoring solution should use a range of approaches. General Internet content can be monitored using a combination of search-engine queries, web crawling, and direct searches of known sites of interest. Branded domain names can be identified through zone-file analysis and other techniques, with the most sophisticated technologies able to detect brand variations - for example, misspellings and other fuzzy matches - and use artificial intelligence (AI) technology to detect trends and build links between infringements.

Strategies and tactics

There are a variety of enforcement strategies and tactics that an organisation can use. The first thing to do is have a checklist / toolkit approach, which includes a standardised, easily scalable list of activities that can be undertaken to address infringements. This approach allows the trusted brand owner to use simple, low-cost approaches as an initial step, while reserving more complicated or costly options as escalation routes if initial takedown attempts are unsuccessful. This process can start with identifying the infringement, verifying its source and then, if appropriate, sending a cease-and-desist letter to the criminal saying "we've uncovered your illegal activity; please stop and take this down".

If there is no response to these initial enforcement tactics, companies should then think about escalation approaches - including notices to registrars or hosting providers - and then ultimately consider dispute resolution or legal options. Platforms like social media sites and e-commerce or mobile app marketplaces may also have their own built-in IP protection programmes that can be leveraged. In other cases, alternative actions like search engine de-listings or payment gateway suspensions may be appropriate. It is best to have a range of approaches available, but always start by taking down the high-impact targets. Companies often do not realise it is not necessary to take everything down - be tactical by starting with the ones that hurt your brand the most and have the largest audience.

As more platforms are created, brand protection and brand insights are more important than ever. Brand leaders should receive reports on a daily, weekly and monthly basis to understand the nature of the activity that can damage your organisation - and, most importantly, what needs to be done to actively protect your trusted brand.

This article was first published on 22 July 2022 at:

https://securityboulevard.com/2022/07/online-brand-abuse-is-a-cybersecurity-issue/

Tuesday, 24 May 2022

"Do you see what I see?" - Geotargeting in brand infringements

by Lan Huang and David Barnett

Geotargeting is a well-established online technique for delivering tailored web content based on a user's geographic location. From an Internet technology point of view, this is usually based on the user's IP address, which is converted to a physical location through a standard look-up process performed by network infrastructure.

Geotargeting is commonly used by websites for several legitimate reasons, including providing users with relevant advertising and other content, or restricting the distribution of content to particular countries or regions in compliance with IP rights restrictions. However, geotargeting (or geoblocking) is increasingly being used by bad actors with their infringing websites. The sites may be configured so the infringing content (e.g. counterfeit goods sales) is only accessible in certain countries. Similarly, sites may be configured such that the content is visible only at certain times, on certain days, or can vary dependent on the web browser used.

Outside those locations (or times), sites may resolve to unrelated content, like gambling-related or adult material, or websites for third-party companies. In some cases, affiliate links on these pages can be sources of additional revenue for their owners beyond their core purpose, i.e. the distribution of the infringing content. Generally, the main purpose of the geotargeting technique is to circumvent detection by the real brand owner, their brand protection service provider, or to frustrate enforcement efforts.

Common geotargeting implementation methods

There are several ways to implement geotargeting, the most common of which include:

  • Use of a .htaccess configuration file on the webserver of the site in question to restrict access to the content by certain IP addresses
  • Use of JavaScript in the website source code specifying that access from certain countries should be restricted
    • In this case, the geoblocking takes place on the client side (in the web browser); this type of blocking can be implemented using a suitable plug-in when the site is constructed, without requiring any specific technical knowledge

Most often these tools are used for legitimate purposes, including security (e.g. blocking traffic from suspected automated bots), search-engine optimisation (e.g. customisation of site content by location), or compliance (e.g. where content may be illegal in certain jurisdictions). However, as discussed previously, use of these techniques has become increasingly popular with fraudsters who use them to avoid detection and thereby increase the uptime for their infringing content.

Enforcement implications

Enforcement action against geotargeted content can be difficult because the Internet service providers (ISPs) through which the takedowns are made may not be able to see the offending content. A successful takedown is generally reliant on the brand owner being able to provide the ISP with information relating to the IP address(es) or geographic regions from which the infringing content is accessible, together with a screenshot of that content.

At times, it may not be possible for the users who first accessed the infringing content to provide the required information - such as the IP address(es) mentioned above, or a screenshot of the infringing site. This is not uncommon, and there are investigation tools that can be used to support evidence preservation for takedown, as described below.

Investigation of geotargeted content: A case study of an infringing website

Investigating a site using geotargeted content requires the investigator to bypass the geoblocking, which is generally most easily achieved using tools to mask their location (i.e. their IP address, or the location from which their web queries originate). This can be done by using a virtual private network (VPN), a proxy server, or SmartDNS (domain name system).

However, if it is possible to establish that the geoblocking or content re-direction has been implemented using JavaScript - which can be confirmed using any of a range of free, third-party tools - the geoblocking can usually be at least partially circumvented by disabling JavaScript in the browser.

To illustrate, the following example shows a geotargeted counterfeit site identified by CSC as infringing against a luxury goods brand. The website - [brand]-store.org - appears to be tailored to the Japanese market, and the Google abstract for the site shows what appears to be the intended content, with Japanese text translated as 'Fall / Winter New Down Women's / Men's Cheap Mail Order' (Figure 1).

Figure 1: Google abstract for the geotargeted counterfeit site

Conversely, when the site is viewed from the UK, the user is instead re-directed to a restricted access page on a third-party domain (Figure 2).

Figure 2: Re-direction destination page for the geotargeted counterfeit site when viewed from the UK

However, if JavaScript is disabled in the browser, the re-direction no longer takes effect. In this case, the blocking of JavaScript meant that the website content did not display properly; however, by viewing the webpage source code, we were able to verify the presence of the counterfeit site content. An extract is shown in Figure 3, where the Japanese page title translates as '[Brand] Outlet Store Official Site - 2021 New Fall / Winter Down Women's / Men's Cheap Online Store - [Brand] Outlet Store Official Site'.

Figure 3: Extract of the HTML source code of the geotargeted counterfeit site

Completing the investigation, the content of the site can be viewed by modifying the HTML to remove the JavaScript command causing the re-direct and opening the resulting document in a browser (Figure 4).

Figure 4: Content of the geotargeted counterfeit site shown by rendering the edited HTML source code directly in a browser
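The last two steps of the case study - confirming from the source that the re-direction is script-driven, then removing the offending command so the underlying page can be rendered and captured as evidence - can be scripted. The code below is an added example written for this post and is not CSC's investigation tooling; the HTML it works on is a constructed stand-in for the saved source of a geotargeted page, with placeholder `.invalid` hostnames. It matches redirect statements with regular expressions, so it catches plain `location` assignments and meta refresh tags but not obfuscated scripts, which still call for the manual source review the article describes.

```python
"""Find client-side redirects in a saved page and produce a copy with only the
redirecting scripts removed, so the hidden content can be rendered for evidence.
Added example, not CSC's tooling; SAMPLE_HTML is constructed."""
import re
from typing import List, Tuple

# Constructed sample: page content for the target market, with a script that
# sends everyone else to a third-party 'restricted' page.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><meta charset="utf-8">
<title>[Brand] Outlet Store Official Site - Cheap Online Store</title>
<script>
  // geotargeting by browser language (constructed example)
  if (navigator.language.indexOf("ja") !== 0) {
    window.location.replace("https://redirect.example.invalid/restricted");
  }
</script>
<script src="https://cdn.example.invalid/analytics.js"></script>
</head><body><h1>[Brand] Outlet Store</h1><p>Down jackets, new season.</p></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
META_REFRESH_RE = re.compile(
    r"<meta\s+[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.IGNORECASE)
# Statements that change the document's location: location = "...",
# location.href = "...", location.replace("..."), location.assign("...").
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"
    r"\s*(?:=|\()\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def find_redirects(html: str) -> List[Tuple[str, str]]:
    """Return (mechanism, destination) pairs for script and meta-refresh redirects."""
    found = []
    for script in SCRIPT_RE.finditer(html):
        for dest in REDIRECT_RE.findall(script.group(1)):
            found.append(("javascript", dest))
    for tag in META_REFRESH_RE.finditer(html):
        url = re.search(r"url\s*=\s*[\"']?([^\"'>;\s]+)", tag.group(0), re.IGNORECASE)
        if url:
            found.append(("meta-refresh", url.group(1)))
    return found


def strip_redirects(html: str) -> str:
    """Drop only script blocks that redirect (and meta refresh tags); other
    scripts and the page content are left untouched."""
    def drop_if_redirect(match: "re.Match[str]") -> str:
        return "" if REDIRECT_RE.search(match.group(1)) else match.group(0)
    html = SCRIPT_RE.sub(drop_if_redirect, html)
    return META_REFRESH_RE.sub("", html)


def page_title(html: str) -> str:
    """The <title> text, which is what the Google abstract in Figure 1 exposed."""
    match = TITLE_RE.search(html)
    return match.group(1).strip() if match else ""


if __name__ == "__main__":
    print("redirects found:", find_redirects(SAMPLE_HTML))
    cleaned = strip_redirects(SAMPLE_HTML)
    print("title:", page_title(cleaned))
    print("redirects after cleaning:", find_redirects(cleaned))
```

Save the cleaned HTML next to the original source and the list of redirect destinations; together with the IP address or region from which the content was visible, that is the evidence package an ISP takedown request needs.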

This article was first published on 24 May 2022 at:

https://www.cscdbs.com/blog/do-you-see-what-i-see-geotargeting-in-brand-infringements/

Also published at:

https://circleid.com/posts/20220531-do-you-see-what-i-see-geotargeting-in-brand-infringements

Monday, 9 May 2022

Branded domains are the focal point of many phishing attacks

As a long-established online attack strategy, phishing remains a popular tool for fraudsters because of its effectiveness. The Anti-Phishing Working Group reported more than 300,000 distinct phishing attacks in December 2021 - more than three times the number reported in early 2020, and the highest monthly total ever identified[1].

Classic phishing, where Internet users are driven to fraudulent sites designed to collect log-in credentials or other personal information, is still used extensively to access customer accounts or corporate systems, or to engage in identity theft. One recent study suggested around two thirds of phishing campaigns are geared towards credential theft[2]. However, other variants, such as business e-mail compromise (BEC) attacks or money-transfer scams, have also emerged over time. A significant proportion of phishing activity is also used to distribute malware (including ransomware), either through malicious e-mail attachments, or the use of infected phishing landing pages - indeed, phishing is now recognised as the primary means of delivering malicious payloads[3,4].

Central to many phishing attacks is an associated domain name, used either in the construction of a convincingly deceptive e-mail delivery ('from') address, for hosting the phishing site, or both. A key element of a successful attack is making the fraudulent content look like it originates from a trusted brand. One way to do that is by registering a domain name containing the name, or a variation, of the target brand. A 2021 study of the configurable sections of phishing site URLs - which also included consideration of keyword use in the subdomain portion, as well as in the domain names themselves - found that the most frequently used keyword across all analysed phishing sites was 'amazon'[5].

Phishing domain analysis

This section presents an analysis of approximately 2,000 phishing takedowns carried out by CSC’s Anti-Fraud Team across its customer base during 2021, covering both e-mail address and phishing site deactivations. Enforcements cover both phishing attacks (65.6% of cases) and advance-fee frauds (34.4%) targeting brands in over 20 industry verticals.

For each phishing case, we consider the domain used in the attack to determine whether the name of the targeted brand appears in the phishing domain name (i.e. this excludes consideration of whether the brand name appears in an alternative location in the phishing site URL, such as the subdomain name). The results of this analysis are shown in Figure 1.

Figure 1: Proportion of phishing domain names incorporating the targeted brand name, plus the type of match.

The analysis shows that just over half the cases (50.4%) do not feature the name of the targeted brand in the phishing domain name, either using a brand reference elsewhere in the URL, or using an entirely brand-independent URL, which in some cases could be a compromised site[6]. The other half (49.6%) make use of a brand-specific domain name to construct a deceptive URL. In most of these cases (41.7% of the total), the exact brand name is used, while the remainder feature a brand variant or misspelling. The types of variations observed are:

  • Added character(s) ('Added' in Figure 1) - One or more additional characters are inserted into the brand name. Frequently this comprises the addition of a hyphen between parts of the brand name.
  • Abbreviation ('Abbreviation') - The domain uses a truncated form of the brand name or acronym, designed to be recognisable to a human reader.
  • Replaced character(s) ('Replaced') - One or more characters in the brand name are replaced by another character (or combination of characters). Often, the character is visually similar to that which it replaces. Some of the most visually convincing replacements observed in the dataset were:
    • w  → vv
    • m → rn
    • g → q
    • y → v
    • l (lower-case L) → 1 or I (upper-case i)
    • i → l (lower-case L)
  • Removed character ('Removed') - A single character is removed from the brand name being referenced.
  • Transposed elements ('Transposed') - A pair of characters in the brand name or individual components (e.g. words) of the brand name are swapped with each other.
  • Other typo variants ('Other typo') - Another type of misspelling or a combination of the above approaches has been used.
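The categories above are what a detection service has to decide for every candidate domain it sees. The classifier below is an added example of one way to make that decision in code; it is not CSC's 3D Domain Monitoring logic. It slides a window over the second-level label, compares each window with the brand name using the variant definitions listed above (including the visually convincing replacements vv/w, rn/m, q/g, v/y, 1/l and i/l), and reports the first matching category in the order exact, added, replaced, removed, transposed, abbreviation, other typo. The abbreviation test (a short hyphen-separated token that is a subsequence of the brand name) and the two-edit limit for 'other typo' are heuristics chosen for this example, and all test domains are constructed.

```python
"""Classify how a domain label references a brand, using the variant categories
from Figure 1. Added example, not CSC's code; domains below are constructed."""
import itertools
from typing import List

# Priority when several windows match: the article's ordering, with 'exact' first.
PRIORITY = ["exact", "added", "replaced", "removed", "transposed", "abbreviation", "other typo", "none"]

# Multi- and single-character lookalikes from the article; domain names are
# case-insensitive, so upper-case I and lower-case i are the same character.
FOLDS = [("vv", "w"), ("rn", "m"), ("q", "g"), ("v", "y"), ("1", "l"), ("l", "i")]


def fold(s: str) -> str:
    """Collapse lookalike sequences so 'paypa1' and 'paypal' compare equal."""
    for src, dst in FOLDS:
        s = s.replace(src, dst)
    return s


def is_subsequence(short: str, long: str) -> bool:
    it = iter(long)
    return all(ch in it for ch in short)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(domain: str) -> str:
    return domain.lower().rstrip(".").split(".")[0]


def classify_window(w: str, brand: str) -> str:
    """Category for one candidate window of the label against the brand name."""
    n = len(brand)
    if w == brand:
        return "exact"
    # Added: a hyphen inside the name, or one inserted character anywhere.
    if len(w) in (n + 1, n + 2) and (
            w.replace("-", "") == brand or (len(w) == n + 1 and is_subsequence(brand, w))):
        return "added"
    if fold(w) == fold(brand):                       # vv/rn/1/... replacements
        return "replaced"
    if len(w) == n:
        diffs = [k for k in range(n) if w[k] != brand[k]]
        if len(diffs) == 1:
            return "replaced"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and w[diffs[0]] == brand[diffs[1]] and w[diffs[1]] == brand[diffs[0]]):
            return "transposed"
    if len(w) == n - 1 and is_subsequence(w, brand):
        return "removed"
    if levenshtein(w, brand) <= 2:
        return "other typo"
    return "none"


def classify(domain: str, brand: str) -> str:
    """Best category across all windows of the label; multi-word brands
    ('royal bank') additionally get component-swap and acronym checks."""
    label = sld(domain)
    parts = brand.lower().split()
    canon = "".join(parts)
    best = "none"
    for start in range(len(label)):
        for length in range(max(1, len(canon) - 1), len(canon) + 3):
            window = label[start:start + length]
            if len(window) < length:
                break
            cat = classify_window(window, canon)
            if PRIORITY.index(cat) < PRIORITY.index(best):
                best = cat
    if PRIORITY.index(best) <= PRIORITY.index("transposed"):
        return best
    if len(parts) > 1:                               # swapped components
        for perm in itertools.permutations(parts):
            if perm != tuple(parts) and ("".join(perm) in label or "-".join(perm) in label):
                return "transposed"
    for token in label.split("-"):                   # acronym or truncation (heuristic)
        if 3 <= len(token) <= len(canon) - 2 and is_subsequence(token, canon):
            return "abbreviation"
    return best


def classify_many(domains: List[str], brand: str) -> List[str]:
    return [classify(d, brand) for d in domains]


if __name__ == "__main__":
    for d in ["www-paypal.com", "pay-pal.com", "paypa1.com", "amazn-support.net", "amaozn.xyz"]:
        print(f"{d:24s} {classify(d, 'paypal' if 'pay' in d else 'amazon')}")
```

Running the classifier over a day's new registrations and keeping everything that is not 'none' gives the candidate list an analyst reviews; tuning the abbreviation heuristic and the edit-distance threshold trades recall for noise.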

Across the dataset, more than 160 distinct domain name extensions are represented, with the top 10 including several new generic top-level domains (new gTLDs) (Figure 2). This is consistent with previous studies that established many of these extensions are frequently associated with untrustworthy sites[7,8].

Figure 2: Top 10 domain-name extensions (TLDs) represented in the dataset of phishing domains

Case study: domain registration trends associated with phishing activity targeting a banking group

Across Q4 2020 and Q1 2021, CSC identified a large number of domain registrations associated with a sizeable, coordinated phishing campaign targeting a FTSE-100 multi-brand banking group. The primary attack vector was via SMS messaging (a.k.a. smishing), and the campaign used a series of brand-specific domain names that resolved to fake branded websites soliciting customer log-in credentials. CSC determined that the sites were part of a large-scale attack by a single entity, or a group of connected entities, based on similarities in registration dates, keyword permutations and URL structure, plus common use of privacy protection services. At the time of analysis, the domains resolved to a mixture of live and inactive sites, suggesting each phishing site may only have been active for a short period.

The campaign moved from one brand (Brand A), being targeted primarily in October and November 2020, to a second brand (Brand B), with a smaller peak in activity around February 2021. The numbers of domains used in these attacks were sufficiently large that the campaign dominated the overall pattern of total third-party domain registrations for the brands across the period in question (Figure 3).

Figure 3: Daily total numbers of detected domain registrations (and seven-day centred rolling averages) for two brands associated with a FTSE-100 banking group, between September 2020 and June 2021

Proactive monitoring and enforcement as part of a comprehensive security programme can help defend against phishing attacks

The above observations raise significant implications regarding the requirements for an effective phishing detection service. First, a key component is the detection of brand-specific domain names, as shown by the fact that almost half the domains analysed in our initial dataset incorporate a brand reference in the domain name. The simplest domain detection products only attempt to identify names containing exact matches to the brand name concerned, but as our analysis shows, some 16% of the branded phishing domains actually reference a brand variant, rather than the exact brand name. This may be a deliberate decision by the fraudsters to try to circumvent detection efforts, and it highlights the need for a comprehensive solution able to tackle these variations. CSC’s 3D Domain Monitoring service has been designed with these requirements in mind, covering detection of a range of brand variants, including fuzzy matches (incorporating character replacements and use of non-Latin homoglyphs) and Soundex (homophone or metaphone) variations (i.e. domains that are pronounced similarly), across a wide range of domain name extensions.

However, even comprehensive domain detection is only part of the solution. Just over half the phishing attacks in our dataset do not use brand-specific domain names, showing that a truly effective phishing detection product must also incorporate other data sources. CSC’s Fraud Protection service also makes use of spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs. This information is fed into our machine-learning-driven correlation engine that detects fraudulent sites by analysing URL patterns and comparing site content with known predictors of fraudulent content. A final key element is the inclusion of a 24×7 enforcement capability to ensure rapid takedown of fraudulent content.

References

[1] https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf

[2] https://cofense.com/annualreport

[3] https://www.cisa.gov/stopransomware/general-information

[4] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[5] https://www.daj.jp/en/about/release/2021/0922_01/

[6] https://www.phishlabs.com/blog/most-phishing-attacks-use-compromised-domains-and-free-hosting/

[7] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure

[8] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/

This article was first published on 9 May 2022 at:

https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

Experimenting with a new domain data source to identify hard-to-find web content

Introduction The monitoring component of brand protection services aims to identify infringing web content relating to a particular brand, w...