Palo Alto Networks finds thousands of malicious cybersquatting domains

According to the latest research from cybersecurity firm Palo Alto Networks, threat actors have been squatting on domains that imitate popular brands in order to deceive unsuspecting victims. The firm found more than 2,500 squatting domains distributing malware or conducting phishing attacks.

The purpose of a squatting domain is to trick users into believing that the targeted brand (such as Netflix) owns the domain name (such as netflix-payments[.]com), or to profit from users' typing mistakes (such as whatsalpp[.]com for WhatsApp).

While cybersquatting is not always malicious toward users, it is illegal in the United States, and squatting domains are often used or repurposed for attacks.

Discovery of squatting domains

Palo Alto Networks' squatting detector found that 13,857 squatting domains were registered in December 2019, an average of roughly 450 per day.

“We found that 2,595 (18.59%) squatted domain names are malicious, often distributing malware or conducting phishing attacks, and 5,104 (36.57%) squatting domains we studied present a high risk to users visiting them, meaning they have evidence of association with malicious URLs within the domain or are utilizing bulletproof hosting,” Palo Alto Networks said in a statement.

Domain squatting techniques

Palo Alto Networks studied domain squatting techniques including typosquatting (a one-keystroke variation of the brand, such as whatsalpp[.]com), combosquatting (the brand combined with additional words, such as netflix-payments[.]com), level-squatting (the brand name placed in a subdomain of an unrelated registered domain), bitsquatting (a single bit flipped in one character of the brand name, so that a hardware memory error sends a request to the squatter) and homograph-squatting (visually similar characters, often from other scripts, substituted for letters of the brand).
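As an added example (not code from the original article, and not Palo Alto Networks' own detector), the following Python script labels hostnames with the squatting technique used against a protected brand, the kind of check a monitoring pipeline over newly registered domains or pDNS feeds would apply. The brand list, homoglyph table and sample hostnames are constructed for the illustration, and the public-suffix handling is deliberately simplified.

```python
# Added illustration, not Palo Alto Networks' detector: rule-based classification
# of hostnames into the five squatting techniques named in the Unit 42 research.
# Brand list, homoglyph table and sample hostnames are constructed for the example.

BRANDS = ["netflix", "whatsapp", "paypal", "google"]          # constructed
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")    # valid LDH label characters

# Characters or digraphs that visually mimic a Latin letter (digraphs applied first);
# the Cyrillic entries are the usual IDN homograph culprits.
HOMOGLYPHS = [
    ("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0455", "s"), ("\u0456", "i"),
]

def to_unicode(hostname):
    """Lower-case and decode punycode (xn--) labels so checks see what the victim sees."""
    hostname = hostname.strip().rstrip(".").lower()
    if "xn--" in hostname and hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname

def split_hostname(hostname):
    """Return (registrable label, subdomain labels). Simplification: the last label
    is taken as the TLD; a real pipeline would consult the Public Suffix List."""
    labels = to_unicode(hostname).split(".")
    if len(labels) < 2:
        return "", []
    return labels[-2], labels[:-2]

def normalize_homoglyphs(label):
    """Replace confusable characters with the Latin letters they imitate."""
    for glyph, latin in HOMOGLYPHS:
        label = label.replace(glyph, latin)
    return label

def bitflips(label):
    """Labels reachable by flipping one bit of one character (bitsquatting)."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def is_typo(label, brand):
    """One keystroke from the brand: substitution, adjacent swap, insertion or deletion."""
    if label == brand:
        return False
    if len(label) == len(brand):
        diff = [i for i, (a, b) in enumerate(zip(label, brand)) if a != b]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and label[diff[0]] == brand[diff[1]] and label[diff[1]] == brand[diff[0]])
    if abs(len(label) - len(brand)) == 1:
        longer, shorter = sorted((label, brand), key=len, reverse=True)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False

def classify(hostname, brands=BRANDS):
    """Return (technique, brand) for a squatting hostname, else None."""
    label, subdomains = split_hostname(hostname)
    for brand in brands:
        if label == brand:
            return None                         # the brand's own registrable domain
        # Order matters: a homoglyph swap or a bit flip is also an edit-distance-1
        # change, so the more specific techniques are tested before the typo rule.
        if normalize_homoglyphs(label) == brand:
            return ("homograph-squatting", brand)
        if label in bitflips(brand):
            return ("bitsquatting", brand)
        if is_typo(label, brand):
            return ("typosquatting", brand)
        if brand in label:
            return ("combosquatting", brand)    # brand plus extra words
        if brand in subdomains:
            return ("level-squatting", brand)   # brand hidden in the subdomain part
    return None

# Constructed sample of newly observed hostnames, as an NRD or pDNS feed might supply.
SAMPLE_HOSTNAMES = [
    "netflix-payments.com", "whatsalpp.com", "netfdix.com", "netf1ix.com",
    "vvhatsapp.com", "www.netflix.com.secure-login.xyz",
    "p\u0430ypal.com".encode("idna").decode("ascii"),  # punycode of a Cyrillic-a "paypal"
    "netflix.com", "example.com",
]

def scan(hostnames, brands=BRANDS):
    """Map each squatting hostname in the feed to its (technique, brand) verdict."""
    findings = {}
    for host in hostnames:
        verdict = classify(host, brands)
        if verdict:
            findings[host] = verdict
    return findings

if __name__ == "__main__":
    for host, (technique, brand) in scan(SAMPLE_HOSTNAMES).items():
        print(f"{host:40} {technique:20} target={brand}")
```

Running scan(SAMPLE_HOSTNAMES) flags seven of the nine constructed hostnames and leaves netflix.com and example.com alone. The order of the checks in classify is the important design choice: a single homoglyph swap or bit flip is also an edit-distance-one change, so testing the typo rule first would hide the more specific (and more deliberate) techniques, which a real pipeline wants to report separately because they indicate different attacker tooling.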

“A high rate of malicious and suspicious usage among squatting domains was observed. Therefore, continuous monitoring and analysis of these domains are necessary to protect users,” it said.

“Palo Alto Networks monitors newly registered domains and newly observed hostnames from pDNS and Zone files to capture emerging squatting campaigns. Our automatic pipeline publishes the domains it detects to URL Filtering and DNS Security using the appropriate category, including malware, phishing, C2 or grayware,” it added.

The cybersecurity firm also ranked the most abused target domains in December 2019 by an adjusted malicious rate, a score that is high when a brand is either the target of many squatting domains or when most of the squatting domains imitating it are confirmed malicious.

“We found that domain squatters prefer profitable targets, such as mainstream search engines and social media, financial, shopping and banking websites,” it added.

Users visiting such sites are usually prepared to share sensitive information, so if they can be lured to a squatting domain instead, they are exposed to phishing and scams that steal credentials or money.

Automated system to detect squatting domains

The cybersecurity firm developed an automated system that detects squatting domains by analysing newly registered domains and passive DNS (pDNS) data, in order to capture emerging campaigns as they appear.

It recommends that enterprises block and monitor traffic from these domains, while consumers should make sure they type domain names correctly and confirm that a domain belongs to the expected owner before visiting the site.