Christmas Warning: Threat Actors Impersonate your Favorite Brands to Attack, Finds CSC

Written by

In the run-up to Christmas, one of the busiest times for online shopping and e-commerce, we are likely to see a spike in fraudulent domain name registrations.

Domain provider CSC analyzed threatening domains targeting 10 of the biggest brands in the world in a report published on December 6, 2022. These include Amazon, Walmart, McDonald’s, Tencent, Google, Microsoft, Apple and Facebook.

Of 8480 identified unique third-party domain names in their dataset, CSC found that 56% were linked to a live webpage, some of which offered “a range of high-concern content types, including fraud issues like potential phishing sites, and other brand infringements,” according to the report.

Also, 66% of the identified third-party domain names used domain privacy services, “indicating an intention by the owner to mask their identity,” and 35% were configured with active mail exchange (MX) records, “indicating their ability to send and receive emails, making them capable of launching phishing attacks,” the report reads.

While all of these three methods could hint at nefarious motivations, Ihab Shraim, CSC’s CTO, told Infosecurity that various domain name alteration techniques were “often smart and sometimes tricky to detect.”

Aside from the regular typosquatting, the act of changing, withdrawing or adding a character from the original domain name, 3% of the fraudulent third-party domain names used legitimate domains in a fraudulent way to trick users.

“For instance, as the US government uses websites with the whitehouse.gov domain name only, some threat actors registered whitehouse[dot]com or whitehouse[dot]org, which seem harmless but in reality, are fraudulent,” Shraim said.

The report shows a spike in new domain name registrations in April 2022.

Daily numbers of new registrations (N), re-registrations (R) and dropped (D) domains with names with a close match to any of the ten brand names under consideration. Source: CSC
Daily numbers of new registrations (N), re-registrations (R) and dropped (D) domains with names with a close match to any of the ten brand names under consideration. Source: CSC

“At the beginning of 2022, the restrictions on social distancing started declining in the US, meaning that people would travel more and buy more. And in the US, April is the month tax returns are given back, which means those people have money to buy things. This, combined with the ‘back-to-normal’ period, meant people were going to buy even more – something threat actors anticipated and created more fraudulent domain names to lure some of these buyers,” Shraim explained.

CSC will release a similar work with a regional focus in the next few months.

What’s hot on Infosecurity Magazine?