Like many organizations before it, Intuit has recently been releasing a series of security notices warning QuickBooks users against . When it comes to the phishing vehicles used, the level of sophistication isn’t mind-blowing or novel. The phishing emails come from cybersquatting domains, such as intuit-solution[.]com, fucaxcapital[.]com and alpha-invest[.]net. sophisticated phishing attacks They bank on the appeal of legitimate businesses to lure in victims, which is seen daily on the Domain Name System (DNS). In our 2022 Business Impersonation Landscape Report, where we analyzed the domain footprint of 29 Fortune 500 companies and 20 top CEOs, we found more than 49,000 highly targeted cybersquatting properties added in the past year. An alarming 12.32% of the properties have been flagged as malicious. You may view the detailed findings by downloading the from our website or check an overview of the results in this post. white paper Sophisticated Business Impersonation in the DNS Highly targeted cybersquatting properties, in this context, do not only refer to threat actors impersonating companies via look-alike domains but also include the use of text strings that increase their chances of reeling victims in. We determined three types of business impersonation properties, namely: : This pertains to digital properties that use the names of company executives. In September 2021, we studied the and found several that turned out to be malicious, including sundarpichai[.]com, brianmoynihan[.]com, and kevinjmurphy[.]com. There remain some suspicious findings this year, although not as many as the previous year, consistent with a report that business email compromise (BEC) attacks impersonating internal employees have decreased from 60% of all attacks in 2021 to 48% in the first half of 2022. CEO impersonation domain footprint of the top 100 CEOs recent This is signified by domains and subdomains potentially imitating critical departments or functions of an organization, such as marketing, support, finance, security, and recruitment. Some examples would include csamazonsupport[.]com or jpmorgan-finance[.]com, both of which figured in malware or phishing campaigns. Company department impersonation comprised 22% of the total number of web properties in the study and about 21% of the malicious domains and subdomains. Company department or function impersonation: In this type of business impersonation, threat actors use keywords that induce urgency in the victims, alongside the target companies’ names. These strings include “recovery,” “verify,” “sale,” “pay,” “login,” “sign in,” “register,” “update,” and “auth.” Urgency-based impersonation made up 79% of the total number of malicious domains found in the study. Examples of the malicious properties include ca-amazon-recovery[.]com, wells-fargo-login-notice[.]com, tesla-presale[.]net and verifiercompte-netflix[.]com. Urgency-based impersonation: The chart below shows the breakdown of malicious cybersquatting properties based on the text strings identified above. Fortune 500 Impersonators: Connections and Content We analyzed the WHOIS records and DNS connections of the cybersquatting domains and found: The active DNS connections and registrant countries mostly pointed to the U.S. The other countries accounting for most of the domain registrations and resolutions include Canada, the Netherlands, the U.K., Germany, and France. Location: PDR Ltd. managed the bulk of the properties, accounting for 38% of the domain registrations. The rest of the top 10 registrars include GoDaddy, Mark Monitor, Namecheap, Network Solutions, NameSilo, Amazon, CoCCA Registry Services, and REGRU. Registrar: The leading ISP was Amazon (27%), with Cloudflare, Google, HYAS, DigitalOcean, Microsoft, Linode, Sharktech, Fastly, and OVH completing the top 10. According to Spamhaus, some of these ISPs account for the highest number of spam and botnet infections as of 9 June 2022. Internet service provider (ISP): Our screenshot analysis revealed questionable content hosted on the cybersquatting properties, including login pages, such as those shown below. Web content: Business impersonation continues to harm organizations’ reputations and regular Internet users. While detecting the threat in emails, text messages, and social media posts can help, proactively seeking out cybersquatting domains as soon as they get added to the DNS can give companies an edge. If you’re interested in checking the full results of this study and learning more about the cybersquatting domains identified, feel free to . We are also available to discuss research collaboration ideas. contact us

Alongside

Amazon

Google

HYAS

Intuit

Microsoft

Netflix

Target

Tesla

6 Domain Name Registration Drivers in Q2 2022

5 Best Website Categorization Tools

Check our Enterprise API Packages.

Nominated for 2022 - HackerNoon Contributor of the Year - Data

Too Long; Didn't Read

DNS Business Impersonation: What’s the Landscape Like in 2022

DNS Business Impersonation: What’s the Landscape Like in 2022

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A Comprehensive Guide to Geolocation APIs for Cybersecurity Professionals

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

A Comprehensive Guide to Geolocation APIs for Cybersecurity Professionals

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps