Like many organizations before it, Intuit has recently been releasing a series of security notices warning QuickBooks users against sophisticated phishing attacks. When it comes to the phishing vehicles used, the level of sophistication isn’t mind-blowing or novel. The phishing emails come from cybersquatting domains, such as intuit-solution[.]com, fucaxcapital[.]com and alpha-invest[.]net.
They bank on the appeal of legitimate businesses to lure in victims, which is seen daily on the Domain Name System (DNS). In our 2022 Business Impersonation Landscape Report, where we analyzed the domain footprint of 29 Fortune 500 companies and 20 top CEOs, we found more than 49,000 highly targeted cybersquatting properties added in the past year.
An alarming 12.32% of the properties have been flagged as malicious. You may view the detailed findings by downloading the white paper from our website or check an overview of the results in this post.
Sophisticated Business Impersonation in the DNS
Highly targeted cybersquatting properties, in this context, do not only refer to threat actors impersonating companies via look-alike domains but also include the use of text strings that increase their chances of reeling victims in. We determined three types of business impersonation properties, namely:
- CEO impersonation: This pertains to digital properties that use the names of company executives. In September 2021, we studied the domain footprint of the top 100 CEOs and found several that turned out to be malicious, including sundarpichai[.]com, brianmoynihan[.]com, and kevinjmurphy[.]com. There remain some suspicious findings this year, although not as many as the previous year, consistent with a recent report that business email compromise (BEC) attacks impersonating internal employees have decreased from 60% of all attacks in 2021 to 48% in the first half of 2022.
- Company department or function impersonation: This is signified by domains and subdomains potentially imitating critical departments or functions of an organization, such as marketing, support, finance, security, and recruitment. Some examples would include csamazonsupport[.]com or jpmorgan-finance[.]com, both of which figured in malware or phishing campaigns. Company department impersonation comprised 22% of the total number of web properties in the study and about 21% of the malicious domains and subdomains.
- Urgency-based impersonation: In this type of business impersonation, threat actors use keywords that induce urgency in the victims, alongside the target companies’ names. These strings include “recovery,” “verify,” “sale,” “pay,” “login,” “sign in,” “register,” “update,” and “auth.” Urgency-based impersonation made up 79% of the total number of malicious domains found in the study. Examples of the malicious properties include ca-amazon-recovery[.]com, wells-fargo-login-notice[.]com, tesla-presale[.]net and verifiercompte-netflix[.]com.
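As an added example that is not the report's own tooling, the following Python sorts candidate domains into the three categories above using the keyword lists the post gives; the brand and executive names, and the sample domains in the usage block, are constructed inputs for illustration.

```python
# Keyword lists as given in the post. BRANDS and EXECUTIVES are constructed
# sample inputs for this example, not findings from the report.
URGENCY_KEYWORDS = ("recovery", "verify", "sale", "pay", "login", "signin",
                    "register", "update", "auth")
DEPARTMENT_KEYWORDS = ("marketing", "support", "finance", "security", "recruitment")
BRANDS = ("amazon", "wells fargo", "jpmorgan", "tesla", "intuit", "adobe")
EXECUTIVES = ("Sundar Pichai", "Brian Moynihan")

def refang(domain):
    """Turn a defanged name such as intuit-solution[.]com back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").strip(".")

def compact_labels(host):
    """All labels except the TLD, with dots and hyphens removed, so that
    'wells-fargo-login-notice' still reveals the brand hidden among keywords."""
    return "".join(host.split(".")[:-1]).replace("-", "")

def classify(domain, brands=BRANDS, executives=EXECUTIVES):
    """Return (impersonated name, category) or None when no name is present.
    category is 'ceo', 'department', 'urgency' or 'lookalike'. A domain that
    carries both a department and an urgency keyword is counted as 'department'
    here; the report does not say how it resolved such overlaps."""
    compact = compact_labels(refang(domain))
    for name in executives:
        if name.replace(" ", "").lower() in compact:
            return (name, "ceo")
    brand = next((b for b in brands if b.replace(" ", "").lower() in compact), None)
    if brand is None:
        return None
    if any(k in compact for k in DEPARTMENT_KEYWORDS):
        return (brand, "department")
    if any(k in compact for k in URGENCY_KEYWORDS):
        return (brand, "urgency")
    return (brand, "lookalike")

def category_breakdown(domains, brands=BRANDS, executives=EXECUTIVES):
    """Count hits per category, the breakdown the post's chart shows."""
    counts = {}
    for d in domains:
        hit = classify(d, brands, executives)
        if hit is not None:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts

if __name__ == "__main__":
    sample = ["ca-amazon-recovery[.]com", "csamazonsupport[.]com",   # constructed list
              "sundarpichai[.]com", "intuit-solution[.]com", "example.com"]
    for d in sample:
        print(d, "->", classify(d))
    print(category_breakdown(sample))
```

Substring matching is deliberately loose ("auth" also hits "author", "pay" hits "paypal"), so treat the output as a triage feed for newly registered domains rather than a verdict.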
The chart below shows the breakdown of malicious cybersquatting properties based on the text strings identified above.
Fortune 500 Impersonators: Connections and Content
We analyzed the WHOIS records and DNS connections of the cybersquatting domains and found:
- Location: The active DNS connections and registrant countries mostly pointed to the U.S. The other countries accounting for most of the domain registrations and resolutions include Canada, the Netherlands, the U.K., Germany, and France.
- Registrar: PDR Ltd. managed the bulk of the properties, accounting for 38% of the domain registrations. The rest of the top 10 registrars include GoDaddy, Mark Monitor, Namecheap, Network Solutions, NameSilo, Amazon, CoCCA Registry Services, and REGRU.
- Internet service provider (ISP): The leading ISP was Amazon (27%), with Cloudflare, Google, HYAS, DigitalOcean, Microsoft, Linode, Sharktech, Fastly, and OVH completing the top 10. According to Spamhaus, some of these ISPs account for the highest number of spam and botnet infections as of 9 June 2022.
- Web content: Our screenshot analysis revealed questionable content hosted on the cybersquatting properties, including login pages, such as those shown below.
Screenshot of amazonbillsupport[.]info
Screenshot of ims-na1[.]adobelogin[.]com[.]network
Business impersonation continues to harm organizations’ reputations and regular Internet users. While detecting the threat in emails, text messages, and social media posts can help, proactively seeking out cybersquatting domains as soon as they get added to the DNS can give companies an edge.
If you’re interested in checking the full results of this study and learning more about the cybersquatting domains identified, feel free to contact us. We are also available to discuss research collaboration ideas.