The average business sees almost 90 domains impersonating their business per month – that’s approximately 1100 domains per year on average. These fraudulent domains are set up by cybercriminals and sometimes even by threat actors sponsored by states to carry out such activities.
A report by a digital risk protection company called Digital Shadows showed that the industry that is most at risk of such fake domains is the financial sector. The Photon Team of Digital Shadows analyzed a sample set of impersonating domains over 4 months of 2021, and found that each client was victim to at least 90 fake domains per month impersonating their brand name and company.
According to researchers, setting up such fake domains is now easier than ever, largely because phishing kits and tutorials are widely available. With enabling services like 16Shop, an online marketplace for such criminal activities, fraudsters can pick the brand they want to impersonate and have their fake website ready to go for just $50.
These cybercriminals often predict the typos people tend to make while searching for a particular name, and then buy domains with the misspelled name to mislead visitors. These impersonating websites are often used to conduct malicious activities. Financial organizations and healthcare are often the ones facing the most risk of being affected by such activities.
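For defenders, the same predictability makes lookalike registrations detectable. The sketch below is an added example, not code from Digital Shadows or the original article: it checks a list of observed domains against a protected brand domain and reports why each one looks like an impersonation. The brand `examplebank.com`, the sample domain list, and the small digit-for-letter table are constructed assumptions.

```python
from typing import Optional

BRAND = "examplebank.com"  # constructed placeholder brand
OBSERVED = [  # constructed sample, e.g. taken from a new-registration feed
    "examplebank.com", "exampelbank.com", "examp1ebank.com",
    "examplebank.net", "examplebank-login.com", "weather-report.org",
]
FOLD = str.maketrans("0135", "oles")  # small illustrative look-alike set

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def label(domain: str) -> str:
    """Label left of the TLD; assumes name.tld (no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str, brand: str = BRAND, max_distance: int = 1) -> Optional[str]:
    """Return why `domain` resembles `brand`, or None if it does not."""
    if domain.lower().rstrip(".") == brand.lower():
        return None  # the legitimate domain itself
    cand, legit = label(domain), label(brand)
    if cand == legit:
        return "same name, different TLD"
    if cand.translate(FOLD) == legit.translate(FOLD):
        return "digit-for-letter substitution"
    if osa_distance(cand, legit) <= max_distance:
        return "typo within edit distance %d" % max_distance
    if legit in cand:
        return "brand name embedded"
    return None

def scan(domains, brand: str = BRAND) -> dict:
    """Map each suspicious domain to the reason it was flagged."""
    hits = {d: classify(d, brand) for d in domains}
    return {d: why for d, why in hits.items() if why}

if __name__ == "__main__":
    for domain, why in scan(OBSERVED).items():
        print(f"{domain}: {why}")
```

Short brand names produce many false positives at edit distance 1, so flagged domains are candidates for review rather than confirmed impersonations.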
Why would anyone want to impersonate a domain?
The most common goal of impersonating websites is to collect user credentials – for example, some fake websites contain brand logos and require visitors to fill out a form. These websites are usually landing pages for phishing emails that include links to reset expired passwords or claim a prize.
This information is then used by malicious parties to access cable TV subscriptions, adult websites, and other user-sensitive material. Sometimes this data is also sold to the highest bidder on the dark market. Financial data and personal information, in particular, are always in high demand on underground marketplaces and attract very high bids.
Digital Shadows researchers noted that there was a growing number of impersonations of cryptocurrency exchange services in the past few months. And given the high-profile and trillion-dollar market value of cryptos, this trend isn’t surprising. Crypto wallets contain extremely sensitive data and the market is highly volatile, making them the perfect target for phishing.
Some cybercriminals and state actors also impersonate websites to drop malware on the machines of unsuspecting visitors. Researchers observed this technique in use by the Vietnamese state-sponsored group OceanLotus. OceanLotus would create websites that contained legitimate news articles and a few URLs that redirected to malicious content. The malware would be dropped on users’ machines and used to gather information about them. Digital Shadows noted that this operation showed sophistication in the way it was handled.
Threat actors also get a chance to conduct social engineering campaigns by spreading false information during periods of heightened uncertainty, such as elections. Stressed and curious people are the ones most vulnerable to such activities.
Impersonating domains can also provide access to a target network that further allows threat actors to conduct a broader criminal campaign.