Boom in Lookalike Retail Domains

New research into lookalike domains that carry trusted TLS certificates has found that they outnumber legitimate retail sites by more than 2:1.

In a study conducted by researchers at Venafi, suspicious domains targeting the top 20 retailers in each of the US, UK, France, Germany, and Australia were analyzed. Researchers found over 100,000 lookalike domains that use valid TLS certificates to appear safe and trustworthy. A domain-validated certificate only proves that the requester controlled the domain name at issuance time; it says nothing about who operates the site, so the browser padlock cannot be read as a sign of legitimacy.

Threat actors use fake domains, crafted to appear legitimate, to steal personal data and financial information from unsuspecting online shoppers. The fake domain names differ by only a few characters from those of the genuine stores they imitate.

According to Venafi's research, the number of lookalike domains has more than doubled since 2018. Among the top 20 online retailers in Germany, researchers detected almost four times as many lookalike domains as authentic domains.

In the US, a single one of the country's top 20 retailers had over 12,000 lookalike domains in use against its customers.

Researchers tied the increase in lookalike domains to the availability of free TLS certificates, such as those issued by Let's Encrypt, which were used by 84% of the lookalike domains.

Jing Xie, senior threat intelligence analyst for Venafi, said: "No organization should rely exclusively on certificate authorities to detect suspicious certificate requests. For example, cyber attackers recently set up a lookalike domain for NewEgg, a website with over 50 million visitors a month. The lookalike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers."

Researchers urged online retailers to protect their customers by searching for suspicious domains and reporting them to the anti-phishing service Google Safe Browsing and to the Anti-Phishing Working Group (APWG). 

Researchers see no end to the profitable practice of domain spoofing. 

"Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future," concluded Xie. "In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates."
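The article describes two things a defender can act on: lookalike names that differ from a brand's domain by only a few characters, and Certificate Transparency (CT) logs as the place to discover them as soon as a certificate is issued. The following Python script is an added example written for this page, not Venafi's tooling or anything from the study. It parses a constructed newline-delimited JSON export of CT entries (the `index`, `issuer` and `names` fields, the protected-brand list, the homoglyph table and the tiny public-suffix stand-in are all assumptions) and flags registrable domains that embed a brand label, sit one or two edits away from it, hide it in a subdomain, or match it after undoing common homoglyph substitutions. It also reports what share of the flagged certificates came from a named CA, echoing the article's 84% figure.

```python
"""Flag lookalike domains in Certificate Transparency (CT) log entries.

Added example for this article, not Venafi's tooling. The CT entries, the
protected-brand list, the suffix table and the scoring rules are all
constructed assumptions for illustration.
"""
import json

# Brands to watch (assumed list, not from the article).
PROTECTED = ["newegg.com", "example-shop.co.uk"]

# Multi-label public suffixes we know about: a tiny stand-in for the real
# Public Suffix List, which a production scanner should load instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Character substitutions common in typosquats; longer keys are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l",
              "3": "e", "5": "s", "7": "t"}

# Constructed CT log export: one JSON object per line with the leaf cert's SANs.
SAMPLE_CT_ENTRIES = """\
{"index": 1, "issuer": "O=Let's Encrypt, CN=R3", "names": ["newegg.com", "www.newegg.com"]}
{"index": 2, "issuer": "O=Let's Encrypt, CN=R3", "names": ["newegg-secure-login.com"]}
{"index": 3, "issuer": "O=Let's Encrypt, CN=R3", "names": ["neweg.com", "www.neweg.com"]}
{"index": 4, "issuer": "O=Let's Encrypt, CN=R3", "names": ["n3wegg.com"]}
{"index": 5, "issuer": "O=Some Other CA", "names": ["example-sh0p.co.uk"]}
{"index": 6, "issuer": "O=Let's Encrypt, CN=R3", "names": ["unrelated.org"]}
{"index": 7, "issuer": "O=Let's Encrypt, CN=R3", "names": ["newegg.com.account-verify.net"]}
"""


def registrable_domain(name):
    """Return the registrable domain, e.g. 'shop.co.uk' for 'www.shop.co.uk'."""
    labels = name.lower().lstrip("*.").split(".")
    tail2 = ".".join(labels[-2:])
    if tail2 in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return tail2


def normalize(label):
    """Undo common homoglyph substitutions so 'n3wegg' compares equal to 'newegg'."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, brand):
    """Return why `name` looks like `brand`, or None if it does not."""
    brand_label = brand.split(".")[0]
    reg = registrable_domain(name)
    if reg == brand:
        return None                      # the genuine site or one of its subdomains
    labels = name.lower().split(".")
    reg_label = reg.split(".")[0]
    if brand_label in labels:
        return "brand-as-subdomain"      # newegg.com.account-verify.net
    if normalize(reg_label) == brand_label:
        return "homoglyph"               # n3wegg.com
    if brand_label in reg_label.split("-"):
        return "brand-embedded"          # newegg-secure-login.com
    if len(brand_label) >= 5 and levenshtein(reg_label, brand_label) <= 2:
        return "edit-distance"           # neweg.com
    return None


def scan_ct_entries(text, brands=PROTECTED):
    """Parse newline-delimited JSON CT entries; return one finding per (domain, brand)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        seen = set()                     # www.x and x share one registrable domain
        for name in entry["names"]:
            for brand in brands:
                reason = classify(name, brand)
                key = (registrable_domain(name), brand)
                if reason and key not in seen:
                    seen.add(key)
                    findings.append({"index": entry["index"], "domain": key[0],
                                     "brand": brand, "reason": reason,
                                     "issuer": entry["issuer"]})
    return findings


def free_ca_share(findings, marker="Let's Encrypt"):
    """Fraction of flagged certificates whose issuer name contains `marker`."""
    if not findings:
        return 0.0
    return sum(marker in f["issuer"] for f in findings) / len(findings)


if __name__ == "__main__":
    hits = scan_ct_entries(SAMPLE_CT_ENTRIES)
    for h in hits:
        print(f"entry {h['index']}: {h['domain']} looks like {h['brand']} ({h['reason']})")
    print(f"{free_ca_share(hits):.0%} of flagged certificates issued by Let's Encrypt")
```

The checks are ordered from strongest to weakest signal, and the edit-distance rule is only applied to brand labels of five or more characters, because short labels are within two edits of too many legitimate words. Findings are the starting point for the reporting step the article recommends (Google Safe Browsing, APWG), not grounds for automatic action: a real deployment would feed the CT stream from a log or aggregator, swap the suffix set for the Public Suffix List, and have an analyst confirm each hit before a takedown or revocation request.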

Source: Information Security Magazine