Research by the web security firm High-Tech Bridge into fraudulent domains targeting the cybersecurity industry has produced some startling results, with a string of household names being impersonated online.
High-Tech Bridge researchers analysed the domains of the leading cybersecurity companies in the NASDAQ NQCYBR index, plus a few private but well-known cybersecurity companies, and uncovered a host of fake domains designed to fool users, sometimes with malicious intent.
High-Tech Bridge researchers used their free online service Domain Security Radar, which is designed to detect cybersquatting, typosquatting and phishing domains for a particular brand or Internet domain.
Country-code or otherwise altered domains of famous cybersecurity brands, such as “akamai.ru”, “junipernetworks.cn”, “kasperskysupport.com” and “ciscogroup.com”, are being squatted by scammers who try to resell them, parasitizing the value of the original brand.
Of the 26 well-known security manufacturers and vendors analysed, Cisco drew the most alerts in the Domain Security Radar test (172), while Trend Micro fared best in pure volume terms, with only 11.
Trend Micro was, however, targeted by one of the worst domains found: “trendmicrow.com”, a malicious domain created to collect personal data from Trend Micro customers by posing as a Trend Micro support site. Similarly, the typosquatted Symantec domain “sytmantec.com” still redirects users to random websites hosting adult content and malware.
Ilia Kolochenko, High-Tech Bridge’s CEO, said: “Unfortunately, a lack of international cooperation and jurisprudence enables fraudsters to make easy money on various illegal, or at least unethical, operations with domains. Even cybersecurity companies are being targeted these days, not only financial institutions or luxury brands. The biggest concern is that relatively harmless techniques such as typosquatting and cybersquatting are now being aggressively used in pair with phishing and drive-by-download attacks.”
“At High-Tech Bridge, as part of our continuous effort to make the Web safer, we have created the Domain Security Radar service to enable anyone to track illicit activities against a brand or a domain name,” he continued.
In an astonishing 85% of cases, the fraudulent security-industry domains were designed to steal traffic; a minority (7%) were intended for more nefarious activity, and a mere 6% were plain domain squats held for resale.
Some of the domains discovered rely on visual mutations, like “junlper.net”: the lowercase l stands in for the capital I of the brand name when it is written in capitals. This particular example was used for phishing in the past, but now appears to be operated by Kaspersky (according to its IP history), which probably uses it to gather threat intelligence.
Other domains try to create the impression of being a legitimate part of the brand. “baesystemsstore.com”, owned by a private individual with an aol.com email address and a PO Box, hosts a web shop selling goods unrelated to the original brand.
Other domains, like “lifelock.org”, are registered via a proxy, are live and even present a valid SSL certificate, yet have nothing to do with the original brand. A domain-validated certificate only proves control of the domain name, not any affiliation with the company it resembles. The website in question appears to resell the original LifeLock services through their affiliate program.
A similar situation affects Palo Alto Networks, which is targeted by “paloaltonetworks.cz”, a domain that redirects users to the website of a Fortinet reseller, a direct competitor of Palo Alto Networks. Owned by a private company in Prague, the domain has nothing to do with the Palo Alto Networks brand.
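The domains reported above fall into a handful of mechanical mutation classes: TLD or country-code swaps (akamai.ru, paloaltonetworks.cz, lifelock.org), keyword affixes (kasperskysupport.com, ciscogroup.com, baesystemsstore.com), single-character insertions (trendmicrow.com, sytmantec.com) and homoglyphs (junlper.net). The following is an added example, not High-Tech Bridge's Domain Security Radar code (the article does not describe their method). It generates those candidate classes for a brand label, so a monitor can check which are registered, and classifies an observed domain back into a class. The homoglyph table, affix list and TLD list are assumptions kept deliberately small for illustration.

```python
"""Typosquat candidate generator and classifier (added example, not Domain
Security Radar code). The HOMOGLYPHS, AFFIXES and TLDS tables are assumptions,
not exhaustive confusables data or zone lists."""
from string import ascii_lowercase

# Assumed table: lowercase l / capital I and o / 0 read alike in most fonts,
# rn / m and vv / w in narrow ones. Keys and values are substrings.
HOMOGLYPHS = {"i": "l", "l": "i", "o": "0", "m": "rn", "rn": "m", "w": "vv", "vv": "w"}

# Assumed affix list: the three seen in the article plus two common lures.
AFFIXES = ("support", "group", "store", "login", "secure")

# Assumed TLD list: the ccTLDs the article mentions plus .com/.net/.org.
TLDS = ("com", "net", "org", "ru", "cn", "cz")


def omissions(label):
    """Drop one character: 'symantec' -> 'symntec'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def insertions(label):
    """Insert one letter anywhere, including the end: 'trendmicro' -> 'trendmicrow'."""
    return {label[:i] + c + label[i:] for i in range(len(label) + 1) for c in ascii_lowercase}


def transpositions(label):
    """Swap two adjacent characters: 'cisco' -> 'cicso'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}


def homoglyphs(label):
    """Replace one occurrence of a look-alike substring: 'juniper' -> 'junlper'."""
    out = set()
    for src, dst in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            out.add(label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


def affixed(label):
    """Glue a plausible keyword on either side: 'kaspersky' -> 'kasperskysupport'."""
    return {label + a for a in AFFIXES} | {a + label for a in AFFIXES}


LABEL_CLASSES = (
    ("homoglyph", homoglyphs),
    ("omission", omissions),
    ("insertion", insertions),
    ("transposition", transpositions),
    ("affix", affixed),
)


def candidates(brand_label, brand_tld="com"):
    """All look-alike FQDNs for a brand, grouped by class. This is the list a
    monitor would resolve or look up in RDAP/WHOIS to see which are registered."""
    out = {name: {f"{v}.{brand_tld}" for v in fn(brand_label)} for name, fn in LABEL_CLASSES}
    out["tld"] = {f"{brand_label}.{t}" for t in TLDS if t != brand_tld}
    return out


def classify(domain, brand_label, brand_tld="com"):
    """Name the mutation class an observed domain belongs to, or None if it is the
    brand's own domain or unrelated. A label mutation takes precedence over a TLD
    difference, so 'junlper.com' checked against juniper.net is 'homoglyph'."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    if label == brand_label:
        return None if tld == brand_tld else "tld"
    for name, fn in LABEL_CLASSES:
        if label in fn(brand_label):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: the domains named in the article, checked against their brands.
    observed = [
        ("trendmicrow.com", "trendmicro", "com"), ("sytmantec.com", "symantec", "com"),
        ("junlper.net", "juniper", "net"), ("kasperskysupport.com", "kaspersky", "com"),
        ("akamai.ru", "akamai", "com"), ("paloaltonetworks.cz", "paloaltonetworks", "com"),
    ]
    for dom, brand, tld in observed:
        print(f"{dom:24} {classify(dom, brand, tld)}")
```

In practice candidates() is the seed list for a registration monitor (resolve each name, or watch new-registration and certificate-transparency feeds for them), and classify() is what you run over a feed of newly seen domains to flag the ones that are one mutation away from your own label. Bulk-registered look-alikes that are merely parked still deserve a takedown or defensive registration, since the same name can later be pointed at a phishing page, as trendmicrow.com was.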
The full results of the Domain Security Radar scan are here: https://www.htbridge.com/blog/
Domain Security Radar is a free online service that allows businesses and individuals to detect malicious domain activity targeting their domain name, brand or digital identity, including potential cybersquatting, typosquatting and phishing.