Cyber Monday 2018: Analyzing the DNS to Uncover Threats to Businesses and Consumers
November 25, 2018
In its annual Cyber Monday report, FairWinds reviews the impact of typosquatting on 50 top internet retail brands and their audiences. The most notable insights that FairWinds uncovered in its 2018 analysis are that:
- Domain parking platforms that host malicious content and seek to distribute malware are much more prevalent than in the 2017 analysis
- Squatters are adding mail servers and catch-all (wildcard) mailboxes to confusingly similar domain names in order to harvest information sent to them by mistake
- Brands are turning to retail registrars as a cost-effective way of housing recovered infringements
- 8% of typo domains that brands own remain security threats because their DNS is, or could easily be, controlled by unrelated parties
As the internet continues to evolve and expand, brands engaging in commerce online must adapt to account for changing trends in order to remain ahead of malicious squatters and protect their customers.
In order to track and identify trends over time, FairWinds has used the same underlying data set of 4,667 misspelled permutations of brand domains in .COM.
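The dataset above is built from misspelled permutations of brand domains. As an added illustration of how such a candidate list is produced (this is example code, not FairWinds' tooling, and the brand name, keyboard map and category names are assumptions), the script below generates the common typo classes for one second-level label: character omission, adjacent-character transposition, character repetition, and adjacent-key substitution on an assumed US QWERTY layout.

```python
"""Generate typosquat permutations of a brand domain (added example).

Categories follow common typosquatting classes: character omission,
adjacent-character transposition, character repetition, and adjacent-key
substitution. The keyboard map assumes a US QWERTY layout.
"""
from typing import Dict, Set, Tuple

# Assumed US-QWERTY neighbours for "fat-finger" substitutions.
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "q": "wa", "w": "qesa", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld' into its second-level label and TLD."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def permutations(domain: str) -> Dict[str, Set[str]]:
    """Return candidate typo domains grouped by category."""
    label, tld = split_domain(domain)
    cands: Dict[str, Set[str]] = {
        "omission": set(), "transposition": set(),
        "repetition": set(), "adjacent": set(),
    }
    for i, ch in enumerate(label):
        # Omission: one character dropped (exmple.com).
        cands["omission"].add(label[:i] + label[i + 1:])
        # Repetition: one character doubled (exxample.com).
        cands["repetition"].add(label[:i] + ch + label[i:])
        # Transposition: two adjacent characters swapped (examlpe.com).
        if i + 1 < len(label):
            cands["transposition"].add(
                label[:i] + label[i + 1] + ch + label[i + 2:]
            )
        # Adjacent key: one character replaced by a keyboard neighbour.
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            cands["adjacent"].add(label[:i] + nb + label[i + 1:])
    # Drop empty or unchanged labels and re-attach the TLD.
    return {
        cat: {f"{c}.{tld}" for c in s if c and c != label}
        for cat, s in cands.items()
    }


def all_permutations(domain: str) -> Set[str]:
    """Flatten every category into one candidate set."""
    out: Set[str] = set()
    for s in permutations(domain).values():
        out |= s
    return out


if __name__ == "__main__":
    for cat, doms in permutations("example.com").items():
        print(f"{cat}: {len(doms)} candidates, e.g. {sorted(doms)[0]}")
```

Each candidate would then be checked for registration status (WHOIS/RDAP) and, for the taken ones, for its NS and MX records, which is what the rest of the analysis examines.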
The registration status of most of the domain names did not change since last year; there were just 50 status changes:
- 25 domains that had previously been taken by a third party became available; and
- 25 domains that had previously been taken by a third party are now owned by the brand.
Of the 25 domains that are now in brand owners’ hands, Wayfair, Nordstrom, AutoZone, GameStop, and Target have been the most active in correcting their cybersquatting problem over the past 12 months.
Looking at the universe of 2,426 brand-owner-controlled domains in the dataset, the most popular corporate registrar is CSC with 19% (including NetNames/Ascio), followed by MarkMonitor with 10%. However, a somewhat surprising finding was that over 69% of brand-owned typos in .COM are held at a low-cost registrar. This is in large part due to the practice of a domain-recovery provider that frequently parks the domains it secures for clients at GoDaddy. Just over half of brand-owned .COM typos are registered at GoDaddy on behalf of Bed Bath & Beyond, Finish Line, and The Home Depot, among others.
Owners of typosquatted domains are more likely to move their domains between registrars than are legitimate domain owners, who tend to be loyal to a particular registrar. In the past 12 months, 855 domains, 19.4% of all typosquatted domains, changed registrar. Registrars with the largest net change in typo-domain holdings include Media Elite Holdings Limited (+336%), Internet Domain Services BS Corp (-47.8%), and Above.com Pty Ltd. (-16.8%).
The goal of registrar cycling may be to prolong cybersquatting activity by obstructing enforcement, evading detection, seeking lower registration fees, or chasing higher domain-parking payouts.
Across 2,426 typo domains we reviewed that are owned by the expected brands, 91% are hosted by a trusted entity. The majority are either hosted in-house (19%) or by a trusted third party (72%), which includes their primary registrar and enterprise DNS partners such as Verisign, AT&T, and AWS.
Slightly more than 8% of typo domains that brands own are hosted by what appear to be unrelated entities. In one case, 166 typos of a particular brand are delegated to name servers under a domain name that is itself unregistered and available. In these instances, the domains reflect the brand owner in WHOIS, but are currently serving malicious content, or could easily be switched on for malicious purposes, including sending and receiving email and displaying harmful web content.
In the case of the unregistered DNS host domain, once a bad actor notices and takes advantage of the situation, they would control 166 clones of the company’s main corporate domain, and the violation would be relatively undetectable since nothing “new” would have shown up in WHOIS: the typo domains’ registration records still name the brand, and only the name servers they point to have changed hands.
Resolution & Use
Typo domains are increasingly used maliciously to send email meant to look official, or to receive email intended for the brand in order to capture intelligence.
Across a representative sample of the 1,963 “taken” domains in the 2018 dataset, 57.7% had MX records in their zone. This is troubling, as the presence of MX records signals that a mail server is set up to send and receive email for the domain. A cybersquatter can set up a catch-all mailbox and receive every message sent to any address at the typo domain, including mail that a customer or employee mistyped on its way to the brand, and it would appear that over half of the typo domains controlled by third parties in this study may have this capability.
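The two DNS checks the analysis relies on, dangling NS delegation (a typo domain whose name servers live under an unregistered domain, as in the 166-domain case above) and mail capability (any MX record present), can be run over a set of zone records like this. This is an added example, not FairWinds’ tooling; the zone data, the domain names and the registered-domain set are constructed, and in practice they would be populated from NS/MX lookups and RDAP/WHOIS queries.

```python
"""Audit brand-owned typo domains for two DNS risks (added example).

1. Dangling delegation: an NS host whose registrable domain is not
   registered. Whoever registers it controls the zone, and nothing new
   appears in WHOIS for the typo domain itself.
2. Mail capability: any MX record means the domain can receive mail, so
   a catch-all mailbox could harvest mis-addressed messages.

Zone data and the registered-domain set below are constructed; in
practice they would come from NS/MX lookups and RDAP/WHOIS queries.
"""
from typing import Dict, List, NamedTuple, Set

Zone = Dict[str, List[str]]  # record type -> record values


class Finding(NamedTuple):
    domain: str
    risk: str
    detail: str


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain.

    Assumption: the public suffix is a single label (.com, .net). Real
    code should consult the Public Suffix List to handle co.uk and friends.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit(zones: Dict[str, Zone], registered: Set[str]) -> List[Finding]:
    """Flag dangling NS delegations and mail-capable typo domains."""
    findings: List[Finding] = []
    for domain in sorted(zones):
        rrs = zones[domain]
        for ns in rrs.get("NS", []):
            parent = registrable_domain(ns)
            if parent not in registered:
                findings.append(Finding(
                    domain, "dangling-ns",
                    f"{ns} is under unregistered {parent}",
                ))
        if rrs.get("MX"):
            findings.append(Finding(domain, "mail-capable", ", ".join(rrs["MX"])))
    return findings


# Constructed sample: three typo variations of a hypothetical brand.
SAMPLE_ZONES: Dict[str, Zone] = {
    "examp1e.com": {"NS": ["ns1.brand-dns.net", "ns2.brand-dns.net"],
                    "MX": ["10 mail.examp1e.com"]},
    "exmaple.com": {"NS": ["ns1.old-dns-vendor.com"], "MX": []},
    "exampel.com": {"NS": ["ns1.brand-dns.net"], "MX": []},
}
# Constructed stand-in for a registration check (RDAP/WHOIS).
SAMPLE_REGISTERED: Set[str] = {
    "brand-dns.net", "examp1e.com", "exmaple.com", "exampel.com",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONES, SAMPLE_REGISTERED):
        print(f"{f.domain}: {f.risk} ({f.detail})")
```

On the constructed data, examp1e.com is flagged as mail-capable and exmaple.com as a dangling delegation (old-dns-vendor.com is not in the registered set), while exampel.com is clean. An MX record alone does not prove a catch-all is configured; confirming that requires a test message to a non-existent mailbox, which should only be done against domains the brand itself controls.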
In spring 2018, Steve Levy, domain enforcement counsel for several FairWinds clients, described Automated Rapid Redirection to Malware (ARRM) to attendees of a FairWinds Beyond the Dot conference in Cambridge, MA. ARRM hosting presents a dynamic set of possible results for a single domain. Results include redirection to the website of the infringed brand or a competing brand’s site (both with affiliate IDs to capture commissions on purchases), presentation of a recommended “Adobe Flash update” that is likely malware, and a range of phishing ploys.
At other times, and almost always when a visitor has accessed the same domain more than once in a 24-hour period, ARRM-hosted domains present pay-per-click (PPC) ads that generally don’t raise alarms among brand-protection professionals. Because the content served depends on the visitor’s IP address and visit history, a single manual check will usually see only the benign PPC page; the cloaking makes clear that the platform operator wishes to avoid attention from brand-protection and law-enforcement professionals.
Comparing the 2017 and 2018 FairWinds Cyber Monday domain name analyses, the number of domains hosted on DNS usually or frequently serving ARRM results increased from 80% to 87% of taken domains.
Advance Auto Parts, Crate & Barrel, Dick’s Sporting Goods, Kate Spade, LL Bean, Northern Tool, Urban Outfitters, and Victoria’s Secret are among the brands with the highest percentage of ARRM across their total number of .COM typo infringements. In all of these cases, more than 90% of infringing .COM typos are hosted on the ARRM platform.
The brand- and customer-protection case for action is clear, but with 87% of the 1,963 “taken” .COM typos hosting ARRM content, it is not practical for a brand owner to address them all.
Traffic is the best objective indicator of value when looking across similarly-resolving infringements, and as we have seen before most infringements do not receive detectable levels of traffic. The top 20 domains, the most visited 1.02% of all 1,963 taken typos, garner 37.5% of total detectable traffic across the dataset. A full 70% of the traffic to the top-20 most frequently visited typo variations are associated with Amazon, Best Buy, Costco, and Walmart typo domains. Adidas, Bass Pro Shops, Carter’s, Dillard’s and Nasty Gal round out the group of top-20 typo infringements of the 50 leading internet retailers we analyzed.
Given the scope and scale of this study, there is a clear case for brands to take targeted action to address typo domains that threaten their information security, reduce their profits, and erode their customers’ trust in them.