Revised 06/16/2023

Domain Poisoning:
More Old Wine in a New Cardboard Box

As reported by Bleeping Computer on June 13, 2023, "A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022."  Researchers at the security vendor Bolster first discovered what is called a "Brand Impersonation Campaign."  Using a technique that has been around for decades, the criminals behind these scams have used "typosquatting" to create cleverly crafted derivations of the URLs of over 100 popular brands.  A good definition of typosquatting comes from Setcigo Store.

Typosquatting, also known as URL hijacking, occurs when people buy intentionally misspelled or slightly different domain names that closely resemble a legitimate brand’s website.

One early, yet still infamous, example of typosquatting was that of GOGGLE[.]COM.  [Ed. note:  I have added the brackets to the bogus URLs to ensure they cannot be clicked from herein.]   Google went so far as to bring suit against the registrant of the bogus domain.  Google now owns goggle[.]com, and it is no longer a threat, although the fake domain name "is still on some blocklists because of this," as James Iles reported in Domain Name Wire, October 20, 2022.

The current campaign involves "fraudulent websites targeting more than 100+ popular clothing, footwear, and apparel brands," as Bolster's researchers discovered.  In total, over 6,000 registered domain names were found that closely resembled, but did not exactly match, popular brand names.  Over 3,000 active domains associated with this scam were found on the Internet.  Furthermore, Bolster also reported that the bogus domains were "hosted by two specific internet service providers, Packet Exchange Limited and Global Colocation Limited. It is worth noting that both providers have a negative reputation for fraud risk."

Each bogus domain name followed a similar pattern "of combining the brand name with a random country name, followed by a generic top-level domain (TLD)."  Cloudflare offers an easy-to-understand definition of a top-level domain (TLD): "a TLD is everything that follows the final dot of a domain name," with ".com" being the most familiar TLD.

Bolster's report offered samples of the fake domains it found that were derivations of Puma Shoes.  Here is the URL for Puma Shoes in the USA (via Bing): https://us.puma.com/us/en/men/shoes.  ".COM" is the TLD.  There is no country code.  And for Puma in Mexico, Bing was its usual helpful self: "You can find Puma shoes in Mexico on their official website at https://mx.puma.com/1. You can also visit their English website at https://mx.puma.com/en/2."  Again, no country code, and nothing after the TLD in the root domain name.

Now carefully examine the bogus registered URL that Bolster found mimicking, but nowhere exactly matching, the Puma Mexico URL: "pumaenmexico[.]com[.]mx".  There are several examples of this in the Bolster report.
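As an added example (not code from Bolster or from this blog), here is a small Python triage helper that checks whether a hostname follows the brand name + country name + TLD pattern described above, and that accepts the bracketed "defanged" form used in this post. The brand list, country list, suffix list, and the domains assumed to belong to the brands are all constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed inputs for this example (assumptions, not data from the Bolster report).
BRANDS = ("puma", "nike", "adidas")
COUNTRIES = ("mexico", "canada", "brazil", "germany", "usa")
LEGIT = {"puma.com", "nike.com", "adidas.com"}      # domains the brands are assumed to own
SUFFIXES = ("com.mx", "com.br", "com", "net", "org", "shop", "store")  # suffixes to strip

def refang(text):
    """Turn a defanged indicator such as 'pumaenmexico[.]com[.]mx' back into a hostname."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def registrable(host):
    """Split a hostname into (label, suffix): 'pumaenmexico.com.mx' -> ('pumaenmexico', 'com.mx').
    The longest known suffix wins, so 'com.mx' is taken as a unit rather than just 'mx'."""
    host = host.lower().strip(".")
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suf):
            return host[: -len(suf) - 1].split(".")[-1], suf
    return None

def impersonation_pattern(host):
    """Return (brand, country) when the registrable label is brand + short filler + country name
    and the domain is not one the brand owns; otherwise return None."""
    parts = registrable(host)
    if parts is None:
        return None
    label, suffix = parts
    if f"{label}.{suffix}" in LEGIT:
        return None
    for brand in BRANDS:
        if label.startswith(brand):
            rest = label[len(brand):]
            for country in COUNTRIES:
                # allow a short filler such as 'en', 'de' or '-shoes-' between brand and country
                if re.fullmatch(r"[a-z-]{0,8}" + re.escape(country) + r"[a-z-]*", rest):
                    return brand, country
    return None

def triage(urls):
    """Map each URL (defanged or not) whose host matches the pattern to its (brand, country) hit."""
    hits = {}
    for raw in urls:
        u = refang(raw)
        host = urlparse(u if "://" in u else "http://" + u).hostname or ""
        found = impersonation_pattern(host)
        if found:
            hits[raw] = found
    return hits

if __name__ == "__main__":
    sample = ["https://us.puma.com/us/en/men/shoes", "https://mx.puma.com/en",
              "pumaenmexico[.]com[.]mx", "nike-shoes-canada.shop", "adidas.com"]
    for url, (brand, country) in triage(sample).items():
        print(f"{url}: looks like {brand} + {country}")
```

The helper only flags the brand-plus-country pattern this campaign used; a misspelled brand name such as the goggle[.]com case would need a separate edit-distance check.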

What has made this particular domain squatting attack so successful is that the crooks behind the scam are using Search Engine Optimization (SEO) techniques to advance it.  The SEO aspect of this attack is why "these brand impersonation scam sites have managed to exist for a considerable period of time, to the extent that when users search for the brand name, these impersonation sites appear as the second or third result on popular search engines like Google," Bolster's research showed.  The longer a domain name has existed, the more likely that URL will appear in higher rankings from search engines.  Many of these domains were registered two or more years ago, "allowing for aged domains that in some cases greatly increases their rank to the second or third result in Google search for many brand-related keywords."  CrowdStrike offers a simple definition of SEO Poisoning.

SEO poisoning is a technique used by threat actors to increase the prominence of their malicious websites, making them look more authentic to consumers. SEO poisoning tricks the human mind by assuming the top hits are the most credible and is very effective when people fail to look closely at their search results.

Concerning SEO Poisoning, MITRE ATT&CK states, "Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation."

Also contributing to the current scam's success is that the fake links have appeared in Google Sponsored Ad search results, which appear at the top of the list returned after a search.  As Bolster described the situation:

The implications of these deceptive sites ranking high in search engine results are particularly concerning for non-tech-savvy users. Such individuals may be at a greater risk of falling victim to these scams since they might trust the search engine results and assume the fraudulent sites to be legitimate.

Customers who overlook the fact that these websites are not official brand sites often end up falling into the trap. They enter their email, password, and credit card details, unknowingly compromising their personal information as well.

Bolster added that, since the fake site might show up high in the search rankings, it is understandable that web surfers who are not aware of the attack and the techniques employed will be duped into entering into a transaction.

BleepingComputer, more brave and better financed than moi, actually visited some of the bogus sites mentioned.  BleepingComputer reported that the sites visited were "not hastily built clones, as they feature realistic 'About Us' pages, include contact details, the order pages work as expected, and are generally tricky to identify as suspicious."  Some even accepted orders.  When BleepingComputer asked Bolster whether the transactions went forward to completion and product delivery, Bolster's researchers replied "that the sites either never ship the products customers pay for or ship Chinese knockoffs."

As regular readers of The Dispatches know, and as my clients know, this reporter has been preaching the sermon of "Know Thy URL" for years now.  On July 7, 2022, I posted "The anatomy of an address: There is more than what meets the eye."  There I break down the different parts of a URL.  On November 6, 2022, I posted about how to use Domain Name Lookup, offering some guidance on how to get information about a URL.  That same day I posted that I strongly recommend that all Outlook email be first opened in Text Only mode in order to clearly see any and all links and URLs that may be in the body of the email.  Each of these postings was intended as a mitigation against the very real possibility that at any time anyone could be duped into clicking on a Compromising Hyperlink like those discussed herein.

These posts of mine fall right into CrowdStrike's first mitigation technique.

User Security Training and Awareness
User security training and awareness are critical in combating SEO poisoning attempts. Organizations may lower the chances of falling prey to these attacks by training staff on safe browsing practices, phishing awareness, and effective endpoint security measures.

History teaches us that eternal vigilance is the price of liberty.  Eternal vigilance is also what one needs to be safe online.  Recent history teaches us not to believe anything that appears online without some verification of its authenticity.  We cannot rely solely on a piece of software to protect us.  Nor can we rely on any filters to keep out the miscreants and their warez.  To protect ourselves online, use that most sensitive filter for sorting out fact from fiction, friend from foe, reality from illusion.  I say now, and have said for years, rely on The Miracle of Human Intelligence to be safe online.  And don't get fooled by that oldest devil around, The Curse of Human Stupidity.

Knowledge Is Power.

What’s in a name? That which we call a rose
By any other name would smell as sweet.
— Romeo and Juliet, Act 2 Scene 2

¯\_(ツ)_/¯
Gerald Reiff
