
Venafi uncovers suspicious retail lookalike domains using valid certificates

18 Nov 2019

Machine identity protection solutions provider Venafi has released research on the explosion of lookalike domains, which are often used to steal sensitive data from online shoppers.

The company analysed suspicious domains targeting 20 major retailers in the US, UK, France, Germany and Australia and found over 100,000 lookalike domains that use valid TLS certificates to appear safe and trusted.

According to Venafi's research, the number of lookalike domains has more than doubled since 2018, outpacing the growth of legitimate domains by nearly four times.

Key findings from the research include:

  • The total number of certificates using lookalike domains is more than 400% greater than the number of authentic retail domains.
  • Major retailers are important targets for cyber-criminals.
  • One of the top US retailers has over 49,500 lookalike domains targeting their customers.
  • There are over six times more lookalike domains than valid domains among the top 20 online UK retailers.
  • Over half (60%) of the lookalike domains studied use free certificates from Let's Encrypt.

As online shopping continues to grow, so does the targeting of consumers through malicious lookalike domains.

Cyber-attackers create fraudulent domains by substituting a few characters in the URLs.

Because these domains point to malicious shopping sites that closely mimic legitimate, well-known retail websites, customers find it increasingly difficult to tell a fake domain from the real one.

Additionally, because many of these malicious pages use a trusted TLS certificate, they appear safe to online shoppers, who then unknowingly hand over account credentials and payment data.

As the holiday shopping season approaches, the number of lookalike domains targeting online shoppers will multiply.

Online retailers that discover malicious domains can take several steps to protect their customers, including:

  • Search and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous websites. Retailers can report a suspicious domain online.
  • Add Certificate Authority Authorization (CAA) records to the DNS zones of domains and subdomains. CAA lets organisations specify which CAs may issue certificates for domains they own. It is a DNS record type whose property tags let owners set CA policy for an entire domain or for specific hostnames. Note that CAA constrains issuance only for names the retailer controls; it cannot stop a CA from issuing for a lookalike domain that someone else has registered.
  • Use technology solutions to search for suspicious domains. Brand protection services can help retailers find malicious websites and stop the unauthorised use of their logos or brands; solutions that also provide anti-phishing functionality help with the search for lookalike domains.
  • Detect malicious certificates using Certificate Transparency (CT). Publicly trusted TLS certificates are published to open, append-only logs. Monitoring and analysing these logs lets organisations detect lookalike domains and their certificates before they are used in attacks against customers.
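The last two steps, CAA policy for the names a retailer owns and lookalike triage over Certificate Transparency data, as an added example that is not Venafi's research tooling or any retailer's code. The brand names (examplemart.com, shopnow.co.uk), the CT-log style entries, the issuer names, the confusable table and the edit-distance threshold are all constructed assumptions for illustration; in practice the entry list would be fed from a CT log monitor.

```python
"""Lookalike-domain triage over Certificate Transparency style entries.

Added example, not Venafi's tooling. Brand names, CT entries, issuer names,
the confusable table and the thresholds are constructed assumptions.
"""
import unicodedata
from collections import Counter

# Constructed brand list: (registrable label, public suffix).
BRANDS = [("examplemart", "com"), ("shopnow", "co.uk")]

# Constructed CT-log style entries: (certificate subject name, issuing CA).
CT_ENTRIES = [
    ("examplemart.com", "DigiCert"),
    ("www.examplemart.com", "DigiCert"),
    ("examplemart.net", "Let's Encrypt"),        # same label, other TLD
    ("examp1emart.com", "Let's Encrypt"),        # digit 1 for letter l
    ("exampiemart.com", "Let's Encrypt"),        # capital I lure; DNS folds it to i
    ("ex\u00e4mplemart.com", "Let's Encrypt"),   # accented a (logs hold the punycode form)
    ("examplemart-login.com", "Sectigo"),        # brand plus a lure word
    ("shopnow.co.uk", "Sectigo"),
    ("shop-now.co.uk", "Let's Encrypt"),         # hyphen inserted
    ("shopnoww.co.uk", "Let's Encrypt"),         # doubled letter
    ("weather.example", "Let's Encrypt"),        # unrelated name
]

# Visually confusable substitutions applied before comparison (assumed list;
# applied to both sides, so a brand containing "rn" still compares equal to itself).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("-", "")]


def normalize(label):
    """Fold punycode, accents and common confusables so lookalikes compare equal."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    decomposed = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in decomposed if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label.lower()


def levenshtein(a, b):
    """Edit distance; a single insert/delete/substitution is treated as a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host, suffixes):
    """Return (registrable label, suffix) using the suffixes seen in BRANDS;
    otherwise treat the last label as the suffix (a stand-in for a public suffix list)."""
    for suffix in sorted(suffixes, key=len, reverse=True):
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1], suffix
    labels = host.split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def classify(host, brands=BRANDS):
    """Return (brand domain, reason) for a lookalike, or None if the name is the
    brand's own (or a subdomain of it) or unrelated."""
    host = host.lower().rstrip(".")
    for b_label, b_suffix in brands:
        brand = f"{b_label}.{b_suffix}"
        if host == brand or host.endswith("." + brand):
            return None
    label, _ = split_domain(host, {s for _, s in brands})
    norm = normalize(label)
    for b_label, b_suffix in brands:
        brand, brand_norm = f"{b_label}.{b_suffix}", normalize(b_label)
        if label == b_label:
            return brand, "same-label-other-tld"
        if norm == brand_norm:
            return brand, "confusable"
        if levenshtein(norm, brand_norm) <= 1:
            return brand, "typo"
        if brand_norm in norm:
            return brand, "contains-brand"
    return None


def scan(entries, brands=BRANDS):
    """Run classify over CT entries and keep only the lookalikes."""
    hits = []
    for host, issuer in entries:
        verdict = classify(host, brands)
        if verdict:
            hits.append({"host": host, "brand": verdict[0], "reason": verdict[1], "issuer": issuer})
    return hits


def issuer_breakdown(hits):
    """Count which CAs issued the lookalike certificates."""
    return Counter(h["issuer"] for h in hits)


def caa_zone_lines(domain, issuers, report_mailto):
    """CAA records (RFC 8659) for a domain the retailer owns: allow only the named CAs,
    forbid wildcard issuance, and ask CAs to report refused requests. This covers the
    brand's own names only; it cannot restrict issuance for someone else's lookalike."""
    lines = [f'{domain}. IN CAA 0 issue "{ca}"' for ca in issuers]
    lines.append(f'{domain}. IN CAA 0 issuewild ";"')
    lines.append(f'{domain}. IN CAA 0 iodef "mailto:{report_mailto}"')
    return lines


if __name__ == "__main__":
    found = scan(CT_ENTRIES)
    for hit in found:
        print(f"{hit['host']:24} -> {hit['brand']:16} {hit['reason']:22} issued by {hit['issuer']}")
    print(dict(issuer_breakdown(found)))
    print("\n".join(caa_zone_lines("examplemart.com", ["digicert.com"], "security@examplemart.com")))
```

Run as written, the scan flags seven of the eleven constructed entries and leaves the brand's own hostnames and the unrelated name alone; the issuer breakdown is the kind of tally behind the report's Let's Encrypt figure. The suffix handling is deliberately minimal: a real deployment would use the public suffix list, and the CAA lines are what goes in the retailer's own zone, not a defence against the lookalike registrations themselves.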

"We continue to see rampant growth in the number of malicious, lookalike domains used in predatory phishing attacks," says Venafi senior threat intelligence researcher Jing Xie.

"This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection.

"Most businesses and many retailers don't have the updated technology in place to find these malicious sites and remove them to protect their customers."
