With the fast growth of online shopping, a new research report from Venafi shows hackers are also increasing their efforts to steal confidential shopper data using look-alike domains.

Venafi researched look-alike domains

Global cybersecurity firm Venafi analyzed suspicious domains targeting the top 20 retailers in the US, UK, France, Germany, and Australia.

Cyber attackers create fake domains by substituting a few characters in a legitimate URL website address that closely resembles well-known retail websites, making it difficult for casual shoppers to detect.

Cybercriminals copy the legitimate retailer’s website design and add a trusted TLS certificate completing a look and feel of the original retailer. This enables the criminals to gather sensitive financial data and shopper personal information often without the online customer’s knowledge.

Copycat domains proliferate, ready to steal shopper info

Venafi’s analysis shows an explosive growth in the number of fraudulent domains. “There are more than double the number of look-alike domains compared to legitimate domains, and every online retailer studied is being targeted,” the company reported.

look-alike domains by country

Other key findings from the report show:

  • The total number of certificates for look-alike domains is more than 200% greater than the number of authentic retail domains.
  • Among the top 20 online German retailers, there are almost four times more look-alike domains than valid domains.
  • Major retailers present larger targets for cybercriminals. One of the top 20 US retailers has over 12,000 look-alike domains targeting its customers.
  • The growth in look-alike domains appears connected to the availability of free TLS certificates; 84% of the look-alike domains analyzed use free certificates from Let’s Encrypt.

look-alike domain certificates“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” said Jing Xie, senior threat intelligence analyst for Venafi. “Because malicious domains now must have a legitimate TLS certificate to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. In spite of significant advances in the best practices followed by certificate issuers, this is a really bad idea.”

Xie cited a spoof website set up for online retailer NewEgg which receives more than 50 million monthly visitors. “The look-alike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers,” he said.

How can online sellers protect their customers?

look-alike TLS certificates“We should expect even more malicious lookalike websites designed for social engineering to pop up in the future,” added Xie. “In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates.”

Venafi says online retailers that discover malicious domains can take four key steps to protect their customers:

  1. Search and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous websites. Retailers can report a domain at https://safebrowsing.google.com/safebrowsing/report_general/.
  2. look-alike domainsReport suspicious domains to the Anti-Phishing Working Group (APWG). The APWG is an international volunteer organization that focuses on limiting cybercrime perpetrated through phishing. Retailers can report a suspicious domain at https://www.antiphishing.org/report-phishing/ or via email to reportphishing@apwg.org.
  3. Add Certificate Authority Authorization (CAA) to the DNS records of domains and subdomains. CAA lets organizations determine which CAs can issue certificates for domains they own. It is an extension of the domain’s DNS record and supports property tags that let domains owners set CA policy for entire domains or for specific host names.
  4. Leverage software packages to search for suspicious domains. Copyright infringement software may help retailers find malicious websites, stopping the unauthorized use of their logos or brands. Solutions that also provide anti-phishing functionality can help aid in the search for look-alike domains.

What’s ahead for fraud protection?

Venafi look-alike domain reportGoogle, APWG, and industry leaders are working hard on solutions to cybercrime such as look-alike domains. More business and consumer awareness are needed and online retailers need to step up their monitoring and safeguarding to protect online shoppers.

Venafi’s report is important reading for online sellers and you can access a free copy of the report here.

Visuals courtesy of Venafi