An alarming 32% of sample domains containing the names of the 10 most-impersonated brands have been found malicious by WhoisXML API researchers.
The volume was based on a sample comprising 12,000 possible typosquatting domains and subdomains that made their way into the Domain Name System (DNS) between 1 July and 3 August 2021. These cyber resources appeared to be imitating Microsoft, DHL, Amazon, Bestbuy, Google, LinkedIn, Dropbox, Chase, Apple, and PayPal.
Could the companies themselves have registered the domains? The study found that less than 1% of the domains could be publicly attributed to the brands. The rest either had redacted WHOIS records (making attribution difficult) or were registered by other entities.
Cybersquatters do not limit their activities to mimicking company names, though. A study on CEO impersonation revealed that close to 3,000 domains and subdomains contain the names of Glassdoor’s top 100 CEOs. Only 2% of the domains, however, could be publicly attributed to the CEOs’ respective companies, while a number of the resources were reported as “malicious.”
Risks That Impersonated Companies Face
The most apparent threat associated with online impersonation is phishing, which can arrive by email, by text message (smishing), or as whaling (CEO fraud), among other forms. All of these variants share a common goal: to make victims believe the messages they receive are legitimate.
The PayPal Phishing Report for Q2 2021 provided details on how threat actors use urgency, threats, and financial baits, among other techniques, to spur victims into action. Clicking the links embedded in these messages would typically lead them to poisoned web pages. And the rest, as they say, is history. Sensitive data gets stolen, bank accounts get compromised, and networks get infiltrated, among many other possible horror stories.
A less scary version of online impersonation was also seen among the identified Internet properties: websites that seemingly sell counterfeit products. The actors behind these sites likely hoped that customers would get lured into buying from them instead of the legitimate companies.
It’s less scary in a sense because this type of impersonation does not directly impact consumers. But that doesn’t mean that the target organizations do not pay the price. The International Chamber of Commerce (ICC), in fact, projected that by 2022, the cost of counterfeiting and piracy would reach US$4.2–5.4 million primarily due to the displacement of legitimate economic activity.
A Myriad of Ways to Imitate Brands
The domain footprints of companies go beyond what’s found in their DNS zone records. While these internal digital assets may also be vulnerable to attacks, online impersonation tends to lead to the weaponization of external assets.
Consider the company name “Amazon.” Ever wondered how many times possible impersonators have used it in domains and subdomains? We can base the answer on the number of web properties containing the company’s name registered on 1–20 August 2021. That figure includes 1,757 domains and 4,306 subdomains, amounting to around 303 digital assets added to the DNS per day.
The number of possible typosquatting domains may even be far greater, though. Domain Brand Monitor detected 182 ways by which “Amazon” can be misspelled. A few examples are “emazon,” “amezon,” “amqzon,” and “āmazon.”
Take any of these typos and partner them with text strings, such as “password,” “account,” “shop,” “login,” “signin,” and “payment,” and you could have hundreds if not thousands of other possible combinations for every top-level domain (TLD).
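For monitoring, the same combinations can be recognized rather than enumerated. The sketch below is an added example, not WhoisXML API or Domain Brand Monitor code: it classifies domains from a newly-registered-domain feed by folding diacritics, peeling the keywords listed above off each hyphen-separated token, and measuring edit distance to the brand. The feed entries are constructed, and internationalized names are assumed to arrive already decoded to Unicode rather than as "xn--" labels.

```python
import unicodedata

BRAND = "amazon"
KEYWORDS = ("password", "account", "shop", "login", "signin", "payment")  # from the article

def fold(text):
    """Strip combining marks so a diacritic variant such as 'āmazon' folds to 'amazon'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_keywords(token):
    """Peel keywords off either end: 'amezonlogin' -> ('amezon', ['login'])."""
    found, changed = [], True
    while changed:
        changed = False
        for kw in KEYWORDS:
            if len(token) > len(kw) and token.startswith(kw):
                token, changed = token[len(kw):], True
                found.append(kw)
            elif len(token) > len(kw) and token.endswith(kw):
                token, changed = token[:-len(kw)], True
                found.append(kw)
    return token, found

def classify(domain, brand=BRAND, max_dist=1):
    """Return (verdict, matched_token, keywords); verdict is 'brand', 'typo' or None."""
    labels = domain.lower().rstrip(".").split(".")[:-1]  # assumes a one-label TLD
    verdict, hit, keywords = None, None, []
    for raw in (t for label in labels for t in label.split("-") if t):
        core, found = strip_keywords(fold(raw))
        keywords += found
        if core in KEYWORDS:
            keywords.append(core)
        elif verdict is None and edit_distance(core, brand) <= max_dist:
            # Exact ASCII spelling is the brand name itself; anything else is a lookalike.
            verdict, hit = ("brand" if core == brand and raw.isascii() else "typo"), raw
    return verdict, hit, keywords

# Constructed feed entries under the reserved ".example" TLD.
SAMPLE_FEED = ["emazon.example", "amezon-login.example", "signin.amqzon.example",
               "\u0101mazon.example", "amazon-payment.example", "amazing-shop.example"]
```

Comparing whole tokens instead of substrings keeps "amazing-shop" (distance 2) out of the results; a match alone does not say who registered the domain, so attribution still needs the WHOIS check the study describes.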
Domain Brand Monitor Alerts You When Typosquatting Domains Get Registered
External digital assets are part of a company’s overall attack surface. That is true for typosquatting domains, as evidenced by the percentage of malicious domains that impersonate some of the largest companies in the world. Brand Monitor by WhoisXML API lets companies combat typosquatting and online impersonation through:
- Domain registration monitoring: Domains containing a specified search string are detected as soon as they appear in the DNS.
- Inclusion of typo variants: Possible misspelled variations of search strings are generated for companies to include in their monitoring efforts.
- Alert notifications: Key personnel can get alerted when relevant domain names get registered, modified, or dropped, ensuring immediate investigation into possibly dangerous digital assets.
- 14-day lookback: Relevant domain activity for the past 14 days can be reviewed and analyzed with the software’s help.
- Digital asset contextualization: Detected typosquatting domains can be contextualized further using the search and monitoring tools within the Domain Research Suite (DRS).
—
When companies are impersonated, their customers, employees, and partners are often the ones who suffer most. Brand Monitor by WhoisXML API supports brand protection initiatives by offering advanced capabilities to monitor company-owned or related domain assets in near-real-time.
For more than 10 years now, WhoisXML API has been gathering, analyzing, and correlating domain, IP, and DNS data to make the Internet more secure and transparent.