The Domain Game: How Phishing Artists Hijack Brands

Take a guess: Which retail domains are most likely to be ripped off by phishing artists -- those of the pizza parlor, the bicycle shop, the newsstand?

Don’t be silly, folks. Try Amazon, Apple, Gap, Nike and Walmart. And on the banking side, think of Barclay’s and HSBC. That’s the word from DomainTools, which studied this problem, using research from PhishEye.

You’d think that large institutions like those would be immune to a phishing attack. But the scammers agree with the title of that old movie: “Never steal anything small.”

How do these cyber felons do it? “While most phishers won’t be able to register the primary domain names of their intended targets (unless the victim organization accidentally let a valuable domain lapse), they can and do register an almost limitless variety of look-alikes,” DomainTools explains.

Typically, a scam artist would “add certain words (called affixes) like “account,” “login,” “online,” or countless others to the domain names, in order to make the victims believe they are either visiting the legitimate site or receiving a trusted email,” DomainTools continues.

“Adding affixes has the advantage (to the phisher) of allowing them to spell the victim organization’s name correctly,” it adds. “For example, the (fictional) Acme Grommet Company may have registered but never registered, leaving it available to potential phishers.

The end game is that “these look-alike domains are often used to trick victims into handing over personal data and credentials,” DomainTools writes.

In March, the DomainTools research team “monitored the top UK-based banks and US-based retailers for high risk domains spoofing the respective banks and retailers.

Domains with DomainTools Reputation Engine scores of 70 or higher were deemed “high risk.” Apple was identified with 210 high-risk domains, and was the most abused brand name overall. Some variations:






(As the owner of several Apple products, I’m always getting communications, it seems. I could easily click through one of these domains without thinking).

There are similar versions for Amazon.






As for the banking side, let’s start with HSBC, for which 110 high-risk domains have been identified. PhishEye uncovered these variations:


Then there’s Barclay’s, which is mimicked by 74 high-risk domains:


Want to fight this type of crime? DomainTools advises to you to watch out for:

  • Extra added letters in the domain, such as Yahoo[.]com
  • Dashes in the domain name, such as Domain-tools[.]com
  • The letters ‘rn’ disguised as an ‘m’, such as versus
  • Reversed letters, such as Domiantools[.]com
  • Plural or singular forms of the domain, such as Domaintool[.]com

Oh, yes, you should also train employees, and have both your iT and legal teams standing watch 24/7.


Next story loading loading..