Commentary

The Domain Game: How Phishing Artists Hijack Brands

Take a guess: Which retail domains are most likely to be ripped off by phishing artists -- those of the pizza parlor, the bicycle shop, the newsstand?

Don’t be silly, folks. Try Amazon, Apple, Gap, Nike and Walmart. And on the banking side, think of Barclays and HSBC. That’s the word from DomainTools, which studied this problem, using research from PhishEye.

You’d think that large institutions like those would be immune to a phishing attack. But the scammers agree with the title of that old movie: “Never steal anything small.”

How do these cyber felons do it? “While most phishers won’t be able to register the primary domain names of their intended targets (unless the victim organization accidentally let a valuable domain lapse), they can and do register an almost limitless variety of look-alikes,” DomainTools explains.

Typically, a scam artist would “add certain words (called affixes) like ‘account,’ ‘login,’ ‘online,’ or countless others to the domain names, in order to make the victims believe they are either visiting the legitimate site or receiving a trusted email,” DomainTools continues.

“Adding affixes has the advantage (to the phisher) of allowing them to spell the victim organization’s name correctly,” it adds. “For example, the (fictional) Acme Grommet Company may have registered acmegrommet.com but never registered acmegrommet-login.com, leaving it available to potential phishers.”

The end game is that “these look-alike domains are often used to trick victims into handing over personal data and credentials,” DomainTools writes.

In March, the DomainTools research team “monitored the top UK-based banks and US-based retailers for high risk domains spoofing the respective banks and retailers.”

Domains with DomainTools Reputation Engine scores of 70 or higher were deemed “high risk.” Apple was identified with 210 high-risk domains, and was the most abused brand name overall. Some variations:

  • securedapplewebverification[.]ga
  • auth-apple-id[.]com
  • apple-accountservice[.]com
  • apples-verificationsecurepage-required[.]mi
  • iphone-applen[.]com

(As the owner of several Apple products, I’m always getting communications, it seems. I could easily click through one of these domains without thinking).

There are similar versions for Amazon:

  • sellercencetral-amazon[.]it
  • amazonhome[.]club
  • noreply-amazon[.]com
  • amazon-gc[.]tk
  • amazon-walmart-ebay[.]info

As for the banking side, let’s start with HSBC, for which 110 high-risk domains have been identified. PhishEye uncovered these variations:

  • hsbcgrp[.]com
  • hsbc-groups[.]com
  • hsbc-direct[.]com
  • hsbcc[.]com.br
  • hsbvc[.]com.br
  • hsbc-security[.]su

Then there’s Barclays, which is mimicked by 74 high-risk domains:

  • barclaysbank-pic[.]co.uk
  • barclaysbank-uae[.]com
  • barclaye-supports[.]com
  • www.barclays[.]com
  • barclaya[.]net

Want to fight this type of crime? DomainTools advises you to watch out for:

  • Extra added letters in the domain, such as Yahoo[.]com
  • Dashes in the domain name, such as Domain-tools[.]com
  • The letters ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com
  • Reversed letters, such as Domiantools[.]com
  • Plural or singular forms of the domain, such as Domaintool[.]com
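As an added illustration (not DomainTools or PhishEye code), here is a small Python triage script that applies the affix pattern DomainTools describes above and the five spotting rules in this list to a batch of candidate domains. The brand list, affix list, public-suffix set and sample domains are all constructed for the demo; a real scanner would take brands from your own registrations and suffixes from the public suffix list.

```python
"""Look-alike domain triage (added example, not DomainTools/PhishEye code).

Flags candidates that spoof a brand via dash-joined affixes, an extra,
missing, substituted or transposed letter, or the 'rn'-for-'m' trick.
"""

# Constructed inputs: assumptions for the demo, not DomainTools data.
BRANDS = ["apple", "amazon", "hsbc", "barclays", "domaintools", "modern", "yahoo"]
AFFIXES = {"account", "login", "online", "secure", "security", "verification",
           "auth", "support", "service", "bank", "group", "direct"}
# Tiny stand-in for the public suffix list (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}

SAMPLE_DOMAINS = [  # constructed, defanged like the lists above
    "auth-apple-id[.]com", "apple-accountservice[.]com", "noreply-amazon[.]com",
    "hsbcc[.]com.br", "hsbvc[.]com.br", "hsbc-groups[.]com", "barclaya[.]net",
    "www.barclays[.]com", "dornaintools[.]com", "domiantools[.]com",
    "domaintool[.]com", "yahooo[.]com", "modem[.]com", "pizzaparlor[.]com",
]


def refang(domain):
    """Turn the defanged 'example[.]com' notation back into a hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_label(domain):
    """Label left of the public suffix (what the registrant chose):
    'hsbvc' for 'www.hsbvc.com.br'."""
    labels = refang(domain).split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    rest = labels[:-suffix_len]
    return rest[-1] if rest else ""


def fold_homoglyphs(s):
    """Collapse the 'rn' vs 'm' confusion so modem and modern compare equal."""
    return s.replace("rn", "m")


def osa_distance(a, b):
    """Optimal string alignment distance: single edits plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typo_kind(candidate, brand):
    """Name the one-edit typo that turns brand into candidate, or None."""
    if len(brand) < 4 or candidate == brand or osa_distance(candidate, brand) != 1:
        return None
    if len(candidate) == len(brand) + 1:
        return "extra letter (or plural form)"
    if len(candidate) == len(brand) - 1:
        return "missing letter (or singular form)"
    if sorted(candidate) == sorted(brand):
        return "reversed (transposed) letters"
    return "substituted letter"


def classify(domain, brands=BRANDS):
    """Return a finding dict if domain looks like one of `brands`, else None."""
    label = registrable_label(domain)
    parts = label.split("-")
    for brand in brands:
        if label == brand:
            return {"domain": domain, "brand": brand, "affixes": [],
                    "reason": "exact brand label: confirm it is the brand's own registration"}
    for brand in brands:
        finding = {"domain": domain, "brand": brand, "affixes": []}
        if fold_homoglyphs(label) == fold_homoglyphs(brand):
            return dict(finding, reason="'rn' disguised as 'm' (or the reverse)")
        kind = typo_kind(label, brand)
        if kind:
            return dict(finding, reason=kind)
        others = [p for p in parts if p != brand]
        finding["affixes"] = sorted(a for a in AFFIXES if any(a in p for p in others))
        if brand in parts:
            return dict(finding, reason="brand joined to affix(es) with dashes")
        for part in parts:
            kind = typo_kind(part, brand)
            if kind:
                return dict(finding, reason=kind + " inside a dashed label")
        if brand in label:
            return dict(finding, reason="brand embedded in a longer label")
    return None


def scan(domains, brands=BRANDS):
    """Classify every candidate and keep only the look-alikes."""
    return [f for f in (classify(d, brands) for d in domains) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS):
        print(f"{finding['domain']:<35} {finding['brand']:<12} {finding['reason']}"
              + (f"  affixes={finding['affixes']}" if finding["affixes"] else ""))
```

The checks run from strongest to weakest signal (exact label, homoglyph fold, one-edit typo, dash-joined affix, substring), so a domain gets the most specific reason that applies. The exact-match branch is deliberate: a brand label on an unexpected TLD is still worth a look, and the analyst, not the script, decides whether it is the organization's own registration.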

Oh, yes, you should also train employees, and have both your IT and legal teams standing watch 24/7.
