Take a guess: Which retail domains are most likely to be ripped off by phishing artists -- those of the pizza parlor, the bicycle shop, the newsstand?
Don’t be silly, folks. Try Amazon, Apple, Gap, Nike and Walmart. And on the banking side, think of Barclays and HSBC. That’s the word from DomainTools, which studied this problem, using research from PhishEye.
You’d think that large institutions like those would be immune to a phishing attack. But the scammers agree with the title of that old movie: “Never steal anything small.”
How do these cyber felons do it? “While most phishers won’t be able to register the primary domain names of their intended targets (unless the victim organization accidentally let a valuable domain lapse), they can and do register an almost limitless variety of look-alikes,” DomainTools explains.
Typically, a scam artist would “add certain words (called affixes) like ‘account,’ ‘login,’ ‘online,’ or countless others to the domain names, in order to make the victims believe they are either visiting the legitimate site or receiving a trusted email,” DomainTools continues.
“Adding affixes has the advantage (to the phisher) of allowing them to spell the victim organization’s name correctly,” it adds. “For example, the (fictional) Acme Grommet Company may have registered acmegrommet.com but never registered acmegrommet-login.com, leaving it available to potential phishers.”
The end game is that “these look-alike domains are often used to trick victims into handing over personal data and credentials,” DomainTools writes.
In March, the DomainTools research team “monitored the top UK-based banks and US-based retailers for high risk domains spoofing the respective banks and retailers.”
Domains with DomainTools Reputation Engine scores of 70 or higher were deemed “high risk.” Apple was identified with 210 high-risk domains, and was the most abused brand name overall. Some variations:
Securedapplewebverification[.]ga
Auth-apple-id[.]com
Apple-accountservice[.]com
Apples-verificationsecurepage-required[.]mi
Iphone-applen[.]com
(As the owner of several Apple products, I’m always getting communications, it seems. I could easily click through one of these domains without thinking.)
There are similar versions for Amazon.
Sellercencetral-amazon[.]it
Amazonhome[.]club
Noreply-amazon[.]com
Amazon-gc[.]tk
Amazon-walmart-ebay[.]info
As for the banking side, let’s start with HSBC, for which 110 high-risk domains have been identified. PhishEye uncovered these variations:
Hsbcgrp[.]com
Hsbc-groups.com
Hsbc-direct.com
Hsbcc.com.br
Hsbvc.com.br
Hsbc-security.su
Then there’s Barclays, which is mimicked by 74 high-risk domains:
Barclaysbank-pic[.]co.uk
Barclaysbank-uae.com
Barclaye-supports.com
www.barclays.com
barclaya.net
Want to fight this type of crime? DomainTools advises you to watch out for:
Oh, yes, you should also train employees, and have both your IT and legal teams standing watch 24/7.
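For teams that want to triage newly seen domains against their own brand names, here is a small screening sketch. It is an added example, not DomainTools' or PhishEye's method: the allowlist, the matching rules and the function names are assumptions, and the sample input is copied from the lists above. It flags a domain when a brand appears correctly spelled with extra words around it (the affix pattern) or when a token is one character off the brand.

```python
# Added example: allowlist and matching rules are assumptions, not DomainTools' method.
BRANDS = ["apple", "amazon", "hsbc", "barclays"]          # brands named in the article
OFFICIAL = {"apple.com", "amazon.com", "hsbc.com", "barclays.com"}  # assumed allowlist

# Sample input copied from the article's lists (defanged where the article defangs).
SAMPLES = [
    "Auth-apple-id[.]com", "Securedapplewebverification[.]ga", "Iphone-applen[.]com",
    "Sellercencetral-amazon[.]it", "Hsbcgrp[.]com", "Hsbvc.com.br",
    "Barclaysbank-pic[.]co.uk", "barclaya.net", "www.barclays.com",
]

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    """Undo '[.]' defanging, lowercase, and drop a leading 'www.'."""
    d = domain.strip().lower().replace("[.]", ".")
    return d[4:] if d.startswith("www.") else d

def classify(domain):
    """Return (brand, reason) for a look-alike candidate, or None."""
    d = normalize(domain)
    if d in OFFICIAL:
        return None
    # Tokens: every label left of the final one, split on hyphens.
    tokens = [t for label in d.split(".")[:-1] for t in label.split("-") if t]
    for brand in BRANDS:
        if brand in tokens:
            return (brand, "affix")          # brand spelled correctly, extra words around it
        if any(edit_distance(t, brand) == 1 for t in tokens):
            return (brand, "typo")           # one character off the brand name
        if any(brand in t for t in tokens):
            return (brand, "affix")          # brand embedded in a longer word
    return None

def scan(domains):
    """Map each flagged domain (normalized) to its (brand, reason)."""
    hits = {normalize(d): classify(d) for d in domains}
    return {d: hit for d, hit in hits.items() if hit}

if __name__ == "__main__":
    for d, (brand, reason) in scan(SAMPLES).items():
        print(f"{d.replace('.', '[.]')}\t{brand}\t{reason}")
```

A hit is only a candidate for review: substring matching will also flag unrelated names that happen to contain a brand, which is why the research above ranks domains by a reputation score rather than by name alone.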