Royal Bank of Canada is among the top worldwide brands whose domains are mimicked by cybercriminals to make fake websites look more real, according to a new study.
In a report released this morning, Palo Alto Networks says RBC was the third most common brand and domain abused by crooks in a survey done last December, behind PayPal and Apple and slightly ahead of Netflix, LinkedIn and Amazon.
Others in the top 10 that month included Dropbox, Trip Advisor and Bank of America.
In the case of the Royal Bank, the report says one squatted domain it found was “rbyroyalbank [.]com.”
RBC is not only Canada’s biggest bank, but it also has branches in the United States and 30 other countries. Banks are favourite targets for cybercriminals, who use fake web sites to get the login credentials of unsuspecting customers.
Other phony sites found during the study period include “apple.com.recover[.]support,” “icloud.com-iphone[.]support,” “netflix-payments[.]com” and “secure-wellsfargo[.]org.”
The report uses two factors for its ranking of abused domains: The number of squatting domains associated with the brand and the percentage of malicious squatting domains. The first factor is a reflection of the popularity of a brand among domain squatters. The second factor quantifies the degree of threat to users. A high adjusted malicious rate means that many squatting domains targeted the brand, or most of the squatting domains are malicious.
For this study, researchers created a squatting detector, which found 13,857 squatting domains were registered in December, an average of 450 per day. Not all squatting domains are malicious. Some might have been registered in the hopes than a legitimate organization might buy the “near-enough” domain to protect their brand.
However, using URL filtering and comparing domains found on the VirusTotal website, researchers found slightly under 19 per cent of the suspected squatting domains were malicious, often distributing malware or conducting phishing attacks. Another 36.5 per cent were a high risk to users by being associated with malicious URLs within the domain.
Cybersquatting isn’t merely copying the logos and the look of a site. It’s the term for sites that use domain names similar to a legitimate site that rely on misspellings as an additional way of tricking viewers, who have usually been taken there by clicking on a link in an email or text message.
These malicious domains take advantage of a weakness in the international domain registration system that allows anyone to register a domain that is close to but not identical to one already locked down.
Many organizations try to cover themselves by registering domains close to theirs. For example, a company with the main domain of “brand[.]com” might also register “brand[.]org” and “brand[.]net.” The web sites of these close-to domains won’t have content; instead, they are set up to automatically forward visitors who misspell the domain to the real domain.
Criminals go the next step to rely on misspellings and other tricks to fool users. For example, a viewer reading a malicious email message that says “Click on this link to go to our secure web site” would be fooled at a site that starts with “secure-brand[.]com,” when the legitimate site is “brand[.]com/secure.”
Fake domains are used for a range of criminal activities including hosting copycat web sites for infecting vistors, as well as for command and control sites for overseeing the distribution of malware.
Reacting to the report Adam Evans, RBC’s vice-president of cyber operations and chief information security officer says it maintains the highest possible security standards.
“Safeguarding the security of our systems and the confidentiality of our clients’ information is always a top priority. We have rigorous, state-of-the-art fraud and security safeguards to protect RBC clients and ensure they have access to our services without interruption. We have education programs dedicated to helping our employees and clients spot phishing, social engineering and other cybercrime tactics,” he told IT World Canada.
The report says criminals use a number of techniques including:
- Typo-squatting, which is misspelling variants of the target’s name (such as “whatsa1pp[.]com”).
- Combo-squattting, which combines words in domains viewers might be looking for (such as “secure-brand[.]com”).
- Homograph-squatting, which uses Unicode or Cyrillic characters in domain names (such as microsofŧ [.]com).
- Bit-squatting, which misspells one nearby letter in a domain (for example, micposoft[,]com). A memory error could allow a user to be sent to the wrong site even though they typed the right one.
- Sound-squatting, which uses words or symbols that sound like the site the user would be looking for (such as “4ever21[.]com” instead of the real site “forever21[.]com”.
- Level-squatting, where criminals create a long domain that starts with a legitimate domain but adds other letters or numbers as a disguise. Legitimate domains can be long because they often go to subdomains, which, knowledgeable people know, are separated by slashes. Level-squatting takes advantage of the fact people today are used to long domain names but don’t know about the slashes (so for example, the fake domain “safety.brand.com.complex.eknm00d[.]net” really goes to the site “eknm00d[.]net.”
The report notes that level-squatting is especially worrisome for mobile users because a browser’s address bar might not be wide enough to display the entire domain name. Criminals who use cybersquatting often register domains at shady DNS providers or so-called parking services, which also host abused domains. Some provide privacy-protected domain registration, others offer so-called bulletproof hosting, and others support an unlimited number of subdomains and free URL forwarding.
In an email, Janos Szurdi, staff researcher for Palo Alto Networks’ Unit 42 threat intelligence service, notes that domain parking services offer easy-to-use monetization to domain owners through third-party advertisements. Some parking services send users to advertisement networks, which in return, send users to malicious landing pages. In essence, they supply traffic to cybercriminals. Second, when cybercriminals need a large number of domains, domain parking can help pay for domain registration costs until the domain names start hosting malicious content.
A related problem is abused security certificates, which take advantage of users looking for HTTPS in domain names. Abused security certificates reinforce the legitimacy of a fake domain.
Szurdi says organizations can protect themselves from cybersquatting in several ways: Proactively register certain squatting domains, such as domains missing a character; by leveraging the U.S. Anticybersquatting Consumer Protection Act (ACPA); use the International Corporation for Assigned Names’ (ICANN) Uniform Domain-Name Dispute-Resolution Policy (UDRP) if possible to take hold of the domains or have them taken down; and contract a cybersecurity vendor that continuously tracks squatting domains.
