jamdesign - stock.adobe.com

Explosion in fake data-stealing shopping sites

Cyber attackers are ramping up efforts to steal personal data by setting up look-alike domains that pose a phishing risk to online shoppers, researchers warn

There are more than 6,400 digital certificates for look-alike domains, which is 168% greater than the number of certificates for valid UK retail domains, research by security firm Venafi has revealed.

This puts online shoppers at risk of unwittingly handing over their username, password and even credit card details to threat actors, the researchers warn.

The research analysed suspicious domains targeting the top 20 retailers in the UK, US, France, Germany and Australia.

The total number of certificates for look-alike domains across all five regions is more than 200% greater than the number of authentic retail domains, with one of the top 20 US retailers found to have more than 12,000 look-alike domains targeting its customers.

Major retailers present larger targets for cyber criminals, the researchers said, with the growth in look-alike domains appearing to be connected to the availability of free secure sockets layer (SSL) and transport layer security (TLS) certificates.

They found that 84% of the look-alike domains studied and 81% of those studied in the UK use free certificates from Let’s Encrypt, a free, open and automated certificate authority (CA) provided as a service by the Internet Security Research Group (ISRG).

As the rate of online shopping increases, the researchers said customers are being targeted through look-alike domains which cyber attackers create by substituting a few characters in the URLs.

Because they point to malicious online shopping sites that mimic legitimate, well-known retail websites, it makes it increasingly difficult for customers to detect the fake domains. Additionally, given that many of these malicious pages use a trusted SSL/TLS certificate, they appear to be safe for online shoppers who unknowingly provide sensitive account information and payment data.

“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” said Jing Xie, senior threat intelligence analyst for Venafi.

“Because malicious domains now must have a legitimate TLS certificate to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. In spite of significant advances in the best practices followed by certificate issuers, this is a really bad idea,” she said.

According to Xie, no organisation should rely exclusively on certificate authorities to detect suspicious certificate requests. “For example, cyber attackers recently set up a look-alike domain for NewEgg, a website with more than 50 million visitors a month.

“The look-alike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers,” she said.

According to Venafi’s research, every online retailer studied is being targeted. Researchers warn that as the end of year shopping season approaches, there will likely be an increase in look-alike domains.

“To protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analysing certificate transparency logs,” said Xie. 

“This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates,” she said.

Online retailers that discover malicious domains can take several steps to protect their customers, including:

  • Search and report suspicious domains using Google Safe Browsing, an industry anti-phishing service that identifies and blacklists dangerous websites.  
  • Report suspicious domains to the Anti-Phishing Working Group (APWG), an international voluntary organisation that focuses on limiting cyber crime perpetrated through phishing.
  • Add Certificate Authority Authorisation (CAA) to the DNS records of domains and subdomains to determine which CAs can issue certificates for domains they own.
  • Use copyright infringement software to search for suspicious domain, find malicious websites and stop the unauthorised use of their logos or brands.

Read more about phishing

  • Majority of European firms unprepared for phishing attacks.
  • More than one million new phishing sites created each month.
  • Phishing is no longer just a consumer problem, say experts. The scams are hurting companies’ reputations and bottom lines.
  • Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.

Read more on Hackers and cybercrime prevention