How cyber squatters and phishers target antivirus vendors

Illegal online activities such as phishing and typosquatting are growing at an alarming rate. To understand the issue in detail High-Tech Bridge analyzed 946 domains that may visually look like a legitimate domain (for example replacement of “t” character by “l” character, or mutated domain names such as “kasperski.com” or “mcaffee.com”) or that contain typos (e.g. “symanrec.com” or “dymantec.com”).

For ten antivirus companies, they 385 domains which can be classified by the following categories:

164 fraudulent domains. Domains registered by third-parties to make money on users erroneously visiting websites hosted on these domains (due to a typo in URL or a phishing campaign) by displaying ads, redirecting users to questionable websites selling illegal or semi-legal products and services, etc. 164 domains were detected (42.5%).

107 corporate domains. Domains registered by the antivirus companies to prevent potential Typosquatting and illegal usage of these domains. 107 domains were detected (27.7%).

73 squatted domains. Domains registered by cyber-squatters in the hope that the antivirus companies or third-parties will buy the domains at some point in the future. Websites on these domains are not active. 73 domains were detected (18.9%).

41 other domains. Domains registered by third-party businesses or companies that may have a legitimate reason to register the domain (e.g. similar Trade Mark or company name) without intention to spoof the identity or to benefit from user typos. 41 domains were detected (10.6%).

Detailed statistics are provided in the table below:

Corporations, governments and law-enforcement agencies go to great lengths to prevent abusive or illegal domain name registration and usage. However, our research revealed that the average age of a fraudulent domain is as high as 1181 days, and the average age of a squatted domain is 431 days.

Research results show that some antivirus companies pay attention to such illegal activities and try to prevent them, for example Kaspersky and McAfee purchased more than 70% of the domains that could be potentially used for illegal purposes if registered by third-parties. While others should probably pay more attention to domain squatting, monitor illegal activities and block them.

Researchers wanted to understand which domain registrars are used by cyber crooks to register fraudulent and squatted domains. The most popular domain registrars for fraudulent or squatted domains are listed in a table below:

During the research the company also collected statistics about the most popular countries in which to host websites with fraudulent content. The list is provided below:

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments on the research: “Our research clearly demonstrates that cyber criminals do not hesitate to use any opportunity to make money on domain squatting and subsequent illegal practices. There are many ways to make money from these domains: they can be resold at a profit to the legitimate owner of the Trade Mark, used to display annoying ads, redirect users to pornographic or underground pharmaceutical websites, or even to infect with malware user machines who accidentally made a typo in the URL or clicked a phishing URL.”

Don't miss