The growth of fraudulent domains tracks the growth of the overall domain landscape, according to Proofpoint.
Between Q1 and Q4 2018, registrations of fraudulent domains grew by 11 percent. Nearly all fraudulent domains detected by Proofpoint remain active and positioned for attack: more than 90 percent resolve to a live server.
Of these fraudulent domains, more than 15 percent have Mail Exchanger (MX) records, indicating that they send and/or receive email. One in four also has a TLS certificate, a far higher share than in the aggregate domain landscape. A certificate only proves that whoever requested it controls the domain; it says nothing about who that is, yet many internet users mistakenly equate the padlock with legitimacy and security.
The 2019 Domain Fraud Report provides in-depth analysis of twelve months of data collected from Proofpoint’s Active Domains Database, which contains over 350 million domains and represents virtually all domains on the web.
“Similar to many of today’s top attack methods, domain fraud targets individuals rather than infrastructure by using social engineering to trick users into believing the domains they are accessing are legitimate,” said Ali Mesdaq, director of Digital Risk Engineering for Proofpoint.
“Due to the relatively low barrier to entry of domain registrations and ease of execution, it is critical that organizations remain vigilant of suspicious and infringing domains that might pose a risk to their brand and customers.”
Fraudulent domains use many of the same top-level domains (TLDs), registrars, and web servers as legitimate domains to impersonate brands and manipulate users.
These factors, together with the high proportion of live web servers, many with valid TLS certificates, increase the perceived legitimacy of fraudulent domains and widen the range of possible attacks, including wire transfer fraud, phishing, counterfeit goods sales and other scams.
More than 85 percent of top retail brands found domains selling counterfeit versions of their products; the average retail brand had more than 200 such detections. Domains selling counterfeit goods also carry TLS certificates at a significantly higher rate than other types of fraudulent domains, which makes them seem legitimate to customers.
Ninety-six percent of organizations found exact matches of their brand-owned domain under a different TLD (e.g. “.net” vs “.com”), and 76 percent observed “lookalike” domains posing as their brand. This affected most industries and geographies.
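The two patterns above (an exact copy of the brand label under another TLD, and a lookalike label under the brand's own TLD) can be enumerated ahead of time and checked against the signals the report uses: a live server, MX records, and a TLS certificate. The following is an added example, not Proofpoint's code or any tool the report describes. The brand name, the TLD list, the confusable table and the per-domain observations are all constructed for illustration; in practice the observations would come from DNS lookups and certificate transparency logs rather than an inline dictionary.

```python
"""Candidate generation and triage for brand-impersonating domains.

Added example; not Proofpoint's code. Every input below (brand, TLD list,
confusable table, DNS/certificate observations) is constructed.
"""

# Hypothetical brand domain to protect (assumption, not from the report).
BRAND = "examplebrand.com"

# TLDs to check for an exact copy of the brand label. The list is assumed;
# .app and .icu are included because the report names them as new TLDs
# abused in 2018.
TLDS = ["net", "org", "co", "info", "app", "icu"]

# Deliberately small table of single-character confusables (assumption).
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}


def split_domain(domain):
    """Split 'label.tld' into (label, tld); multi-part TLDs are out of scope."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def tld_variants(domain, tlds=TLDS):
    """Exact brand label registered under a different TLD (e.g. .net vs .com)."""
    label, tld = split_domain(domain)
    return {f"{label}.{t}" for t in tlds if t != tld}


def lookalike_variants(domain, homoglyphs=HOMOGLYPHS):
    """Lookalike labels under the brand's own TLD: one confusable swap, one
    omitted character, one doubled character, one adjacent transposition,
    or one inserted hyphen."""
    label, tld = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        for sub in homoglyphs.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
        out.add(label[:i] + label[i + 1:])             # omission
        out.add(label[:i] + ch + ch + label[i + 1:])   # doubled character
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])            # hyphenation
    out.discard(label)
    return {f"{v}.{tld}" for v in out if v}


def triage(obs):
    """Score one registered candidate from its observations. A live A record,
    MX records (mail-capable) and a TLS certificate each raise the priority;
    MX weighs most because it enables the targeted email described above."""
    score, reasons = 0, []
    if obs.get("a"):
        score += 1
        reasons.append("live server")
    if obs.get("mx"):
        score += 2
        reasons.append("mail-capable (MX)")
    if obs.get("cert"):
        score += 1
        reasons.append("TLS certificate")
    return score, reasons


def sweep(brand, observations):
    """Enumerate candidates, keep the registered ones, rank by triage score."""
    candidates = tld_variants(brand) | lookalike_variants(brand)
    findings = []
    for cand in sorted(candidates):
        obs = observations.get(cand)
        if obs is None:          # not registered (or not yet observed)
            continue
        score, reasons = triage(obs)
        findings.append((cand, score, reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


# Constructed observations keyed by domain (hypothetical data, not real lookups).
OBSERVED = {
    "examplebrand.net": {"a": ["203.0.113.10"], "mx": ["mail.examplebrand.net"], "cert": True},
    "examp1ebrand.com": {"a": ["203.0.113.11"], "mx": [], "cert": True},
    "examplebrand.icu": {"a": ["203.0.113.12"], "mx": [], "cert": False},
    "exampelbrand.com": {"a": [], "mx": [], "cert": False},
}

if __name__ == "__main__":
    for domain, score, reasons in sweep(BRAND, OBSERVED):
        print(f"{score}  {domain:22s} {', '.join(reasons) or 'registered, parked'}")
```

The ranking puts a mail-capable lookalike with a certificate at the top, because that combination supports both the low-volume targeted email and the convincing landing page the report describes; a registered but parked name still appears, since it can be activated later.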
Fraudulent domains are being used to send email for highly targeted attacks. For 94 percent of organizations observed, Proofpoint identified at least one fraudulent domain posing as their brand and sending email. Many fraudulent domains sent low volumes of email, behavior typically associated with highly targeted, socially engineered attacks.
Attackers impersonating highly recognizable retail brands (especially those with complex supply chains) sent much higher volumes of email, suggesting broader attacks against customers and partners.
Market factors, such as the introduction of new TLDs, create opportunity for threat actors. In 2018, new TLDs such as .app and .icu provided fresh opportunities to register fraudulent domains. Proofpoint found that attackers used these new TLDs to register names matching “.com” domains already owned by top brands.