Trusted certificates make phishing websites appear valid

There has been a rampant growth of look-alike domains, which are often used to steal sensitive data from online shoppers.


Venafi analyzed suspicious domains targeting 20 major retailers in the U.S., U.K., France, Germany and Australia and found over 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted.

According to the research, growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four times.

Key findings

  • The total number of certificates used by look-alike domains is more than 400% greater than the number of authentic retail domains.
  • Major retailers are important targets for cyber criminals. One of the top U.S. retailers has over 49,500 look-alike domains targeting their customers.
  • There are over six times more look-alike domains than valid domains among the top 20 online U.K. retailers.
  • Over half (60%) of the look-alike domains studied use free certificates from Let’s Encrypt.

As online shopping continues to grow, so does the targeting of consumers through malicious look-alike domains. Cyber attackers create fraudulent domains by substituting a few characters in the URLs.

Because these domains point to malicious online shopping websites that closely mimic legitimate, well-known retail websites, it is increasingly difficult for customers to detect the fakes.

Additionally, given that many of these malicious pages use a trusted TLS certificate, they appear to be safe to online shoppers who unknowingly provide sensitive account information and payment data.

Protection steps for online retailers

As the holiday shopping season approaches, the number of look-alike domains targeting online shoppers will multiply. Online retailers that discover malicious domains can take several steps to protect their customers, including:

  • Search and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous websites.
  • Add Certificate Authority Authorization (CAA) to the DNS records of domains and subdomains. CAA lets organizations determine which CAs can issue certificates for domains they own. It is an extension of the domain’s DNS record and supports property tags that let owners set CA policy for entire domains or for specific hostnames.
  • Leverage technology solutions to search for suspicious domains. Brand protection services may help retailers find malicious websites and stop the unauthorized use of their logos or brands. Solutions that also provide anti-phishing functionality can aid in the search for look-alike domains.
  • Detect malicious certificates using Certificate Transparency. All publicly trusted machine identities, such as TLS certificates, are published to open logs. Monitoring and analyzing these logs enable organizations to detect look-alike domains and certificates before they are used in attacks against customers.
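
One way to implement the Certificate Transparency check described in the last step, as an added example that is not from Venafi or the original article: it flags certificate hostnames whose labels fall within a small edit distance of a brand name after undoing common ASCII character substitutions. The brand `examplemart`, the sample names, the substitution table and the distance threshold are constructed assumptions, and internationalised (punycode) names are not handled.

```python
# Added example: flag look-alike hostnames among names seen in CT log entries.
# Brand, sample names, substitution table and threshold are constructed.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI = (("rn", "m"), ("vv", "w"))  # letter pairs that imitate one letter

def skeleton(label: str) -> str:
    """Reduce a DNS label to a canonical form by undoing visual swaps."""
    s = label.lower().translate(CONFUSABLES)
    for seq, repl in MULTI:
        s = s.replace(seq, repl)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname: str, brand: str, owned: set, max_dist: int = 2) -> str:
    """Return 'owned', 'lookalike' or 'unrelated' for one certificate name."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):  # wildcard certificate name
        host = host[2:]
    if any(host == d or host.endswith("." + d) for d in owned):
        return "owned"
    target = skeleton(brand)
    for label in host.split("."):
        # A short brand name needs a smaller max_dist to avoid false positives.
        if edit_distance(skeleton(label), target) <= max_dist:
            return "lookalike"
    return "unrelated"

def scan(names, brand: str, owned: set) -> list:
    """Names from CT entries that should go to an analyst for review."""
    return [n for n in names if classify(n, brand, owned) == "lookalike"]

# Constructed hostnames standing in for names parsed from CT log entries.
SAMPLE_CT_NAMES = [
    "www.examplemart.example", "*.shop.examplemart.example",
    "examp1emart.example", "examplernart.test", "exampelmart.example",
    "examplemart.test", "gardening-tools.example",
]

if __name__ == "__main__":
    print(scan(SAMPLE_CT_NAMES, "examplemart", {"examplemart.example"}))
```
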

“We continue to see rampant growth in the number of dangerous look-alike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi.

“This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”
