The proliferation of alternative, “generic” TLDs—such as .app and .online—as well as the ability to register domain names using non-latin characters are enabling phishing attacks, according to the 2019 Proofpoint Domain Fraud Report, published Tuesday. Since ICANN—the organization responsible for administration of the domain name system—began delegations of new generic top-level domains (gTLDs) in October 2013, the number of top-level domains has risen above 1,200, providing malicious actors the means to embark on phishing campaigns.
To be fair, traditional means of domain-based phishing such as typosquatting—registering a name like “goggle” for its similarity to “google,” for example—are still popular tactics, as is exploiting kerning faults, such as using the letter “m” to give the appearance of the visually similar “rn.” Of these traditional means, which Proofpoint categorizes as “lookalike attacks,” 79% resolve to an IP address, 34% have an MX record—used for sending phishing emails—and 17% have a security certificate, showing a lock icon when users open that site in a browser.
Years of cybersecurity training for non-technical users including such shorthand guidance as “look for the lock icon to ensure the website is secure, etc.,” are likely to become a problem, as phishing attackers are able to self-sign certificates using services like Let’s Encrypt.
Some 76% of Proofpoint’s Digital Risk Protection customers had an encounter with a lookalike domain in 2018, the report said.
SEE: Phishing and spearphishing: An IT pro’s guide (free PDF) (TechRepublic)
Phishers—and other cybercriminals—closely watch the gTLD market for potentially exploitable, cheap registrations. According to Proofpoint, “Because the most popular TLDs (“.com” and “.net”) are unavailable, TLD attacks use a more broadly distributed set of TLDs than other types of fraudulent domains.” Some 96% of Proofpoint’s Digital Risk Protection customers encountered a TLD attack, the report stated, with the frequency of registrations used in TLD attacks increasing 24% between Q1 and Q4 2018.
The 10 most commonly used gTLDs in these attacks are:
- .app (6%)
- .ooo (3%)
- .xyz (3%)
- .online (2%)
- .site (2%)
- .club (2%)
- .top (2%)
- .info (2%)
- .icu (2%)
- .website (1%)
Internationalized domain names (IDNs) are similarly problematic. IDNs allow for domains with non-latin characters to be registered, though visual similarities between characters in different scripts, called homoglyphs, can be used to create domain names with visually indiscernible differences, such as substituting the Cyrillic characters T, e, c, and p for the Latin T, e, c, and p. By substituting these characters, these can be used to register similar-looking domain names.
While Google Chrome disallows domains from using a mixture of Cyrllic and Latin characters—instead displaying the punycode equivalent, starting with “xn--,” this is not a guarantee when emails are sent from these domains, with many mail clients displaying the mixed character set.
“In 2018, nearly 66% of Proofpoint Digital Risk Protection customers had at least one detection for an active fraudulent IDN domain that uses their brand name. And for more than 1 in 5 of those customers, the fraudulent domains are almost an exact match for their brand-owned domain, with just one or two characters swapped,” the report stated.
Domains used in these attacks are typically seen as part of highly-targeted attacks, the report stated.
For more on gTLDs, check out “Registrations for .inc domain names are open, but is it worth it to get one?” and “Rampant spam, falling registrations show new gTLDs have limited business value” on TechRepublic.