Introduction

Phishing isn’t going away. In fact, it’s seen substantial gains by playing off coronavirus fears. While enterprises spend a considerable amount of effort and money to ensure phishing emails never land in inboxes, it’s not foolproof. An additional step that adds another layer of security is blacklisting known phishing domains. 

What’s the current state of phishing? 

What’s the current climate of phishing? What does the data say? Let’s look at what you’re up against in 2020. 

The Anti-Phishing Working Group (APWG), an international coalition of over 2,200 institutions impacted by phishing, provides regular trend updates. The latest report covers the first quarter of 2020. Here are some critical insights.

COVID-19 is a perfect storm for phishing opportunists

COVID-19-themed phishing attacks against workers, healthcare and the unemployed became a severe threat in mid-March. This rise includes emails related to Zoom, one of the leading video conference platforms, which has been in high demand for everything from work meetings to online gatherings with friends and family. 

Cybercriminals are also using the crisis in business communications. Businesses began to receive emails from their suppliers with look-alike domains. This approach played on the real concerns regarding supply chains.

Furthermore, healthcare has been the target of many phishing schemes. The sector saw an increase of 35 percent, as compared to the same, according to a RiskIQ study.

Phishing domains on the rise and majority of sites now use SSL

The number of phishing domains was 165,772, up slightly from the fourth quarter of 2019. This number has been trending up since November 2019. On top of this, 75 percent of all phishing sites now use SSL. This use of encryption works in the phisher's favor because it lends the con an air of legitimacy.

These data points showcase that phishing is alive and well. So, what are some proactive steps to take to mitigate the impact? 

Blacklisting is an option. Using it in conjunction with threat monitoring and education programs creates a more comprehensive shield.

Why blacklist?

Blacklisting creates governance around what makes it into inboxes. Blacklisting can have many different parameters. It can include the content of the email as well as the domain. 

Blacklisting doesn’t always work in your favor. There are times when domains get blacklisted that are not phishing related. The emails may or may not be spam. 

It’s not a perfect science, but as the owner of your network, you can define how blacklisting works. What’s critical is to use it as a tool to protect users against phishing attacks. Its effectiveness depends on size, scope, update frequency, accuracy and other factors.

Types of phishing domains to add to your blacklist

Various types of phishing domains exist. The sophistication of cybercriminals continues to expand. Here’s an overview of domain attacks and how to defend against them with blacklisting.

Active directory and namespace collision

The problem of namespace collision describes a situation where a domain a company intends to be used exclusively by an internal audience overlaps with a domain available on the open internet. It’s a scenario ripe for phishing.

Why does this happen? The root of it goes back to Microsoft’s Active Directory. Active Directory made it easier to reach computers or services within a network without having to type out the complete domain name.

While this isn’t a concern for most Windows users, the problem occurs when the second-level domain that the short name maps to isn’t owned or controlled by the organization. It’s a loophole of sorts that can cause catastrophic breaches, especially in the age of remote and mobile working.

The dangers of namespace collision

An illustration of the security dangers of namespace collision is the domain corp.com. Domain experts labeled this a very dangerous domain because its owner could likely access networks of businesses across the world. Microsoft recently purchased the domain, which had for decades been owned by a private citizen. Microsoft took the step to ensure the protection of its systems and users.

This scenario has a lot to do with probable phishing domains. Users receive messages that appear to mimic their own internal domains, where they share and store documents. That click could result in unauthorized access, breaches and the spread of malware. 

The lesson here is that you must own second-level or third-level domains. This is typically a given, such as technical.support.portal.website.com. The owner of website.com also owns those other levels. It becomes tricky when you have second-level subdomains. 

In your phishing due diligence, you either need to ensure you own all the levels or blacklist any you don’t own. 

Typosquatting phishing domains

Typosquatting is the most basic type of phishing domain. It preys on the reality that typos happen quite often. 

What happens in this situation is that someone registers the likely misspellings of the domain, singular/plural versions, hyphenations or other variations to a known and trusted domain. 

Also under the umbrella of typosquatting are kerning faults. Instead of the letter “m,” the domain uses “rn.” It looks very close to the real one, especially if the type is small — say, when being read on a phone. That is often enough for phishers to get users to take the bait.

Typosquatting examples

Typosquatting can be carried out in many different ways. Here are some examples:

  • Typos: The thought is that many won’t notice the typo. Hence, goigle.com may pass for google.com.
  • Misspellings: This can occur with just the addition or change of a letter, such as gooogle.com.
  • Alternative spellings: Many brands use a unique spelling, so hackers create sites that take advantage of this. The URL may be findfotos.com rather than findphotos.com.
  • Hyphens: Adding or omitting a hyphen is a quick way to trick users. The phishing domain could be insta-gram.com instead of instagram.com.
  • Adding www: Domains may still include the www, but a period must follow it. www.google.com is authentic, while wwwgoogle.com is not.

Employees may be easily fooled

Should such an email land in an employee’s inbox, they may click it because the domain looks so similar. Training and educating employees on how phishing works is another defense against this. But you’d probably rather it never gets through your email server.

To protect against this, you should perform a search of any current domains that are possible typos of your domain, following the examples above. If you find that some are registered, blacklist those. If any others exist, buy them and redirect to your actual home page.
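The search described above starts from a list of candidate lookalikes. The following is an added example (not code from the article) that generates the variation types listed in this section for your own domain and intersects them with a constructed, inline snapshot of registered domains standing in for a real registration lookup:

```python
import string

# Alternative-spelling swaps mentioned in the article (photos vs. fotos)
ALT_SPELLINGS = (("ph", "f"), ("f", "ph"))


def typosquat_candidates(domain: str) -> set[str]:
    """Return lookalike domains a typosquatter might register for `domain`."""
    name, _, tld = domain.lower().rpartition(".")
    cands: set[str] = set()
    letters = string.ascii_lowercase
    # Typos and misspellings: change, drop or add a single letter (goigle, gogle, gooogle)
    for i in range(len(name)):
        for c in letters:
            if c != name[i]:
                cands.add(f"{name[:i]}{c}{name[i + 1:]}.{tld}")
        cands.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    for i in range(len(name) + 1):
        for c in letters:
            cands.add(f"{name[:i]}{c}{name[i:]}.{tld}")
    # Hyphens inserted between letters (insta-gram)
    for i in range(1, len(name)):
        cands.add(f"{name[:i]}-{name[i:]}.{tld}")
    # Missing period after www (wwwgoogle.com)
    cands.add(f"www{name}.{tld}")
    # Kerning faults: "m" passes for "rn" and vice versa
    if "m" in name:
        cands.add(f"{name.replace('m', 'rn')}.{tld}")
    if "rn" in name:
        cands.add(f"{name.replace('rn', 'm')}.{tld}")
    # Alternative spellings
    for old, new in ALT_SPELLINGS:
        if old in name:
            cands.add(f"{name.replace(old, new)}.{tld}")
    # Singular/plural
    cands.add(f"{name[:-1]}.{tld}" if name.endswith("s") else f"{name}s.{tld}")
    cands.discard(domain.lower())
    return cands


def registered_lookalikes(domain: str, registered: set[str]) -> list[str]:
    """Candidates that already exist in `registered` are the ones to blacklist."""
    return sorted(typosquat_candidates(domain) & {r.lower() for r in registered})


# Constructed snapshot standing in for a registration lookup (not real data)
SAMPLE_REGISTRY = {"goigle.com", "wwwgoogle.com", "example.com", "gooogle.com"}

if __name__ == "__main__":
    print(registered_lookalikes("google.com", SAMPLE_REGISTRY))
```

Candidates that are registered go on the blacklist; unregistered ones are the set the article suggests buying and redirecting.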

Registrar imitating phishing

Registrar hacking is uncommon but still a risk. If cybercriminals hack a registrar, they have access to all the domains in its database. Once inside, they can make changes and clone a site to spread malware. They may then redirect all traffic to the malicious site.

An example is the recent hacking of the Japanese cryptocurrency exchange Coincheck. Hackers hijacked a domain at Oname.com and used it to contact customers. According to the incident details, after the domain was seized, a lookalike domain was registered to replace the original. The original was awdns-61.org. The new one was awsdns-061.org.

From there, they sent spearphishing emails to users posing as Coincheck, redirecting replies to their own servers. The hackers had control of the domain for about 48 hours, impacting about 200 users.

The same principles of phishing awareness apply here because the domains are different. It may not be possible to blacklist these domains because they don’t have the normal attributes of fake domains. However, it is something to monitor appropriately. If such a phishing attempt occurs and your employee catches it, then you can move to blacklist.

Generic TLDs

Generic TLDs (top-level domains) are becoming very prevalent. Registrations of domains featuring non-Latin letters are also on the rise. Phishers closely monitor gTLDs for opportunities to exploit.

Because .com or .net, the most popular TLDs, are often unavailable, gTLDs have greatly expanded. According to Spamhaus, the most abused gTLDs are .rest, .tk, .gq, .fit, .work, .ml, .cf, .ga, .buzz and .cn.

For example, .work domains typically associate with employment or people. Something like yourdomain.work might seem legitimate to those involved with recruiting. However, unless you’ve actually purchased it, there’s an opportunity for human error. 

Based on this knowledge, you can blacklist any domains that use these gTLDs and contain your website, as well as applications your employees use. 

Conclusion: Blacklist but also empower your employees

Blacklisting phishing domains can only provide so much protection. Ultimately, your employees should be aware of how to assess suspicious emails. This level of alertness is possible with simulated phishing training. 


Sources

  1. Microsoft Buys Corp.com So Bad Guys Can’t, Security Boulevard
  2. Phishing Activity Trends Report, 1st Quarter 2020, APWG
  3. Ransomware in Health Sector 2020: A Perfect Storm of New Targets and Methods, RiskIQ
  4. The World’s Most Abused TLDs, Spamhaus