How Fraudulent Domains Hide in Plain Sight

Published: 23/11/2024   Category: security




Cybercriminals use new types of top-level domains, topical keywords, and targeted emails to trick victims into clicking malicious links.



Domain fraud is an old cybersecurity risk manifesting in new ways as cybercriminals take advantage of new top-level domains, privacy regulations, and social engineering tactics.
More than three-quarters of businesses found lookalike domains posing as their brand, researchers at Proofpoint Digital Risk Protection discovered as part of the 2019 Domain Fraud Report. Nearly all (96%) found exact matches of their brand-owned domain with a different top-level domain (TLD); for example, .net tacked on the end of the URL instead of .com.
"This is a huge brand problem, both from a direct revenue standpoint and indirect loss standpoint," says Kevin Epstein, vice president of threat operations at Proofpoint. In a best-case scenario, a consumer may happen upon a blank website with a domain similar to yours. Worst-case scenario, they end up on a fake website, engage in a transaction, and their money and credit card information is sent to a cybercriminal. They're angry at the attacker – and the brand.
"I'd associate this brand, now, with something negative," Epstein continues. Spoofed domains can tarnish a business's reputation, resulting in customer loss and indirect financial impact.
Most domains are registered by people and businesses for legitimate reasons. Some are registered by fraudsters planning to launch phishing attacks, sell knock-off goods on spoofed sites, or use typo-squatting domains to make money off unintentional traffic for other sites. Between the first and fourth quarters of 2018, Proofpoint found the registrations of fraudulent domains rose 11%. Domains were categorized as fraudulent based on a classification engine built to analyze domain records, reputation, website content, email activity, and other factors.
"The most interesting thing to me is this change in attacker philosophy," says Epstein of this year's report. Cybercriminals have shifted from investing in highly technical attacks to more individually focused phishing attacks happening on every street corner of the Internet. Any email can be an attempt to con you out of money, pretending to be from your boss or bank.
Social Scamming
It all comes down to the tricks of a manipulative social engineer. The rise of new TLDs has contributed to fraudulent domain registrations. Researchers saw significant growth in fraudulent domains outside the classic .com, .net, and .org. Some of the lesser-known TLDs in fraudulent domains include .top (#2), .fr (#3), .men (#19), and .work (#50). European country codes are often used among criminals hoping to fool victims with fake links.
"Apparently as human beings we're sensitive more to the brand than the extension," says Epstein. "Over time, as computer users, we're less trained to ignore things after the dot."
If someone sees the name of a well-known bank in a URL, they're likely to click without noticing a .pop or .xyz at the end. This should give people pause, but well-known brands seem safe.
This can be seen in new findings from Segasec, which recently detected an increase in domain spoofing targeting customers of Walmart, Best Buy, and Wayfair. In the week leading up to Mother's Day, they noticed 188 domains related to the Walmart brand were created, up from 80 new domains two weeks prior to the holiday: walmartgiftpromo[.]com is an example. Others include bestbuy-survey[.]online, bestbuyus[.]org, and bestbuycyprus[.]eu.
"It is potentially one of the most common threat tactics," says Segasec CEO Elad Schulman. "It's aimed to mislead the weakest link, which is the end user." What's more, he adds, cybercriminals don't have to be advanced to pull this off. "This is something you can familiarize with very easily," he says.
Some fraudulent websites have certificates, which also put victims at ease. Attackers are leaning away from plain domains and towards legitimate certificates, a trend that leads to an error of attribution on the part of victims. Sure, the lock symbol means the connection to the server is encrypted – but it doesn't mean the server is legitimate. A domain-validated certificate is issued to whoever controls a domain name, so a lookalike domain can obtain one as easily as the brand it imitates. People feel safe when they see the lock; as a result, they're likely to engage with these potentially malicious sites.
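The patterns above (the brand under a different TLD, the brand with lure words bolted on, and the classic one-character typo) can be triaged automatically from a feed of new registrations. The following is an added example written for this page; it is not the article's code nor Proofpoint's or Segasec's classification engine, which the article says also weighs domain records, reputation, site content and email activity. It looks only at the name string, uses a constructed brand list and feed (the four names quoted above plus invented ones), and assumes single-label TLDs, so names like example.co.uk would need a public-suffix list.

```python
"""Lookalike-domain triage: an added example (not from the article, nor
Proofpoint's or Segasec's tooling) applying the naming patterns the
article describes to a constructed feed of newly registered domains."""
from typing import Dict, List, Optional, Tuple

# Brands we defend, mapped to their legitimate registrable domain (constructed sample).
BRANDS = {"walmart": "walmart.com", "bestbuy": "bestbuy.com", "wayfair": "wayfair.com"}

# Characters commonly swapped for look-alike letters (small illustrative map, not exhaustive).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def refang(domain: str) -> str:
    """Turn defanged notation such as 'walmartgiftpromo[.]com' back into a real name."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable(domain: str) -> Tuple[str, str]:
    """Return (second-level label, tld). Assumption: single-label TLDs only;
    a public suffix list would be needed for names like example.co.uk."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def normalize(label: str) -> str:
    """Collapse hyphens and common substitutions so 'wa1-mart' reads as 'walmart'."""
    s = label.replace("-", "").translate(CONFUSABLE_CHARS)
    for pair, repl in CONFUSABLE_PAIRS:
        s = s.replace(pair, repl)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion, deletion or substitution is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(raw: str) -> Tuple[str, Optional[str]]:
    """Map one domain to a category and the brand it imitates (None if unrelated).
    Categories, checked in this order per brand:
      legitimate      - the brand's own domain
      brand-other-tld - exact brand label under a different TLD
      lookalike       - brand spelled with hyphens or confusable characters
      brand-affix     - brand name plus extra words (walmartgiftpromo, bestbuy-survey)
      typosquat       - within one edit of the brand name
    """
    domain = refang(raw)
    label, _tld = registrable(domain)
    for brand, legit in BRANDS.items():
        if domain == legit:
            return "legitimate", brand
    norm = normalize(label)
    for brand in BRANDS:
        if label == brand:
            return "brand-other-tld", brand
        if norm == brand:
            return "lookalike", brand
        if brand in norm:
            return "brand-affix", brand
        if len(brand) >= 5 and levenshtein(norm, brand) == 1:
            return "typosquat", brand
    return "unrelated", None


def triage(feed: List[str]) -> List[Dict[str, Optional[str]]]:
    """Classify a feed of new registrations, keeping only names that imitate a brand."""
    hits = []
    for raw in feed:
        category, brand = classify(raw)
        if category not in ("unrelated", "legitimate"):
            hits.append({"domain": refang(raw), "category": category, "brand": brand})
    return hits


def count_by_brand(hits: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Per-brand totals, the kind of weekly count the article quotes (188 Walmart names)."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["brand"]] = counts.get(hit["brand"], 0) + 1
    return counts


# Constructed feed: the four names quoted in the article plus invented entries.
SAMPLE_FEED = [
    "walmartgiftpromo[.]com", "bestbuy-survey[.]online", "bestbuyus[.]org",
    "bestbuycyprus[.]eu", "walmart.com", "walmart.net", "wa1mart.com",
    "wallmart.xyz", "login.wayfair-support.top", "example.org",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_FEED)
    for hit in hits:
        print(f"{hit['domain']:32} {hit['category']:16} imitates {hit['brand']}")
    print(count_by_brand(hits))
```

The order of checks matters: an exact label match under a foreign TLD is reported before the substring test so that walmart.net is not diluted into the affix bucket, and the edit-distance test only runs for brands of five or more characters, since one edit on a short name matches far too many unrelated words. The defanged "[.]" notation is accepted on input so that names copied from a report can be fed in directly.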
Think Before You Click
Rather than rely on the passive typo-squatting strategy, more attackers are directly targeting domain spoofing victims with phishing attacks.
Business email compromise (BEC) is common, researchers report. Many criminals pick a large class of people to target with malicious links appearing to be from real brands, or containing keywords they think victims are likely to click.
Which terms are most common? Some consistently appeared in the top rankings; for example, "real estate", which was top for June through December, as well as "for sale", "I am", "block chain", "bit coin", and other US city names and terms related to cryptocurrency. Other tech-related terms frequently seen in domains included "server", "security", and "system".
The people targeted with these malicious emails aren't the CEO or CFO, but middle-management people who typically work with them. "It's not necessarily related to top titles," Epstein says. An attacker is more likely to succeed in tricking the CEO's assistant than the CEO, and they'll frequently peruse LinkedIn and other social platforms to figure out their targets.
It's not only email at risk for domain spoofing attacks, as Schulman points out. "We're talking about digital channels an organization has to interact with its customers," he adds. "Sometimes it's via email, sometimes it's a website, sometimes it's via application, sometimes it's across all social channels." He agrees the trend of typo-squatting is down as targeted attacks spread.
"There's no accidental stumbling upon it," he says.