20 Jan From Account Hijacking To Cybersquatting: A Brief Dive Into Suspicious Disney+ Domains
Popularity can come at a price
– Jonathan Zhang, CEO at Whois XML API
Walnut, Calif. – Jan. 20, 2020
When a company launches a new product or service, you can usually expect cybercriminals not to be far behind. The recent events surrounding the rollout of Disney’s online streaming service illustrate this. In fact, Disney+ was officially made available on November 12, 2019, in the U.S., Canada, and the Netherlands. But things ultimately didn’t go quite as planned.
Within 24 hours of its launch, the service accumulated a whopping 10 million subscribers. That is not surprising given the fact that Walt Disney, its parent company, owns a stake in several large movie franchises, including Pixar, Marvel, and 20th Century Fox, not to mention its own roster of popular shows and films.
Unfortunately, popularity can come at a price. And so, along with the surge in subscriber volume came unwanted cybercriminal attention. In the case of Disney+, that occurred in the form of account hijacking.
As soon as Disney+ opened its doors to subscribers, thousands of user accounts were reportedly hijacked and sold on the dark web at prices ranging from US$3 to US$11 per account. Researchers confirmed that these accounts were the result of a credential stuffing attack. Their owners likely reused username and password combinations, which made it easy for the attackers to hijack subscribers’ accounts.
As cybercriminals are relentless, however, we did some more digging to identify what other misdeeds may currently be in progress. We found that credential stuffing is not the only thing Disney+ subscribers, current and would-be alike, need to be wary of as cybersquatters are also on their heels.
Disney+: A Possible Phishing and Spamming Campaign Target
Leveraging our suite of tools and other internal capabilities, we started looking for misspelled variations of the Disney+ official domain (disneyplus[.]com) using the search term “disney plus” and found more than 120 variations. Here is the complete list:
Granted, not all of them are that close to the real Disney+ domain, but some such as diseneyplus[.]com and diisneyplus[.]com could easily figure in phishing and spamming attacks. Users are, after all, not known for carefully scrutinizing the URLs of the sites they visit.
Phishers and spammers, on the other hand, are known for using domains that closely resemble those of famous brands (i.e., cybersquatting sites) to trick victims into giving out their personally identifiable information (PII). After that, the stolen data usually ends up for sale in the dark web or used in other attacks (e.g., getting into their owner’s company networks to exfiltrate confidential corporate information).
We dug deeper into these domain names and found that many were registered just this April. Coincidentally, Disney first announced the upcoming Disney+ launch around that time. It is, therefore, possible that domain parkers and cybercriminals acted on the news to benefit from users committing typos while searching for the Disney+ official site.
Interestingly, domain registrations have kept on after the launch as we found two groups of closely-resembling web domains both registered on November 16, 2019:
1st group
- disneypluds[.]com
- disneyplues[.]com
- disneypluys[.]com
- disneypluis[.]com
2nd group
- deisneyplus[.]com
- disneyplus[.]llc
- duisneyplus[.]com
The above indicates that typosquatting pages are frequently registered in bursts with groups of domains having similar names and appearing in the Domain Name System close to each other in time, actually even on the same day.
Same Registrar, Different Target
We have done a series of investigations in the past on cybersquatting attacks such as those targeting Yahoo! and wish.com breach settlement claimants, which both featured the registrar Dynadot, LLC.
The registrar again turned up in our investigation on potentially bogus Disney+ sites, as revealed by WHOIS record queries for several of the aforementioned domains, including diesneyplus[.]com, disenyplus[.]com, and dineyplus[.]com. This connection does not mean that Dynadot is promoting cybersquatting, though its services are possibly being abused for that purpose.
Registering domains to park them, even if they very closely resemble those of legitimate sites, is not a crime. Still, one should treat them with caution. While their owners may not intend to use the websites for attacks, they may be waiting for Disney to buy the domains for a hefty sum, which can be considered a fraudulent practice.
A quick check at the real service disneyplus.com’s WHOIS record also told us that the official site’s registrar is CSC Corporate Domains, Inc. and not Dynadot, LLC. And while disneyplus.com’s registrant information is publicly available, the registrant owner details of the domains managed by Dynadot, LLC (i.e., diesneyplus[.]com, disenyplus[.]com, and dineyplus[.]com, among others) have been redacted through an anonymous registration service. Keeping records private is also not proof of foul play, though established companies with long-standing registrations often keep their details publicly available.
All that said, while we have not seen attacks using the abovementioned domains, it is probably best to stay away from them just in case.
How to Combat Cybersquatting
Cybersquatting can have severe consequences for the reputation of the spoofed brand, ultimately affecting its bottom line. It can not only tarnish the reputation of the brand’s owner but more so put its employees and customers at risk of data and identity theft.
However, with due diligence and the help of proactive domain research and monitoring tools, companies can identify potentially malicious domains before they can cause harm to their business. For example, brand professionals can monitor their brands regularly to identify misspelled variations that may have just been registered and could be used for phishing and spamming attacks.
The said tools can also help organizations prove brand abuse should they be in the middle of trademark or copyright infringement litigations. After identifying potential cybersquatters, they can file UDRP cases against them. If they win, they can either push for the offending URLs’ takedown or take ownership of them so they can’t be used in more sinister activities.
Another good practice is identifying misspelled variations of your domain as soon as you register it. This approach can save you from the hassle of dealing with cybersquatters and more cyber attackers later on when they have already been used in attacks. While this may cost you some money, the amount you’ll spend on registering copycat domains will surely not be greater than how much a data breach (should you become a victim) would. To date, that translates to US$3.92 million.
Cybersquatting continues to be a threat to any company. The number of cybersquatting cases recorded last year has been the highest to date. And that is not surprising since cybersquatting sites are effective launchpads for far more severe attacks. As such, companies of any size can look out for their brands’ and domains’ integrity with the help of domain research and monitoring tools.
– Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.
Sponsored by Whois XML API
Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.
