Domain Name Squatting. PHOTO: Cybercrime Magazine.

Settlement Sites and Typosquatting: We Detected What Could Be Yet Another Attack

Cybercriminals often register domains that look so much like the target organizations’ that their customers end up on the fake websites

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Feb. 3, 2020

Popularity has a downside. Any well-known organization is likely to become a favored target of fraudsters, brand abusers, trademark infringers, phishers, and other cybercriminals. And while it’s said that imitation is the greatest form of flattery, the last thing any company would want is to be mimicked by a cyber attacker.

Cybercriminals have spoofed many established companies through typosquatting. They often register domains that look so much like the target organizations’ that their customers end up on the fake websites rather than the real ones. And while many businesses are aware of the threat, several may still fail to detect such instances.

So, what’s the motivation of typosquating attackers these days? In most cases, bad guys earn from typosquatting sites used in phishing attacks. A common technique is to host forms on look-alike domains that log all of visitors’ inputs to their database. They then compile stolen data into so-called “fullz” files, which they then sell in underground markets in the dark web.

These fullz databases typically contain the full name, payment card number, and card verification value (CVV) of each victim. Buyers can use the stolen information for card-not-present transactions typically through online stores to purchase whatever goods or services they fancy. And because they are using someone else’s identity, whatever purchases made do not cost them any money.

A few cases we have seen over the past months, however, are leading us to believe in the rise of a new use for typosquatting URLs — that is to go after settlement claimants. This post sheds some light as to why, looks at yet another instance of typosquatting attack involving a settlement site, and provides best practices and potential solutions to avoid becoming a victim of this emerging threat.

Why Cybercriminals Are Setting Their Sights on Settlement Claimants

We have seen several cases where entities registered domains mimicking the settlement pages of the breached establishment in bulk shortly after the launch of the legitimate websites. In fact, we discovered suspicious domains related to the Yahoo! and wish[.]com settlement announcements. The question is why.

Our company believes that despite causing more trouble for the organizations that have already been through an ordeal, the attackers are hoping they could scam claimants. While the settlement amount per claimant is relatively small, ranging from US$20 to US$100 for individuals, that figure can become substantial if attackers manage to lure targets to their sites instead of the legitimate one and then use the claimants’ info to file real claims. It’s important to emphasize that we are talking about a combined settlement amount of US$133.5 million from Yahoo! and ContextLogic (operator of wish[.]com) here.

Recently, we stumbled upon a similar case, this time, involving one of the largest banks in the U.S. — Bank of America.

The Galavis, et al., Versus Bank of America Class Action Lawsuit

The Central District of California District Court recently released a settlement notification for potential claimants. Should the court approve the settlement, the bank would pay US$415,000 to customers who have incurred cash advance fees or interest charges in connection with cryptocurrency transactions made using their Bank of America credit cards from June 1, 2016, to September 26, 2019. Each claimant can receive as much as US$5,000 and can read the entire settlement agreement at GalavisBankofAmericaSettlement[.]com.

Typosquatting-Enabled Attacks in Progress?

That said, we used our Typosquatting Data Feed to search for potentially malicious sites related to the event. The benefit of the data feed is that it lists all groups of domains that have been registered on the same day, and have names similar to each other.

While such registrations are in some cases benign and may even serve for the prevention of typosquatting, miscreants also have the habit of registering their domains in such bursts. And the feed’s lists hold a few ten thousand domains daily, thus it is easy to search within them. 

Using the search string, “bankofam,” for example, we discovered ten domain look-alikes all registered as early as October 23, 2019. These include:

  • galvisbankofamericasettlement[.]com
  • galavisbankofamericasetlement[.]com
  • galavisbankofamericasettement[.]com
  • wwwgalavisbankofamericasettlement[.]com
  • galavisbankofamericasettlement[.]com
  • galavisbankofamericasettlment[.]com
  • galavisbankofamericassettlement[.]com
  • galavisbankofamericsettlement[.]com
  • galavisbankofamericasettelment[.]com
  • galavibankofamericasettlement[.]com

Any of these domains can host a phishing page in the future that claimants could land on and lose their personally identifiable information (PII) to. Examples of PII can include their full name, bankofamerica[.]com (the bank’s website) username and password, and so on. And if that happens, the phishers could claim what is rightfully somebody else’s.

On December 16, 2019, we found another set of domain look-alikes that have already been blacklisted by Google Safe Browsing. These include:

  • bankofamericaa-online-connect-account-verification[.]com
  • bankofamericaa-online-connect-account-verification[.]net
  • bankofamericaa-online-connect-account-verification[.]org

We can deduce that these are supposedly account verification links that Bank of America customers might be tempted to click to verify their accounts. Users who would fall for that trick would, of course, instantly hand their online banking credentials to attackers.

Finally, on December 8, our Typosquatting Data Feed was able to detect another set of domain look-alikes that appeared two days later in an IBM threat intelligence warning. These included:

  • logined-bankofamarca[.]com
  • logind-bankofamarca[.]com
  • loginds-bankofamarca[.]com

The early detection two days before the warning was issued means that users of the Typosquatting Data Feed could have had access to this domain intelligence up to 48 hours before and take actions on the very next day after these domains were registered.

The Galavis, et al., Versus Bank of America Domain Look-Alikes

As in the Yahoo! and wish[.]com settlement cases, we dug deeper into the three sets of domain look-alikes to see who’s behind them. First, we wanted to know who registered the real settlement website, so we ran GalavisBankofAmericaSettlement[.]com on WHOIS Lookup.

We found that it is 93 days old and is a privately U.S.-based domain registered on October 22, 2019, with Network Solutions, LLC.

We then ran the first set of domain look-alikes on the same tool.

We found that:

  • They were all only days old (93 at the time of writing) and registered on the same date as the legitimate website — October 22, 2019.
  • All of them had redacted WHOIS information and registered across three registrars — Dynadot, LLC (2 domains); NameSilo, LLC (7 domains); and Network Solutions, LLC (1domain).
  • All of them are U.S.-based.
  • Given the registration timing, it is possible that the owner of the real website owns the domain look-alikes, too. It may have registered them so attackers can’t use them. That is an effective countermeasure against typosquatting-enabled attacks. We can’t be sure, however, so potential claimants should be wary.

The Google Safe Browsing-Blacklisted Domains

While these may no longer pose risks to Chrome users, those who utilize other browsers may still be in danger.

Any online banking customer of Bank of America needs to go through this sign-in page: https://www.bankofamerica[.]com/online-banking/sign-in/. While the three domain look-alikes follow the same formatting (using hyphens to separate words after the domain), a comparison of their WHOIS records with that of the bank’s real site would reveal stark differences that include:

  • The actual bank’s domain has been up for 7,697 days as opposed to all three look-alikes, which are only 39 days old.
  • The real site’s record details are publicly viewable, which is typical for companies with nothing to hide.
  • The real site also used a different registrar from its look-alikes. If it owned the domain look-alikes (which the blacklisting seem to prove otherwise), it’d be likely to use the same registrar.

The Domain Look-Alikes Most Recently Seen

For the last set of suspect typosquatting domains, we used Domain Reputation API to check if they showed telltale signs of maliciousness.

We found that all three domains had low reputation scores, which users should interpret as not safe to access. Looking closely at the domains that host pages with WHOIS tools is an effective means of avoiding the likelihood of becoming a victim. That is just one way, though, there are others.

How to Combat Typosquatting-Enabled Attacks

Because settlement announcements are bound to become a norm in light of stricter data privacy regulations and cybercrime legislation, we doubt typosquatting-enabled attacks will cease anytime soon. As long as there’s money to be made, cybercriminals will be on the lookout for their next scam.

As such, we advise that claimants refrain from manually typing settlement website URLs into their browsers. They should instead go through the official channels. Using security solutions that prevent access to known malicious websites (such as those included in a blacklist) is also highly recommended.

The domain owners, meanwhile, should make it a habit to monitor for possible typosquatters and report them to the authorities. Typosquatting Data Feed can help them identify look-alike domains as it provides a good clue. In fact, the domains listed by the feed have some counterparts with similar names registered on the same day. So even if they are benign, they need some attention.

And should domain owners get wind of phishing attacks using their brands, they should issue warnings to their clients who are, after all, the lifeblood of their business.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.

Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.