
When Domain Parking Goes Wrong: Defending Against Domain Name Squatting

Cybercriminals cash in on unused domains

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Oct. 29, 2019

Most of us come across parked domains regularly. Domain parking, the practice of registering a domain name without putting it to use immediately, is commonly done by registrants for legitimate reasons: it reserves a good name for future use, for example, or keeps it out of the hands of domain name squatters. Domain parking is therefore by no means illegal.

There are times, however, when a parked domain becomes the object of a cyber attack. This post takes a closer look at such cases and illustrates how widespread the problem can become.

When Does the Tide of Parked Domains Turn? Who Cashes In?

Domain parking becomes harmful when, for example, cybercriminals compromise a registrar's or reseller's network. They can take control of the name servers of a parked domain (typically created by the registrar at the time of registration) and repoint them so that the domain serves a malicious scheme. Others simply register domain names that are misspelled versions of well-known brand names (typosquatting) to mislead their victims.

For cybercriminals, the primary motivation behind illegal domain parking is the ability to cash in on otherwise unused domains. Many parked domains host malicious pay-per-click (PPC) ads: each time a user lands on one and, knowingly or not, clicks an ad, the domain's owner profits. Worse, such ads can lead to malware downloads, which in turn bring more ads, compromised systems, and devices turned into bots.

Parked domains are also used in phishing attacks. Apart from redirecting visitors to malicious sites, these domains serve as tools for spoofing and for elaborate business email compromise (BEC) scams. Organizations whose domains are abused consequently suffer reputational damage, lose customers, and may even be sued by partners hit by the same incident.

An Unsettling Story: The Wish[.]com Settlement Case

In an unfortunate turn of events, we got wind of another case of domain name squatting, this time involving wish[.]com. Wish recently announced that its operator, ContextLogic, would pay US$16 million for violating federal law by sending unsolicited advertising text messages to users between April 2014 and September 2019.

True to cybercriminal fashion, soon after the announcement was made, we saw bulk registrations of misspelled variants of Wish's settlement website domain. As with the Equifax and Yahoo! settlement cases, the threat actors hoped to trick claimants into parting with their login credentials and other personally identifiable information (PII).

We ran a query on Brand Alert API for keywords such as “wish settlement,” “wish settle,” and “wish” to spot potential domain name squatting sites, and here's what we found:

  • ishtcpasettlement[.]com
  • wishrcpasettlement[.]com
  • wishtvpasettlement[.]com
  • wihtcpasettlement[.]com
  • wishtcpasettlemrnt[.]com
  • wishtcpasettlemet[.]com
  • wishtcpasettkement[.]com
  • wshtcpasettlement[.]com
  • wishtxpasettlement[.]com
  • eishtcpasettlement[.]com
  • wishtpasettlement[.]com
  • wishtcoasettlement[.]com
  • woshtcpasettlement[.]com
  • wishtcpasettlwment[.]com
  • wishtcpasettlemen[.]com
  • wishtcasettlement[.]com
  • wishtcpasettlemwnt[.]com
  • wishcpasettlement[.]com
  • wishtcpssettlement[.]com
  • wisshtcpasettlement[.]com
  • qishtcpasettlement[.]com
  • wisjtcpasettlement[.]com
  • wiahtcpasettlement[.]com
  • wishtcpasettlemnt[.]com
  • wishtcpasettlrment[.]com
  • wishttcpasettlement[.]com
  • widhtcpasettlement[.]com
  • wishtcpasettlenent[.]com
  • wishtcpaettlement[.]com
  • wishtcapsettlement[.]com
  • wishtcpasettlemeny[.]com
  • wishycpasettlement[.]com
  • wishtcpasettlemenr[.]com
  • wisgtcpasettlement[.]com
  • wishtpcasettlement[.]com
  • wishtcpasettlements[.]com
  • wishtcpasettlemebt[.]com
  • wishtcpasetttlement[.]com
  • wushtcpasettlement[.]com
  • wishtcpasettlememt[.]com

We took a closer look at these websites using WHOIS Search and found that most were again registered through the same registrar, Dynadot, LLC, the entity behind most of the fake Yahoo! breach settlement pages featured in our previous research. Most were also created shortly after the announcement was made, and most of their WHOIS records pointed to California (where Dynadot is headquartered).

Note that Dynadot is a large player in the domain business and also offers domain parking services. It is therefore very likely that the actual registrants of these typosquatting domains registered their typo versions of settlement sites in bulk through Dynadot and abused its parking services to host them.

Interestingly, we also ran the real Wish settlement website's domain (i.e., WishTCPASettlement[.]com) through WHOIS Search to see who its registrar was, and it isn't Dynadot.

What Can Be Done Against Domain Name Squatting?

The dangers of domain name squatting are real. Cybercriminals do abuse parked domains to carry out attacks, and unsuspecting users can easily land on fake sites if they are not careful.

Companies are strongly advised to adopt proactive countermeasures to mitigate these risks, including:

  1. Registering misspelled versions of their domain names before domain squatters can do so.
  2. Identifying variations of their domain names that others have registered across the entire top-level domain (TLD) space and, where found, reporting them to the relevant authorities.
  3. Notifying customers about websites that may be mimicking theirs and warning them of the potential harm.
  4. Using domain research and monitoring tools such as Domain Research Suite as a starting point to gauge the risks tied to fake sites.
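Recommendations 1 and 2 above, and the list of typosquats earlier in this post, come down to the same mechanic: enumerate the one-keystroke mutations of a brand label, then either register them yourself or watch new-registration feeds for them. The Python below is an added example written for this article; it is not code from the author or from WhoisXML API, and it does not call Brand Alert API. It embeds the article's observed list as a constructed input, assumes that a "fat-finger" substitution hits the key immediately left or right on the same QWERTY row, assumes a three-TLD watch list, and uses hypothetical function names.

```python
"""Typosquat candidate generation and classification for a brand domain.
Added example, not code from the article or from WhoisXML API. OBSERVED is
the list printed in the article; TARGET is the real settlement site named
there. Same-row QWERTY adjacency and the TLD list are assumptions."""

TARGET = "wishtcpasettlement"            # WishTCPASettlement[.]com

OBSERVED = [  # labels from the article, ".com" stripped (constructed input)
    "ishtcpasettlement", "wishrcpasettlement", "wishtvpasettlement",
    "wihtcpasettlement", "wishtcpasettlemrnt", "wishtcpasettlemet",
    "wishtcpasettkement", "wshtcpasettlement", "wishtxpasettlement",
    "eishtcpasettlement", "wishtpasettlement", "wishtcoasettlement",
    "woshtcpasettlement", "wishtcpasettlwment", "wishtcpasettlemen",
    "wishtcasettlement", "wishtcpasettlemwnt", "wishcpasettlement",
    "wishtcpssettlement", "wisshtcpasettlement", "qishtcpasettlement",
    "wisjtcpasettlement", "wiahtcpasettlement", "wishtcpasettlemnt",
    "wishtcpasettlrment", "wishttcpasettlement", "widhtcpasettlement",
    "wishtcpasettlenent", "wishtcpaettlement", "wishtcapsettlement",
    "wishtcpasettlemeny", "wishycpasettlement", "wishtcpasettlemenr",
    "wisgtcpasettlement", "wishtpcasettlement", "wishtcpasettlements",
    "wishtcpasettlemebt", "wishtcpasetttlement", "wushtcpasettlement",
    "wishtcpasettlememt",
]

# Assumption: a fat-finger typo hits the key immediately left or right of
# the intended one on a QWERTY row (diagonal neighbours are ignored).
_QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def keyboard_neighbours(ch):
    """Keys left and right of ch on its QWERTY row."""
    for row in _QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()

def generate_variants(label):
    """All one-edit typo candidates of a label: single deletion, adjacent
    transposition, same-row key substitution, doubled character, plural."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])               # deletion
        out.add(label[:i] + label[i] + label[i:])        # doubled character
        for k in keyboard_neighbours(label[i]):
            out.add(label[:i] + k + label[i + 1:])       # fat-finger substitution
        if i < n - 1 and label[i] != label[i + 1]:       # adjacent transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.add(label + "s")                                 # pluralisation
    out.discard(label)
    return out

def candidate_domains(label, tlds=("com", "net", "org")):
    """Fully qualified names to watch (or defensively register) across TLDs."""
    return sorted(f"{v}.{tld}" for v in generate_variants(label) for tld in tlds)

def classify(target, candidate):
    """Name the single edit that turns target into candidate, or 'other'."""
    t, c = target, candidate
    if c == t:
        return ("identical", "")
    if len(c) == len(t) - 1:
        for i in range(len(t)):
            if c == t[:i] + t[i + 1:]:
                return ("deletion", f"dropped '{t[i]}' at {i}")
    elif len(c) == len(t) + 1:
        for i in range(len(c)):
            if t == c[:i] + c[i + 1:]:
                return ("insertion", f"added '{c[i]}' at {i}")
    elif len(c) == len(t):
        diff = [i for i in range(len(t)) if t[i] != c[i]]
        if len(diff) == 1:
            i = diff[0]
            how = "fat-finger" if c[i] in keyboard_neighbours(t[i]) else "non-adjacent"
            return ("substitution", f"{t[i]}->{c[i]} at {i} ({how})")
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and t[diff[0]] == c[diff[1]] and t[diff[1]] == c[diff[0]]):
            return ("transposition", f"swapped '{t[diff[0]]}{t[diff[1]]}' at {diff[0]}")
    return ("other", "")

def summarise(target, observed):
    """Count observed registrations by edit type."""
    counts = {}
    for c in observed:
        kind = classify(target, c)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def unexplained(target, observed):
    """Observed names the generator would not have predicted in advance."""
    predicted = generate_variants(target)
    return sorted(c for c in observed if c not in predicted)

if __name__ == "__main__":
    for name in OBSERVED:
        kind, detail = classify(TARGET, name)
        print(f"{name + '[.]com':<24} {kind:<13} {detail}")
    print(summarise(TARGET, OBSERVED))
    print("not predicted by generator:", unexplained(TARGET, OBSERVED))
```

Run on the article's data, all 40 observed names classify as a single deletion, substitution, insertion or transposition, every substitution lands on an adjacent key, and none falls outside what generate_variants would have predicted, which is the point of recommendation 1: the defensive-registration list can be computed before squatters act. In production the observed list comes from a new-registration or WHOIS feed rather than a literal, and the candidate set should be extended with homoglyphs and hyphenated forms, which this example does not cover.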

Claimants, meanwhile, would do well to rely only on reputable sources of information. To file a claim, they should go to the company's official website and follow the settlement page link from there, to make sure it is legitimate.

Cybercriminals are always on the lookout for sites and incidents they can take advantage of. With the help of domain research and monitoring tools, companies can be warned of threats to their reputation. Such solutions are also quite useful in spotting potential trademark and copyright infringers.


Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.

Sponsored by Whois XML API

Precise and exhaustive data is vital for cybersecurity professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It is an exhaustive cybersecurity package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, and data intelligence enrichment across a variety of SIEM, orchestration, automation and threat intelligence platforms.