SecurityWeek

Cybercrime

Cybercriminals Abuse New TLDs in Phishing, Malware Attacks

The recent expansion of generic Top-Level Domains (gTLDs) has attracted the attention of cybercriminals who have started abusing them for their malicious operations, researchers warned this week.

Over the past year, hundreds of new domain suffixes have been rolled out by the Internet Corporation for Assigned Names and Numbers (ICANN), including .GURU, .FLY, .PHARMACY, .SUPPORT, .PIZZA, .NETWORK, .AUCTION and .MARKET. ICANN believes that more than 1,300 new names could become available over the next few years.

While these TLDs can be useful for organizations, cybercriminals have come to realize that they too can put the new domain suffixes to good use.

Researchers at security solutions provider Malwarebytes analyzed their honeypot logs for the past 60 days to find out if the new types of domains have been abused for malicious purposes. They’ve identified cybercriminal operations associated with .PICTURES, .CONSULTING, .XYZ, .CLUB, .EMAIL, .SOLUTIONS, .DOMAINS, .COMPANY, .PHOTOS, .DIRECTORY, .ENTERPRISES and .GURU.

Jerome Segura, senior security researcher at Malwarebytes Labs, told SecurityWeek that they have identified a relatively small number of domains used for malicious activities, but considering that the new TLDs have been rolled out only recently, the security firm predicts a definite increase as time goes by.

Most of the affected domains are legitimate websites that have been hijacked through brute-force attacks, vulnerabilities and other typical techniques. It’s uncertain at this point if they were targeted specifically or if these are ongoing random automated attacks.

“For each of these domains, the bad guys are creating a custom sub-domain by using a domain generation algorithm (DGA), a technique that has been used for some time to evade blacklisting,” Segura said via email.

The attacks documented by Malwarebytes were drive-by downloads that used the Angler Exploit Kit to install malware on visitors' computers. Angler had recently been enhanced to inject its payload directly into memory rather than writing it to disk, which leaves fewer artifacts for file-based antivirus to catch.

The URLs involved in the Angler EK attacks analyzed by Malwarebytes follow a similar pattern, and they all use a specific, non-standard port number. An example of such a URL (defanged) is "alkoholisminflaus.jamesbratton[.]pictures:37702/0ux6l07aus.php": a generated subdomain on a hijacked .PICTURES domain, a high port, and a randomly named PHP landing script.

In addition to malware attacks, experts have also spotted phishing schemes leveraging the new names. Researchers at the SANS Institute’s Internet Storm Center have identified a phishing attack targeting Bank of America customers. The attackers set up a Bank of America phishing page on “url-bofa.support/BankOfAmerica.com.”

In this case, the malicious domain was registered by the cybercriminals themselves, and they had even obtained a valid SSL certificate by passing a certificate authority's domain control validation process. Domain validation only proves that the requester controls the domain, not who the requester is, so a phishing domain the attackers own passes it as easily as a legitimate one. Since many users have learned that a bank's website should be protected by an SSL certificate, the padlock makes it more likely that they will trust the malicious site.
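The two abuse patterns described above (a DGA-generated subdomain plus odd port and PHP landing page on a hijacked new-gTLD domain, and a brand name planted on a self-registered new-gTLD domain) can both be caught with a few URL heuristics. The following is an added example written for this article, not code from Malwarebytes, the SANS ISC or SecurityWeek. The gTLD list, the brand-to-domain map, the entropy and length thresholds, and the four proxy-log lines are all assumptions constructed to mirror the text; the first two log lines reproduce the article's Angler and Bank of America URLs.

```python
"""Heuristic triage of URLs on newly delegated gTLDs (added example)."""
import math
from collections import Counter
from urllib.parse import urlsplit

# Assumed: the new gTLDs named in the article. A production filter would
# load the current list of delegated strings from ICANN instead.
NEW_GTLDS = {
    "pictures", "consulting", "xyz", "club", "email", "solutions", "domains",
    "company", "photos", "directory", "enterprises", "guru", "support",
    "pharmacy", "fly", "pizza", "network", "auction", "market",
}

# Assumed: brand keywords mapped to the registered domain that legitimately
# carries them. The keyword on any other registered domain is suspect.
BRAND_DOMAINS = {"bankofamerica": "bankofamerica.com", "bofa": "bankofamerica.com"}

# Assumed thresholds for a DGA-looking leftmost label: long and high-entropy.
DGA_MIN_LEN = 12
DGA_MIN_ENTROPY = 3.0

# Constructed proxy-log lines in a hypothetical "timestamp client method url"
# layout. Line 1 is the article's Angler URL with its defanging removed;
# line 2 is the ISC Bank of America phishing URL.
SAMPLE_LOG = """\
2015-02-10T10:00:01Z 10.0.0.5 GET alkoholisminflaus.jamesbratton.pictures:37702/0ux6l07aus.php
2015-02-10T10:00:02Z 10.0.0.7 GET https://url-bofa.support/BankOfAmerica.com
2015-02-10T10:00:03Z 10.0.0.9 GET https://www.bankofamerica.com/login
2015-02-10T10:00:04Z 10.0.0.9 GET http://blog.example.com/post.php
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for empty)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def split_host(host: str):
    """Return (subdomain_labels, registered_domain, tld).

    Assumes a one-label public suffix, which holds for every new gTLD here;
    multi-label suffixes such as co.uk need the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def triage_url(url: str) -> dict:
    """Score one URL and list the indicators; higher score is more suspicious."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    subs, registered, tld = split_host(host)
    reasons, score = [], 0

    if tld in NEW_GTLDS:  # cheap, freshly available namespace
        reasons.append(f"new gTLD .{tld}")
        score += 1
    # Per-victim subdomain minted by a DGA on a hijacked domain.
    if subs and len(subs[0]) >= DGA_MIN_LEN and shannon_entropy(subs[0]) >= DGA_MIN_ENTROPY:
        reasons.append(f"dga-like subdomain {subs[0]!r}")
        score += 2
    if parts.port not in (None, 80, 443):  # Angler landing pages sat on an odd high port
        reasons.append(f"non-standard port {parts.port}")
        score += 2
    if parts.path.lower().endswith(".php"):  # randomly named PHP landing script
        reasons.append("php landing path")
        score += 1
    # Brand keyword anywhere in host or path, on a domain the brand does not own.
    haystack = (host + parts.path).lower()
    for legit in sorted({d for kw, d in BRAND_DOMAINS.items() if kw in haystack}):
        if registered != legit:
            reasons.append(f"impersonates {legit}")
            score += 3

    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"url": url, "registered": registered, "tld": tld,
            "reasons": reasons, "score": score, "verdict": verdict}


def triage_log(text: str) -> list:
    """Run triage_url over every non-empty log line; the URL is the last field."""
    return [triage_url(line.split()[-1]) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:10} {r['score']}  {r['url']}  {'; '.join(r['reasons'])}")
```

The weights are deliberately asymmetric: a single indicator such as a .php path or a new gTLD on its own scores below the "suspicious" line, because plenty of legitimate sites have both, while the brand-on-foreign-domain check and the port/DGA pair each carry enough weight on their own to reach "malicious". A real deployment would replace the hard-coded gTLD set with ICANN's delegated-string list and the naive two-label split with the Public Suffix List.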

“In the case of phishing scams, the cyber-crooks are going the extra mile to make their creation more authentic. The majority of phishing pages are hosted on hacked websites whose URLs often are dead giveaways. By registering your own site with a specific TLD that looks legitimate, your chances of fooling potential marks are exponentially higher. The registration cost is a small price to pay for much larger monetary gains,” Segura said.

“Some TLDs look incredibly attractive from a bad guy’s point of view. Unfortunately, something that helps legitimate businesses distinguish themselves by using a custom TLD also creates an avenue for the bad guys to exploit,” the researcher added.

One perfect example is the .PHARMACY domain, which can be leveraged to host the well-known rogue pharmacy websites.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
