The recent expansion of generic Top-Level Domains (gTLDs) has attracted the attention of cybercriminals who have started abusing them for their malicious operations, researchers warned this week.
Over the past year, hundreds of new domain suffixes have been rolled out by the Internet Corporation for Assigned Names and Numbers (ICANN), including .GURU, .FLY, .PHARMACY, .SUPPORT, .PIZZA, .NETWORK, .AUCTION and .MARKET. ICANN believes that more than 1,300 new names could become available over the next few years.
While these TLDs can be useful for organizations, cybercriminals have come to realize that they too can put the new domain suffixes to good use.
Researchers at security solutions provider Malwarebytes analyzed their honeypot logs for the past 60 days to find out if the new types of domains have been abused for malicious purposes. They’ve identified cybercriminal operations associated with .PICTURES, .CONSULTING, .XYZ, .CLUB, .EMAIL, .SOLUTIONS, .DOMAINS, .COMPANY, .PHOTOS, .DIRECTORY, .ENTERPRISES and .GURU.
Jerome Segura, senior security researcher at Malwarebytes Labs, told SecurityWeek that they have identified a relatively small number of domains used for malicious activities, but considering that the new TLDs have been rolled out only recently, the security firm predicts a definite increase as time goes by.
Most of the affected domains are legitimate websites that have been hijacked through brute-force attacks, vulnerabilities and other typical techniques. It’s uncertain at this point if they were targeted specifically or if these are ongoing random automated attacks.
“For each of these domains, the bad guys are creating a custom sub-domain by using a domain generation algorithm (DGA), a technique that has been used for some time to evade blacklisting,” Segura said via email.
The cyberattacks documented by Malwarebytes were drive-by download attacks designed to install malware on computers with the aid of the Angler Exploit Kit, which has been recently enhanced to inject malware directly into memory, instead of writing it to the disk.
The URLs involved in the Angler EK attacks analyzed by Malwarebytes follow similar patterns and they all use a specific port number. An example of such a URL is “alkoholisminflaus.jamesbratton. pictures:37702/0ux6l07aus.php.”
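A log triage check built on the URL pattern described above, added here as an example and not code from Malwarebytes or SecurityWeek. The TLD list is the one the article attributes to the honeypot logs; the 12-character sub-domain threshold, the function names and the `example.*` sample hosts are assumptions.

```python
from urllib.parse import urlsplit

# TLDs the article lists as seen in Malwarebytes' honeypot logs.
WATCHED_TLDS = {
    "pictures", "consulting", "xyz", "club", "email", "solutions",
    "domains", "company", "photos", "directory", "enterprises", "guru",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def triage(url):
    """Return the reasons a logged URL matches the described pattern."""
    if "://" not in url:              # proxy logs often omit the scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".")
    reasons = []
    if labels[-1] not in WATCHED_TLDS:
        return reasons                # out of scope for this check
    reasons.append("watched-tld:" + labels[-1])
    try:
        port = parts.port
    except ValueError:                # malformed port in the log line
        port = None
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        reasons.append("nonstandard-port:%d" % port)
    # Assumed heuristic: a long extra label in front of the registered
    # name, as a generated sub-domain on a hijacked site would be.
    if len(labels) > 2 and labels[0] != "www" and len(labels[0]) >= 12:
        reasons.append("long-subdomain:" + labels[0])
    return reasons


def suspicious(url):
    """Escalate only when TLD, port and sub-domain signals all agree."""
    kinds = {r.split(":")[0] for r in triage(url)}
    return {"watched-tld", "nonstandard-port", "long-subdomain"} <= kinds


if __name__ == "__main__":
    samples = [
        # The article's example URL, with the space in the host removed.
        "alkoholisminflaus.jamesbratton.pictures:37702/0ux6l07aus.php",
        # Constructed benign look-alikes.
        "http://www.example.guru/",
        "https://shop.example.club:443/cart",
        "http://portal.example.com:8080/",
    ]
    for s in samples:
        print(suspicious(s), triage(s), s)
```

Requiring all three signals keeps ordinary sites on the new TLDs out of the alert queue; the reasons list from `triage` can still be logged for hunting.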
In addition to malware attacks, experts have also spotted phishing schemes leveraging the new names. Researchers at the SANS Institute’s Internet Storm Center have identified a phishing attack targeting Bank of America customers. The attackers set up a Bank of America phishing page on “url-bofa.support/BankOfAmerica.com.”
In this case, the malicious domain was registered by the cybercriminals themselves and they had even managed to obtain a valid SSL certificate by passing a certificate authority’s domain control validation process. Since many users know that bank websites should be protected by SSL certificates, it’s more likely that they’ll trust the malicious site.
“In the case of phishing scams, the cyber-crooks are going the extra mile to make their creation more authentic. The majority of phishing pages are hosted on hacked websites whose URLs often are dead giveaways. By registering your own site with a specific TLD that looks legitimate, your chances of fooling potential marks are exponentially higher. The registration cost is a small price to pay for much larger monetary gains,” Segura said.
“Some TLDs look incredibly attractive from a bad guy’s point of view. Unfortunately, something that helps legitimate businesses distinguish themselves by using a custom TLD also creates an avenue for the bad guys to exploit,” the researcher added.
One perfect example is the .PHARMACY domain, which can be leveraged to host the well-known rogue pharmacy websites.