Phantom legitimacy: don’t be fooled

Since the end of 2023, specialists from the National Computer Incident Response Center (CERT.BY) have recorded a trend of attackers using domains that mimic legitimate ones. This is called typosquatting: the registration of domain names whose spelling is close to the addresses of popular websites, relying on users' typing mistakes. The trick is often used for phishing in order to lull the victim's vigilance and extract logins, passwords, card details and any other information through a fake resource.

To imitate an email or a website of the targeted organization, attackers create a domain that combines its name with a plausible auxiliary word, such as Microsoft-login.com or SkypeSupport.com. The situation is aggravated by the fact that some organizations really do have domains with similar auxiliary parts: for example, login.microsoftonline.com is a legitimate Microsoft website.

However, recently this technique has been used in a more sophisticated way. Attackers register domain names resembling the names of antivirus solutions and point the command centers of their malware at them. Subsequently, when reviewing domain name resolution requests in monitoring systems, cybersecurity specialists may overlook the fake domains because the names look familiar, or even mark them as legitimate.

To help counter this threat, below are examples of domains discovered by CERT.BY that are used by a specific group of attackers as malware command centers:

  1. api.kaspersky[.]one
  2. api.kaspersky[.]codes
  3. sync.kaspersky[.]codes
  4. kaspersky[.]agency

Moreover, because the intruders abuse legitimate remote-access tools and because of the way the malware operates, identifying such cyber threats is significantly harder.

Requests for the listed domain names can be identified by analysing domain names in network traffic (for example, in DNS query logs). It is important to note that, because the attackers mimic the organization's domain names, the search must be carried out on the main part of the domain (here, "kaspersky") without taking the domain zone (the TLD, such as .one or .codes) into account.
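The following script is an added example (not CERT.BY tooling) of the check described above, applied to constructed DNS query log lines. It matches the main label of the registrable domain against a watchlist of imitated brand names, ignoring the domain zone, and it also catches the "brand plus auxiliary word" pattern from the earlier paragraph (Microsoft-login.com, SkypeSupport.com). The log line format, the brand watchlist, the small suffix table and the allowlist of legitimate registrable domains are assumptions of this example; the allowlist in particular must be maintained by the operator from authoritative sources.

```python
"""Flag DNS queries whose registrable domain imitates a watched brand.

Added example, not part of the CERT.BY advisory or its tooling.
The log format, watchlist, suffix table and allowlist are assumptions.
"""
import re

# Brand names being imitated. "kaspersky" comes from the advisory; the
# others illustrate the login/support pattern (constructed watchlist).
WATCHED_BRANDS = ("kaspersky", "microsoft", "skype")

# Registrable domains the organization has verified as legitimate.
# Assumed allowlist: an operator must maintain it from authoritative sources.
LEGITIMATE_DOMAINS = {
    "kaspersky.com",
    "microsoft.com",
    "microsoftonline.com",
    "skype.com",
}

# Tiny constructed subset of multi-label public suffixes, so that
# mail.example.co.uk reduces to example.co.uk rather than co.uk.
# A real deployment would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Constructed query-log format: "client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log; the kaspersky[.]one / [.]codes names are from the advisory.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: api.kaspersky.one IN A
client 10.0.0.5#53212: query: login.microsoftonline.com IN A
client 10.0.0.7#40021: query: sync.kaspersky.codes IN A
client 10.0.0.9#40100: query: microsoft-login.com IN A
client 10.0.0.9#40101: query: updates.kaspersky.com IN A
client 10.0.0.11#40200: query: skypesupport.com IN A
client 10.0.0.11#40201: query: mail.example.co.uk IN A
"""


def refang(name: str) -> str:
    """Turn a defanged indicator such as api.kaspersky[.]one into a real name."""
    return name.replace("[.]", ".")


def registrable_domain(qname: str) -> str:
    """Return the registrable domain (the label directly under the public suffix)."""
    labels = refang(qname).rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0]
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(qname: str):
    """Return (registrable_domain, brand) for a suspected imitation, else None.

    The comparison uses only the main label of the registrable domain, so the
    zone (.one, .codes, .agency, ...) is ignored as the advisory recommends;
    verified legitimate domains are excluded via the allowlist.
    """
    reg = registrable_domain(qname)
    if reg in LEGITIMATE_DOMAINS:
        return None
    main_label = reg.split(".")[0]
    for brand in WATCHED_BRANDS:
        if brand in main_label:
            return reg, brand
    return None


def scan_log(lines):
    """Return one dict per suspicious query found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        verdict = classify(m.group("qname"))
        if verdict:
            reg, brand = verdict
            hits.append({
                "client": m.group("client"),
                "qname": m.group("qname").lower(),
                "registrable": reg,
                "brand": brand,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} -> {hit['qname']} (imitates {hit['brand']})")
```

On the sample log the script flags api.kaspersky.one, sync.kaspersky.codes, microsoft-login.com and skypesupport.com, while login.microsoftonline.com and updates.kaspersky.com pass because their registrable domains are on the allowlist. Note that substring matching on brand names is deliberately broad, so short or generic brand names will produce false positives; the allowlist is what keeps a match like microsoftonline.com from becoming an alert, which is exactly the ambiguity the advisory warns about.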

If such activity is detected, please report it to support@cert.by. For convenience and timely updates, follow us on social media: