Pierluigi Paganini November 18, 2019

Cyber security firm Venafi announced it has uncovered lookalike domains with valid TLS certificates that appear to target major retailers.

Venafi, Inc. is a private cybersecurity company that develops software to secure and protect cryptographic keys and digital certificates.

Ahead of the holiday shopping season, security experts from Venafi conducted a study of typosquatted domains used to target 20 major retailers in the United States, the United Kingdom, Australia, Germany, and France.

The researchers discovered 109,045 lookalike domains using valid TLS certificates to make them appear more trustworthy. The number is doubled compared to last year, the study revealed that less than 19,890 certificates have been issued for legitimate retail domains.

Below key findings of the study:

• Growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four times.
• The total number of certificates used for look-alike domains is more than 400% greater than the number of authentic retail domains.
• Over half (60%) of the look-alike domains studied use free certificates from Let’s Encrypt. 

Experts pointed out that every region had its own lookalike domains, in the US crooks targeted 83,934 retailers, one of which is a top U.S. retailers with over 49,500 typosquatted domains. In the US 14,784 certificates have been issued for legitimate retail domains.

Experts reported nearly 84,000 target retailers in the U.S., including almost 50,000 domains that imitate one of the country’s top retailers. In the U.K., Venafi identifier nearly 14,000 certificates issued for fake retailer domains.

The situation is also worrisome in the UK where Venafi has found the largest ratio of lookalike domains targeting retailers, that are over six times more look-alike domains than valid domains. The researchers found nearly 14,000 target retailers in the U.K., identifier nearly 1,900 certificates issued for fake retailer domains.

In Germany, there were roughly 7,000 certificates for typosquatted domains targeting retailers in the country, the lookalike domains are more likely to use certificates from Let’s Encrypt than any other region (85%).

In Australia, the experts found nearly 3,500 certificated for domains targeting local retailers, while the number of certificated in France was 1,500.

“We continue to see rampant growth in the number of malicious, look-alike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi. “This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”

Pierluigi Paganini

(SecurityAffairs – Checkra1n exploit, checkm8)

[adrotate banner=”5″]

[adrotate banner=”13″]