Cybercrooks spoofing Aussie retail domains


By Dylan Bushell-Embling
Friday, 28 September, 2018

Cybercriminals are creating fake domains mimicking the online presence of retailers in Australia and other markets, complete with TLS certificates, in an attempt to appear legitimate.

A report from machine identity protection company Venafi, analysing suspicious domains targeting the top 20 retailers in Australia and four other markets, found that nearly three times as many lookalike domains in Australia have been issued TLS certificates as there are valid retail domains.

The analysis found that 593 TLS certificates had been issued for valid retail domains associated with the top 20 retailers in Australia, and 1735 had been issued to lookalike domains.

Such lookalike domains change or add characters in a legitimate retailer’s URL, or use homoglyphs such as a ‘1’ in place of an ‘l’, in an attempt to fool people browsing the web into thinking they are visiting the legitimate retailer’s site.
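A retailer's security team can screen hostnames seen in newly issued certificates for these three patterns. The Python sketch below is an added example, not code from the article or from Venafi; the retailer `ozretailer.example`, the sample hostnames and the function names are constructed for illustration, and it covers ASCII digit-for-letter swaps only, not Unicode homoglyphs.

```python
# Digit-for-letter swaps such as the '1' for 'l' case described above.
HOMOGLYPHS = str.maketrans("1035", "loes")

def skeleton(label):
    """Fold a DNS label for comparison: lowercase with homoglyphs undone."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, legit):
    """Return why `host` resembles `legit`, or None if it does not."""
    host, legit = host.lower().rstrip("."), legit.lower()
    if host == legit or host.endswith("." + legit):
        return None  # the real domain or one of its subdomains
    brand = legit.split(".")[0]  # assumption: watchlist holds registrable domains
    target = skeleton(brand)
    for label in host.split("."):
        folded = skeleton(label)
        if folded == target:
            return "homoglyph" if label != brand else "same name, other suffix"
        if target in folded:
            return "added characters"
        if len(target) >= 5 and edit_distance(folded, target) <= 1:
            return "changed character"
    return None

def scan(hosts, watchlist):
    """List (host, legit, reason) for every flagged certificate hostname."""
    pairs = ((h, d, classify(h, d)) for h in hosts for d in watchlist)
    return [p for p in pairs if p[2]]

# Constructed sample data: a made-up retailer and hostnames as they might
# appear in newly issued certificates.
WATCHLIST = ["ozretailer.example"]
SEEN = ["ozretailer.example", "shop.ozretailer.example", "ozretai1er.example",
        "ozretailer-login.example", "ozretailor.example", "gardenhose.example"]

if __name__ == "__main__":
    for hit in scan(SEEN, WATCHLIST):
        print(*hit, sep="  ")
```
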

Across the five markets, many of these domains were using certificates issued by Let’s Encrypt, a favoured tool used in many phishing attacks due to its free and automated issuance of certificates.

In Australia, 73% of these certificates were issued by Let’s Encrypt. Of these, 86% were attempting to spoof the domains of just two retailers, and 11 of the top 20 retailers had no lookalike domains associated with them.

“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” Venafi Senior Threat Intelligence Analyst Jing Xie said.

“Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. In spite of significant advances in the best practices followed by certificate issuers, this is a really bad idea. No organisation should rely exclusively on certificate authorities to detect suspicious certificate requests.”

Image credit: ©stock.adobe.com/au/Péter Mács



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd