As an attack vector, phishing serves several purposes, such as spreading malware, stealing sensitive information, and defrauding victims. Most phishing emails, however, are after user credentials: according to Cofense’s 2021 Annual State of Phishing Report, which analyzed millions of emails, 57% were credential phishing emails.
While credential phishing can be carried out in a number of ways, WhoisXML API researchers set out to identify suspicious domain names that contain account-related terms, such as “username,” “login,” and “password.” Combining text strings like these with the name of a legitimate business can make a phishing email look credible and trick victims into disclosing their credentials.
Specifically, this article looks at how widely such text strings appear in domain names related to PayPal and Amazon, two companies commonly targeted in phishing campaigns.
Obtaining the sample
PayPal and Amazon are among the top 10 most spoofed brands in the world. We focused on these two brands here, but future research may cover other companies.
Domains combining the PayPal and Amazon brand names with credential-related terms were obtained through Domains & Subdomains Discovery, part of the Domain Research Suite (DRS). Specifically, we searched for domains containing a brand name together with a generic account-related term, such as “password,” “login,” and “log in.”
We also included two terms unique to each brand, as observed on verified phishing domains listed on PhishTank. For example, “activation” and “ticket” appeared frequently in verified phishing domains targeting PayPal but rarely in those targeting Amazon. Conversely, “shop” and “payment” appeared repeatedly among phishing domains targeting Amazon.
The search strings and corresponding domain volumes are specified in the table below.
| Search string | Domains found | Search string | Domains found |
|---|---|---|---|
| “paypal” + “password” | 23 | “amazon” + “password” | 14 |
| “paypal” + “login” | 1,105 | “amazon” + “login” | 604 |
| “paypal” + “log in” | 275 | “amazon” + “log in” | 348 |
| “paypal” + “activation” | 40 | “amazon” + “shop” | 5,833 |
| “paypal” + “ticket” | 2,147 | “amazon” + “payment” | 1,314 |
A total of 11,703 domains have been discovered.
Credential phishing-related domains flagged as malicious
We ran the discovered sample through Threat Intelligence Platform (TIP) and found that approximately 15%, or 1,715 domains, were flagged as “malicious” by one or more malware detection engines.
Some examples for each brand are listed below.
• paypal activation[.]life
• paypal activation[.]xyz
• paypal password[.]com
• paypall login[.]com
• secure login-paypal[.]com
• amazon-jp-apypay[.]store
• amazonshop login[.]buzz
• your payment-amazon[.]com
Most of these malicious domains fell under the .com (44%) and .shop (38%) top-level domains (TLDs). Note that the .shop domains in our sample were mostly Amazon-related, since “shop” was one of the search strings; .shop domains in fact account for about 50% of all domains found in this study. This suggests that, for e-commerce brands such as Amazon, threat actors may favor thematically related TLDs in phishing campaigns.
Besides .com and .shop, other TLDs that appeared repeatedly among the malicious domains were .info, .ml, .cf, .xyz, .tk, .net, .ga, and .top, a mix of country-code TLDs (ccTLDs), new gTLDs (ngTLDs), and legacy gTLDs.
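As an added example (not code from WhoisXML API or this study), the brand-plus-term matching used to build the sample and the TLD tally above, applied to a constructed list of defanged domain names. The allowlist of legitimate apex domains and the two-label apex heuristic are simplifying assumptions, and the term lists are the page’s own search strings.

```python
import re
from collections import Counter

# Brand + credential-term combinations from the study (incl. the brand-specific ones).
SEARCH_TERMS = {
    "paypal": ("password", "login", "activation", "ticket"),
    "amazon": ("password", "login", "shop", "payment"),
}
LEGITIMATE_APEX = {"paypal.com", "amazon.com"}  # constructed allowlist; extend as needed

# Constructed, defanged sample; these are not domains from the study's data set.
SAMPLE_DOMAINS = [
    "paypal-activation-center[.]life",
    "paypal-password-reset[.]com",
    "secure-login-paypal[.]xyz",
    "amazon-shop-login[.]buzz",
    "amazon-payment-update[.]shop",
    "amazon-shop-deals[.]shop",
    "login.paypal.com",  # legitimate subdomain: must not be flagged
    "example[.]com",     # unrelated
]

def normalize(domain):
    """Lower-case, refang '[.]' and drop a trailing dot so matching is uniform."""
    return domain.lower().replace("[.]", ".").rstrip(".")

def match_brand_terms(domain):
    """Return (brand, term) when the labels before the TLD combine a brand name with
    a credential-related term, else None (two-label apex assumed, no public-suffix list)."""
    labels = normalize(domain).split(".")
    if ".".join(labels[-2:]) in LEGITIMATE_APEX:
        return None
    name_part = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))  # ignore TLD, hyphens
    for brand, terms in SEARCH_TERMS.items():
        if brand in name_part:
            for term in terms:
                if term in name_part:
                    return brand, term
    return None

def flag_domains(domains):
    """Return [(defanged domain, brand, term)] for every matching input."""
    matches = ((d, match_brand_terms(d)) for d in domains)
    return [(normalize(d).replace(".", "[.]"),) + m for d, m in matches if m]

def tld_distribution(domains):
    """Percentage share of each TLD, most common first (the .com/.shop tally above)."""
    counts = Counter(normalize(d).rsplit(".", 1)[-1] for d in domains)
    total = sum(counts.values())
    return {tld: round(100 * n / total) for tld, n in counts.most_common()}
```

Running `tld_distribution([d for d, _, _ in flag_domains(SAMPLE_DOMAINS)])` reproduces the kind of TLD breakdown reported above for the flagged subset, with .shop leading because “shop” is itself a search term.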
Content hosted by malicious domains
How dangerous are these domain names? Beyond the “malicious” flag, one way to gauge the risk is to look at the content they host, and Screenshot API helped us answer that question.
Of the 1,715 malicious domains, only 70 resolved to active websites. Many of the domains that did not may already have been taken down after being flagged as “malicious.” Alarmingly, some still host content that could be used for credential phishing or brand impersonation. The domain paypallogin[.]net, for example, appears to host a login page:
Credential phishing is a pressing concern as threat actors increasingly aim to steal sensitive user data. One of their tactics is to register typosquatting domains such as the PayPal- and Amazon-related domains found in this study. Raising user awareness and detecting these domain names early could be key to preventing credential phishing.
If you are interested in the domain names related to possible Amazon and PayPal credential phishing activity, or would like to discuss potential security research collaborations, please do not hesitate to contact us.