Cybersquatting on the rise, find researchers at Palo Alto Networks

Users on the internet rely on domain names to find brands, services, professionals and personal websites. Cybercriminals take advantage of the essential role that domain names play on the internet by registering names that appear related to existing domains or brands, with the intent of profiting from user mistakes. This is known as cybersquatting. The purpose of squatting domains is to confuse users into believing that the targeted brands (such as Netflix) own these domain names (such as netflix-payments[.]com) or to profit from users’ typing mistakes. While cybersquatting is not always malicious toward users, it is illegal in the U.S., and squatting domains are often used or repurposed for attacks.

The Palo Alto Networks squatting detector system discovered that 13,857 squatting domains were registered in December 2019, an average of 450 per day. It found that 2,595 (18.59%) of the squatting domain names are malicious and that 5,104 (36.57%) of the squatting domains studied present a high risk to users visiting them.

The researchers at Palo Alto Networks also ranked the top 20 most abused domains in December 2019.

From December 2019 to date, they observed a variety of malicious domains with different objectives, such as phishing, malware distribution, command and control (C2), re-bill scams, potentially unwanted programs (PUP), technical support scams, reward scams and domain parking.

Malicious actors were found using techniques such as typosquatting, combosquatting, level-squatting, bitsquatting and homograph-squatting to distribute malware or to conduct scams and phishing campaigns.

The researchers at Palo Alto Networks recommend that enterprises block and closely monitor traffic from these domains, while consumers should make sure that they type domain names correctly and double-check that the domain owners are trusted before entering any site.
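
As an added illustration (not code from Palo Alto Networks or from the original article), the sketch below labels a candidate domain with one of the five squatting techniques named above, relative to a protected brand domain, as a defender might do when triaging newly observed domains for blocking or monitoring. The one-line technique descriptions in the comments, the small confusables table and the assumption of a single-label public suffix are assumptions of this example.

```python
# Constructed sample of look-alike characters; not a full Unicode confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i",
               "\u0131": "i", "\u0167": "t"}

def edit_distance(a, b):
    """Optimal-string-alignment distance (an adjacent swap counts as one edit)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def one_bit_apart(a, b):
    """Same length, exactly one differing character, differing in a single bit."""
    diffs = [ord(x) ^ ord(y) for x, y in zip(a, b) if x != y]
    return len(a) == len(b) and len(diffs) == 1 and diffs[0] & (diffs[0] - 1) == 0

def classify(domain, brand):
    """Return the squatting technique `domain` uses against `brand`, or None."""
    domain = domain.lower().rstrip(".")
    try:  # decode punycode (xn--) labels so look-alike characters can be compared
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as given
    if domain == brand or domain.endswith("." + brand):
        return None  # the brand's own name or one of its subdomains
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    # Assumption: single-label public suffix, so the registered name is labels[-2].
    name, sub, target = labels[-2], ".".join(labels[:-2]), brand.split(".")[0]
    if ("." + brand + ".") in ("." + sub + "."):
        return "level-squatting"      # brand's full domain used as a subdomain
    if name != target and "".join(CONFUSABLES.get(c, c) for c in name) == target:
        return "homograph-squatting"  # visually similar characters
    if one_bit_apart(name, target):
        return "bitsquatting"         # one flipped bit in one character
    if name != target and target in name:
        return "combosquatting"       # brand name combined with extra words
    if edit_distance(name, target) == 1:
        return "typosquatting"        # one-keystroke misspelling
    return None
```

A name that is one bit away from the brand is also one edit away, so the order of the checks decides the label; very short brand names will produce false positives on the edit-distance check.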