Retailers hit hard by domain spoofing, Venafi
Research from cyber security venture Venafi highlights the explosion of look-alike website domains which are routinely used to steal sensitive data from online shoppers.
The company analysed suspicious domains targeting the top 20 retailers in the US, UK, France, Germany and Australia. It found that while there were 3,848 certificates for valid UK retail domains, the number of certificates for look-alikes was 168% higher, at 6,449.
One of the top 20 US retailers had over 12,000 look-alike domains targeting its customers. The explosion appears to be connected to the availability of free TLS certificates; 84% of the look-alike domains studied use free certificates from Let’s Encrypt. In the UK, this figure was 81%.
“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” says Jing Xie, Senior Threat Intelligence Analyst at Venafi.
“Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. In spite of significant advances in the best practices followed by certificate issuers, this is a really bad idea. No organisation should rely exclusively on certificate authorities to detect suspicious certificate requests.”
Ultimately, we should expect even more malicious look-alike websites designed for social engineering to pop up in the future. “In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analysing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates,” says Xie.
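One way to put the certificate-transparency monitoring Xie describes into practice, as an added example that is not Venafi's tooling or code from this article: a small Python checker that takes SAN names pulled from CT log entries and flags those that imitate a protected brand, by collapsing common visual substitutions (digits for letters, 'rn' for 'm', inserted hyphens) and then testing for containment or small edit distance. PROTECTED, SAMPLE_SANS and the distance thresholds are constructed assumptions; a real deployment would feed it from a CT log monitor and use a public-suffix list instead of the first-label simplification.

```python
"""Flag look-alike domains among SAN names from CT log entries (constructed demo data)."""
PROTECTED = ("examplestore.co.uk", "examplestore.com")  # constructed brand domains
# SAN names as they might appear in certificate-transparency log entries (constructed).
SAMPLE_SANS = [
    "www.examplestore.co.uk",   # legitimate subdomain, must not be flagged
    "examplest0re-login.com",   # digit swap plus a hyphenated keyword
    "exarnplestore.net",        # 'rn' imitates 'm'
    "secure.exampelstore.co",   # transposed letters
    "examplestoreonline.shop",  # brand embedded in a longer label
    "store.example.org",        # unrelated, must not be flagged
]
_DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label):  # collapse visual substitutions: 'exarnple-st0re' -> 'examplestore'
    s = label.lower().replace("-", "").replace("_", "").translate(_DIGIT_SWAPS)
    return s.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):  # plain edit distance, enough to catch single-key typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_legitimate(san, protected=PROTECTED):
    host = san.lower().lstrip("*.")  # wildcard certs list '*.brand.tld'
    return any(host == d or host.endswith("." + d) for d in protected)

def classify_san(san, protected=PROTECTED):
    """Return (protected domain, reason) if `san` imitates a brand, else None."""
    if is_legitimate(san, protected):
        return None
    for domain in protected:
        brand = normalize(domain.split(".")[0])  # simplification: brand = first label
        max_dist = 2 if len(brand) >= 8 else 1  # assumed thresholds, tune per brand
        for label in san.lower().lstrip("*.").split("."):
            norm = normalize(label)
            if brand in norm:
                return domain, f"'{label}' contains '{brand}' after normalisation"
            if levenshtein(norm, brand) <= max_dist:
                return domain, f"'{label}' is within {max_dist} edits of '{brand}'"
    return None

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(san, "->", classify_san(san) or "ok")
```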