Cozy Bear Goes Typosquatting



Researchers at Recorded Future’s Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages.

“From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure,” the researchers write. “In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators. A key factor we have observed from NOBELIUM operators involved in threat activity is a reliance on domains that emulate other brands (some legitimate and some that are likely fictitious businesses). Domain registrations and typosquats can enable spear phishing campaigns or redirects that pose a threat to victim networks and brands.”

Recorded Future notes that the threat actor is effectively imitating the targeted companies.

“Analysis of recent and historical domains attributed to NOBELIUM broadly demonstrates the group’s familiarity with, and tendency to emulate, a variety of media, news and technology providers,” the researchers write. “The group has abused dynamic DNS resolution to construct and resolve to randomly generated subdomains for its C2s or root domains to mislead victims. The key aspect to these attacks is the use of either email addresses or URLs that look similar to the domain of a legitimate organization. Potentially harmful domain registrations and typosquats can enable spear phishing campaigns or redirects that pose an elevated risk to a company’s brand or employees.”

The researchers add that spear phishing is a common technique used by both criminal and nation-state threat actors.

“A successful spear phish is dependent on factors such as the quality of the message, the credibility of the sender address, and, in the case of a redirecting URL, the credibility of the domain name,” the researchers write. “Insikt Group has previously observed other Russian nexus groups using typosquatting in support of operations, such as those aimed at the 2020 presidential elections, to increase confidence in the validity of the fraudulent login portal used to harvest victim credentials. This tactic has also been reported recently in open sources in connection with intrusions targeting entities in Ukraine, likely in support of Russia’s invasion of the country.”

New-school security awareness training can enable your employees to thwart targeted social engineering attacks.


Discover dangerous look-alike domains that could be used against you! 

Since look-alike domains are a dangerous vector for phishing attacks, it's a top priority that you monitor for potentially harmful domains that can spoof your domain.
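One way to screen sender or URL domains seen in mail and proxy logs for look-alikes of a protected domain, shown as an added example that is not part of the original post and is not the Domain Doppelgänger tool. The domain names, the homoglyph map, and the function names are constructed for illustration, and the registrable domain is assumed to be the last two labels.

```python
# Added example: screen observed domains for look-alikes of a protected domain.
# Every domain below is a constructed sample, not an indicator from the report.
# Illustrative visual substitutions (assumption: deliberately small, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def fold(label):
    """Collapse common visual substitutions so 'exarnple' folds to 'example'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify(observed, protected, max_dist=2):
    """Return why `observed` resembles `protected`, or None if it does not."""
    obs = observed.lower().rstrip(".").split(".")
    pro = protected.lower().split(".")
    if len(obs) < 2:
        return None
    # Assumption: registrable domain = last two labels (no public-suffix list).
    (o_name, o_tld), (p_name, p_tld) = obs[-2:], pro[-2:]
    if (o_name, o_tld) == (p_name, p_tld):
        return None  # the protected domain itself, or one of its subdomains
    if o_name == p_name:
        return "tld-swap"
    if fold(o_name) == fold(p_name):
        return "homoglyph"
    dist = osa_distance(o_name, p_name)
    if dist <= max_dist:
        return f"edit-distance-{dist}"
    if any(p_name in label for label in obs[:-1]):
        return "brand-embedded"  # brand inside a longer name or a subdomain label
    return None

SAMPLES = ["mail.examplenews.com", "examplenews.co", "exarnplenews.com",
           "exampelnews.com", "examplenews.cdn-sync.net", "weather.org"]
if __name__ == "__main__":
    for domain in SAMPLES:
        print(f"{domain:28} {classify(domain, 'examplenews.com')}")
```

Short brand names need a smaller `max_dist`, since two edits cover most of a four-letter label.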

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now.

Here's how it's done:

  • Get detailed results of look-alike domains found similar to your primary email domain
  • You can now quiz your users with your look-alike results
  • Get a summary PDF that contains an overview of the look-alike domains and associated risk levels discovered during the analysis
  • It only takes a few minutes to discover your “evil domain twins”!

Find Your Look-Alike Domains!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-doppelganger
