Holiday Threat No. 1: Evil Twin Domains With A "Trusted" SSL/TLS Certificate


As the holiday season approaches, cybercriminals are set to scam your users not only out of their personal money but also out of your organizational budget.

Online shopping fraud is rising in the double digits every year. How many of you buy hardware at Newegg? Here is an example of how you yourself could become a victim of this, courtesy of the organized cybercrime gang Magecart.

U.S. online retailer Newegg is a recent victim. They of course own the legitimate domain; Magecart registered an "evil twin" domain called neweggstats (dot) com together with a legitimate certificate issued by Comodo. The legitimate domain was compromised with a card skimmer, and the fake domain was pointed to a server that received credit card information stolen from Newegg customers. If you have made purchases at Newegg in the last six months, I recommend you get a new credit card!

Your users can be scammed in a variety of ways. A very popular attack this time of year is the phishing scam that promotes fake last-minute deals on hot items and uses FOMO (Fear Of Missing Out) social engineering tactics to trick users into entering their credentials and credit card information on fraudulent websites.

Evil Twin Domain Problem Is Rapidly Rising

This Thursday, machine identity protection firm Venafi said the evil twin domain problem is rapidly increasing, with an "explosion" of look-alike, fraudulent domains appearing online at the moment.

Venafi analyzed fake domains created to mimic the world's top 20 retailers and found that not only is the number of fake domains rising, but many of them use a trusted TLS certificate. A look-alike domain that substitutes only one character (possibly a punycode-encoded look-alike character) will very likely cause a recognition problem for your users.
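As an added illustration (not part of the original post, and not code from Venafi or the Domain Doppelgänger tool), the Python below shows how a defender can flag look-alikes of a protected domain in a feed of observed domain names: it decodes punycode, collapses visually confusable characters to a common "skeleton", and then checks for one-character edits, TLD swaps and embedded brand names. The confusable map is a small constructed subset of the Unicode confusables table, the observed list is a constructed sample, `newegg.com` is used as the protected brand because the post discusses it, and domains are assumed to be plain brand.tld registrations.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (Cyrillic, Greek and digit look-alikes).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
               "\u03bd": "v", "\u0131": "i", "0": "o", "1": "l"}

def to_unicode(domain):
    """Decode IDNA (xn--) labels to Unicode; input that is already Unicode is returned as-is."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain

def skeleton(label):
    """Collapse visually confusable characters so look-alike labels compare equal."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label).lower())
    return s.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Edit distance; a distance of 1 is the single-character substitution or omission case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed, brand):
    """Return why `observed` resembles `brand` (assumed a plain brand.tld domain), or None."""
    obs, ref = to_unicode(observed).lower().split("."), brand.lower().split(".")
    if obs[-2:] == ref[-2:]:
        return None                                   # the genuine domain (or a subdomain of it)
    obs_sk, ref_sk = skeleton(obs[-2]), skeleton(ref[-2])
    if obs_sk == ref_sk:
        return "tld-swap" if obs[-2] == ref[-2] else "homoglyph"
    if levenshtein(obs_sk, ref_sk) <= 1:
        return "typo"
    if ref_sk in obs_sk:
        return "brand-embedded"                       # e.g. neweggstats, shop-newegg
    return None

# Constructed sample feed; the punycode entry is built from a Cyrillic "е" (U+0435) spelling.
OBSERVED = ["newegg.com", "neweggstats.com", "newgg.com", "newegg.net", "shop-newegg.com",
            "new\u0435gg.com".encode("idna").decode("ascii"), "example.com"]

def scan(domains, brand="newegg.com"):
    """Return {domain: reason} for every look-alike of `brand` found in `domains`."""
    return {d: r for d in domains if (r := classify(d, brand))}
```

`scan(OBSERVED)` flags five of the seven sample entries; `newegg.com` and `example.com` pass, and the punycode entry is reported as a homoglyph even though its raw form starts with `xn--`.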

Venafi stated that it is becoming "increasingly difficult" for consumers to distinguish fake domains from legitimate ones, especially when a trusted TLS certificate is thrown into the mix.

Domain Spoofing Is A Cornerstone Of Social Engineering Attacks

"Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique," said Jing Xie, Venafi senior threat intelligence analyst. "Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates."

Venafi's research showed that 84% of fraudulent domains rely on free certificates, like those issued by Let's Encrypt. Clearly, that service is being abused to create a false sense of security for potential victims. Venafi says that the total number of certificates issued for domains masquerading as legitimate, well-known retailers is over 200 percent greater than the number issued to authentic e-commerce platforms. More at ZDNet.

Find out if your own domain has an evil twin with the brand-new Domain Doppelgänger tool

Phishing is still the most widely used cyber attack vector, and criminal attack campaigns often use spoofed websites to deceive your users so that they unwittingly let the bad guys take over your network.

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines search, discovery, reporting, and risk indicators, so you can take action now.

Better yet, with these results you can now generate an online assessment test to see what your users are able to recognize as “safe” domains for your organization. You then receive a summary of the test results to understand how security-aware your users are when it comes to identifying potentially fraudulent or phishy domains.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a report with aggregated results that includes risk indicators, and
  • Generate an online “domain safety” quiz based on the results to administer to your end users

This is a complimentary tool and will take only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.
