SEATTLE - August 6, 2019 - Today, DomainTools, the leader in domain name and DNS-based cyber threat intelligence, announced it has identified an ongoing domain name spoofing campaign specifically targeting domain names associated with Fortune 500 retailer Walmart, as well as online dating and popular movies. The DomainTools research team has explored more than 540 potentially malicious domains being used by a sophisticated threat actor or group with the possible intention of harvesting consumer credentials.
Domains discovered through DomainTools PhishEye and investigated in DomainTools Iris uncovered registrant details that point to Pakistan and Bangladesh, while the majority of the associated IP addresses are located in the United States. Of the 540+ identified domains in the campaign, only 181 have appeared on industry blocklists. The others were given an average risk score of 93, which indicates a very high likelihood of being added to blocklists in the future.
“The number of malicious domains that surfaced in this campaign is alarming and likely an indication of the threat actor or group’s resources and sophistication,” said Corin Imai, senior security advisor, DomainTools. “Our initial intent was to take a closer look at Fortune 500 companies, but our investigation led us down an unexpected path. Thanks to the robust investigative and pivoting features in our products, we were able to unearth an entire campaign. Although we successfully detected and to some degree identified the intent of this campaign, we are committed to uncovering its scale as well as more information about those behind it.”
A signal of this campaign’s level of sophistication and apparent intent to harvest credentials is the ability to mimic the look and feel of the sites being spoofed. Of the domains found to date, many appear to target job seekers and individuals interested in online dating. There is enough traffic to these sites to warrant further investigation into whether people are submitting their personally identifiable information and unknowingly turning over their credentials to threat actors.
While the DomainTools research team continues to investigate the intent of this campaign and potentially the actor or group behind it, here are some recommendations for organizations and consumers facing the pervasive issue of website spoofing:
For organizations:
For consumers:
Given the scope of this campaign, a significant amount of new data is still expected to come to light over the coming months. To remain current on new developments in this investigation, monitor for updates on the DomainTools blog.
About DomainTools
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at http://www.domaintools.com or follow us on Twitter: @domaintools.