Don’t be duped by fake domains this Cyber Monday

At IronNet, Cyber Monday is about much more than just shopping online — it’s the perfect time for some important cybersecurity reminders. That’s why we want to share some of our recent threat intelligence that may have a direct impact on you during the height of the holiday shopping season. 

Although calls to action to be vigilant against email and online scams have been sounded all year in response to heightened hacker activity during the COVID-19 months, we don’t want to silence the drumbeat. The scammers are out there, and they are waiting to pounce on Cyber Monday by using common techniques to steal your personal data or money. 

IronNet cyber analysts use behavioral analytics to spot out-of-the-ordinary activity on networks, detect suspicious and malicious behavior (such as fake website domain names), and act fast to stop it.

Our threat intelligence from the past few months can give you better insight into how easily hackers can launch phishing campaigns. We hope that knowing what’s been out there recently can help you protect yourself from fake websites, allowing you to enjoy the shopping season with confidence:

  • accessbny[.]com
    Deemed malicious, this is a phishing site imitating a Bank of New York login portal. The site appears to be targeting customers’ user credentials.
  • paypal-debit[.]com
    This suspicious domain is related to credit card skimming activity and could lead to the loss of personally identifiable information (PII).
  • bestbuystoreapple[.]com
    Although this site claims to sell Apple products, it has no association with Apple Inc. and is likely a scam website selling fake products. Open source threat intelligence tools also associate this domain with suspicious activity.
  • my-account-amazon[.]com
    This was a suspicious phishing page (now down), but be mindful of how egregiously fake sites try to mimic legitimate ones (often by changing a single letter or character).
  • Ecandles[.]xyz
    This suspicious domain appears to be an online shopping site, but it is unclear whether the merchant is legitimate. The site collects personally identifiable information (PII). We have marked this activity as suspicious and recommend blocking the domain because there is little information indicating it is a legitimate merchant site.
  • kmart-com[.]com
    This suspicious domain appears to be a spam domain used for click revenue generation.
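Two patterns account for most of the domains above: a brand name embedded in a longer label (my-account-amazon, paypal-debit) and a label one character away from the real one. The Python below is an added example, not IronNet code and not how IronNet's analytics work; it triages defanged indicators against a constructed watch list of brand domains and explains why each one was flagged.

```python
from typing import Optional

# Brand domains to protect (constructed for this example; not an IronNet list).
PROTECTED = {
    "bny.com": "bny", "paypal.com": "paypal", "bestbuy.com": "bestbuy",
    "apple.com": "apple", "amazon.com": "amazon", "kmart.com": "kmart",
}

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'paypal-debit[.]com' back into 'paypal-debit.com'."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches single-character swaps such as 'amaz0n'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(domain: str) -> Optional[str]:
    """Return why a domain resembles a protected brand, or None if it does not."""
    d = refang(domain)
    if d in PROTECTED:
        return None  # the genuine domain itself
    # Registrable label, e.g. 'my-account-amazon' from 'my-account-amazon.com'
    registrable = d.split(".")[-2] if "." in d else d
    for legit, brand in PROTECTED.items():
        legit_label = legit.split(".")[0]
        # 1. Brand name embedded in a longer label (hyphens ignored)
        if brand in registrable.replace("-", "") and registrable != legit_label:
            return f"embeds brand '{brand}' ({legit})"
        # 2. One edit away from the legitimate label (typosquat)
        if levenshtein(registrable, legit_label) <= 1:
            return f"within 1 edit of '{legit_label}' ({legit})"
    return None

def triage(domains: list) -> dict:
    """Map each flagged domain to its reason; unflagged domains are omitted."""
    flagged = {}
    for d in domains:
        reason = lookalike_reason(d)
        if reason:
            flagged[d] = reason
    return flagged
```

Unflagged domains such as Ecandles[.]xyz still need the kind of manual review described above; resemblance to a brand is only one signal.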

Blogging safely this holiday season

Are you big on blogging about cooking, shopping wins, family traditions, or coping with COVID-19 during the holidays? It's worth noting that over recent months hackers have been targeting vulnerable WordPress sites. Many companies use WordPress as their preferred content management system, and it's a go-to for bloggers as well.

On October 24, 2020, one IronNet behavioral analytic alerted on the domain polobear[.]shop. IronNet's team investigated the domain and identified several tell-tale signs of a command and control (C2) system that was actively registering geographically identified IP addresses. Files hosted on the C2 domain revealed several techniques of JavaScript injection and fictitious CSS file injection targeting vulnerable WordPress sites, with the goal of compromising endpoints for potential PII harvesting.

Be aware of malicious software, too

We also routinely monitor research distributed by the wider cybersecurity community and ensure threat rules are created for documented indicators. For example, an instance of malicious software targeting Mac users was recently identified by cybersecurity researcher Patrick Wardle. In a blog post, Wardle described a piece of malware that appears to have been legitimately “notarized” by Apple.

Apple introduced the notarization process with the release of macOS Catalina in late 2019; it requires software developers to submit applications to Apple for review and approval prior to distribution, and a notarized application is trusted by the operating system. This incident calls into question the security of the notarization process itself. This particular payload was observed delivering the Shlayer malware, which in turn installs various macOS adware.

And, as always, think before you click! If you receive an email offer that sounds too good to be true, it probably is. Finally, beware of malicious text messages: if you don't know the sender, don't click the link.

See our November Threat Intelligence Report for the latest updates from IronNet or feel free to subscribe to our blog.

*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by IronNet. Read the original post at: