Researchers from Finjan Inc.'s Malicious Code Research Center (MCRC) say hackers are using a loophole in the domain name registration process to circumvent Web site blockers and prolong the duration of their attacks.
Hackers are buying domain names made to look as though they belong to legitimate companies but contain hard-to-notice spelling errors. Users who miss the misspellings could find themselves on a Web page designed to infect their machines with malware, Finjan CTO Yuval Ben-Itzhak said in an interview Thursday. The MCRC came across the trick in October when searching for popular services with a slight change of the top-level domain.
Such spoofing tactics are popular among phishers, and the increased abuse of domain names led to the creation of an organization to fight it earlier this year.
In one case, the researchers found a site taking advantage of a domain name similar to a legitimate popular service, laced with malicious code designed to download and execute a Trojan on the victim's machine. The malicious code itself is located on the abused domain name, Ben-Itzhak noted. The malicious site was still active as of Oct. 28, he said.
"IT departments are blocking specific domain names for whatever reason and hackers realize that if they keep putting malware on low-reputation sites the chances are greater that they will be blocked," he said. "As a result, they're stepping up efforts to go after respected and trusted servers, domains and IP addresses."
Because domain registration is not adequately policed or scrutinized, he said, attackers can stand up a malicious Web site under any domain name they like, provided it isn't already taken. Finjan's research indicates that criminals have exploited this so-called loophole to create "copycat" sites intended to host Web-based attacks.
He noted that URL classification and reputation services can block requests to URLs or domains known to be malicious regardless of the content on the page. But the effectiveness of such blocking depends on maintaining an up-to-date list of sites, and because of the rapid growth and volume of malware hosted online, gathering that data as quickly as malicious domains appear (and disappear) on the Web is almost impossible.
"As web site content is becoming more volatile and domain names can be set up for brief periods of time, keeping track of malicious content on the Web is becoming ever more difficult, and when attacks involve a domain name that is strikingly similar in spelling to the domains of legitimate sites and hosted on trusted IP addresses, this enables the bad guys to go unnoticed by most Webmasters," Ben-Itzhak added.
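The lookalike-domain trick Ben-Itzhak describes can be caught without waiting for the domain to land on a blocklist: compare every requested domain against the spelling of the brands you care about. The script below is an added example, not Finjan's code or any product's logic; the protected-brand list, the confusable-character table, the sample proxy log lines and the `classify`/`flag_requests` helpers are all assumptions constructed for illustration. It generates the common typosquat forms (character omission, adjacent transposition, look-alike substitution, top-level-domain swap) and, going beyond that fixed table, also flags any domain within edit distance 1 of a protected brand, so an insertion such as `gooogle.com` is caught too.

```python
"""Lookalike-domain detector: added example, not Finjan's code or tooling."""
from urllib.parse import urlsplit

# Constructed list of brands to protect (assumption: the enterprise maintains this itself).
PROTECTED = {"paypal.com", "google.com", "microsoft.com"}

# Characters easily confused at a glance. Deliberately small; an assumed table, not a standard.
CONFUSABLES = {
    "l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "0": ("o",),
    "e": ("3",), "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",),
}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2007-10-28T10:02:11 10.0.0.5 GET http://www.paypal.com/login 200",
    "2007-10-28T10:02:15 10.0.0.5 GET http://paypa1.com/login.php 200",
    "2007-10-28T10:03:40 10.0.0.9 GET http://www.google.cm/ 200",
    "2007-10-28T10:04:02 10.0.0.9 GET http://rnicrosoft.com/update.exe 200",
    "2007-10-28T10:05:17 10.0.0.7 GET http://example.org/ 200",
]


def registrable(url_or_host):
    """Reduce a URL or bare hostname to '<label>.<tld>'. Naive on purpose: it has no
    public-suffix list, so 'bank.co.uk' would come back as 'co.uk' (a known limitation)."""
    ref = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(ref).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def typo_variants(domain):
    """All single-step typosquat spellings of a protected domain."""
    name, _, tld = domain.rpartition(".")
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:] + "." + tld)                       # omission: gogle.com
        if i + 1 < len(name):                                              # transposition: googel.com
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:] + "." + tld)
        for sub in CONFUSABLES.get(ch, ()):                                # substitution: g0ogle.com, rnicrosoft.com
            out.add(name[:i] + sub + name[i + 1:] + "." + tld)
    for other in ("net", "org", "co", "cm", "om"):                         # TLD swap: google.cm
        if other != tld:
            out.add(name + "." + other)
    out.discard(domain)
    return out


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand): 'legit' for an exact protected domain, 'lookalike' when the
    domain is in a brand's typo set or within edit distance 1 of a brand label, else 'unknown'."""
    d = registrable(url)
    if d in PROTECTED:
        return "legit", d
    label = d.rpartition(".")[0]
    for brand in sorted(PROTECTED):
        brand_label = brand.rpartition(".")[0]
        if d in typo_variants(brand):
            return "lookalike", brand
        # Distance-1 check only for labels long enough that one edit is unlikely to be coincidence.
        if len(brand_label) >= 5 and levenshtein(label, brand_label) <= 1:
            return "lookalike", brand
    return "unknown", None


def flag_requests(log_lines):
    """Run the classifier over proxy log lines; return (url, brand) for every lookalike hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict, brand = classify(fields[3])
        if verdict == "lookalike":
            hits.append((fields[3], brand))
    return hits


if __name__ == "__main__":
    for url, brand in flag_requests(SAMPLE_PROXY_LOG):
        print(f"LOOKALIKE {url} (imitates {brand})")
```

A "lookalike" verdict is a reason to inspect the fetched content, not by itself a reason to block: distance-1 matching will also flag legitimate domains that happen to sit one character from a protected brand, and the naive `registrable()` misparses multi-label suffixes. Its value is that it needs no prior sighting of the abusive domain, which is exactly the gap a reputation list leaves open.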
To protect users from such tactics, he urged businesses to adopt real-time inspection tools that analyze each piece of Web content regardless of its URL or IP address.
"If you base security on white and black lists you will fail," he said. "You need a layer that in real-time can spot sinister activity -- real-time scanning of Web content about to enter your enterprise."
While Finjan has identified a new variation of domain name abuse, the tactic is not necessarily new. Spoofing trusted brands and Web sites has long been a staple in phishing attacks. In fact, a new organization called the Coalition Against Domain Name Abuse (CADNA) was formed earlier this year partly in response to the threat.
CADNA members, some of whom have fallen victim to domain name fraud, include American International Group, Inc, Bacardi & Company Limited, Dell Inc., Hilton Hotels Corp., Marriott International, Inc., Verizon Communications Inc., Wyndham Worldwide Corp. and Yahoo! Inc.