Taking down obviously malicious domains can be an arduous process, even when those sites are spoofing one of the most well-known brands in America.
Two domains that spoofed retailer Best Buy remain online, despite repeated attempts to report the sites to their e-commerce hosting providers. The domain spoofing was first discovered by researchers at Segasec, an Israeli cybersecurity startup that tracked the emergence of phishing sites and malicious domains prior to busy U.S. shopping periods around Mother's Day and Memorial Day.
Segasec said it found 160 new domains related to three brands -- Walmart, Wayfair and Best Buy -- that its researchers deemed "highly suspicious." The company provided sample data to SearchSecurity, which included eight suspicious domains and details about their registrars, hosts, certificates and more.
At last check with Segasec earlier this month, all of the domains had been taken down except two: Bestbuyus.org and Bestbuy-us.com. Despite using both the name and corporate logo of one of the largest and most well-known retailers in the U.S., the domains remain active. Both sites also use HTTPS and are hosted by legitimate e-commerce service providers, including one of the most popular platforms in the market -- Shopify.
Segasec said its research showed how easy it is for threat actors to capitalize on high-volume shopping periods through domain spoofing. But these sites also show how phishers and scammers use many enterprise services that help disguise the sites as legitimate destinations instead of fraudulent domains -- and how difficult it can be to get those domains taken down.
Abusing e-commerce platforms
Shopify, Inc., headquartered in Ottawa, is a major e-commerce service provider whose platform allows merchants to build and host online stores for as little as $29 per month. GearLaunch, an e-commerce startup based in San Francisco, offers similar services for undisclosed prices, though the company has also integrated with Shopify's services.
Segasec's research claims Bestbuy-us.com is "very likely to be a live attack" that uses the Best Buy name and corporate logos to trick unsuspecting visitors into making fraudulent purchases or submitting their personal and financial data. The site says it's "Powered by Shopify," and according to WHOIS data from AbuseIPDB, the site's IP address belongs to the e-commerce company. AbuseIPDB also shows the IP address has been reported for abuse more than 130 times since December 2017, including a dozen times since June for fraudulent orders and spam.
"We have seen similar sites which are not necessarily phishing but are scams, which use the Shopify platform," Segasec CEO Elad Schulman said. "We were not in touch with them around this site or any other sites in the past so we cannot say how they have or would react to such cases."
Bestbuyus.org also uses the Best Buy name and corporate logo, though Segasec said the site appears to be a shopping scam rather than a potential phishing domain. The site, which is also still active, says it's "Powered by GearLaunch" but it's unclear if the site actually uses the e-commerce platform; Bestbuyus.org's purchasing and shopping cart interfaces appear to be similar to those of GearLaunch-powered sites. AbuseIPDB and Segasec both list Google as the hosting provider (GearLaunch uses Google Cloud Platform), with a domain certificate provided by Let's Encrypt. According to AbuseIPDB, Bestbuyus.org's IP address was flagged for abuse four times during a three-week span in late May and mid-June.
While Shopify has a site for reporting abuse of the platform, GearLaunch does not and instead asks customers to email its legal department.
UPDATE 1: Following publication of this article, GearLaunch CEO Thatcher Spring contacted SearchSecurity and said the Bestbuyus.org site was completely disabled on July 12 and that all pages of the site were removed. However, several portions of the site still appeared to be active, including the GearLaunch shopping cart and track order pages, which Spring said "seems to be a bug which will need to be fixed."
UPDATE 2: Bestbuyus.org was completely removed from GearLaunch's platform on July 19.
Segasec CEO Elad Schulman said his company has seen other malicious domains that use platforms like Shopify to create fraudulent sites for either phishing campaigns or shopping scams.
Magni Sigurdsson, senior threat researcher at SaaS security provider Cyren, said his team has also seen a lot of spoofed domains that use e-commerce platforms like Shopify and GearLaunch to appear as legitimate sites and avoid IP address blacklists.
"That's very common," he said.
Best Buy has not responded to repeated requests for comment about the malicious domains.
Trial and error
Domain registrars have long been criticized by security professionals for their lax controls around selling domains that are obviously suspicious. But threat actors have also taken advantage of the simple and inexpensive services offered by companies like Shopify and GearLaunch. For example, last year My Pillow Inc. filed a lawsuit against Shopify for hosting a fraudulent domain -- mypillowstore.com -- that featured a near-identical version of the company's website.
According to the lawsuit, unnamed threat actors ("John Does 1-10") created the fraudulent website "as a means to steal credit card and other personal information from unwitting consumers." My Pillow described a series of events that were repeated over more than a week: The company would contact Shopify about the fake site, Shopify would send a trademark infringement notice to the "merchant," Mypillowstore.com would remove the company's name and logo for a brief time but would eventually resume using the trademarked material.
My Pillow claimed that because Shopify wouldn't simply delete the site, the e-commerce company "aided and abetted the violations of plaintiff's MY PILLOW intellectual property rights" and allowed the threat actors to continue to abuse the platform.
"Shopify clearly will not stop its unlawful conduct and will not terminate DOES 1-10's user account for www.mypillowstore.com unless enjoined by the Court," the complaint stated. (The mypillowstore.com domain is down as of press time.)
A similar version of events appeared to play out with the Bestbuy-us.com domain. SearchSecurity contacted Shopify on July 1 about the domain and Segasec's research. While the company did not reply, SearchSecurity observed that several days later, the "Best Buy" name and logos on the domain were removed and replaced with "___-US," as seen in the following screenshot.
However, the Best Buy name and corporate logos reappeared on the site last week. SearchSecurity contacted Shopify again, and the company responded with a statement on July 12 that included links to its policies.
"Shopify believes in making commerce better for everyone, and we take concerns around the protection of intellectual property seriously," a Shopify spokesperson said. "We take action on notices of intellectual property infringement to remove, disable access to material, or terminate an account when it violates our policies. Our Copyright Policy is available here and our Trademark Policy is available here."
The company declined to comment on the changes made to Bestbuy-us.com. The company also declined to explain why it hasn't deleted the account after repeated offenses. As of the time of this post, the Bestbuy-us.com domain was still active on Shopify, without the Best Buy name and logos.
GearLaunch, meanwhile, did not respond to repeated requests for comment. The Bestbuyus.org domain is still live, though several portions of the site, including the home page, now say "Sorry, this page is not available." It's unclear if the recent changes to the domain were the result of GearLaunch taking action against the account.
Like Shopify, GearLaunch has faced similar legal action from organizations such as Harley-Davidson and Duke University, alleging that the e-commerce provider allowed users to create fraudulent sites and offer counterfeit merchandise. But malicious domains can cost organizations more than a few thousand dollars through counterfeit merchandise or lost sales. Recently, British Airways was hit with a record GDPR fine of nearly $230 million for an incident where threat actors redirected visitors from the company's real website to a fake domain that tricked customers into giving their personal and financial data.
Removing malicious domains
Segasec didn't publish an official report about the domain spoofing and declined to share the full list of websites with SearchSecurity. In its research pitch, the company said it "has not notified the companies about its findings, meaning customers could still be at risk."
Schulman explained Segasec didn't contact Best Buy or other affected companies because they weren't clients; the company did, however, reach out to third-party hosting providers and certificate authorities about the suspicious domains. Some of the domains were taken down more quickly than others; for example, Schulman said Cloudflare, which was used by some of the sites for hosting and certificates, was "very responsive" to reported issues.
However, Schulman said Segasec didn't reach out to either Shopify or GearLaunch. "We were not in touch with them around these sites or any other sites in the past so we cannot say how they have or would react to such cases," he said.
Schulman said it's common to see suspicious domains with HTTPS provided by major certificate authorities (CAs) despite the fact that the sites are using well-known corporate brand names; using HTTPS gives malicious domains the appearance of legitimacy.
"The majority of the domains do use certificates for HTTPS, and usually it's Let's Encrypt or other free certificate providers," he said. "Sometimes they'll go the extra mile with paid certificates or get extended validation certificates."
Other security vendors have noted the increased usage of certificates for malicious domains. According to Proofpoint's 2019 Domain Fraud Report, registration of malicious domains increased 11% last year, and one out of four of those domains had valid SSL certificates. In its Quarterly Threat Report for Q1 2019, the vendor noted that more than three times as many fraudulent domains had SSL certificates in the quarter than legitimate domains.
Schulman said he believes Let's Encrypt and other providers of free SSL certificates are a positive force for security, but he said all CAs need more processes to review certificate applications and prevent abuse.
Schulman also said the approach of purchasing domains that could be used in domain spoofing and phishing is no longer viable; there are simply too many legitimate platforms that threat actors can use to host their malicious domains, and too many ways to create look-alike URLs that fool users.
"There are an infinite number of domains out there that look similar to legitimate domains," he said. "Buying up domains so scammers don't get them is not a viable strategy. A brand can't invest hundreds of thousands of dollars buying and keeping all of these domains."
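Since buying up every look-alike domain is not workable, the practical defender-side alternative is to monitor newly observed domains (from certificate transparency logs, DNS telemetry or proxy logs) and flag the ones that carry or closely resemble a protected brand. The following is an added example, not code from the article, Segasec or any vendor it quotes. It assumes a simple heuristic of the author's own devising: a domain is flagged when its registrable label contains the brand token or sits within a small edit distance of it, with a known-good allowlist exempting the brand's real domains. The sample domains are the ones named in the article plus a few constructed ordinary ones; the second-level-label extraction is deliberately naive (a real deployment would use a public-suffix list).

```python
"""Flag look-alike domains for a protected brand.

Added example (not from the article or from Segasec). Heuristics are the
author's own assumption: brand containment in the registrable label, or a
small Levenshtein distance from the brand token, after stripping separators
and digits that are commonly used as padding ('bestbuy-us' -> 'bestbuyus').
"""
from __future__ import annotations

import re

# Constructed sample: the look-alikes named in the article plus ordinary domains.
SAMPLE_DOMAINS = [
    "bestbuyus.org",
    "bestbuy-us.com",
    "mypillowstore.com",
    "example.com",
    "bestbuy.com",
    "mypillow.com",
    "shopify.com",
]


def registrable_label(domain: str) -> str:
    """Return the second-level label, lowercased ('www.bestbuy-us.com' -> 'bestbuy-us').

    Naive by design (assumption): treats the label before the last dot as the
    registrable one; use a public-suffix list for 'co.uk'-style TLDs.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Drop separators and digits so 'best-buy_2' and 'bestbuy' compare equal."""
    return re.sub(r"[-_.0-9]", "", label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str, allowlist: set[str], max_distance: int = 2) -> str:
    """Return 'legitimate', 'brand-in-label', 'near-miss' or 'unrelated'."""
    if domain.lower() in allowlist:
        return "legitimate"
    label = normalize(registrable_label(domain))
    token = normalize(brand)
    if token in label:
        return "brand-in-label"       # e.g. bestbuyus.org, bestbuy-us.com
    if edit_distance(label, token) <= max_distance:
        return "near-miss"            # one or two characters off the brand
    return "unrelated"


def flag_lookalikes(domains, brand: str, allowlist: set[str], max_distance: int = 2) -> dict:
    """Return only the domains that need a takedown or abuse report, with their verdict."""
    verdicts = {d: classify(d, brand, allowlist, max_distance) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in ("legitimate", "unrelated")}


if __name__ == "__main__":
    for domain, verdict in flag_lookalikes(SAMPLE_DOMAINS, "bestbuy", {"bestbuy.com"}).items():
        print(f"{domain:20s} {verdict}")
```

Feeding this the article's two surviving domains with the brand token `bestbuy` flags both as `brand-in-label`, while `bestbuy.com` is exempted by the allowlist and unrelated domains are dropped. The output is a work queue for the abuse-report process the article describes (registrar, host, CA), not a blocklist on its own: a containment hit is strong evidence, but a near-miss verdict should be reviewed by a person before anything is reported.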