
Threat Advisory: E-commerce Bots Use Domain Registration Services for Mass Account Fraud – Threatpost

Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them.
While researching a recent large-scale bot campaign with Dean Lendrum, team lead of the CQ Prime Threat Research team, we found attackers using domain parking and monetization services to register many domains and then create a large number of fake e-commerce accounts on each one.
Like it or not, malicious bot operators are business people, and they are always looking for ways to reduce the cost of their e-commerce bot campaigns. Registrars and domain parking/monetization services (e.g., Namecheap, ParkingCrew) are one inexpensive way to create many fake accounts for use in large-scale bot campaigns. Each registered domain comes with email forwarding enabled, so the fake accounts tied to it have addresses that look deliverable to the retailer; behind the scenes, the forwarding service simply drops the mail.
To demonstrate how easy this is, we registered a domain for $1.18 in under five minutes using Namecheap, one of several registrars that offers domain parking. Getting started was as simple as depositing funds into a Namecheap account and calling namecheap.domains.create through its API. That gave us a domain and an account with two months of free VPN and business email, free email forwarding for the life of the domain, and a TLS (SSL) certificate as a $10-per-year option.
Shortly thereafter we were able to begin monetizing the new domain via the Namecheap-ParkingCrew partnership. This is common practice for threat actors, as evidenced by bot forums boasting about the money made from rogue traffic hitting their parked domains.
Examined individually, each of the domains appears normal. But when the bad-acting domains are grouped by their companion web server (A record) and mail-redirect server (MX record), clusters of shared behavior begin to form.
The lack of a TLS (SSL) certificate is a further sign that a domain is suspicious, given that nearly all legitimate e-commerce-facing domains serve HTTPS. The only reason we can think of for omitting it is cost: it is an extra $10 per year, which fits the pattern of bot operators minimizing spend. Treat it as one signal rather than proof, since a cheap or newly registered legitimate domain can also lack HTTPS.
When analyzing suspected fraudulent user accounts and their orders, retail security teams should check whether the email domain's web and mail records resolve to legitimate infrastructure, using tools such as an MX lookup service or dig. If the same mail exchange servers are shared by many different domains, as shown in image 1, look up each domain name and see whether it hosts a valid web application. Similarly, look for many domains pointing to a single web server A record and inspect the application hosted there, taking note of its content, purpose and security features such as HTTPS.
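The grouping described above, written out as an added example (this is not Cequence's tooling, and every domain, hostname and IP address in it is made up). It takes a table of resolver answers for the email domains seen on suspect accounts, normalizes the MX host lists so that domains on the same forwarding service compare equal, clusters by MX set and by web-server A record, and reports which domains share infrastructure with at least MIN_CLUSTER others, alongside whether the web host serves HTTPS at all. The table is constructed inline so the script runs offline; in practice you would fill it from `dig +short MX <domain>` and `dig +short A <domain>` (or an MX lookup service) plus a quick HTTPS probe.

```python
"""Cluster suspect e-mail domains by shared mail (MX) and web (A) infrastructure.

Added example, not Cequence's tooling. It runs offline on a constructed table
of resolver answers; in practice you would fill RECORDS from
`dig +short MX <domain>` and `dig +short A <domain>` (or an MX lookup tool)
plus an HTTPS probe. Every domain, hostname and IP below is made up.
"""
from collections import defaultdict

MIN_CLUSTER = 3  # flag infrastructure shared by at least this many domains

# Constructed resolver output: domain -> (A records, MX hosts, serves HTTPS?)
RECORDS = {
    "quickdeals-mail.example":    (["203.0.113.10"], ["mx1.parking.example.", "mx2.parking.example."], False),
    "bestoffers-now.example":     (["203.0.113.10"], ["mx1.parking.example.", "mx2.parking.example."], False),
    "sneakerdrop-alerts.example": (["203.0.113.10"], ["MX2.parking.example.", "mx1.parking.example."], False),
    "holiday-giftbox.example":    (["203.0.113.11"], ["mx2.parking.example.", "mx1.parking.example."], False),
    "shopperclub.example":        (["198.51.100.5"], ["mail.shopperclub.example."], True),
    "bigretailer.example":        (["198.51.100.20", "198.51.100.21"], ["aspmx.mailhost.example."], True),
}


def mx_key(mx_hosts):
    """Normalize an MX host list (case, trailing dot, order) so that domains
    pointing at the same forwarding service compare equal."""
    return tuple(sorted(h.lower().rstrip(".") for h in mx_hosts))


def clusters(records, min_size=MIN_CLUSTER):
    """Group domains by MX set and by web-server A record.

    Returns {"mx": {mx_key: [domains]}, "a": {ip: [domains]}}, keeping only
    groups of at least min_size domains.
    """
    by_mx, by_a = defaultdict(set), defaultdict(set)
    for domain, (a_records, mx_hosts, _https) in records.items():
        by_mx[mx_key(mx_hosts)].add(domain)
        for ip in a_records:  # a domain with several A records joins each group
            by_a[ip].add(domain)

    def keep(groups):
        return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

    return {"mx": keep(by_mx), "a": keep(by_a)}


def suspicious_domains(records, min_size=MIN_CLUSTER):
    """Domains that share mail or web infrastructure with enough others to
    form a cluster, annotated with what they share and with the cheap tell
    from the article: whether the web host serves HTTPS at all."""
    found = clusters(records, min_size)
    report = {}

    def entry(domain):
        return report.setdefault(
            domain, {"shared_mx": None, "shared_a": [], "https": records[domain][2]}
        )

    for key, domains in found["mx"].items():
        for d in domains:
            entry(d)["shared_mx"] = key
    for ip, domains in found["a"].items():
        for d in domains:
            entry(d)["shared_a"].append(ip)
    return report


if __name__ == "__main__":
    for domain, info in sorted(suspicious_domains(RECORDS).items()):
        https = "yes" if info["https"] else "NO"
        print(f"{domain:28} https={https:3} mx={info['shared_mx']} a={info['shared_a']}")
```

With the constructed data, the four parked domains cluster on the shared forwarding MX pair, three of them also share one A record, and none serves HTTPS, while the two legitimate-looking domains fall outside every cluster. Keep the HTTPS column as corroboration rather than a verdict; the shared-infrastructure clusters are the stronger signal.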
Just as bots-as-a-service has made botting available to the masses, the use of domain registration and monetization services is another example of the commercialization of the botting industry. Here, threat actors can easily create many thousands of fake accounts for their large-scale bot campaigns, which in turn affects the entire business: security and fraud teams are overwhelmed trying to separate legitimate traffic from malicious, infrastructure costs can spike with the added volume, and sales and marketing metrics are skewed wildly by the illegitimate traffic.
Jason Kent is Hacker-in-Residence at Cequence Security.
