ImmuniWeb® by High-Tech Bridge


High-Tech Bridge Newsletter

Subscribe to our newsletter and receive some or all of our corporate news, invitations to security events or HTB Security Advisories – you choose what you want to receive.

Cyber squatters and phishers are winning the battle against antivirus companies

December 11, 2013

Nowadays, illegal online activities such as Phishing and Typosquatting are growing at an alarming rate. To understand the issue in detail High-Tech Bridge conducted research into how cyber-fraudsters are abusing domain names that are similar to the legitimate domains of most popular antiviruses:

  • Symantec Antivirus (www.symantec.com)
  • Kaspersky Antivirus (www.kaspersky.com)
  • McAfee Antivirus (www.mcafee.com)
  • Avast! Antivirus (www.avast.com)
  • Bitdefender Antivirus (www.bitdefender.com)
  • Avira Antivirus (www.avira.com)
  • Norton Antivirus (www.norton.com)
  • F-Secure Antivirus (www.f-secure.com)
  • G Data Antivirus (www.gdatasoftware.com)
  • Panda Antivirus (www.pandasecurity.com)

High-Tech Bridge used the ImmuniWeb® Phishing Monitor module of its proprietary web security assessment ImmuniWeb® SaaS (Software-as-a-Service), to analyze 946 domains that may visually look like a legitimate domain (for example replacement of “t” character by “l” character, or mutated domain names such as “kasperski.com” or “mcaffee.com”) or that contain typos (e.g. “symanrec.com” or “dymantec.com”). For the ten antivirus companies, ImmuniWeb detected 385 domains which can be classified by the following categories:

- 164 Fraudulent Domains. Domains registered by third-parties to make money on users erroneously visiting websites hosted on these domains (due to a typo in URL or a phishing campaign) by displaying ads, redirecting users to questionable websites selling illegal or semi-legal products and services, etc. 164 domains were detected (42.5%).

- 107 Corporate Domains. Domains registered by the antivirus companies to prevent potential Typosquatting and illegal usage of these domains. 107 domains were detected (27.7%).

- 73 Squatted Domains. Domains registered by cyber-squatters in the hope that the antivirus companies or third-parties will buy the domains at some point in the future. Websites on these domains are not active. 73 domains were detected (18.9%).

- 41 Other Domains. Domains registered by third-party businesses or companies that may have a legitimate reason to register the domain (e.g. similar Trade Mark or company name) without intention to spoof the identity or to benefit from user typos. 41 domains were detected (10.6%).

Detailed statistics are provided in the table below:

Domain nameFraudulent domainsCorporate domainsSquatted domainsOther domains
www.symantec.com355112
www.kaspersky.com1346170
www.mcafee.com74051
www.avast.com2501011
www.bitdefender.com22332
www.avira.com1901212
www.norton.com29239
www.f-secure.com3453
www.gdatasoftware.com1100
www.pandasecurity.com10672

Corporations, governments and law-enforcement agencies go to great lengths to prevent abusive or illegal domain name registration and usage. However, our research revealed that the average age of a fraudulent domain is as high as 1181 days, and the average age of a squatted domain is 431 days.

Research results show that some antivirus companies pay attention to such illegal activities and try to prevent them, for example Kaspersky and McAfee purchased more than 70% of the domains that could be potentially used for illegal purposes if registered by third-parties. While others should probably pay more attention to domain squatting, monitor illegal activities and block them.

We also wanted to understand which domain registrars are used by cyber crooks to register fraudulent and squatted domains. The most popular domain registrars for fraudulent or squatted domains are listed in a table below:

Registrar nameNumber of domains
FABULOUS.COM PTY LTD27
GoDaddy.com, LLC25
PDR Ltd. d/b/a PublicDomainRegistry.com24
ENOM, INC18
TUCOWS, INC15
ABOVE.COM PTY LTD13
MONIKER ONLINE SERVICES LLC12
MarkMonitor, INC8
Internet.bs Corp7
NAMEKING.COM, INC6

During the research we also collected statistics about the most popular countries in which to host websites with fraudulent content. The list is provided below:

CountryNumber of hosted websites
United States75
Australia 24
Switzerland19
Germany16
United Kingdom8

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments on the research: "Our research clearly demonstrates that cyber criminals do not hesitate to use any opportunity to make money on domain squatting and subsequent illegal practices. There are many ways to make money from these domains: they can be resold at a profit to the legitimate owner of the Trade Mark, used to display annoying ads, redirect users to pornographic or underground pharmaceutical websites, or even to infect with malware user machines who accidentally made a typo in the URL or clicked a phishing URL. The last scenario is the most dangerous, for example a consumer wanting to purchase an antivirus for a new PC who accidentally mistypes the domain name in his browser could find that his machine will be infected by malware turning it into a zombie to perform DDoS attacks or send spam. Sometimes the attacks are so sophisticated that the victim will not even notice anything, as after quick and successful contamination he will be forwarded to the legitimate website. Some websites are just harmless doorways, unless you surf them from an IP address belonging to a specific country and/or your operating system and browser are not up-to-date."

Ilia Kolochenko, High-Tech Bridge CEO, says: "We can see that even such powerful businesses as antivirus companies are falling victim to cyber squatters and fraudsters. Today, not many countries have efficient laws against cyber crime, fraud and Trade Mark abuse. Jurisprudence in this domain is even less developed. Governments in many countries refuse to collaborate in cybercrime investigations. Law enforcement agencies don’t have enough skilled people, budget and experience to counter digital crime. Only by joining the efforts of the private sector, governments and law enforcement agencies can we prevent, or at least minimize, illegal activities in the digital space. I strongly recommend supporting various initiatives of the OTA Alliance and the IMPACT Alliance, as we have been doing at High-Tech Bridge since 2010."

Craig Spiezle, Executive Director and President of Online Trust Alliance (OTA), adds: "Brand jacking, cyber-squatting and phishing email continue to target consumer and tarnish the reputation of legitimate brands, sites and mobile applications. This underscores the importance of brands taking proactive measures to fight these threats and for the ecosystem to work together."

The full list of 385 domains [live on 08/12/2013] detected during the research can be found here.