Effective URL: https://threatpost.com/ecommerce-bots-domain-registration-account-fraud/177305/

InfoSec Insider


THREAT ADVISORY: E-COMMERCE BOTS USE DOMAIN REGISTRATION SERVICES FOR MASS
ACCOUNT FRAUD

Jason Kent
December 29, 2021 2:13 pm
Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping
bot tactics (i.e., domain parking) seen in a mass campaign, and what retail
security teams can do about them.

While researching a recent large-scale bot campaign with CQ Prime Threat
Research team lead Dean Lendrum, we found attackers using domain parking and
monetization services to register multiple domains, then creating a large
number of fake eCommerce accounts on each domain.


TL;DR

 * Analysis of shopping-bot campaign data uncovered more than 850,000 fake
   accounts associated with a relatively small number of domains.
 * Clusters and common patterns point to domain-name registration and hosting
   services (such as Namecheap), with their parking, monetization and email
   forwarding features being used to run large-scale shopping-bot campaigns.
 * Retailers should analyze historic data to uncover patterns emanating from
   suspicious domains that share hosting infrastructure. Patterns observed
   include irregular domain names, domains resolving to an untrusted web app,
   and SSL not enabled.
 * Verify email addresses at account creation, or consider multifactor
   authentication (MFA) where possible.


DETAILS

Like it or not, malicious bot managers are business people, and they are always
looking for ways to reduce the cost of their eCommerce bot campaigns. Using
domain parking and monetization services (e.g., Namecheap and ParkingCrew) is
one way they can inexpensively create many fake accounts for use in their
large-scale bot campaigns. Fake accounts associated with the registered domains
come complete with email forwarding enabled. When used in the bot campaign, the
email addresses appear valid to the retailer, but behind the scenes the
forwarding service simply drops the mail.



To demonstrate how easy this is, we established an account for $1.18 in less
than five minutes using Namecheap, one of several registrars that offer domain
parking. Getting started was as simple as depositing funds into a Namecheap
account and using its API to call namecheap.domains.create. We then had a domain
and an associated account with a free VPN and business email for two months,
free email forwarding forever, and SSL as an option at $10 per year.

Shortly thereafter we were able to begin monetizing the new domain via the
Namecheap-ParkingCrew partnership, a common practice for threat actors, as
evidenced by bot forums boasting of the money made from rogue traffic hitting
their parked domains.


ATTACK CHARACTERISTICS OBSERVED

When any one of these domains is investigated on its own, everything appears
normal. But when the bad-acting domains are grouped by the web server A records
and mail-redirect server MX records they share, clusters of behavior begin to
form.

 * 863,874 fake accounts were mapped to 1,810 domains, generating heavy bot
   traffic.
 * Of those 1,810 domains, 440 were mapped to Namecheap and ParkingCrew, and
   only 255 of them had SSL enabled.

The lack of SSL is a strong signal that a domain is suspicious, given that
nearly all legitimate domains will have it enabled. The only reason we can think
of for the missing SSL is cost: it is an added $10 per year, which again fits
the position that the bot operators are looking to reduce costs.

When analyzing suspected fraudulent user accounts and their associated orders,
retail security teams should check whether the web and email traffic for each
account's email domain resolves to legitimate infrastructure, using tools like
mxlookup and dig. If many different domains share the same mail exchange
servers, as shown in image 1, check each domain name and whether it resolves to
a valid web application. Similarly, look for many domains pointing to a single
web server A record and inspect the web application hosted there, taking note
of its content, purpose and security features like SSL.
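The grouping described above, as an added example that is not part of the original article or of Cequence's tooling: it takes account e-mail addresses, the `dig +short` A and MX answers for their domains and a per-domain TLS flag, and reports domains that share a mail exchanger or web server with several other account domains or serve no TLS. Every domain, address, IP and TLS result below is constructed for illustration; in practice the `dig` output and the TLS check come from live lookups, and the `min_cluster` threshold is an assumed starting point.

```python
"""
Cluster suspect account e-mail domains by the A and MX infrastructure they
share. Added example; all domains, IPs and mail hosts are constructed and
are not data from the campaign described in the article.
"""
from collections import Counter, defaultdict

# Constructed `dig +short <domain> A` / `dig +short <domain> MX` output,
# shaped like the article's pattern: throw-away domains parked on one web
# server and forwarding mail through one MX pair, most of them without TLS.
DIG_A = {
    "xq7-deals.example": "203.0.113.10\n",
    "bzk-shop.example":  "203.0.113.10\n",
    "vvt-mart.example":  "203.0.113.10\n",
    "qrr-buy.example":   "203.0.113.10\n",
    "fam-store.example": "198.51.100.7\n",
    "bigmail.example":   "192.0.2.25\n",
}
DIG_MX = {
    "xq7-deals.example": "10 fwd1.mailhost.example.\n20 fwd2.mailhost.example.\n",
    "bzk-shop.example":  "10 fwd1.mailhost.example.\n20 fwd2.mailhost.example.\n",
    "vvt-mart.example":  "10 fwd1.mailhost.example.\n20 fwd2.mailhost.example.\n",
    "qrr-buy.example":   "10 fwd1.mailhost.example.\n",
    "fam-store.example": "10 mail.fam-store.example.\n",
    "bigmail.example":   "5 mx.bigmail.example.\n",
}
# Whether https://<domain>/ served a valid certificate (constructed results).
HAS_TLS = {
    "xq7-deals.example": False, "bzk-shop.example": False, "vvt-mart.example": True,
    "qrr-buy.example": False, "fam-store.example": True, "bigmail.example": True,
}
# Constructed account e-mails, as pulled from a retailer's user table.
SAMPLE_EMAILS = [
    "a8f2@xq7-deals.example", "b91x@xq7-deals.example", "c7q@bzk-shop.example",
    "d0w@bzk-shop.example", "e5e@vvt-mart.example", "f22@qrr-buy.example",
    "g31@qrr-buy.example", "jane@fam-store.example", "sam@bigmail.example",
]


def email_domain(addr: str) -> str:
    """Lower-cased domain part of an address; rejects malformed input."""
    local, sep, dom = addr.strip().rpartition("@")
    if not sep or not local or not dom:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return dom.lower().rstrip(".")


def parse_dig_short(output: str) -> frozenset[str]:
    """Parse `dig +short` output: A answers are bare IPs, MX answers are
    '<preference> <host>.'. Return hosts/IPs without priority or trailing dot."""
    return frozenset(
        line.split()[-1].rstrip(".").lower()
        for line in output.splitlines() if line.strip()
    )


def invert(resolved: dict[str, frozenset[str]]) -> dict[str, set[str]]:
    """Map each record value to the domains using it, keeping only values
    shared by more than one domain. This grouping is what exposes clusters."""
    groups: dict[str, set[str]] = defaultdict(set)
    for dom, values in resolved.items():
        for v in values:
            groups[v].add(dom)
    return {v: d for v, d in groups.items() if len(d) > 1}


def analyze(emails, dig_a=DIG_A, dig_mx=DIG_MX, has_tls=HAS_TLS, min_cluster=3):
    """Return {domain: {"accounts": n, "reasons": [...]}} for every account
    domain whose infrastructure looks like shared campaign tooling."""
    accounts = Counter(email_domain(e) for e in emails)
    a_groups = invert({d: parse_dig_short(dig_a.get(d, "")) for d in accounts})
    mx_groups = invert({d: parse_dig_short(dig_mx.get(d, "")) for d in accounts})
    findings = {}
    for dom, n in accounts.items():
        reasons = []
        mx_peers = max((len(g) for g in mx_groups.values() if dom in g), default=1)
        a_peers = max((len(g) for g in a_groups.values() if dom in g), default=1)
        if mx_peers >= min_cluster:
            reasons.append(f"MX shared with {mx_peers - 1} other account domains")
        if a_peers >= min_cluster:
            reasons.append(f"A record shared with {a_peers - 1} other account domains")
        if not has_tls.get(dom, False):
            reasons.append("no TLS on web host")
        if reasons:
            findings[dom] = {"accounts": n, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for dom, f in sorted(analyze(SAMPLE_EMAILS).items()):
        print(f"{dom}: {f['accounts']} accounts; " + "; ".join(f["reasons"]))
```

Shared MX alone is not proof: every customer of a large hosted-mail provider shares that provider's exchangers, so exclude well-known mail providers before acting on the MX cluster, and weight the A-record cluster and the missing TLS more heavily, as the article's own observations suggest.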


IMPLICATIONS OF MASS SHOPPING BOT CAMPAIGNS

Just as bots-as-a-service has made botting available to the masses, the use of
domain registration and monetization services is another example of the
commercialization of the botting industry. In this case, threat actors can
easily create many thousands of fake accounts for their large-scale bot
campaigns, which in turn affects the entire business: security and fraud teams
are overwhelmed trying to separate legitimate from malicious traffic,
infrastructure costs can spike with the added volume, and sales and marketing
metrics are skewed wildly by the illegitimate traffic.

Jason Kent is Hacker-in-Residence at Cequence Security.
