urlscan.io public scan of threatpost.com (35.173.160.135)
Submitted URL: https://threatpost.com/ecommerce-bots-domain-registration-account-fraud/177305///
Effective URL: https://threatpost.com/ecommerce-bots-domain-registration-account-fraud/177305/
Submission: On January 07 via api from US — Scanned from DE
Text Content
Threatpost
InfoSec Insider

THREAT ADVISORY: E-COMMERCE BOTS USE DOMAIN REGISTRATION SERVICES FOR MASS ACCOUNT FRAUD

Jason Kent, December 29, 2021 2:13 pm, 2:30 minute read

Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them.
While researching a recent large-scale bot campaign with CQ Prime Threat Research team lead Dean Lendrum, we found attackers using domain parking and monetization services to register multiple domains, creating a large number of fake eCommerce accounts per domain.

TL;DR

* Analysis of shopping-bot campaign data uncovered more than 850,000 fake accounts associated with a relatively small number of domains.
* Clusters and common patterns point to domain-name registration and hosting services (like Namecheap), with parking, monetization and email forwarding being used to execute large-scale shopping bot campaigns.
* Retailers should analyze historic data to uncover patterns emanating from suspicious domains that use the same hosting infrastructure. Patterns observed include irregular domain names, domains resolving to an untrusted web app, and SSL not enabled.
* Send email account-creation verification or consider the use of multifactor authentication (MFA) when possible.

DETAILS

Like it or not, malicious bot managers are business people, and they are always looking for ways to reduce the cost of their eCommerce bot campaigns. Using domain parking and monetization services (e.g., Namecheap, ParkingCrew, etc.) is one way they can inexpensively create many fake accounts that they can then use in their large-scale bot campaigns.

Fake accounts associated with the registered domains come complete with email forwarding enabled. When used in the bot campaign, the emails will appear valid to the retailer, but behind the scenes the forwarding service will just drop the mails.

To demonstrate how easy this is to do, we were able to establish an account for $1.18 in less than five minutes using Namecheap, one of several domain parking solutions available. Getting started was as easy as depositing funds into a Namecheap account and using its API to call namecheap.domains.create.
We now had a domain and an associated account with free VPN and business email for two months, free email forwarding forever, and SSL as an option at $10 per year. Shortly thereafter we were able to begin monetizing the new domain via the Namecheap-ParkingCrew partnership, a common practice for threat actors, evidenced by bot forums boasting of the money being made via rogue traffic hitting their parked domains.

ATTACK CHARACTERISTICS OBSERVED

When investigating any of the domains on its own, everything appears to be normal. But when grouping the bad-acting domains by their companion web server A records and mail-redirect server MX records, clusters of behavior begin to form.

* 863,874 fake accounts were mapped to 1,810 domains, generating heavy bot traffic.
* Of those 1,810 domains, 440 were mapped to Namecheap and ParkingCrew, and only 255 of them had SSL enabled.

The lack of SSL is a clear sign that the domain is suspicious, given that nearly all legitimate domains will have it enabled. The only reason we can think of for the lack of SSL is the cost – it's an added $10 per year, going back to the position that the bot operators are looking to reduce costs.

When analyzing suspected fraudulent user accounts and associated orders, retail security teams should investigate whether the email domain's web and mail traffic resolve to legitimate hosts, using tools like mxlookup and dig. If mail exchange servers are common between many different domains, as shown in image 1, check the domain name and see whether it resolves to a valid web application. Similarly, analyze whether many domains are pointing to a single web server A record and check the web application hosted, taking note of content, purpose and security features like SSL.

IMPLICATIONS OF MASS SHOPPING BOT CAMPAIGNS

Just as bots-as-a-service have made botting available to the masses, the use of domain registration and monetization services is another example of the commercialization of the botting industry.
In this example, threat actors are able to easily create many thousands of fake accounts for use in their large-scale bot campaigns, which in turn impacts the entire business. Security and fraud teams are overwhelmed trying to separate legitimate traffic from malicious. In some cases, infrastructure costs will spike due to the increased volume, while sales and marketing metrics are skewed wildly by the illegitimate traffic.

Jason Kent is Hacker-in-Residence at Cequence Security.
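As an added example (not code from the article or from Cequence Security), the infrastructure-clustering check described under Attack Characteristics Observed, applied to a constructed set of DNS answers; the domain names, addresses, MX hosts and account counts are all made up, and in practice would be gathered per domain with dig or mxlookup:

```python
"""Cluster sign-up e-mail domains by shared DNS infrastructure.

Added example, not the article's or Cequence's code. Domains seen on new
accounts are grouped by web-server A record and MX host set; clusters that
share one parking infrastructure and lack SSL are flagged for step-up checks.
"""
from collections import defaultdict

# Constructed sample: domain -> (A record, MX hosts, SSL enabled, accounts seen)
SAMPLE_DNS = {
    "shop-deals-4u.example": ("198.51.100.10", ("mx1.park.example",), False, 1200),
    "x9qk-mail.example":     ("198.51.100.10", ("mx1.park.example",), False, 950),
    "zz-orders77.example":   ("198.51.100.10", ("mx1.park.example",), False, 3100),
    "mybrand-store.example": ("198.51.100.10", ("mx1.park.example",), True, 40),
    "acme-corp.example":     ("203.0.113.5", ("mail.acme-corp.example",), True, 3),
    "bigmail.example":       ("203.0.113.9", ("mx.bigmail.example", "mx2.bigmail.example"), True, 8),
}


def cluster_by_infrastructure(records):
    """Group domains that share both the web A record and the MX host set."""
    clusters = defaultdict(list)
    for domain, (a_record, mx_hosts, _ssl, _accounts) in records.items():
        clusters[(a_record, tuple(sorted(mx_hosts)))].append(domain)
    return dict(clusters)


def suspicious_clusters(records, min_domains=3):
    """Clusters of at least min_domains domains on one A/MX pair, with the
    accounts behind them and the members that have no SSL, largest first."""
    found = []
    for (a_record, mx_hosts), domains in cluster_by_infrastructure(records).items():
        if len(domains) < min_domains:
            continue
        found.append({
            "a_record": a_record,
            "mx_hosts": mx_hosts,
            "domains": sorted(domains),
            "accounts": sum(records[d][3] for d in domains),
            "no_ssl": sorted(d for d in domains if not records[d][2]),
        })
    return sorted(found, key=lambda c: c["accounts"], reverse=True)


def domains_for_step_up(records, min_domains=3):
    """Domains whose sign-ups should get e-mail verification or MFA:
    members of a suspicious cluster that also lack SSL."""
    return {d for c in suspicious_clusters(records, min_domains) for d in c["no_ssl"]}


if __name__ == "__main__":
    for c in suspicious_clusters(SAMPLE_DNS):
        print(f"A {c['a_record']} / MX {','.join(c['mx_hosts'])}: "
              f"{len(c['domains'])} domains, {c['accounts']} accounts, "
              f"{len(c['no_ssl'])} without SSL")
    print("step-up verification for:", sorted(domains_for_step_up(SAMPLE_DNS)))
```

The single legitimate-looking domain in the parked cluster (the one with SSL) is reported but not flagged for step-up, which is the trade-off the article's SSL heuristic implies.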