Recently introduced TLDs create new opportunities for criminals

Earlier this year, the Internet Corporation for Assigned Names and Numbers (ICANN) released over 300 top-level domains (TLDs), and more are coming.

The TLDs are supposed to be a way to focus the Internet. In reality, they’ve become a boon for registrars who use them as an up sell when someone purchases a domain. Moreover, they’ve become a goldmine for criminals, who can often bypass network defenses guarding against phishing and C&C communications by using a domain that’s outside of the norm.

According to researchers at Malwarebytes, many of the newly released TLDs have been linked to various malicious activities on the Web in the last 60-days, including malware propagation and phishing.

Some of the TLDs that were singled out include .pictures, .club, .xyz, .email, .company, .directory, .support, and .consulting.

Salted Hash did some digging. In many cases, while these TLDs are registered, they actually forward the visitor to the organization’s primary domain. Others have basic site designs, such as a single page business portal or outdated CMS installations.

When Malwarebytes examined their collection of malicious TLDs, they discovered that many of them were properly registered. However, the web servers they’re pointed at were compromised.

Many of the compromised servers were being used to propagate the Angler Exploit Kit. The Angler kit targets vulnerable Internet Explorer browsers, Java installations, and Adobe products. It’s also known to attempt an infection without writing the malware to the system’s drive, leaving the code running in memory.

Angler mostly installs Zeus-based malware, targeting authentication credentials and financial data. At the same time, it’s able to deliver any payload available depending on the campaign. Earlier this year, it was linked to a massive phishing campaign, which compromised more than 46,000 systems.

Just last week, Daniel Wesemann at SANS ISC reported that .support was being used in a phishing scam targeting Bank of America customers. In addition to that campaign, Salted Hash has seen .support used in Phishing attacks targeting Chase Bank customers and PayPal users.

In each case, the attack is essentially the same. The email directs the user to follow the link, as there is a problem with their account. However, the emails use a passive voice, avoiding phrasing that’s intended to alarm or frighten. Then again, they don’t need to frighten the mark, because the .support URL included is supposed to look helpful.

The URL in question looks like this:

hxxps://url-bofa.support/BankOfAmerica.Com

“Phishing emails per se are nothing new. But it appears that URLs like the one shown in the phishing email above have a higher success rate with users. I suspect this is due to the fact that the shown URL “looks different”, but actually matches the linked URL, so the old common “wisdom” of hovering the mouse pointer over the link to look for links pointing to odd places won’t help here,” Wesemann wrote.

Making matters worse, the Bank of America Phishing attack was augmented by a legitimate SSL certificate issued by Comodo.

Comodo offers free 90-day trials on their SSL certificates, and each one is trusted by 99-percent of the world’s browsers. So in this case, victims who followed the .support link were presented with all the visual cues needed (when taken at a glance) to believe the scam.

“Addition of SSL to the phish means that another “scam indicator” that we once taught our users is also no longer valid. When a user clicks on the link in the phishing email, the browser will actually show the padlock icon of a secure site,” Wesemann added.

For the record, this isn’t the first time Comodo certificates were used by criminals. In 2009, criminals pushing fake anti-Virus used Comodo certificates almost exclusively.

While the Bank of America phishing attack wasn’t the most complex scam on the Web, it adds another variable to the problem of dealing with socially-based attacks.

Given the sheer volume of new TLDs offered by ICANN these days, criminals have a massive attack surface to exploit. This leaves defenders with little choice but to play catch-up and revamp their awareness initiatives.

In the meantime, if .support is a TLD that your organization never plans to support or implement, it might be wise to sinkhole the domain (and others like it) on your network and deny all traffic.