Real-World Example: The (really good) bad guys always seem to be one step ahead.

Darkscope recently onboarded a client whose business is online shopping. Their challenge is that scammers use copycat pages to lure the client's customers to fake websites and steal their login details, private and personal information or credit card details.

It might seem that looking for fake or copycat domains is an easy task. Unfortunately, it’s more complex than it appears. Scammers are creative and use several methods to hide their activity, and the time it takes to detect the fraud works in their favour.

Here’s how they do it:

  1. The scammer registers a new domain which is close to the original. We have seen domains which use IDN (Internationalized Domain Names), such as myservce.com instead of myservice.com, or just straightforward permutations such as myservice.co, myservices.com, myserv1ce.com and so on.

  2. At this stage, there is nothing the owner of myservice.com can do, as the domain is legitimately registered.

  3. Next, the scammer publishes the copied look-alike content on it.

  4. This is the smart part. We have seen domain permutations which use geo-location identification to show different content based on where the visitor comes from. If the visitor comes from within the targeted region or country, they are presented with the fake copycat content. When the visitor is from another part of the world, they see a different, innocuous page. Some scammers even go one step further and use browser detection to filter out common bots and crawlers.

  5. Once the scammer has collected enough personal information or card details, or gets detected, the page is moved to a different domain and the ‘game’ starts again.


Here’s the timeline from one real-world example we have detected.

  • Domain registration 17/10/2020 11:32 PM

  • Domain update (copycat content) 18/10/2020 8:15 AM

  • Page goes live on 18/10/2020 at 10:12 AM

    • The page had the following active evasion measures:

      • Geo-location identification with active diversion

      • Browser detection to divert bots and web crawlers

  • Our system detected this page at 10:32 AM on 18/10/2020 – 20 minutes after it went live. This was immediately reported to our client via an email alert.


How we help:

Darkscope has developed a service called Domainwatch. This service uses AI and automation to find these domain permutations. In this example, we are scanning 6,230 different domain permutations for this one customer domain. Domainwatch takes screenshots of the pages on the active sites using a Chrome browser. These screenshots are then processed and rated by our AI model to detect similarities to the original page. If the similarity score is above the set threshold, our system sends an alert. The screenshots are stored in a secure environment as evidence, which the customer can check and view via the Darkscope analytics portal.
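To make the permutation idea from step 1 and the Domainwatch scanning paragraph concrete, here is an added example (not Domainwatch code and not part of the original post) that enumerates look-alike candidates for a monitored domain and applies a threshold to similarity scores. It generalises the post's examples into permutation classes: omission (myservce.com), addition (myservices.com), homoglyph substitution (myserv1ce.com), transposition, hyphenation and TLD swap (myservice.co). The homoglyph table, the alternative-TLD list, the 0.8 threshold and the sample similarity scores are all assumptions; a real watch list would be far larger, and the page-similarity model that produces the scores is out of scope here.

```python
"""Enumerate look-alike domain candidates and flag high-similarity hits.

Added illustration, not Darkscope's Domainwatch implementation. The
permutation classes mirror the examples in the post; the substitution
table, TLD list and threshold are assumptions chosen for readability.
"""
import itertools
import string

# Assumed look-alike substitutions (deliberately small, not exhaustive)
HOMOGLYPHS = {
    "i": ["1", "l", "j"],
    "l": ["1", "i"],
    "o": ["0"],
    "e": ["3"],
    "s": ["5"],
    "a": ["4"],
    "v": ["u"],
}

# Assumed alternative TLDs worth watching for a .com brand
ALT_TLDS = ["co", "net", "org", "info", "io", "shop"]


def split_domain(domain):
    """Return (label, tld) for a simple second-level domain such as myservice.com."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def omission(label):
    # Drop one character: myservice -> myservce
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def addition(label):
    # Insert one lowercase letter at any position: myservice -> myservices
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in string.ascii_lowercase}


def homoglyph(label):
    # Replace one character with a look-alike: myservice -> myserv1ce
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def transposition(label):
    # Swap two adjacent characters: myservice -> mysrevice
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def hyphenation(label):
    # Insert a hyphen between two characters: myservice -> my-service
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def tld_swap(label, tld):
    # Same label, different TLD: myservice.com -> myservice.co
    return {f"{label}.{t}" for t in ALT_TLDS if t != tld}


def permutations(domain):
    """Map each permutation class to a sorted list of candidate domains."""
    label, tld = split_domain(domain)
    classes = {
        "omission": omission(label),
        "addition": addition(label),
        "homoglyph": homoglyph(label),
        "transposition": transposition(label),
        "hyphenation": hyphenation(label),
    }
    result = {name: sorted(f"{c}.{tld}" for c in cands if c != label)
              for name, cands in classes.items()}
    result["tld_swap"] = sorted(tld_swap(label, tld))
    return result


def all_candidates(domain):
    """Flat, de-duplicated watch list across all classes."""
    return sorted(set(itertools.chain.from_iterable(permutations(domain).values())))


def alerts(scores, threshold=0.8):
    """Return candidates whose similarity score (assumed in [0, 1]) meets the threshold.

    `scores` maps candidate domain -> score from a page-similarity model,
    which is outside this example; only the alert decision is shown.
    """
    return sorted(d for d, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    perms = permutations("myservice.com")
    for name, cands in perms.items():
        print(f"{name:14s} {len(cands):4d}  e.g. {cands[:3]}")
    print("total unique candidates:", len(all_candidates("myservice.com")))
    # Constructed scores, as if returned by a screenshot-rating model
    sample = {"myservce.com": 0.93, "myserv1ce.com": 0.88, "my-service.com": 0.12}
    print("alerts:", alerts(sample))
```

Even this toy table yields several hundred candidates for a nine-letter label, which is why a monitoring service ends up checking thousands of permutations per brand domain. The watch list is the input to the scan; whether a candidate is a problem is decided by resolving it, fetching it (ideally from a vantage point inside the targeted region, since step 4 describes geo-based diversion) and scoring the rendered page against the genuine one.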

We do that every hour! This customer has 10 of those domains, which means our system scans and rates around 20 domains every second just for this customer.