Domain spoofing, also known as domain fraud, is a common form of fraud on the Internet. In this blog post we use real case studies to show how you, as a company or website operator, could also be affected by domain spoofing.
What is domain spoofing?
Domain spoofing is a form of Internet fraud and is defined as follows: an attacker appears to use a company’s domain in order to impersonate that company or one of its employees. This can be done by sending emails from fake domain names that appear legitimate, or by setting up websites under domains whose characters have been slightly altered but still read as correct. You can find some real-life examples of domain spoofing below.
Example 1 – Penta Bank Spoofing Website
Penta Bank is a German company that primarily offers accounts for business customers in Europe. At the beginning of 2021, Penta Bank became the target of domain fraudsters. The original domain of Penta Bank is getpenta.com – fraudsters simply registered the domain GetPenta-Bank.com and tried to collect customer login data with a fake website.
Although this attempted fraud was implemented very poorly in our opinion, it still offered enough potential for the cyber criminals to gain access to sensitive data. Despite the very different look of this fake website, Penta Bank immediately issued a warning to its customers to prevent any kind of damage. The similarity of the domain was probably the decisive factor here.
Example 2 – Media Markt Spoofing website
Media Markt is the largest home electronics chain in Germany. Of course, Media Markt also operates a website including an online shop under the domain MediaMarkt.de. This shop became the target of domain spoofing back in 2018.
Fraudsters secured the domain MediaMarktDirekt.de and operated a copy of the online shop under this address. The details were pretty convincing: customers first had to register before they could complete the purchase, including payment. The imprint of the site contained information about a Spanish branch and a German managing director. All of these facts ensured that quite a few people fell for the scam and placed orders via MediaMarktDirekt.de. The goods were of course never delivered by the fraudsters, and the victims’ money was lost.
Example 3 – Maybank Spoofing website
Maybank is one of the largest banks in Malaysia and Southeast Asia and was the victim of a very sophisticated domain spoofing fraud in February 2021. The fraudsters registered the domain campaignmay2u.com and tried to lure unsuspecting victims to it through advertising on social media. Although the spoofing domain differs significantly from the original Maybank domain (maybank2u.com.my), the name looked plausible because it was presented as a promotional offer.
In a statement on its website, the bank said users were lured to the fake website by social media ads on Facebook promising prizes such as a new cell phone.
The social media post instructs users to click a link that takes them to the fake website. There the victims are asked to enter their username and password. This data could then be used by the scammers to gain access to the real banking accounts. The spoofing website differed only slightly from the original, which made it particularly difficult for unsuspecting Maybank customers to spot the hoax. Unfortunately, it is not known what damage was caused by this domain spoofing attack.
Example 4 – Amazon Spoofing Websites
Amazon is often a victim of domain spoofing. Especially on special occasions such as Black Friday or Prime Day, fraudsters try again and again to deceive unsuspecting victims with fake Amazon websites.
According to the security research company Check Point, the number of fake domains with the words “Amazon” and “Prime” doubled, especially around the Black Friday and Prime Day events. These domains are an easy way for hackers to trick customers into entering their most sensitive information, such as credit card information, names, birthdays, email and physical addresses, and other details, on the hacker’s malicious website.
One fraud campaign targeted “returns” or “order cancellations” in connection with Prime Day. The URL www.amazoncustomersupport.net was registered to mimic an authentic Amazon site. In general, similar-sounding Amazon domains with fake websites appear again and again at regular intervals. Of course, the fraudsters also use the Amazon logo, which puts millions of people around the world at risk.
Below you will find an example of the fake domain Amazonx.com, which uses a deceptively real-looking login form to harvest Amazon customer data.
Any website can be easily copied and used for fraud
To give you an idea of how easy it is for fraudsters to use an exact copy of your website for their own purposes on similar domains, we have prepared a small domain spoofing experiment for you here.
In our example we duplicate our own homepage Domainspace.io and copy it to a similar domain with the name Domainspacecloudhost.com.
Fraudsters would have uploaded a complete image of our website to a domain with a similar name in just a few minutes and could, for example, access customer login data without much effort.
Note: it is not necessary to be connected to the website or to have access to the origin server to complete the steps below. All you need is a public website and a modern web browser. Any layperson could therefore carry out these steps without any special IT knowledge!
Step 1 – A similar domain is registered
It all starts with the registration of a similar domain. Without appropriate protective measures (e.g. Trademark Protection) or monitoring techniques such as our keyword monitoring service, this registration usually remains unknown to the victims.
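As an added example (not part of the original post and not Domainspace’s own service code), the following shows the kind of keyword and similarity check a monitoring service runs over newly observed domains. The watchlist uses the brand domains from this post; the feed entries arnazon.com, amaz0n.com and amazom.com are constructed, and the homoglyph table and the edit-distance threshold of 2 are assumptions.

```python
# Brand domains and keywords to watch, from the post's examples ("may2u" because
# campaignmay2u.com never contains "maybank").
WATCHLIST = {
    "getpenta.com": ["penta"],
    "mediamarkt.de": ["mediamarkt"],
    "maybank2u.com.my": ["maybank", "may2u"],
    "amazon.com": ["amazon"],
}
# Character sequences that read like another letter at a glance (homoglyphs).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]
# Constructed feed of newly observed domains (e.g. from CT logs or zone files).
SAMPLE_FEED = ["GetPenta-Bank.com", "MediaMarktDirekt.de", "campaignmay2u.com", "Amazonx.com",
               "arnazon.com", "amaz0n.com", "amazom.com", "www.amazon.com", "example.org"]

def normalize(label):
    """Undo common homoglyph tricks and drop hyphens before comparing labels."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label.replace("-", "")

def levenshtein(a, b):
    """Edit distance; 1 or 2 against the brand label is a classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (brand, reason) pairs for every watched brand the domain resembles."""
    host = domain.strip().lower().rstrip(".")
    host = host[4:] if host.startswith("www.") else host
    label = normalize(host.split(".")[0])
    hits = []
    for brand, keywords in WATCHLIST.items():
        if host == brand:  # the brand's own domain is never a lookalike
            continue
        brand_label = normalize(brand.split(".")[0])
        if label == brand_label:
            hits.append((brand, "homoglyph lookalike"))
        elif any(k in label for k in keywords):
            hits.append((brand, "brand keyword in label"))
        elif levenshtein(label, brand_label) <= 2:
            hits.append((brand, "typo-squat (edit distance <= 2)"))
    return hits

def triage(feed):
    return {d: hits for d in feed if (hits := classify(d))}
```

Every flagged entry is a candidate for human review and, where warranted, a takedown request; keyword matches in particular can also hit unrelated domains, so an allowlist is needed in practice.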
Step 2 – A server environment is set up
After registration, the fraudsters set up a server environment for the website. This can be anything from an anonymous professional server somewhere in China or Russia to simple cheap hosting packages on mass hosters.
In order to cover their tracks, cyber criminals often use proxy services such as Cloudflare. In addition, the data is usually hosted on special anonymous servers paid for with cryptocurrency. In this way, scammers become almost invisible and very hard to identify.
Step 3 – The original website is copied
Now it’s time to copy the data of the original website. To do this, the fraudsters simply visit your website as a normal Internet user with a modern browser. Then they download your data with just a few clicks. See how easy it actually is…
Step 4 – The copy of the website is uploaded to the fraudulent server
After an exact copy of the website has been created, it has to be published on the Internet. This is also possible with minimal technical effort. In order to harvest data, minor changes to the website code are often necessary. For example, a shop or payment system is set up to capture bookings and orders. Another example of a modification is a simple text field with which login data is collected. To make these changes, you normally only need a little knowledge of HTML, and most cyber criminals of this type certainly have these skills.
After uploading and modifying the copied website, the fake domain is connected to the server. Cloudflare is often used as a proxy; this service allows domain spoofers to easily disguise the real server IP.
Step 5 – An exact copy of the website is publicly available
Now that all these very simple steps have been carried out, a copy of your website is available under a fake domain name. In addition, fraudsters can also set up mail servers, which they use for phishing attacks. Here, too, the fake domain plays a decisive role, and careless users are very easily caught by such similar-sounding domain names. As you can see, an exact copy of our business website is now available under a fake domain.
Step 6 – Fraudsters hijack data or misuse your name in other ways
The final step is ultimately to bring in the harvest. With the fake website, the fraudsters now collect login or credit card data. Fake online shops or booking websites are also conceivable. To receive payments, the fraudsters often use accounts abroad that have been opened in other names. Electronic payment providers are also frequently used by cyber criminals. If the domain spoofing attack has been carefully planned, it is impossible to find the real people behind such scams.
The cyber criminals are often located in distant countries. Fraudsters of this kind feel particularly at home in countries where authorities only work with limited technical capabilities. Southeast Asia in particular is a mecca for cyber criminals from all over the world.
How to protect yourself from domain spoofing
We have already summarized in detail how you can protect your website against fraud, identity theft and domain spoofing in another blog post. In general, our cyber security solutions are designed to protect companies and brands from such crimes. Domainspace can help you reduce the negative effects of domain and identity theft at the domain level. Just leave us a message and we look forward to finding the perfect security solution for you…