Versa Director Flaw Exposes Networks to API Exploits and Token Theft
Published on September 25, 2024
The practice of cybersquatting remains a simple yet effective method to trick internet users and exploit them in a variety of ways. Malicious actors register domains that look similar to those of well-known brands. Their purpose is to convince visitors that they have landed on a legitimate website they can trust.
These domains usually have a typo that's hard to spot, or feature a combination with other words, or replace a character with a Unicode letter, or set up a subdomain that contains the spoofed brand's domain in it.
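As an added illustration (not code from the article or from the Palo Alto report), the following Python detector flags registrations matching the four lookalike patterns just described; the brand `example` and the sample domains are constructed for the example.

```python
from typing import Dict, List

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so a swapped pair ('exampel') costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def squat_indicators(domain: str, brand: str, tld: str = "com") -> List[str]:
    """Return which of the four squatting patterns a domain matches.
    Assumes a two-label genuine domain (brand.tld); public-suffix handling
    such as co.uk is out of scope for this example."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")
    if host == f"{brand}.{tld}":
        return []  # the genuine registration
    reasons: List[str] = []
    # 1. Unicode lookalike: a raw non-ASCII label or its punycode (xn--) form.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        reasons.append("unicode")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    # 2. Brand placed inside a subdomain of an unrelated registrable domain.
    if registrable != brand and any(brand in l for l in labels[:-2]):
        reasons.append("subdomain")
    # 3. Combosquatting: brand joined with extra words (e.g. brand-login).
    if registrable != brand and brand in registrable:
        reasons.append("combo")
    # 4. Typosquatting: the registrable label is one edit away from the brand.
    elif registrable.isascii() and osa_distance(registrable, brand) == 1:
        reasons.append("typo")
    return reasons

# Constructed sample registrations (not data from the Palo Alto report).
SAMPLE = ["example.com", "exampel.com", "examp1e.com", "example-login.net",
          "example.com.account-verify.org", "ex\u0430mple.com",  # Cyrillic 'а'
          "ex\u00e1mple.com".encode("idna").decode("ascii"), "other.org"]

def scan(domains: List[str], brand: str = "example") -> Dict[str, List[str]]:
    """Map each flagged domain to the patterns it matched."""
    results = {d: squat_indicators(d, brand) for d in domains}
    return {d: r for d, r in results.items() if r}
```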
Researchers at Palo Alto Networks have taken a set of 13,857 squatting domains registered from December 2019 until recently (450 registrations per day) and studied their nature to come up with solid deductions about the current status of the scene.
The key takeaways of their report include the following points:
The actors' objectives range widely: supporting phishing and malware distribution campaigns, hosting command and control servers, domain parking, and luring internet users onto fake tech support platforms. Reward scams, potentially unwanted programs (PUP), and re-bill scams are also part of the mix.
On the detection front, the Palo Alto researchers found that detection rates across most internet security vendors leave a lot to be desired. Even the best-performing vendor alerted users on only about 25% of the malicious or high-risk squatting domains, and the detection rates of the next-best solutions dropped below 18%.
All that said, users cannot rely on security solutions alone, and they shouldn't trust any domain they happen to land on. When you want to visit online banking services, buy something from an e-shop, or just search something on the net, check the domain name thoroughly and validate that it's the correct/official one.
Moreover, confirm that the domain has a valid SSL certificate and that you are on the website's HTTPS version.