
SecurityTrails Blog · Jul 30 · SecurityTrails team

Domain Security & Solutions, Part 2: Phishing & Trademark Infringement Attacks


Millions of emails are sent every day, and a few of them will surely hit your inbox. Apart from your personal, notification and corporate emails, you’ll undoubtedly be asked to open emails from “companies” inviting you to update your account’s personal details with a certain bank, or with other popular online services such as Google, Apple or Dropbox.

The thing is, the average user does open these emails and follows the instructions step by step, without knowing they’re about to fall into a digital trap set by cybercriminals. The emails are well written, they link to a page served over HTTPS with a valid certificate, they contain information about your bank, and with the expected colors and official logo they look just like they’ve been sent from the company where you have an account. After all, they’re “only” asking you to follow instructions or update your personal details. Looks like a safe place … right? It’s actually not.

That wasn’t a legitimate email. It’s something called phishing, and along with trademark/service mark infringement, it’s one of the top cybersecurity issues affecting millions of users every day.

In this article we’ll explain what phishing is, examine its different forms, and take a look at trademark issues and how to fight against these illegal activities.

What is phishing?

Phishing is one of the most common types of cybercrime around, one that focuses on stealing sensitive user information.

In this social engineering attack, users are typically contacted by email by someone posing as a legitimate company, in order to gain their confidence and then their personal data—which can include, but is not limited to, usernames, passwords, credit card numbers, bank account numbers, and anything else you may consider private information.

How does it work?

Phishing relies on human psychology¹ to succeed, and its method of operation is really quite simple: an attacker masquerades as a trusted company or organization, sets up a fake replacement website, and lures victims to it from email or text messages.

These false communications will contain a link to the malicious website that, if visited, may lead to:

  • Personal data exposure (login credentials, credit cards, etc.)
  • Installation of malware
  • Enrollment of your computer in a botnet, to be used in attacks against others
  • Ransomware that encrypts your critical information and demands money to unlock it

In almost all cases, a successful attack exposes sensitive and critical information and results in identity theft or financial loss for both the individuals and the companies involved.

In larger and more targeted attacks, phishing is launched not only against individuals, but against organizations and governments as the entry point for a coordinated attack on their networks. In these situations, attackers aren’t after credit cards or bank accounts, but after credentials for restricted systems and a foothold on internal hosts where they can install malware and move laterally.

The weakest link in cybersecurity is always the human factor: the people behind the computers. That’s why this is labeled “social engineering.”

Depending on the phishing channel the attacker uses, there are a few different forms of phishing that may be distinguished from traditional email phishing:

Smishing

This form of malicious campaign uses SMS messages instead of email. The texts contain links that drive victims to ‘trap websites’ where they type in their personal data themselves.

Spear phishing

Traditional phishing campaigns usually involve sending emails to millions of unknown users worldwide. ‘Spear phishing,’ on the other hand, is a highly targeted campaign aimed at a specific person or small group.

Before sending a spear phishing email, attackers run a thorough OSINT investigation against the target, learning as much as possible about the target’s online and offline life. The resulting message references real colleagues, projects or events, so it can be very difficult to recognize and carries a much higher risk of getting tricked.

Vishing

Vishing (‘voice phishing’) is phishing conducted over the phone, whether traditional landlines, mobile or VoIP.

The deception can be hard to spot. These days it’s really easy to obtain any person’s telephone number, caller ID can be spoofed, and getting a call from someone claiming to be your bank or credit card company is not unusual at all.

Search engine phishing

Google can be your best friend, or your worst enemy. Let’s suppose for a minute that you’re searching for a specific product you saw on Amazon or eBay, so you go to Google.com and search for it. Among the countless results for that keyword, you see one that looks like a legitimate e-commerce store—but it’s a fake, and it’s receiving live traffic from this everyday search engine.

This is another form of phishing, called “search engine phishing” because the fake site is indexed by Google, Yahoo and others like any other page, and the search engines then drive real visitors to it.

This technique doesn’t rely on email links, but on live links in search results. Fortunately, these sites usually aren’t live for very long, thanks to takedown notices and the search engines’ own detection algorithms.

Whaling

Whaling is often confused with spear phishing; however, there is a clear difference between the two.

Whaling is only used against high-level positions like COO, CIO, CFO, CEO, VP and other big players (whales) with management-level positions.

In whaling, attackers try to trick executive and management staff, which can often lead to higher-level access to corporate accounts, logins and more.

Phishing examples

Let’s take a look at the most popular email subjects you may receive in phishing emails:

  • “UPS missed delivery notice” - This is one of the most common phishing emails you’ll see, which fools victims by referencing a tracking number with a link to a malicious page.
  • “Your bank account has been locked” - This fake email will look like it was legitimately sent from your banking institution (Bank of America, for example), letting you know that you must update your login details in order to unlock your bank account.
  • “Confirm your account” - This is a generic notice for all types of online services, including credit card companies, banks, online payment wallets like Paypal, or streaming services like Netflix, Spotify and others.
  • “Amazon refund due to system error” - This form of phishing tries to gain access to your online shopping accounts like Amazon or Ebay, stating that you have a pending refund due to a system error. In order to claim your refund, you’ll be asked to provide your login details.
  • “IRS tax refund” - This scenario would have you believe the IRS is sending you a note about a tax refund. Of course, it’s merely a grab for your personal and sensitive information.
  • “Unusual sign-in activity detected” - In this example, users get a notice from Microsoft, Google, Facebook, etc., stating they’ve found unusual sign-in activity in their logs. In order to get this cleared, they’ll point you to a fake webpage, or give you a phone number you can call, where they’ll ask you for login details.

Still other popular phishing examples include:

  • Gift card notifications
  • Dropbox notifications
  • Google docs downloads
  • Microsoft 365 shared file notifications
  • Help Desk Notices
  • U.S. Dept. of Labor “Record Updates”
  • New salary notifications

All these types of phishing emails can be used for data and identity theft, and can even ruin your reputation.

How can I prevent phishing attacks?

  1. Read twice before clicking. Never click links before analyzing the full message and deciding whether it looks suspicious, or is something you never requested. Stay alert even when the announcement in the email body is tempting. Keep your eyes open, analyze, and if you have doubts, ask a colleague for a second opinion.

  2. Analyze the email headers. If you’re a technical user, you can analyze the email headers (Return-Path, Reply-To, Received and Authentication-Results) to detect whether you’re looking at a spoofing attempt or a real email. And even if the email really did come from the stated sender, keep in mind that the sender’s own account may have been compromised.

  3. Use an anti-phishing browser extension. Most modern browsers support phishing detection through popular extensions (like the Netcraft Anti-Phishing² add-on available for both Firefox and Chrome).
    These extensions check the reputation of the sites you’re visiting and raise an alert whenever a known phishing site is detected. While they won’t help you detect phishing in email messages, they will stop you from falling prey to one of these fake websites.

  4. Stay up to date about phishing techniques. Every day, newspapers, IT magazines and cybersecurity companies release numerous publications about new phishing techniques detected in the wild. Staying current with the latest forms of phishing (even if you aren’t a technical user) will help you avoid getting tricked in the future.

  5. A TLS certificate is not a sign of legitimacy. Don’t blindly trust sites just because they have a valid certificate. A certificate only proves that the connection to that domain is encrypted, not that the domain belongs to the company it imitates. Since free certificates became widely available, most phishing websites use them, and the familiar padlock in the browser gives users a false sense of security.

  6. Use two-factor authentication on all your online accounts. Most modern service providers already support 2FA³ as an additional layer to stop unauthorized third parties from accessing your account.
    Let’s suppose you fall victim to a phishing attack and the attackers get your username and password: with 2FA enabled, those alone are not enough to log in. Keep in mind, though, that SMS and app-generated codes can still be phished in real time by a proxy site that relays them to the real service. Security keys and passkeys (FIDO2/WebAuthn) are phishing-resistant because they are bound to the genuine site’s origin and won’t work on a lookalike domain.

  7. Never share your private information on request. The number one rule to help you avoid phishing scams is to never hand over sensitive data in response to an unsolicited request, no matter who claims to be asking. Your private information (personal details, or financial data) should always be “private”—by definition, that’s the very idea.
    If you’re unsure whether a message or website is real, don’t follow the link in the message. Type the address you already know into the browser, use a saved bookmark, or open the official app. Searching for something like “yahoo official website” is a reasonable fallback, but check the domain in the result before entering anything: as the search engine phishing section above shows, fake sites and sponsored results do make it into search results.
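As an added example (not code from the original post), here is the header check from step 2 written as a small script. It assumes you can view the raw message source (“Show original” or equivalent in your mail client) and that your provider adds an Authentication-Results header; the message below is constructed for the example and is not a real email.

```javascript
// Added example: triage the authentication-related headers of a raw email and
// report the domain misalignments typical of spoofed phishing mail.
// SAMPLE_HEADERS is a constructed message, not a real one.

const SAMPLE_HEADERS = `From: "Bank of Example" <alerts@bank.example>
Reply-To: support@bank-secure-verify.top
Return-Path: <bounce@bank-secure-verify.top>
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=bank-secure-verify.top;
  dkim=pass header.d=bank-secure-verify.top;
  dmarc=fail header.from=bank.example
Subject: Your account has been locked`;

// Parse "Name: value" headers, unfolding RFC 5322 continuation lines first.
// Repeated header names (e.g. several Received lines) keep the last value,
// which is fine for this triage.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Domain part of the first address in a header value, or null.
function domainOf(value) {
  const m = /@([A-Za-z0-9.-]+)/.exec(value || '');
  return m ? m[1].toLowerCase() : null;
}

// Pull "method=result" and its associated domain tag out of Authentication-Results.
function authResult(value, method, domainTag) {
  const res = new RegExp(`${method}=(\\w+)`).exec(value || '');
  const dom = new RegExp(`${domainTag}=([A-Za-z0-9.-]+)`).exec(value || '');
  return { result: res ? res[1] : 'none', domain: dom ? dom[1].toLowerCase() : null };
}

// Human-readable findings; an empty list means nothing looked wrong.
function analyzeHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const from = domainOf(h['from']);
  const replyTo = domainOf(h['reply-to']);
  const returnPath = domainOf(h['return-path']);
  const spf = authResult(h['authentication-results'], 'spf', 'smtp.mailfrom');
  const dkim = authResult(h['authentication-results'], 'dkim', 'header.d');
  const dmarc = authResult(h['authentication-results'], 'dmarc', 'header.from');

  if (replyTo && replyTo !== from) findings.push(`Reply-To domain ${replyTo} differs from From domain ${from}`);
  if (returnPath && returnPath !== from) findings.push(`Return-Path domain ${returnPath} differs from From domain ${from}`);
  // An SPF or DKIM "pass" for the attacker's own domain says nothing about the
  // From domain the user sees; DMARC alignment is what ties the two together.
  if (spf.result === 'pass' && spf.domain !== from) findings.push(`SPF passed for ${spf.domain}, not for the From domain`);
  if (dkim.result === 'pass' && dkim.domain !== from) findings.push(`DKIM signature is from ${dkim.domain}, not the From domain`);
  if (dmarc.result !== 'pass') findings.push(`DMARC result is "${dmarc.result}" for ${from}`);
  return findings;
}

for (const finding of analyzeHeaders(SAMPLE_HEADERS)) console.log('! ' + finding);
```

The point of the SPF/DKIM checks is subtle: a phishing mail sent from attacker-owned infrastructure will often pass SPF and DKIM for the attacker’s domain, so only a result that is aligned with the visible From domain (what DMARC enforces) should reassure you.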

Trademark and service mark infringement issues

Trademark infringement occurs when a third-party individual or company uses a trademark without previous authorization from the trademark holders. This could be a logo or brand symbol.

For example, if a computer that wasn’t created by Apple Inc. were to use the Apple logo with its famous bitten apple, the situation would likely generate a trademark infringement issue. The trademark protects your logo and company symbols. Therefore, a trademark is essentially used to protect company products.

There is another form of trademark that can affect your company, and it’s called a service mark. A service mark is used to protect services, and it’s related to the company name and their slogan. For example, eBay’s slogan “Connecting Buyers and Sellers Globally,” along with the “eBay” name, are service marks.

Amazon is characterized as both a trademark and a service mark. The service mark is designated because this online retailer provides online shopping services, and it’s also a trademark because Amazon sells branded products like the Kindle e-reader, Amazon Echo and many other “Amazon” products.

While a trademark and a service mark seem similar, the difference is simply what they protect: goods versus services.

Motivations behind trademark and service mark infringements can be driven by:

  • An attempt to make a profit by imitating a recognized global brand, setting up a website that looks like the original and tricking visitors into buying from that page instead of the official one.
  • Gaining access, through phishing pages, to unsuspecting visitors’ credit card, banking and other personal information.
  • The planned distribution of ransomware across large computer networks, encrypting sensitive content and extorting victims to recover their data.
  • An attempt to spread infections across networks to build up a botnet.

Legal consequences of these activities may include monetary damages for all the losses involved, a cease-and-desist order to stop using and distributing products bearing the trademark, seizure of digital services that use the unauthorized service mark, and the shutdown of the internet infrastructure supporting the infringing websites (web hosting, proxy services and domain names).

How to detect phishing and service mark infringement-based domains

While phishing and trademark issues are different illegal activities, both share some common facts and are definitely related, as most phishing campaigns involve trademark and service mark infringements in their “fake” website layouts.

How can you detect phishing or service mark infringement-based domains? For this purpose, we offer three major solutions that will help you track down every bit of information about the websites involved.

SecurityTrails App

Our public web app is the perfect starting point for checking out our main features, for anyone who needs to manually investigate domain phishing and trademark infringement cases. It offers quick access to 323 million domain names, along with critical intel regarding their DNS records and IP addresses.

Let’s test it to see what we can learn about a popular brand, like “eBay” for example.

In this case, we’ll want to search for all domain names that contain the word “ebay”.

This query returns around 17k results, including domains and subdomains that use the ‘ebay’ term. You’ll also get valuable information categorized by domain, Alexa rank, web hosting and email provider.

This is just a small taste of the full security data found for this term. While analyzing the results, we found a couple of details that may point to service mark issues, if not actual phishing attempts:

  • http://www.ebay.design/
  • http://ebay.kiwi.nz/
  • https://ebay.info/
  • http://car.ebay.info/

Right now, there are no live phishing pages attached to those links; however, it remains a possibility in the coming months or years.

Are you willing to take risks in the future? Probably not. It’s a much better idea to discover infringing domains now, and nip such problems in the bud.

Here are some more facts that indicate the real power behind our intelligent database. Let’s see how many results we get for other popular brands like BestBuy, Amazon, Paypal and Microsoft:

  • bestbuy: 2,758 results
  • amazon: 9,702 results
  • paypal: 2,748 results
  • microsoft: 15,115 results

Imagine how many phishing and trademark infringement-based domains can be found in those results.

As you can see, using the SecurityTrails public app can definitely help you track down brand terms used in domain names. However, the most valuable information is found while exploring the additional attack surface data behind those domain names. Keep reading.

SurfaceBrowser

Now that we’ve discovered a few domain names using the eBay brand name without authorization, let’s explore how you can run a complete domain investigation with SurfaceBrowser, our enterprise all-in-one product for security researchers, business owners and legal teams.

Who’s behind those domain names? Where are they hosted? Are these domains part of a larger phishing campaign? Let’s find out, using the first domain name we found: ebay.design.

The current DNS information is displayed immediately once the results are loaded, giving you the current A, MX, SOA, TXT and NS records.

[Screenshot: current DNS records for ebay.design]

However, that isn’t the entire picture. We also have our DNS Time Machine ready to explore past DNS records, as shown in the next screenshot:

[Screenshot: DNS Time Machine showing historical DNS records for ebay.design]

Discovered subdomains include:

  • mail.ebay.design
  • mx.ebay.design
  • www.ebay.design

Our historical WHOIS database offers a detailed timeline to help you explore all current and past WHOIS values for this domain name. In this case, current WHOIS records were not available (redacted registrant data is common since GDPR); however, stepping back to the previous WHOIS record leads us to personal details about this domain name, including full name, country, email and telephone number.

[Screenshot: historical WHOIS record for ebay.design]

Who is hosting this website? This question is easily answered with our hosting checker feature, which allows you to determine the exact location of the server hosting this website, along with general details about the web hosting provider and network, as shown below:

[Screenshot: hosting provider and network details for ebay.design]

And if that isn’t enough, you can also find the full IP address neighbor information, allowing you to explore all hosts in nearby IP address ranges.

[Screenshot: IP address neighbors of the host serving ebay.design]

When it comes to investigating phishing domains and trademark infringement-based websites, most of the time it isn’t an isolated case. Attackers register several domains at once, so that when a takedown notice reaches one web hosting provider, another site takes over.

While ebay.design had no associated domains, the next domain from our list, ebay.info, did.

All the domain names we found are hosted under the same provider (Unified Layer), and are part of a large ‘ebay’- and ‘facebook’-based campaign that includes multiple name variations, such as:

  • ebay.info
  • ebay-motors.top
  • ebay-motors.com
  • ebaymotors.top
  • ebaymotors.space
  • ebaymotors.website
  • ebaymotors.pro
  • ebayt.asia
  • ebayt.top
  • ebayt.us
  • faceboker.info
  • faceboker.com
  • facebookel.com

While we found no fake eBay websites among them, this could be the remnant of an old campaign, or one waiting to become active in the future. Further inspection revealed that one of the domains hosts an active e-commerce site at http://ebayt.us/index.php (note the ‘yt’ combination: a single stray character after the brand name, which is characteristic of typosquatting), as shown below.

[Screenshot: e-commerce site served at ebayt.us]

It isn’t the same content as the official ebay.com website, but…if you were on the eBay Inc. legal team, would you allow this typosquatting site to remain live? We wouldn’t.
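Sorting thousands of brand-term hits by hand, as in the ‘ebay’ search and the campaign list above, doesn’t scale. The following is an added example (not code from the original post or from SecurityTrails) that triages hostnames against a list of protected brands, separating exact brand use, brand-plus-word names like ebay-motors, single-character typos like ebayt, lookalike characters, and brand names buried in a subdomain such as ebay.kiwi.nz. The two-label suffix set is a deliberate simplification standing in for the Public Suffix List, and facebo0k.com and example.com are constructed inputs added to the page’s own list.

```javascript
// Added example: classify brand-term hits into abuse categories.
// The suffix handling is a simplification; production code should use the
// Public Suffix List to find the registrable domain.

// Minimal stand-in for the Public Suffix List (assumption, enough for the sample).
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'co.nz', 'com.au', 'com.br', 'co.jp']);

// Split a hostname into its registrable label ("ebay" in car.ebay.info) and the labels in front of it.
function registrableLabel(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const suffixLen = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 2 : 1;
  const idx = Math.max(labels.length - suffixLen - 1, 0);
  return { label: labels[idx], subdomains: labels.slice(0, idx) };
}

// Undo the most common lookalike substitutions before comparing against the brand.
const HOMOGLYPHS = [[/rn/g, 'm'], [/vv/g, 'w'], [/0/g, 'o'], [/1/g, 'l'], [/3/g, 'e'], [/5/g, 's']];
function normalizeHomoglyphs(label) {
  return HOMOGLYPHS.reduce((s, [re, repl]) => s.replace(re, repl), label);
}

// Damerau-Levenshtein (optimal string alignment): insert, delete, substitute and
// adjacent transposition ("ebya" vs "ebay") each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Verdict for one hostname against one brand, most specific category first.
function verdictFor(hostname, brand) {
  const { label, subdomains } = registrableLabel(hostname);
  const normalized = normalizeHomoglyphs(label);
  if (normalized !== label && normalized === brand) return 'homoglyph';
  if (label === brand) return 'exact-brand';
  if (label.includes(brand)) {
    // One stray character (ebayt) is a typo; a whole extra word (ebay-motors) is brand inclusion.
    return label.replace(brand, '').length <= 1 ? 'typosquat' : 'brand-inclusion';
  }
  // Normalised similarity tolerates more edits on longer brands (faceboker vs facebook).
  const similarity = 1 - editDistance(normalized, brand) / Math.max(normalized.length, brand.length);
  if (similarity >= 0.65) return 'typosquat';
  if (subdomains.some((s) => s.includes(brand))) return 'brand-in-subdomain';
  return 'unrelated';
}

// Check a hostname against every protected brand and keep the first hit.
function classify(hostname, brands) {
  for (const brand of brands) {
    const verdict = verdictFor(hostname, brand.toLowerCase());
    if (verdict !== 'unrelated') return { hostname, brand, verdict };
  }
  return { hostname, brand: null, verdict: 'unrelated' };
}

// Hostnames from the post's ebay/facebook findings plus two constructed ones (facebo0k.com, example.com).
const SAMPLE_HOSTNAMES = ['ebay.design', 'ebay.kiwi.nz', 'car.ebay.info', 'ebay-motors.top',
  'ebaymotors.space', 'ebayt.us', 'faceboker.com', 'facebookel.com', 'facebo0k.com', 'example.com'];

for (const hit of SAMPLE_HOSTNAMES.map((h) => classify(h, ['ebay', 'facebook']))) {
  console.log(`${hit.hostname.padEnd(18)} ${hit.verdict.padEnd(19)} ${hit.brand ?? ''}`);
}
```

Feeding the output of a brand-term search into a classifier like this gives the legal team a short list ordered by how deliberate the imitation looks; the ‘unrelated’ bucket catches hits such as ebay.kiwi.nz-style subdomains only when the brand appears in front of someone else’s registrable domain, which is itself a useful signal of free-hosting abuse.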

This is just a tiny fraction of what our intelligent database can do. Complete and accurate certificate transparency logs, open ports and full IP block information are waiting for you!

SecurityTrails API

Now that you’ve explored the records manually, you may be asking yourself: “Is there any way to automate this intel-gathering process?”

By using our free API tier, you can start querying our intelligent database and get the full results in your own apps.

Our API is a plain REST interface, so it can be called from any language with an HTTP client, such as PHP, Python, JavaScript/Node, Go and many more, letting you build domain investigation tasks into your own tooling simply and easily.

A quick script in Node.js can be used to fetch associated domains, for example:

// Node.js 18 or newer: the built-in fetch() replaces the deprecated "request" package
const apiKey = 'your_api_key'; // better: read it from process.env.SECURITYTRAILS_API_KEY
const domain = 'ebay.info';
const url = `https://api.securitytrails.com/v1/domain/${domain}/associated?apikey=${apiKey}`;

fetch(url)
  .then((response) => {
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    return response.json();
  })
  .then((body) => console.log(JSON.stringify(body, null, 2)))
  .catch((error) => console.error(error));

You only need to replace your_api_key with your real API key (keep it out of version control), and ebay.info with the domain under investigation.

The API documentation feature offers live tests to use with your API key, and it’s also a great resource for checking out different syntax examples in several programming languages with all the supported endpoints.
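As an added example (not code from the original post or from SecurityTrails), the script above can be turned into a small client that pivots the associated-domain results on shared hosting, which is how the ebay.info cluster above stood out as a single campaign hosted at Unified Layer. It assumes Node 18 or newer, the API key supplied in the SECURITYTRAILS_API_KEY environment variable and sent as the APIKEY request header, and records carrying `hostname` and `host_provider` fields; SAMPLE_RECORDS is a constructed stand-in for the live response so the grouping can be run offline.

```javascript
// Added example: query /v1/domain/{domain}/associated and group the results by
// hosting provider. Assumptions: Node 18+ (global fetch), key in the
// SECURITYTRAILS_API_KEY environment variable sent as the APIKEY header, and
// records with `hostname` and `host_provider` (array of provider names).

async function fetchAssociated(domain, apiKey = process.env.SECURITYTRAILS_API_KEY) {
  if (!apiKey) throw new Error('SECURITYTRAILS_API_KEY is not set');
  const url = `https://api.securitytrails.com/v1/domain/${encodeURIComponent(domain)}/associated`;
  const res = await fetch(url, { headers: { APIKEY: apiKey, Accept: 'application/json' } });
  if (!res.ok) throw new Error(`SecurityTrails API returned HTTP ${res.status} for ${domain}`);
  const body = await res.json();
  return Array.isArray(body.records) ? body.records : [];
}

// Group hostnames by hosting provider, largest cluster first. Domains that share
// infrastructure with the seed are the first candidates for one coordinated campaign.
function groupByProvider(records) {
  const groups = new Map();
  for (const record of records) {
    const providers = Array.isArray(record.host_provider) && record.host_provider.length
      ? record.host_provider
      : ['(unknown)'];
    for (const provider of providers) {
      if (!groups.has(provider)) groups.set(provider, []);
      groups.get(provider).push(record.hostname);
    }
  }
  return [...groups.entries()]
    .map(([provider, hostnames]) => ({ provider, count: hostnames.length, hostnames: [...hostnames].sort() }))
    .sort((a, b) => b.count - a.count || a.provider.localeCompare(b.provider));
}

// Constructed sample in the shape of the endpoint's `records` array (not real API output).
const SAMPLE_RECORDS = [
  { hostname: 'ebay-motors.top', host_provider: ['Unified Layer'] },
  { hostname: 'ebaymotors.space', host_provider: ['Unified Layer'] },
  { hostname: 'ebayt.us', host_provider: ['Unified Layer'] },
  { hostname: 'faceboker.com', host_provider: ['Unified Layer'] },
  { hostname: 'ebay.design', host_provider: [] },
];

// ST_TARGET_DOMAIN=ebay.info node associated.js queries the live API;
// with the variable unset, the constructed sample is grouped instead.
const target = process.env.ST_TARGET_DOMAIN;
const pending = target ? fetchAssociated(target) : Promise.resolve(SAMPLE_RECORDS);
pending
  .then((records) => {
    for (const g of groupByProvider(records)) console.log(`${g.count}\t${g.provider}\t${g.hostnames.join(', ')}`);
  })
  .catch((err) => console.error(err.message));
```

Sending the key in a request header rather than the query string, as the first script does, keeps it out of proxy and web server access logs.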

Conclusion

Phishing is one of the most common forms of cyberattack in this modern digital age, and there are different types of phishing targeting users every day. Fortunately, there are plenty of ways to prevent this activity from affecting you on both fronts, whether as a user or as a company owner with an online website.

Trademark issues are also one of the most popular reasons for legal disputes on the Internet, and while they may be a bit more difficult to detect than phishing campaigns, they can also be discovered through modern passive DNS and domain databases like the ones we use here at SecurityTrails.

Are you ready for the third part? ➡️ Domain Security & Solutions, Part 3: Stale DNS Records & Subdomain Takeover Attacks


Are you a lawyer specializing in cybercrime, or part of a legal team that protects companies from malicious activities? Check out our all-in-one domain investigation platform SurfaceBrowser, specially built for legal cybersecurity teams — book a demo with our sales team today.


¹ https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5826381/
² https://chrome.google.com/webstore/detail/netcraft-extension/bmejphbfclcpmpohkggcjeibfilpamia
³ https://en.wikipedia.org/wiki/Help:Two-factor_authentication