Explosion of look-alike domains poses phishing risks to online shoppers

According to eMarketer, retail e-commerce sales reached $2.3 trillion in 2017 alone, a 23.2% increase on the previous year. By 2021, mobile e-commerce could total upwards of $3.5 trillion, making up almost three quarters (72.9%) of e-commerce sales.

As online shopping grows, a new study by Venafi, the cyber security firm, found that online customers are being targeted through look-alike domains. Cyber attackers create false domains by substituting a few characters in the URL of a well-known retailer. Because these domains point to malicious shopping sites that mimic the legitimate, well-known retail websites, customers find it increasingly difficult to tell the fakes from the real thing.


Additionally, given that many of these malicious pages use a trusted TLS certificate, they appear to be safe for online shoppers who unknowingly provide sensitive account information and payment data.
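The character-substitution technique described above is also something a defender can screen for. The following Python is added here as an illustration and is not code from the article or from Venafi: it normalises common look-alike substitutions (digits for letters, "vv" for "w", "rn" for "m") and flags newly observed domain names, such as those surfaced by a certificate transparency feed, that approximate a protected brand by homoglyph, typo, swapped TLD or embedded brand name. The protected-brand list, the substitution table and the sample feed are constructed for the example, and the domain parsing assumes a simple label.tld layout; a production version would use the public suffix list and a full Unicode confusables table.

```python
import unicodedata

# Brand domains an organisation wants to protect (constructed for this example).
PROTECTED = ["newegg.com", "example-shop.com"]

# Character sequences commonly substituted for a letter they resemble
# (constructed sample; a real deployment would use a fuller confusables table).
# Note: "rn" -> "m" can also rewrite legitimate words such as "corner", so
# the same normalisation is applied to both sides of every comparison.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Domain names as they might arrive from a certificate transparency feed
# (constructed sample input, not real observations).
SAMPLE_FEED = [
    "newegg.com", "nevvegg.com", "newegg-secure.com", "neweg.com",
    "newegg.co", "n3wegg.com", "weather.com",
]


def normalize_label(label: str) -> str:
    """Lower-case, strip non-ASCII after NFKD, then undo look-alike substitutions.

    Non-ASCII characters (e.g. a Cyrillic letter in an IDN) are dropped, so an
    IDN homoglyph surfaces as a short edit-distance match rather than an exact one.
    """
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED):
    """Return (verdict, brand) for the first protected brand the domain resembles, else None.

    Verdicts: legitimate, tld-swap, homoglyph, brand-embedded, typo.
    Assumes the registrable label is the second-to-last DNS label.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label, tld = parts[-2], parts[-1]
    norm = normalize_label(label)
    for brand in protected:
        b_parts = brand.split(".")
        b_label, b_tld = b_parts[-2], b_parts[-1]
        b_norm = normalize_label(b_label)
        if label == b_label and tld == b_tld:
            return ("legitimate", brand)      # the brand's own domain (or a subdomain of it)
        if label == b_label:
            return ("tld-swap", brand)        # same name, different TLD
        if norm == b_norm:
            return ("homoglyph", brand)       # identical once substitutions are undone
        if b_norm in norm:
            return ("brand-embedded", brand)  # e.g. brand-secure.com, login-brand.com
        if len(b_norm) >= 5 and levenshtein(norm, b_norm) <= 1:
            return ("typo", brand)            # one edit away; short brands are skipped to limit noise
    return None


def scan(domains, protected=PROTECTED):
    """Return only the suspicious entries as (domain, verdict, brand) tuples."""
    hits = []
    for d in domains:
        result = classify(d, protected)
        if result and result[0] != "legitimate":
            hits.append((d, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for domain, verdict, brand in scan(SAMPLE_FEED):
        print(f"{domain:20s} {verdict:15s} resembles {brand}")
```

Feeding the constructed sample list through `scan` flags five of the seven names and leaves the brand's own domain and the unrelated `weather.com` alone. The hits are leads for a takedown or blocklist request, not proof of malice on their own: a brand-embedded match can be a legitimate partner or regional site, which is why each verdict carries the reason it fired.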

“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” said Jing Xie, senior threat intelligence analyst for Venafi. “Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. In spite of significant advances in the best practices followed by certificate issuers, this is a really bad idea.”


“No organisation should rely exclusively on certificate authorities to detect suspicious certificate requests,” continued Xie. “For example, cyber attackers recently set up a look-alike domain for NewEgg, a website with over 50 million visitors a month. The look-alike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers.”



Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.
