Zscaler ThreatLabz’s 2024 Phishing Report highlights the rise of typosquatting and brand impersonation in phishing campaigns: of more than 30,000 lookalike domains analyzed, over 10,000 were found to be malicious. Google, Microsoft, and Amazon were the top targets, and operational details such as the use of Let’s Encrypt TLS certificates, registrar choice and TLD choice shaped how attackers set up these domains; understanding these tactics helps improve defenses against phishing. #Google #Microsoft #Amazon #LetsEncrypt #GoDaddy #ThreatLabz #AteraRAT #Typosquatting #BrandImpersonation
Keypoints
- Typosquatting and brand impersonation are common phishing techniques.
- From February to July 2024, over 10,000 malicious domains were identified.
- Google, Microsoft, and Amazon accounted for nearly 75% of phishing domains.
- 48.4% of phishing domains used Let’s Encrypt TLS certificates for legitimacy.
- The Internet Services sector was the most frequently impersonated vertical.
- GoDaddy was the most commonly abused domain registrar.
- Phishing domains often used popular TLDs like .com to deceive users.
- Case studies illustrated various phishing methods, including malware distribution and credential theft.
MITRE Techniques
- [T1566] Phishing – Threat actors use typosquatting and brand impersonation to create fraudulent domains that mimic legitimate brands.
- [T1003] Credential Dumping – Domains like “offlice365[.]com” were used to trick users into entering their credentials.
- [T1219] Remote Access Tools – Malware such as Atera RAT was distributed through impersonated domains.
Indicators of Compromise
- [Domain] IOCs – acrobatbrowser[.]com, googleupdate[.]vip, and 8 more domains used in typosquatting and brand impersonation phishing campaigns
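As an added defensive example (not code from the ThreatLabz report or from this summary), the following Python flags candidate domains that resemble a set of protected brands, the way a blocklist or brand-monitoring pipeline would triage newly registered domains. It distinguishes a one-character typo of the brand label (as in offlice365[.]com), a brand label on a different TLD, and a brand keyword embedded in a longer label (as in googleupdate[.]vip and acrobatbrowser[.]com). The brand watch list, the mapping to legitimate domains, the edit-distance threshold and the candidate list beyond the IOC domains named above are assumptions constructed for the example; the presence of a TLS certificate is deliberately not used as a signal, since the report notes that lookalike domains commonly carry Let’s Encrypt certificates.

```python
"""Triage candidate domains against a brand watch list (constructed example)."""
from typing import Optional, Tuple

# Assumed watch list: brand label -> the domain we treat as legitimate.
# Constructed for the example; a real deployment would load this from config.
PROTECTED_BRANDS = {
    "google": "google.com",
    "microsoft": "microsoft.com",
    "amazon": "amazon.com",
    "office365": "office365.com",  # assumption for the example
    "acrobat": "acrobat.com",      # assumption for the example
}


def defang_to_domain(indicator: str) -> str:
    """Normalise a defanged indicator such as 'offlice365[.]com' to a hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host.split("/")[0]


def registrable_label(domain: str) -> str:
    """Return the second-level label ('offlice365' for 'www.offlice365.com').

    Simplification: assumes a single-label public suffix such as .com or .vip.
    A production tool would consult the Public Suffix List instead.
    """
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_lookalike(indicator: str, max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (kind, brand) for a suspicious domain, or None if nothing matches.

    kind is one of:
      'tld-swap'      - exact brand label on a TLD other than the legitimate one
      'typosquat'     - label within max_distance edits of the brand label
      'brand-keyword' - brand label embedded in a longer label
    """
    domain = defang_to_domain(indicator)
    label = registrable_label(domain)
    if domain in PROTECTED_BRANDS.values():
        return None  # the legitimate domain itself
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return ("tld-swap", brand)
    # Check close typos before substring matches so a near-miss is not
    # misreported as a keyword match.
    for brand in PROTECTED_BRANDS:
        if edit_distance(label, brand) <= max_distance:
            return ("typosquat", brand)
    for brand in PROTECTED_BRANDS:
        if brand in label:
            return ("brand-keyword", brand)
    return None


def triage(indicators) -> list:
    """Classify a batch of indicators, keeping only the ones that match a brand."""
    hits = []
    for indicator in indicators:
        result = classify_lookalike(indicator)
        if result is not None:
            hits.append((defang_to_domain(indicator),) + result)
    return hits


if __name__ == "__main__":
    # Constructed candidate list: the first two are the IOC domains named above,
    # the rest are made up for the example.
    candidates = [
        "acrobatbrowser[.]com",
        "googleupdate[.]vip",
        "offlice365[.]com",
        "amazon[.]vip",
        "microsft[.]com",
        "google.com",
        "example.com",
    ]
    for host, kind, brand in triage(candidates):
        print(f"{host:24} {kind:14} impersonates {brand}")
```

Tuning note: a threshold of one edit catches single-character insertions and substitutions such as offlice365, but longer brand labels may warrant a threshold of two, at the cost of more false positives against unrelated short words, so the threshold should be set per brand rather than globally.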