Analysis of domains reported for phishing reveals a disturbing number of exact brand matches and brand deception
Dr. Colin Strutt and Dave Piscitello, Interisle Consulting Group
In Interisle’s 2023 Phishing Landscape Study, we analyzed brands identified by the phishing feeds that we collect at the Cybercrime Information Center to show which brands were most frequently phished from May 2022 to April 2023. In cases where no brand was identified by our feeds, we searched for exact brand matches in the domain name itself.
In the Study, we noted that the number of brands being targeted by phishing attacks has increased since we began reporting in 2020. For the current period, we reported the 10 brands most frequently impersonated in phishing attacks. For convenience and reference, we’ve copied the Study table to this post.
In this post, we share measurements where domain names reported for phishing included exact matches of brand names. We’ll draw some conclusions and recommendations based on what we found.
Fear, Uncertainty, and… Deception!
Criminals often register legitimate-looking domain names for phishing attacks as part of the impersonation or deception that facilitates the perpetration of a fraud. Some make no effort to create deceptively similar names but include the exact brand in the composition of domain names that they register for phishing campaigns (e.g., applesupport.cf, amazonpaymentservlce.ga, apple-verification.xyz).
We recently received an “account recovery” phishing email that uses an exact-match domain - facebookmail.com - to impersonate Facebook.
Domains composed using “exact matches” often victimize the most vulnerable users, for example, the elderly or least technically savvy members of society.
Criminals don’t hesitate to register such names because they know from experience that most registrars and registry operators have no policy or legal obligation to screen for well-established brand names at the time of domain name registration.
Impersonated Brand | Phishing Attacks |
Mitsubishi UFJ NICOS | 133,433 |
 | 112,073 |
United States Postal Service | 38,457 |
Microsoft | 31,736 |
Apple | 21,160 |
Amazon | 18,569 |
KDDI | 18,312 |
AEON Financial Service | 16,156 |
 | 15,664 |
AT&T | 15,402 |
We set out to determine how often phishers used exact-match brands in domain names they were able to register. For this analysis, we examined the domain names reported for phishing from May 2022 to April 2023. The 10 brands where exact-brand strings were used in phishing attacks were:
Exact Brand in Domain Name | Phishing Attacks |
Apple | 10,985 |
Amazon | 10,322 |
United States Postal Service | 5,213 |
 | 3,744 |
Chase | 3,078 |
Softbank | 2,849 |
Netflix | 2,801 |
Citi | 2,604 |
Steam | 2,295 |
Coinbase | 2,257 |
Accepting registrations with exact matches of brands in domains allows phishers to victimize the most vulnerable users, but when we examined our data, we found that while phishers could use any registrar for their exact-match domains, they clearly favored some over others.
Next, we present a list of registrars, ranked by the number of exact-match domains that they allowed to be registered which were subsequently reported as phishing domains. In the table, we also show, for each registrar, the number of different brands for which we were able to find exact matches.
Registrar | Phishing Domains | Number of Exact-match Phishing Domains | Number of Distinct Brands Phished with Exact-match domains |
Freenom | 180,841 | 12,605 | 238 |
NameSilo, LLC | 75,582 | 9,217 | 249 |
GoDaddy.com, LLC | 53,098 | 6,489 | 244 |
Wix.com Ltd. | 6,368 | 5,465 | 44 |
PDR Ltd. d/b/a PublicDomainRegistry.com | 69,608 | 5,386 | 273 |
NameCheap, Inc. | 53,775 | 3,043 | 22 |
Google LLC | 15,051 | 2,389 | 150 |
NICENIC INTERNATIONAL GROUP CO., LIMITED | 13,568 | 1,773 | 148 |
Registrar of Domain Names REG.RU LLC | 13,178 | 1,710 | 116 |
Sav.com | 34,671 | 1,670 | 122 |
Name.com, Inc. | 8,431 | 1,424 | 109 |
Tucows Domains Inc. | 11,044 | 1,205 | 146 |
REGRU-RU | 6,494 | 1,119 | 46 |
Porkbun LLC | 11,007 | 1,065 | 135 |
OwnRegistrar, Inc. | 12,930 | 1,040 | 150 |
Hostinger, UAB | 12,228 | 947 | 134 |
Dynadot, LLC | 8,556 | 912 | 118 |
Web Commerce Communications dba WebNic.cc | 7,550 | 843 | 97 |
Hosting Concepts B.V. d/b/a Registrar.eu | 10,801 | 786 | 158 |
ALIBABA.COM SINGAPORE E-COMMERCE | 12,578 | 772 | 98 |
We next searched for registrars with the largest numbers of exact-match phishing domains of frequently impersonated brands (minimum 100 domains). Here’s where phishers go to register exact-match domains for specific brands:
BRAND (Trademark) | Total # of exact-match domains | Registrar | # of exact-match domains at registrar |
---|---|---|---|
Apple | 9,475 | NameSilo, LLC | 1,897 |
Apple | 9,475 | Sav.com | 1,180 |
Amazon | 9,162 | Wix.com Ltd. | 5,072 |
Amazon | 9,162 | GoDaddy.com, LLC | 1,169 |
United States Postal Service | 4,105 | NameSilo, LLC | 1,705 |
United States Postal Service | 4,105 | Freenom | 907 |
 | 3,651 | Freenom | 3,386 |
Chase | 2,781 | NameSilo, LLC | 519 |
Chase | 2,781 | GoDaddy.com, LLC | 379 |
Netflix | 2,552 | Google LLC | 625 |
Netflix | 2,552 | PDR d/b/a PublicDomainRegistry.com | 328 |
Citi | 2,363 | GoDaddy.com, LLC | 609 |
Citi | 2,363 | NameCheap, Inc. | 183 |
Coinbase | 2,117 | NameSilo, LLC | 299 |
Coinbase | 2,117 | Japan Registry Services Co., Ltd. | 246 |
Steam | 1,951 | REGRU-RU | 702 |
Steam | 1,951 | Registrar of Domain Names REG.RU LLC | 478 |
Dirma Digital | 1,384 | Freenom | 764 |
Effecting change
These findings suggest that preventing registration of domain names containing exact matches of brands would remove one form of deception from the phishers’ toolkit. This is a straightforward matter of searching for and preventing (or delaying) registration of trademarks. This one measure won’t prevent phishing, but it removes from the phishing supply chain the domain names that take advantage of the most vulnerable users.
Voluntary adoption of this or a similar policy and process appears to have had a positive effect. As we noted in our 2023 Phishing Landscape Study, the registrar NameCheap limits the “self-registration” of domain names with notable brand names and phrases in them. When Namecheap determines that a domain name submitted for registration matches a name in their restricted phrases list, it denies the request. The requester can contact support to argue their case or they can try a different name.
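The screening step described above, as an added example that is not Interisle's or Namecheap's code: it checks the label a registrant submits against a restricted list and separates clear brand use from embedded matches that are better delayed for review. The brand list, the `screen` function, and the deny/hold split are assumptions made for illustration.

```python
"""Registration-time screen for exact brand matches (added example)."""

# Constructed restricted list using brand strings from the post's table.
# Assumption: a production list would come from a formal trademark source.
RESTRICTED_BRANDS = ("apple", "amazon", "chase", "netflix", "citi", "steam", "coinbase")


def screen(domain, brands=RESTRICTED_BRANDS):
    """Classify a domain name submitted for registration.

    Returns (decision, matched_brands), where decision is:
      "deny"  - a brand is a whole hyphen-separated token or starts one
      "hold"  - a brand appears only embedded in a longer string,
                or only after hyphens are removed (delay for manual review)
      "allow" - no restricted brand appears in the label
    Assumption: the leftmost label is the part the registrant chose.
    """
    label = domain.strip().lower().rstrip(".").split(".")[0]
    tokens = label.split("-")
    squeezed = label.replace("-", "")  # catches brands split by hyphens

    deny, hold = set(), set()
    for brand in brands:
        if any(tok.startswith(brand) for tok in tokens):
            deny.add(brand)
        elif brand in squeezed:
            hold.add(brand)

    decision = "deny" if deny else "hold" if hold else "allow"
    return decision, sorted(deny | hold)


if __name__ == "__main__":
    # First three names are the examples quoted in the post; the rest are constructed.
    for name in ("applesupport.cf", "amazonpaymentservlce.ga", "apple-verification.xyz",
                 "pineapple-farm.example", "purchase-orders.example",
                 "coin-base-wallet.example", "example-bakery.example"):
        print(name, screen(name))
```

The "hold" outcome exists because plain substring matching also hits ordinary words such as "pineapple" or "purchase"; a denied or held requester would still go through support, as in the Namecheap process.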
We reviewed phishing activity attributed to domain names registered at Namecheap and note that the number of phishing domains has gone down, perhaps because of this new policy, and that both the number of exact-match phishing domains and the percentage of phishing domains containing an exact match of a brand have also gone down, quite significantly.
Reporting period | Number of phishing domains reported | Number of exact-match phishing domains | Percent of phishing domains containing exact-match of brand |
---|---|---|---|
May-Jul 2022 | 12,734 | 1,031 | 8.1% |
Aug-Oct 2022 | 16,439 | 904 | 5.5% |
Nov-Jan 2023 | 15,520 | 918 | 6.0% |
Feb-Apr 2023 | 11,920 | 417 | 3.5% |
May-Jul 2023 | 9,394 | 334 | 3.5% |
Voluntary adoption is welcomed but global and uniform adoption is better
Voluntary adoption of preventative measures is a welcomed change. It’s too early to tell how phishers will respond, but if the domain industry relies on voluntary adoption alone, phishers will shop elsewhere for exact-match domains. A uniform policy across gTLD registrars and parties that register domains for ccTLD operators would be more effective, particularly one that would ensure the uniform adoption by domain registration service providers for gTLDs and ccTLDs of a formal list such as the WIPO Global Brand Database.
Litigation is an alternative to proactive measures to prevent brand impersonation.
In 2023, Meta sued Freenom for cybersquatting violations and trademark infringement, joining Microsoft, Verizon, Yahoo! and others who filed similar suits in prior years. In 2020, Meta sued NameCheap for claims including false designation of origin and trademark infringement, and the parties settled in April 2022. We can only speculate whether Namecheap’s adoption of a “restricted phrases” policy was coincident to or a consequence of the lawsuit, but as we observed in our 2023 Phishing Landscape Study, “In the absence of more effective mitigation measures and broader cooperation, litigation has shown to be an effective tool in stemming abuse.”
We would not be surprised if any of the frequently impersonated brands mentioned in this post were to take legal action against registrars where trademark infringement is most egregious.