Hackers Attacking Global Sporting Championships Via Fake Domains To Steal Logins

Cybercriminals online take advantage of well-known events to register malicious domains with keywords related to the event, with the intention of tricking users through phishing and other fraudulent schemes. 

The analysis examines event-related abuse trends across domain registrations, DNS and URL traffic, active domains, verdict change requests, and domain textual patterns, with specific examples from the 2024 Paris Olympics.

They leverage high-profile events to register deceptive domains mimicking official websites, aiming to defraud users with counterfeit goods and fraudulent services, potentially reaching millions of unsuspecting individuals.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

During the COVID-19 pandemic, threat actors capitalized on the crisis by launching targeted phishing attacks against government and medical institutions, as well as distributing malicious software disguised as COVID-19-related content to compromise systems and steal sensitive data.

Cybercriminals exploited the ChatGPT hype by creating fake tools and services, tricking users into revealing sensitive information or downloading malware, demonstrating their ability to capitalize on global trends.

By capitalizing on high-profile events, they are registering deceptive domains, leveraging DNS traffic anomalies, and employing unusual URL patterns, as analyzing domain registration trends, textual patterns in malicious domains, and verdict change requests can help identify and mitigate these threats.

Daily new domain registrations for event-related keywords are used to identify potential cyberthreats, as by comparing average daily registrations with suspicious domains linked to C2, ransomware, malware, phishing, or grayware, researchers highlight potential risks associated with trending events.

They used to identify textual patterns indicative of malicious intent, and by examining keywords, domain structure, and TLDs, we quantified the prevalence of suspicious domains associated with specific keywords and TLDs, providing insights into attacker preferences and potential red flags.

DNS traffic analysis reveals patterns in user behavior and potential malicious activity. Significant fluctuations or anomalies in DNS traffic, particularly for specific domains, may signify unusual network activity like command-and-control communications, especially during high-profile events. 

The analysis of NRDs through URL traffic reveals trends in both overall and suspicious traffic, including significant spikes during current events, which indicates potential attacker exploitation of event topics, likely through phishing website visits.

The top 10 frequently visited domains for DNS and URL traffic to identify trends, understand shifts in user interest, and potentially detect emerging threats posed by newly popular domains. 

Palo Alto Networks Test-A-Site experiences fluctuations in domain recategorization requests, including false positives and negatives, which are often triggered by sudden events and can cause significant spikes in request volume within short periods.

Threat actors target high-profile events, leveraging deceptive domains, phishing, and malicious traffic.

Security teams can proactively mitigate risks by monitoring domain registrations, textual patterns, DNS anomalies, and change request trends to identify and block malicious domains and thwart opportunistic scams.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses