Scammers gain trust through ‘aged’ domains

Hackers are using older, trusted domains and accounts to provide cover for scams.

Francis Scialabba


Like wine, cheese, and Ramones T-shirts, domains get better with age—at least from a hacker’s point of view. A trusted dot-com site that has been around for a while raises fewer red flags than that brand-new URL on the block.

Attackers, however, are using established, aged internet addresses and even Amazon accounts to provide a facade of legitimacy and a more convincing platform for sending scams—a confounding challenge that requires end-users and domain sellers alike to stay alert to fraud, even in previously trusted spaces.

This is how Daniel Fonseca Yarochewsky, security software engineer at the ad-security platform Confiant, presents the cyber-conundrum:

“How can you search for something that used to be good, and [find that] it’s no longer good?”

Domain frame. Domain age, the time elapsed since a domain was first registered, is a common signal for filtering traffic. Newly registered domains are cheap and easy to acquire and carry no history to judge them by, so they draw more scrutiny (and are more likely to be malicious) than addresses with a track record. If an attacker picks up a trusted domain after its owner lets the registration lapse, they are already past that first hurdle.

Yarochewsky’s recent Confiant report showed how the “CashRewindo” group used old domains to serve up malicious code in advertisements. Malware-hosting domains (at least 487, according to Yarochewsky) were registered years before, even as far back as 2000.

The domains were probably bought as an “aging as a service” offering, said Yarochewsky, since attackers aren’t likely to wait for their site to ripen.

“That would be super counterproductive and not very scalable,” Yarochewsky told IT Brew.

Unsettling accounts. The cyberintelligence firm Cybersixgill found another asset that gets better-looking with age: Amazon accounts.


In a two-year scan of dark-web queries, the company saw 6,862 posts on underground forums, markets, and messaging platforms discussing aged Amazon accounts. Many are buying aged accounts to commit refund fraud, said the report. With an Amazon profile that has years of trustworthy history, a user has a better chance of fooling sellers into getting money back.

“Because e-commerce sites care so much about customer satisfaction, the burden of proof to say, ‘I didn’t get this item’ is very low,” Dov Lerner, security research lead at Cybersixgill, told IT Brew.

Amazon has machine-learning, fraud-detection capabilities, but a 240% increase in the monthly average of underground posts about aged Amazon accounts is notable, according to Lerner.

“That’s an indication that [the attack is] working,” said Lerner.

Trust-ration. The 2020 SolarWinds supply-chain attack also involved aging. A Palo Alto Networks report noted that the attackers’ command-and-control (C2) domain had been registered years before it was put to use.

Dormant domains often show an abnormal, sudden burst of traffic when cybercriminals revive them to serve malware, and some security platforms flag traffic patterns with such suspicious spikes. The aged threat calls for both anomaly monitoring from security vendors and the usual “don’t click” attitude from end-users.
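The two signals the article describes, registration age as a first filter and a sudden traffic spike on a previously dormant domain as the anomaly that catches aged domains, can be combined in a small triage routine. The following is an added example written for this page, not code from Confiant, Palo Alto Networks, or any vendor mentioned above. The domains, registration dates, log lines and thresholds (one-year minimum age, 30-day lookback, 7-day recent window, 10x spike ratio) are all constructed and hypothetical; the log format `YYYY-MM-DD domain count` is an assumed, simplified DNS/proxy summary.

```python
"""Aged-domain triage: combine registration age with recent traffic history.

Added example. The domains, dates, log lines and thresholds below are
constructed and hypothetical, not data from the article or any vendor.
"""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2023, 3, 31)  # "today" for the constructed dataset

# Constructed WHOIS-style creation dates for hypothetical domains.
REGISTRATION = {
    "steady-old.example": date(2009, 8, 1),    # long history, constant traffic
    "dormant-old.example": date(2004, 3, 12),  # aged, silent, suddenly active
    "lowkey-old.example": date(2000, 6, 15),   # aged, trickle, then a spike
    "brand-new.example": date(2023, 1, 5),     # young domain, fails age filter
}


def _daily(domain, first, last, count):
    """Emit one constructed 'YYYY-MM-DD domain count' log line per day."""
    day = first
    while day <= last:
        yield f"{day.isoformat()} {domain} {count}"
        day += timedelta(days=1)


# Constructed DNS/proxy log lines: one line per domain per day with traffic.
LOG_LINES = [
    *_daily("steady-old.example", date(2023, 3, 2), date(2023, 3, 31), 50),
    *_daily("lowkey-old.example", date(2023, 3, 2), date(2023, 3, 24), 5),
    *_daily("lowkey-old.example", date(2023, 3, 25), date(2023, 3, 31), 800),
    "2023-03-27 dormant-old.example 120",
    "2023-03-28 dormant-old.example 340",
    "2023-03-29 dormant-old.example 910",
    "2023-03-30 dormant-old.example 2200",
    "2023-03-31 dormant-old.example 5100",
    "2023-03-28 brand-new.example 40",
    "2023-03-29 brand-new.example 60",
]


def parse_logs(lines):
    """Return {domain: {date: request_count}} from 'date domain count' lines."""
    traffic = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, domain, count = line.split()
        traffic[domain][date.fromisoformat(day)] += int(count)
    return traffic


def domain_age_days(domain, as_of=AS_OF):
    """Days since registration; the article's 'first hurdle' filter."""
    return (as_of - REGISTRATION[domain]).days


def _window_mean(days, first, last):
    """Mean daily count over [first, last]; days with no log line count as 0."""
    n = (last - first).days + 1
    return sum(days.get(first + timedelta(i), 0) for i in range(n)) / n


def classify(domain, traffic, as_of=AS_OF, min_age_days=365,
             lookback_days=30, recent_days=7, spike_ratio=10.0):
    """Age filter first, then compare the recent window against the baseline.

    A domain that passes the age filter is only trusted if its recent traffic
    is consistent with its earlier history; a silent domain that suddenly
    lights up, or one whose traffic jumps by spike_ratio, is flagged.
    """
    age = domain_age_days(domain, as_of)
    result = {"domain": domain, "age_days": age}
    if age < min_age_days:
        result["verdict"] = "new"
        return result
    days = traffic.get(domain, {})
    recent_first = as_of - timedelta(days=recent_days - 1)
    baseline_first = as_of - timedelta(days=lookback_days - 1)
    baseline = _window_mean(days, baseline_first, recent_first - timedelta(days=1))
    recent = _window_mean(days, recent_first, as_of)
    if recent == 0:
        verdict = "aged-quiet"
    elif baseline == 0:
        verdict = "aged-dormant-revived"  # no history in lookback, now active
    elif recent / baseline >= spike_ratio:
        verdict = "aged-spike"  # had a trickle, now far above it
    else:
        verdict = "aged-steady"
    result.update(baseline_mean=baseline, recent_mean=recent, verdict=verdict)
    return result


def triage(lines, as_of=AS_OF):
    """Classify every registered domain against the parsed log lines."""
    traffic = parse_logs(lines)
    return {d: classify(d, traffic, as_of) for d in REGISTRATION}


if __name__ == "__main__":
    for r in triage(LOG_LINES).values():
        print(r)
```

Note that the age filter alone waves through three of the four constructed domains; only the comparison of the recent window against the lookback baseline separates the domain that was registered in 2004 and never seen until this week from the one with years of steady traffic. Treating days with no log line as zero is deliberate: a dormant domain's baseline is the absence of traffic, and that absence is the signal.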

If an ad leads to a site that says, “Cryptocurrency trading is earning returns over 1700%,” it’s probably suspect. If a vendor is suddenly changing its inventory, be suspicious.

“That’s the common sense of an internet citizen that we should all have,” said Yarochewsky.—BH

