Ongoing investigation finds more than 540 high-risk domain names associated with Walmart brand disguised as career, dating and movie sites
SEATTLE - August 6, 2019 - Today, DomainTools, the leader in domain name and DNS-based cyber threat intelligence, announced it has identified an ongoing domain name spoofing campaign specifically targeted at domain names associated with Fortune 500 retailer, Walmart, as well as online dating and popular movies. The DomainTools research team has explored more than 540 potentially malicious domains being used by a sophisticated threat actor or group with the possible intention of harvesting consumer credentials.
Domains discovered through DomainTools PhishEye and investigated in DomainTools Iris , uncovered registrant details that point to Pakistan and Bangladesh, but a majority of the IPs are located in the United States. Of the 540+ identified domains in the campaign, only 181 have appeared on blacklists. The others were given average risk scores of 93 which indicates that they have a very high likelihood of being blacklisted in the future.
“The number of malicious domains that surfaced in this campaign is alarming and likely an indication of the threat actor or group’s resources and sophistication,” said Corin Imai, senior security advisor, DomainTools. “Our initial intent was to take a closer look at Fortune 500 companies, but our investigation led us down an unexpected path. Thanks to the robust investigative and pivoting features in our products, we were able to unearth an entire campaign. Although we successfully detected and to some degree identified the intent of this campaign, we are committed to uncovering its scale as well as more information about those behind it.”
A signal of this campaign’s level of sophistication and apparent intent to harvest credentials, is the ability to mimic the look and feel of the sites they are spoofing. Of the domains found to date, many appear to target job seekers and individuals interested in online dating. There is enough traffic to these sites to warrant further investigation into whether people are submitting their personally identifiable information and unknowingly turning over their credentials to threat actors.
While the DomainTools research team continues to unearth the intent of this campaign and potentially the actor/group behind it, here are some recommendations for organizations are consumers facing the pervasive issue of website spoofing:
About DomainToolsDomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at http://www.1081377.com or follow us on Twitter: @domaintools.