
Deciphering Domain Name Phishing


In 2021, the United States FBI's Internet Crime Complaint Center (IC3) recorded more than 320,000 victims of phishing scams, with reported losses of more than US$44 million. It is no surprise that phishing remains among the most common tactics threat actors use to defraud victims or steal sensitive data and access credentials. Most phishing campaigns require little technical sophistication, but because they prey on human behavior, they are effective.

Digital adversaries employ a variety of phishing scams when targeting users at scale, including deactivation scares, advance fee and wire transfer scams, fake crisis notices, and fake giveaways. One type of phishing attack, however, is used to target businesses directly, and it can have devastating consequences: domain name phishing.

In this blog, we’re taking a deep dive into domain name phishing, an insidious social engineering technique used by cybercriminals to take control of one of your most valuable digital assets: your web domain.

You’ll learn exactly what domain name phishing is, how it works, and how to secure your domain against takeover by digital threat actors.

What is Domain Name Phishing?

All forms of phishing can be described as social engineering tactics delivered electronically. 

The consumer-targeting scams mentioned above are examples of social engineering: they use deception and false pretenses to manipulate their targets into sharing sensitive data, divulging personal information, or sending hard currency to cybercriminals. 

Phishing attacks are most frequently delivered by email, but cybercriminals increasingly extend them to other channels, including SMS (smishing), voice calls and voicemail (vishing), social media, and business collaboration and messaging platforms.

In a domain name phishing attack, a digital adversary sends phishing emails to one or more employees of your organization with a very specific goal: to trick the recipient into revealing administrative credentials for the account that controls your domain, typically your domain registrar account or your web hosting control panel.

A successful domain name phishing attack gives the cybercriminal initial access to that account. From there, the attacker can redirect your web traffic to infrastructure they control, alter your website in ways that damage your reputation, or hijack your domain outright and ransom it back to you.

How Does Domain Name Phishing Work?

Domain name phishing is a cyberattack whose goal is to steal administrative credentials for the target's domain registrar or web hosting account. Let's take a closer look at how a domain name phishing attack works:

Reconnaissance and Target Selection

Adversaries who specialize in domain name phishing begin their attacks with careful target selection, reconnaissance, and research. Choosing the best targets for domain name phishing scams gives cybercriminals the greatest chance of executing a successful attack.

Target selection can happen at the enterprise level (adversaries choose enterprise targets based on predetermined criteria), or at the hosting level (adversaries obtain a list of enterprises on a specific web host, then target those enterprises).

Having selected an enterprise target, digital adversaries can begin to ask questions like:

  1. Which web hosting company does my target use?
  2. Which employees at the target organization will have administrative access to the web hosting control panel?
  3. Who can I impersonate to win their trust?
  4. What email address(es) should I send phishing emails to?

Adversaries may answer these questions from publicly available information (your company website and social media profiles, your employees' social media profiles, WHOIS and DNS records, etc.) or via social engineering (impersonating a customer or vendor and contacting your employees to elicit information).

Resource Development

Having selected a juicy target for domain name phishing, a digital adversary will begin developing resources and infrastructure to support the attack. The exact approach taken in this step depends on the specific plan of attack.

A minimalist approach might involve a spoofed email that appears to come from the CEO of your organization and directs the recipient to reply with the login details for the company's web hosting or registrar account.

A more sophisticated approach involves registering a lookalike domain and hosting on it a copy of the familiar login page of your registrar or web hosting control panel. A phishing email that appears to come from your domain registrar (but actually comes from the attacker) asks you to click a link and log in to your control panel; instead, you hand your access credentials to the attacker.

Resource development also involves the development, acquisition, and staging of capabilities that adversaries will need to successfully monetize their attack on your infrastructure – more on that soon.

Executing the Phishing Attack

Once the necessary resources to support the attack have been deployed and staged, the digital adversary will execute the attack by sending a carefully crafted phishing email to all of the selected targets.

The two most common strategies here are:

  1. Impersonating the CEO and asking the recipient to send the access credentials to the attacker by email, or
  2. Impersonating the domain registrar or web hosting company and sending a link with a false pretext that leads the recipient to enter their access credentials on a spoofed login page controlled by the attacker.

As the attack is executed, the adversary will be on high alert for any response from the target(s). If any valid credentials are captured, either via a return email or through a spoofed domain, the adversary will act quickly to secure the initial access, solidify their control of your domain, and begin monetizing the attack.
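As an added example (not ZeroFox's product code and not part of the original post), the Python script below triages a raw email for the indicators behind both strategies just described: a display name that claims to be the registrar or the CEO while the sending domain is not one we trust, a Reply-To that routes the answer elsewhere, SPF/DKIM/DMARC failures recorded by the receiving mail server, and links whose visible text names the real registrar while the href points at a lookalike. The trusted domains example.com and example-registrar.com and the three sample messages are constructed assumptions.

```python
"""Triage a suspected domain-name phishing email for the indicators behind the
two strategies described above: a display name claiming to be the registrar,
host or an executive while the sending domain is untrusted; a Reply-To that
routes the answer elsewhere; SPF/DKIM/DMARC failures; and links whose visible
text names a trusted site while the href goes elsewhere. All messages and
domains below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "example-registrar.com"}  # assumed: ours and our registrar
IMPERSONATION_TERMS = ("registrar", "hosting", "support", "ceo")
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(value):
    """Lower-cased host of an email address, URL or bare 'host/path' string."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def body_text(msg):
    """Decoded text/plain and text/html parts joined together (handles multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_type() in ("text/plain", "text/html"))

def triage(raw_message):
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr) if addr else ""
    # 1. Display name claims a trusted identity but the address domain is not trusted.
    low = display.lower()
    claims = any(t in low for t in IMPERSONATION_TERMS) or any(d.split(".")[0] in low for d in TRUSTED_DOMAINS)
    if claims and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' but sender domain is '{from_domain}'")
    # 2. Reply-To sends the answer (and the credentials) to a different domain than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply)}' differs from From domain '{from_domain}'")
    # 3. The receiving MTA's Authentication-Results header records an SPF/DKIM/DMARC failure.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech}={m.group(1).lower()}")
    # 4. Visible link text names one domain while the href goes to another, or to an untrusted one.
    collector = _LinkCollector()
    collector.feed(body_text(msg))
    for href, text in collector.links:
        href_domain = domain_of(href)
        text_domain = domain_of(text) if DOMAIN_LIKE.fullmatch(text) else ""
        if text_domain and text_domain != href_domain:
            findings.append(f"link text shows '{text_domain}' but href goes to '{href_domain}'")
        elif href_domain not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain '{href_domain}'")
    return findings

# Constructed sample messages (not real traffic).
REGISTRAR_PHISH = """\
From: "Example Registrar Support" <support@examp1e-registrar.com>
To: admin@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-registrar.com; dmarc=fail
Content-Type: text/html; charset=utf-8

<p>Your domain will be suspended in 24 hours. Log in to verify:
<a href="https://examp1e-registrar.com/login">https://example-registrar.com/login</a></p>
"""
CEO_PHISH = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: webadmin@example.com
Content-Type: text/plain; charset=utf-8

Send me the control panel username and password, I am in a meeting and it is urgent.
"""
LEGIT_RENEWAL = """\
From: "Example Registrar" <noreply@example-registrar.com>
To: admin@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset=utf-8

<p>Thanks for renewing. <a href="https://example-registrar.com/billing">View receipt</a></p>
"""
```

Run it on a saved message with `triage(open(path).read())`. Two caveats: the Authentication-Results check trusts the header as stamped by your own gateway, and an attacker can include a forged copy in the message, so the gateway must strip incoming Authentication-Results headers before adding its own; and plain-text mail with bare URLs needs a URL regex in addition to the HTML link walk.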

Monetizing the Attack

The outcome of a successful domain name phishing attack is an adversary with administrative access to the account that controls your domain. 

While some attacks are carried out by adversaries who want to disrupt your operations or damage your reputation, the most common motivation is money, and the adversary will most likely start monetizing their unauthorized access immediately. 

Here’s how:

Traffic Diversion

A digital adversary with administrative access to your website or DNS can install malicious scripts, or change DNS records, to divert your traffic to spoofed or fraudulent pages they control. This lets the adversary scam your customers without your knowledge, eroding trust in your brand and damaging your reputation in the process.

Payment Diversion

If you process payments on your website, an attacker with control of the site may be able to divert some of those payments to accounts they control, stealing from both you and your customers.

Domain Hijacking

Domain hijacking is one of the most common outcomes of a successful domain name phishing attack. Note that it is control of the registrar account, not of the DNS records alone, that makes it possible: with that access an adversary can change your nameservers, remove the transfer lock, obtain the transfer authorization (EPP/auth) code, and move the domain into a registrar account they control, giving them full control of your domain. Registrar transfer locks, a registry lock where your registrar offers one, and multi-factor authentication on the registrar account make this step considerably harder. Once the domain is gone, you face two choices:

  1. Pursue recovery through your registrar and ICANN's dispute processes (such as the Transfer Dispute Resolution Policy), which can take months or longer, during which you have no control of your web domain, or
  2. Pay whatever ransom is demanded by the attacker.

Domain Name Phishing Destroys Your Business

A domain name phishing attack that results in losing control of your web domain can have a massive impact on your business operations.

Unplanned Downtime

If your domain is hijacked through a registrar transfer or nameserver change, you could lose control of it for an extended period of time. 

If you’re an eCommerce business, you’re dead in the water with no ability to run your store. 

If you’re a digital native business, you’ve just lost your whole platform for service delivery, and a large share of your customers by the time you get back online. 

And if you depend on digital marketing, you’ve lost the centerpiece of your customer acquisition funnel.

Revenue Loss

Unplanned website downtime results in measurable revenue loss for companies that do business online, before counting the considerable cost of restoring service for customers and remediating such an invasive security incident.

Reputation Damage

When you lose control of your domain, digital adversaries can make unwanted changes to your website that embarrass your company and damage your customer relationships. 

When customers visit your website, they won’t see the carefully crafted, on-brand messages written by your all-star marketing team – they’ll see the mess made by your digital adversary, and they’ll know that your website has been totally compromised.

As a result, your customers will notice your poor security controls and think twice before trusting you again with their data – or their business.

3 Ways to Defend Against Domain Name Phishing

Now that we’ve detailed the methodology and impact of domain name phishing, let’s focus on solutions. Below are three ways for organizations to successfully defend against domain name phishing attacks.

Conceal Your Digital Identity with WHOIS Privacy

WHOIS records identify the registrant of a domain and list their contact details, usually including an email address. A favorite tactic of digital adversaries is to look up the WHOIS data for a domain, find the registrant's contact information, and send them domain name phishing emails. 

The good news is that most domain registrars offer WHOIS privacy (also called a privacy or proxy service), which hides your contact details in WHOIS and RDAP records and substitutes those of an email forwarding service; many registrars have also redacted registrant data by default since GDPR took effect in 2018. This simple step keeps your real mailbox out of the most obvious target list. It does not hide what an adversary can learn from your website, your employees' professional profiles, or public DNS records, so treat it as one layer rather than a complete fix.
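To check where your own domain stands, here is an added example (not ZeroFox's code and not part of the original post) that parses a WHOIS record and reports the points that matter for domain name phishing and hijacking: which contact mailboxes are exposed, whether any sit on a domain you do not control (a contractor's personal mailbox is a phishing target you cannot harden), whether the clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited registrar locks are set, and whether the zone is DNSSEC-signed. The two WHOIS records, the domain example-shop.com and the registrar example-registrar.com are constructed for the example.

```python
"""Assess a WHOIS record for exposure to domain-name phishing and hijacking.
The two records below are constructed for this example; for a real domain,
feed assess_whois() the output of `whois yourdomain.example`."""

# EPP status codes that block transfer, nameserver/contact updates and deletion at the registrar.
WANTED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
# Markers registrars use when a privacy/proxy service or GDPR redaction is in place.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")

def parse_whois(text):
    """Flatten 'Key: value' lines into {lower-cased key: [values]} (keys such as Domain Status repeat)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def assess_whois(text, our_domains):
    """Return a dict of findings. our_domains: mailbox domains we control; an exposed
    contact email outside them is a third party we cannot train or protect."""
    f = parse_whois(text)
    statuses = {s.split()[0] for s in f.get("domain status", []) if s}
    emails = [e for k, v in f.items() if "email" in k for e in v if "@" in e]
    exposed = [e for e in emails if not any(m in e.lower() for m in REDACTION_MARKERS)]
    registrant_org = " ".join(f.get("registrant organization", [])).lower()
    return {
        "missing_locks": sorted(WANTED_LOCKS - statuses),
        "transfer_locked": "clientTransferProhibited" in statuses,
        "registry_locked": "serverTransferProhibited" in statuses,  # registry-level lock, stronger
        "dnssec_signed": any(v.lower().startswith("signed") for v in f.get("dnssec", [])),
        "exposed_emails": exposed,
        "emails_outside_our_domains": [e for e in exposed
                                       if e.rsplit("@", 1)[1].lower() not in our_domains],
        "registrant_redacted": any(m in registrant_org for m in REDACTION_MARKERS),
        "nameservers": [ns.lower() for ns in f.get("name server", [])],
    }

# Constructed WHOIS output for a domain with no privacy service and no locks.
UNPROTECTED = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, LLC
Registrar WHOIS Server: whois.example-registrar.com
Updated Date: 2023-03-02T10:11:12Z
Registry Expiry Date: 2024-03-01T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Name: Alice Admin
Registrant Organization: Example Shop Inc.
Registrant Email: alice.admin@example-shop.com
Admin Email: webmaster@example-shop.com
Tech Email: it-contractor@gmail.com
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
DNSSEC: unsigned
>>> Last update of WHOIS database: 2023-06-01T00:00:00Z <<<
"""

# The same domain after enabling WHOIS privacy, registrar locks and DNSSEC (constructed).
PROTECTED = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Organization: Privacy service provided by Example Registrar
Registrant Email: 1a2b3c4d@privacy.example-registrar.com
Admin Email: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
DNSSEC: signedDelegation
"""
```

Treat `missing_locks` as the most urgent finding: with the locks off and a phished registrar login, an attacker can change nameservers and approve a transfer with no further friction, whereas the locks force an extra, auditable step at the registrar. The `emails_outside_our_domains` list is the second thing to fix, since a personal mailbox is outside your mail filtering and your security awareness program.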

Detect Phishing Emails with Anti Phishing Software

Another way to block phishing emails from reaching your inboxes is to detect them automatically with anti-phishing software.

Anti-phishing software automates the detection and removal of malicious emails at scale, and the better tools extend the same detection to social media and collaboration channels, reducing your employees' exposure to domain name phishing and other malicious messages.

ZeroFox provides anti-phishing software that detects phishing at the source and blocks malicious emails. ZeroFox’s adversary takedown service works proactively to dismantle known and identified phishing domains, preventing future attacks against your organization.

Monitor the Public Attack Surface

A third way to prevent domain name phishing is to monitor the public attack surface (e.g. the surface, deep, and dark web, social media, business collaboration software tools, etc.) for malicious digital infrastructure that may be used to launch phishing attacks against your business. 

This includes things like:

  • Spoofed domains impersonating your business website,
  • Spoofed domains impersonating your web hosting login or domain registrar, and
  • Fake email accounts or social media profiles impersonating your company’s employees and executives.

ZeroFox leverages artificial intelligence to monitor the public attack surface automatically and at scale for potential threat indicators. Our domain monitoring capability can detect and identify fraudulent domains that impersonate your brand or use your assets (e.g. logo, trademarks, etc.) without your permission. When a threat is discovered, ZeroFox alerts your organization and works to take down the fraudulent infrastructure before it can be used to target your employees and customers.
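As an added example (not ZeroFox's detection logic and not from the original post), the following Python flags feed entries that impersonate your brand or your registrar's login domain in the ways listed above, and generalizes slightly beyond the list: homoglyph and typo variants (including Cyrillic IDN homographs), TLD swaps, and the brand label embedded in a longer registrable domain or used as a subdomain of an attacker-controlled domain. BRANDS and the OBSERVED feed are constructed; the one-label TLD assumption in registrable_label is noted in the code.

```python
"""Flag observed domains that impersonate our brand or our registrar's login page.
Two complementary tests: (1) homoglyph-normalised edit distance from the brand
label, catching examp1e / exarnple / exampel and TLD swaps; (2) the brand label
embedded in another registrable domain, catching example-login.net or
login.example.com.verify-host.info. BRANDS and OBSERVED are constructed for this
example; in practice OBSERVED comes from a newly-registered-domain feed or CT logs."""

# Confusable substitutions (ASCII tricks plus a few Cyrillic IDN homographs) mapped to the plain letter.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalize(text):
    """Lower-case and collapse confusable glyphs so examp1e and exarnple both become example."""
    text = text.lower()
    for glyph in sorted(HOMOGLYPHS, key=len, reverse=True):  # multi-character glyphs first
        text = text.replace(glyph, HOMOGLYPHS[glyph])
    return text

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap (each cost 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_label(domain):
    """Label left of the TLD. Assumes a one-label TLD (example.com -> example); a production
    version should consult the Public Suffix List so co.uk and similar suffixes work."""
    parts = domain.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_reason(observed, brands):
    """Return (reason, brand) if observed impersonates one of our brand domains, else None."""
    observed = observed.lower().strip(".")
    if "xn--" in observed:  # punycode feed entry: decode so the homoglyph map can see the glyphs
        try:
            observed = observed.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if any(observed == b or observed.endswith("." + b) for b in brands):
        return None  # our own domain or a subdomain of it
    obs_label = registrable_label(observed)
    norm_label, norm_full = normalize(obs_label), normalize(observed)
    for brand in sorted(brands, key=len, reverse=True):  # longest brand label wins ties
        brand_label = registrable_label(brand)
        if obs_label == brand_label:
            return ("tld-swap", brand)
        if edit_distance(norm_label, brand_label) <= 1:
            return ("homoglyph-or-typo", brand)
        if len(brand_label) >= 5 and brand_label in norm_full:
            return ("embeds-brand", brand)
    return None

def scan(observed_domains, brands):
    """Run lookalike_reason over a feed and return the flagged (domain, reason, brand) triples."""
    hits = []
    for domain in observed_domains:
        result = lookalike_reason(domain, brands)
        if result:
            hits.append((domain, *result))
    return hits

BRANDS = ["example.com", "example-registrar.com"]  # assumed: our site and our registrar
OBSERVED = [  # constructed feed entries
    "www.example.com",                     # ours: ignored
    "examp1e.com",                         # digit for letter
    "exarnple.com",                        # rn for m
    "ex\u0430mple.com",                    # Cyrillic a (IDN homograph)
    "exampel.com",                         # adjacent transposition
    "example.net",                         # TLD swap
    "example-login.net",                   # brand embedded in a new registrable domain
    "secure-example-registrar.com",        # registrar login lookalike
    "login.example.com.verify-host.info",  # brand as a subdomain of the attacker's domain
    "unrelated-shop.com",                  # benign
]
```

In production, replace OBSERVED with a newly-registered-domain feed or Certificate Transparency log entries. The embeds-brand test is the noisiest of the three (short or dictionary-word brand labels match benign domains), so pair those hits with registration age, hosting and page-content checks before raising a takedown.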

Protect Against Domain Name Phishing with ZeroFox

ZeroFox provides digital risk protection, proactive threat intelligence, and adversary disruption capabilities that safeguard your organization against domain name phishing and other malicious cyberattacks.

Want to learn more?

Download our free InfoSec Guide: Addressing the Rise in Phishing and Financial Fraud to discover how digital threat actors are mounting phishing attacks against enterprise targets, and how you can protect your business with ZeroFox.
