URL obfuscation has long been a tactic cybercriminals use to trick potential victims. Team CTM360 has observed yet another obfuscation technique on the rise: domain names registered starting with “com-”, due to the ease of setting up a subdomain. An example of this would be “facebook.com-newstrending.co”, where the domain name is in fact “com-newstrending.co”. Normally, such websites imitate the design of a legitimate website, and the URL is altered by adding special characters and/or misspelled words so that it closely resembles the original. Preliminary analysis has revealed that approximately 68,000 domains have been registered matching this pattern. Domains beginning with ‘com-’ were mostly found to be phishing websites or fake news websites, or were being used to send out spoofed emails.
Recommended Preventative Measures
- Quarantine emails from domains that begin with ‘com-’ in your email gateway
- Define firewall rules to detect and block access to websites that have domain names beginning with ‘com-’
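
One way to implement the check behind both measures, as an added example (not CTM360's code): it extracts the registered domain from a URL, bare hostname or sender address and flags it only when that domain itself begins with "com-". The function names and the small `MULTI_LABEL_SUFFIXES` set are assumptions made for illustration; a production rule would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed sample of multi-label public suffixes.
# A production rule would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}
PREFIX = "com-"


def hostname_of(value: str) -> str:
    """Extract a lowercase hostname from a URL, bare hostname or email address."""
    value = value.strip()
    if "://" not in value and "@" in value and "/" not in value:
        host = value.rsplit("@", 1)[1]      # sender address: keep the domain part
    else:
        if "://" not in value:
            value = "//" + value            # make urlsplit parse a bare host as netloc
        host = urlsplit(value).hostname or ""  # also drops userinfo and port
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Return label + public suffix, using the assumed suffix set above."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ""                           # nothing registered below the suffix
    return ".".join(labels[-(suffix_len + 1):])


def is_com_dash_domain(value: str) -> bool:
    """True when the registered domain itself begins with 'com-'."""
    return registered_domain(hostname_of(value)).startswith(PREFIX)


def flag(values):
    """Return the inputs a gateway or proxy rule should quarantine or block."""
    return [v for v in values if is_com_dash_domain(v)]


# Constructed sample input; only the first entry comes from the advisory text.
SAMPLES = [
    "http://facebook.com-newstrending.co/login",
    "billing@example.com-account.co.uk",
    "https://www.facebook.com/",
    "https://com-pany.example.org/",   # 'com-' is only a subdomain label here
]

if __name__ == "__main__":
    for item in flag(SAMPLES):
        print("flagged:", item)
```

Matching on the registered domain rather than on any label avoids flagging legitimate hosts whose subdomain merely starts with "com-".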