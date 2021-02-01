

At the beginning of last week, the Malware Hunter collective, which monitors trends in the distribution of malicious programs, issued a warning from its Twitter account: “Prepare yourselves, Spaniards. The actors have bought multiple new domains to use them.” These “actors” were cybercriminals, and those pages, which pretended to belong to the DHL parcel company, explained to the unsuspecting user how to download an application to track a shipment. “The purpose is basically to steal the banking application credentials that the user has on their device and from there make money transfers to accounts controlled by criminals,” explains Josep Albors, an expert in computer security. Weeks before, these poisoned apples were disguised as communications from the Post Office (Correos), but we have also seen them in the form of fines from the DGT, notifications from the Treasury and even information related to pandemic restrictions.

To launch an impersonation campaign (phishing), cybercriminals need a page to send victims to, and often also a domain to attach the email accounts they will use to distribute their lures. For this reason, monitoring the creation of new domains becomes the glance at the sky we take to guess what the weather will do. Mackerel sky, wet ground; a wave of registrations with different variations of a known brand, a cyber attack in the making. “In the case of DHL, it’s simple, you just have to do an automated follow-up of the domains that are registered every day,” says Albors. If newcomers appear with different suffixes (DHL-app) and endings (.info, .space), trouble is coming. “In the case of DHL we have also seen that some legitimate pages were being compromised so that the application could be downloaded from them, but it was anecdotal,” adds the expert.

In the DHL case, Malware Hunter recorded dozens of newly created domains. And those references to well-known brands, which seek to make the deception more credible, are precisely what gives them away. “It is strange for a well-known brand to generate domains without rhyme or reason, in a short space of time and almost randomly,” explains Albors. “It is also true that certain companies in charge of registering domains are adopting quite lax policies regarding monitoring and taking down their contents when it is known that they are spreading malware [malicious programs].”
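The two signals described above, brand-lookalike names in the daily list of new registrations and a burst of them in a short time, can be turned into a simple defensive monitor. The following is an added example, not code from the article, Malware Hunter or any company it names; it assumes the feed is a plain list of domain names (a constructed sample is embedded), and the brand list, allowlist, TLD list, appendage vocabulary and wave threshold are illustrative choices.

```python
"""Flag brand-lookalike registrations in a day's list of new domains.
Added example, not the article's or any named company's code; brands,
allowlist, TLD list, wave threshold and the sample feed are assumptions."""
import re
from collections import defaultdict

BRANDS = ("dhl", "correos")                       # brands the article says were impersonated
ALLOWLIST = {"dhl.com", "dhl.es", "correos.es"}   # assumed legitimate domains, never flagged
SUSPICIOUS_TLDS = {"info", "space", "top", "xyz", "site", "online"}  # .info/.space from the text
APP_WORDS = ("app", "track", "tracking", "envio", "paquete", "package")  # assumed appendages

def brand_in(name: str, brand: str) -> bool:
    """True if brand is a label or hyphen part, or is glued to an app word (dhlapp)."""
    parts = re.split(r"[.-]", name)
    return brand in parts or any(
        p.startswith(brand) and p[len(brand):] in APP_WORDS for p in parts)

def classify(domain: str):
    """Return (brand, reasons) for a lookalike registration, or None if clean."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST or "." not in domain:
        return None
    name, tld = domain.rsplit(".", 1)
    for brand in BRANDS:
        if not brand_in(name, brand):
            continue
        reasons = [f"brand token '{brand}' outside the allowlist"]
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"low-cost TLD .{tld}")
        appendages = [w for w in APP_WORDS
                      if re.search(rf"(^|[.-]|{brand}){w}([.-]|$)", name)]
        if appendages:
            reasons.append("app-style appendage: " + ", ".join(appendages))
        return brand, reasons
    return None

def scan_feed(domains, wave_threshold: int = 3):
    """Group flagged domains by brand; a brand at/over the threshold is a 'wave'."""
    flagged = defaultdict(list)
    for d in domains:
        hit = classify(d)
        if hit:
            flagged[hit[0]].append((d, hit[1]))
    waves = {b: len(v) for b, v in flagged.items() if len(v) >= wave_threshold}
    return dict(flagged), waves

# Constructed sample feed standing in for one day's list of new registrations.
SAMPLE_FEED = ["dhl-app.info", "dhl-app.space", "dhlapp.top", "dhl.tracking-es.xyz",
               "correos-paquete.site", "dhl.com", "midhlpanel.com", "example.org"]
```

Running `scan_feed(SAMPLE_FEED)` on the sample returns four DHL lookalikes and one Correos lookalike, raising a wave alert for DHL only, while `midhlpanel.com` and the allowlisted `dhl.com` pass through untouched.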

IONOS, the main registrar for .es domains, explains that it runs checks to identify possible fraudulent registrations and includes in its terms and conditions policies that allow it to remove sites that commit abuses. But control is not easy: “It is basically impossible to stop these campaigns at registration. The reason is that most of the data they use is not invented, but information from real people that scammers obtain without much effort from the dark web,” explains Thomas Keller, head of domain services at the company. For the future, hopes are pinned on machine learning systems that detect suspicious patterns in newly created pages.

Short but intense lives

The longer these domains live, the greater the chance that the malicious programs they harbor will spread. In general, they live fast. They are created a few hours before the messages (e-mails or SMS) go out and, sooner or later, they end up being taken down, but they do not die in vain. “If they hold out for a few hours or a day, they can make enough profit to launch another campaign the following week,” Albors explains.

The key is to anticipate the mailings, detect anomalies in the generation of domains and update security solutions so that they block any interaction with these pages. “Most of the banking Trojan campaigns [malicious programs that open the door to others] in recent months we detected even before the samples began to be downloaded,” says the expert. Surveillance is key in other aspects of computer security as well. Monitoring variations in the code of these threats and looking closely at deviations from normal records of user activity allows experts to stay one step ahead. “It is an eternal battle that we will never win, but we are totally committed not to lose it,” says Keller.

Would it help if we were all on notice? Albors does not rule out that a new communication model for these matters could serve to slow down the advance of campaigns such as the one that recently impersonated Correos. “It has worked too well. The mechanism was very similar to that of previous campaigns, but many people have fallen for it,” he laments. Knowing the threats in circulation in the same way that we know about weather alerts would allow us to take extra precautions. “This information needs to be something more constant, more visible. It has to reach everyone who is using technology, and without technicalities.”

