Threat Advisory: E-commerce Bots Use Domain Registration Services for Mass Account Fraud

Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them.

While researching a recent large-scale bot campaign with CQ Prime Threat Research team lead, Dean Lendrum, we found attackers using domain parking and monetization services to register multiple domains, creating a large number of fake eCommerce accounts per domain.

TL; DR Analysis of shopping-bot campaign data uncovered more than 850,000 fake accounts associated with a relatively small number of domains. Clusters and common patterns point to domain-name registration and hosting services (like Namecheap); with parking, monetization and email forwarding being used to execute large-scale shopping bot campaigns. Retailers should analyze historic data to uncover patterns emanating from suspicious domains using the same hosting infrastructure. Patterns observed include irregular domain names, domain resolving to an untrusted web app, SSL not enabled. Send email account-creation verification or consider the use of multifactor authentication (MFA) when possible. Details

Like it or not, malicious bot managers are business people and they are always looking for ways to reduce the cost of their eCommerce bot campaigns. Using domain parking and monetization services

Read More: