Beginning of July 2022, new erupted over the arrest of a CEO who allegedly sold bogus Cisco networking devices. While he used e-commerce sites as sales channels, the idea that counterfeit products are also being peddled via cybersquatting domains isn’t too far-fetched. In fact, we demonstrated this during the 13th operation of Europol on our sites (IOS), with other organizations of the cybersecurity community.

Besides counterfeiting, cybersquatting domains can also serve as vehicles for other types of cybercrime, such as spear phishing, scams, and spam. In line with this, WhoisXML API researchers monitored the Domain Name System (DNS) for cybersquatting domains targeting Cisco and its main competitors: Avaya, Broadcom, Juniper Networks and Netgear. Our discoveries include:

  • Over 2,700 cybersquatting domains and subdomains targeting all five network hardware vendors were added from June 1 to August 8, 2022
  • Over 99% of properties could not be publicly attributed to legitimate businesses
  • Approximately 86% of properties actively resolved to IP addresses
  • Although relatively new, more than a dozen properties have already been flagged as malicious

A sample of additional artifacts obtained from our analysis is available for download from our website.

Dissection of Cybersquatting Properties Targeting Provided Network Hardware

We used company names as search strings to retrieve relevant properties using Discovery of domains and subdomains. To reduce the number of false positives, we’ve added restrictions, such as excluding domains containing the string “francisco” for Cisco cyber resources.

We found 2,797 cybersquatting properties added from June 1 to August 8, 2022. We then scanned these resources using IP, WHOIS, and other DNS intelligence tools.

Who owns the properties?

Before proceeding with any other analysis, we thought it would be interesting to establish the attribution of the properties. Does the target company own it? Based on Bulk WHOIS lookup results, cybersquatting properties could hardly be attributed to network hardware vendors.

In particular, only eight domains shared the same publicly available registrant details as the official corporate domains, and they were all owned by Cisco. Approximately 85% of non-publicly attributable domains have been actively resolved to over 1,400 unique IP addresses.

Where are cybersquatting resources located?

Over 60% of properties resolved to geolocated IP addresses in the United States, while the rest were spread across 49 other countries. The locations didn’t differ much from the depositing countries of most domains. About 46% of them were also registered in the United States, and the remaining domains were registered in 47 other countries.

The table below shows the top 10 countries in terms of IP geolocation and WHOIS registration, along with the percentage of properties attributed to them.

Table 1: Top 10 cybersquatting property locations
Top 10 IP geolocations Top 10 registered countries
1. United States (60.34%)
2. Germany (6.54%)
3. Canada (4.85%)
4. United Kingdom (4.85%)
5. France (3.16%)
6. Ireland (2.39%)
7.Switzerland (2.21%)
8. Russia (1.94%)
9. Netherlands (1.67%)
10. China (1.32%)
1. United States (45.59%)
2. Iceland (5.74%)
3. Canada (5.50%)
4. Austria (4.28%)
5. United Kingdom (2.75%)
6. France (1.78%)
7. Germany (0.89%)
8. China (0.89%)
9. Japan (0.65%)
10. Finland (0.49%)
What organizations oversee the properties?

Part of our study was to determine who had authority over the properties. For domains, that would be GoDaddy, as it is the leading registrar of cybersquatting resources, accounting for 16% of registrations. It was followed by MarkMonitor, Namecheap, Network Solutions, Google, Amazon, PDR Ltd., 123-Reg Limited and Wix. The rest was distributed among 154 other registrars.

Chart 1: Top 10 registrars of cybersquatted domains

Most cybersquatting domains in the study (19%) resolved to Amazon-owned IP addresses. Google accounted for 10%, followed by Cloudflare, Microsoft, Fastly, OVH, Linode, Hetzner, Digital Ocean and Wix.

Figure 2: Top 10 Internet Service Providers (ISPs) Cybersquatting Domains Resolved

Malicious Properties Ale

More than a dozen cybersquatting resources have been flagged as malicious since August 8, 2022. Among them is netgearextendersetups[.]com, which resolved to 190[.]115[.]26[.]62. Five other similar-looking cybersquatting domains have also been resolved with the same IP address, but have not yet been reported. These are:

  • netgearwifiextendersetupen[.]com
  • netgearextendersetupwifi[.]com
  • netgearextender setup[.]com
  • netgearwifiextendersetup[.]we
  • netgearwifyextendersetupgo[.]com

In addition to resolving to the same IP address, these domains also shared the same registrar and name server. The rest of their WHOIS details have been redacted except for netgearwifiextendersetup[.]we. We recovered a public email address that was historically linked to 17 suspicious domains, according to Reverse WHOIS Lookup. Some seemed to mimic the login pages of routers and entertainment sites. These are shown in the screenshot below.

Only time can tell if they will also be weaponized, but keeping an eye out for them and other cybersquatting properties might be good cybersecurity practice.

We started with cybersquatting properties, some of which might be benign. Still, a deep dive into malware has led us to more suspicious properties that could harm users and their networks.

The suspicious properties we discovered in this article can be used to sell fake network devices. They can also be weaponized to serve as vectors for phishing, scamming, and malware distribution.

If you wish to carry out a similar survey or have access to the complete data of this research, do not hesitate to Contact us.