To a phisher, one tiny hyphen can make a big mark.
SANS Technology Institute Dean of Research Johannes Ullrich alerted users to a “clever” phishing tactic that uses a URL containing a “com-” domain prefix. With that tiny, easy-to-miss hyphen, threat actors can disguise a malicious destination.
Ullrich noted on the SANS site that the phishing tactic was placed into fraudulent messages alerting a user of unpaid tolls. (The FBI warned the public of toll trolls in April 2024, when there were over 2,000 complaints of attacks using fake text messages.)
How the “.com-” tactic works. A legitimate site involving Florida’s toll system (SunPass) would involve a forward slash and look something like: “sunpass.com/tolls.”
In instances discovered by Ullrich and shared on the SANS site, the phisher registers for and receives a domain that begins with “com-,” followed by seemingly random letters, then ending with a top-level domain, like .info, .top, .xyz, and even .com.
To a reader, the phishy URL appears as something like: “sunpass.com-[random letters].top”—a tricky difference to notice when you’re quickly looking on a tiny phone screen and it appears that you owe toll money.
Fraud jobs. URL obfuscation is a favorite tactic of opportunistic threat actors, who register mimicking domains to trick fans of events like the Super Bowl or the Olympics. (Business administration company CSC identified 5,000 unique domain registrations mimicking well-known sportsbooks, between Jan. 1, 2023, and Dec. 24, 2024, for example.)
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
According to the FTC, government impersonation scammers led to $618 million in losses in 2023, up from $497 million in 2022 and $428 million in 2021.
Dash money. Ullrich told IT Brew that he continues to see “com-” domains registered: 315 on Feb. 11, 428 on Feb. 10, and 269 on Feb 9. (The sites are often short-lived and quickly shut down as fraudulent, he added.)
Many of the questionable domains point to the same IP address, Ullrich said, suggesting one actor is registering and rotating between them.
Ullrich also shared with IT Brew a new twist on the hyphen-ishing trend: A “com.-” domain prefix with a “.com” ending to the URL, and a “case number” in between to convince targeted users that the sender is from an IT support team.
“They can use any prefix for the domain to impersonate arbitrary .com domains,” Ullrich told us in an email.
In his Feb. 5 post, Ullrich advised IT pros to review DNS queries for these kinds of prefixes.