
Hackers Spill the Wine: Lockdown Led to Rise in Wine Domains and Wine Scammers

2021-04-07

4 min read

This blog originally appeared in April 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.

This report was produced jointly with researchers from Area 1 Security. Area 1 Security preemptively stops Business Email Compromise, malware, ransomware and targeted phishing attacks, and as such has a multi-petabyte corpus of real-time, active phishing campaigns. Recorded Future thanks the team at Area 1 for their support on this research.

Staying connected with friends, family, and even co-workers during the pandemic, and especially during lockdown periods, is important. Often, this connection came in the form of virtual happy hours, where friends and family could get together over Zoom or another video conferencing platform to catch up over drinks. Companies were quick to jump on this trend, with established companies hosting virtual livestreams and startups helping you plan the best virtual happy hour, whether that means inviting a goat to your virtual call or providing you everything you need to make the perfect drink.

As interest in virtual happy hours and get-togethers grew, so did the number of wine-themed domain registrations. Recorded Future noted a significant increase in new wine-themed domains registered starting in April 2020 and continuing through at least March 2021.

To conduct this search, we queried new domain registrations containing 1 or more of the following words:

  • Wine

  • Vino

  • Champagne

  • Bordeaux

  • Burgundy

  • Chardonnay

  • Merlot

  • Cabernet

  • Sauvignon

  • Pinot

The total number of wine-themed domains registered during this period is higher as there are search terms that were intentionally excluded to avoid too many false positives (for example Rosé or Napa) or were unlikely to be used by scammers (less popular grapes such as Riesling, Carménère, or Tannat did not significantly add to the total number of domain registrations or generate any potentially malicious matches).

New wine-themed domain registrations hovered between 3,000 and 4,000 per month until March 2020. In March 2020, Recorded Future noted a small uptick of new domain registrations at almost 5,500. In April 2020, the number jumped to almost 7,200, then in May 2020 the number skyrocketed to 12,400. From June 2020 onward, the number of new wine-themed domain registrations fluctuated between 7,000 and 9,500, in other words 2 to 3 times the number registered pre-COVID-19. The total number of wine-related domains registered between April 2020 and March 2021 containing the above keywords was 96,489.

Malicious (for the purpose of this report, the term malicious encompasses domains that Recorded Future scored as Suspicious, Malicious and Very Malicious) wine-themed domains followed a similar, though slightly delayed, timeline. Recorded Future tracked 278 malicious wine-themed domains registered in April 2020; the count rose to 668 in May 2020 and fell back to 473 in June 2020. Since then the number has fluctuated between 230 and 430 new malicious wine-themed domains registered each month. The total of malicious wine-themed domains identified from April 2020 through the end of March 2021 was 4,389.

It appears that it took some time for cyber criminals to catch on to the idea of using wine in malicious activities. Tracking malicious wine-themed domains as a percentage of all wine-themed domains registered shows that the peak was in June 2020 at 7%. Since then, the percentage has remained between 3% and 5%, which is relatively low compared to other categories of domain registration commonly used for malicious activity, such as COVID-19-themed domains.
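The methodology above (keyword match on newly registered domains, monthly bucketing, and the malicious share per month under the report's scoring convention) is easy to reproduce. The following is an added example, not code from Recorded Future or Area 1; the feed records and risk scores are constructed, the matching is a case-insensitive substring test on the registrable label (an assumption, since the report does not say exactly how "containing" was evaluated), and a real run would read a registration feed such as a zone-file diff or a commercial newly-registered-domain list.

```python
"""Reproduce the wine-themed domain trend methodology on a constructed feed.

Added example: illustrates the report's method, not its actual code or data.
"""
from collections import defaultdict
from datetime import date

# Keyword list taken from the report. "Rose"/"Napa" are deliberately absent
# (too many false positives), as are rarer grapes such as Riesling.
WINE_TERMS = ("wine", "vino", "champagne", "bordeaux", "burgundy",
              "chardonnay", "merlot", "cabernet", "sauvignon", "pinot")

# Report convention: Suspicious, Malicious and Very Malicious all count as malicious.
MALICIOUS_SCORES = {"suspicious", "malicious", "very malicious"}


def is_wine_themed(domain):
    """Substring match on the registrable label only (assumption: the feed
    supplies registrable domains such as example.com, not full hostnames).
    Substring matching is what catches 'virtualwinehour'; it also catches
    'twine'/'swine', the kind of false positive the report mentions."""
    label = domain.lower().rstrip(".").split(".")[0]
    return any(term in label for term in WINE_TERMS)


def monthly_counts(records):
    """records: iterable of (domain, registered: datetime.date, score: str).
    Returns {"YYYY-MM": (total_wine_domains, malicious, malicious_pct)}."""
    totals = defaultdict(int)
    bad = defaultdict(int)
    for domain, registered, score in records:
        if not is_wine_themed(domain):
            continue
        month = registered.strftime("%Y-%m")
        totals[month] += 1
        if score.lower() in MALICIOUS_SCORES:
            bad[month] += 1
    return {m: (totals[m], bad[m], round(100 * bad[m] / totals[m], 1))
            for m in sorted(totals)}


# Constructed sample feed (domain, registration date, Recorded Future-style score).
SAMPLE_FEED = [
    ("virtualwinehour.com", date(2020, 4, 3), "Unknown"),
    ("pinot-delivery.net", date(2020, 4, 9), "Suspicious"),
    ("merlot-tasting-zoom.com", date(2020, 5, 2), "Malicious"),
    ("chardonnay-club.org", date(2020, 5, 14), "Unknown"),
    ("champagnenight.co", date(2020, 5, 20), "Very Malicious"),
    ("cabernetcellar.com", date(2020, 5, 21), "Unknown"),
    ("rosegarden.com", date(2020, 5, 22), "Suspicious"),    # no listed term: excluded
    ("winecare.com", date(2020, 6, 1), "Unknown"),
    ("bestvinoshop.com", date(2020, 6, 5), "Malicious"),
    ("pinotpalace.com", date(2020, 6, 7), "Unknown"),
    ("riesling-fans.com", date(2020, 6, 8), "Malicious"),   # grape not in list: excluded
]

if __name__ == "__main__":
    for month, (total, malicious, pct) in monthly_counts(SAMPLE_FEED).items():
        print(f"{month}: {total} wine-themed, {malicious} malicious ({pct}%)")
```

Running this on the constructed feed gives 50% malicious for April and May and 33.3% for June; on the real feed the report's own numbers (for example 473 of roughly 7,000 to 9,500 in June 2020) are what the same loop produces. Excluding a term costs recall, which is why the report notes its totals are a lower bound.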

Partnering with Area 1

Working with Area 1 Security, we wanted to understand how these newly registered and newly observed wine-related domain names were being weaponized in phishing campaigns. From April 2020 through April 1, 2021, Area 1 caught over 25,000 examples of the above domains being used in email campaigns targeting companies ranging from Fortune 500 companies to small and medium-sized businesses, across all major industries from consumer products to financial services, healthcare, aerospace and beyond. 74.71% of the email campaigns were classified as spam, meaning that while they were merely unsolicited or unwanted at face value, they may have served as early-stage reconnaissance for later campaigns.

More seriously, about 13.5% of the emails associated with the identified domains contained suspicious or malicious content (links or files), and 11.74% were Type 1 Business Email Compromise phishing emails (Basic), which attempt to trick the recipient into believing they were sent by a recognized sender. Finally, a very small percentage, 0.03%, of the emails were tied to Type 3 and Type 4 Business Email Compromise phishing (Sophisticated), a class of attack that is increasing in volume and is directly responsible for significant business losses.

Overall, these results show that the operators of spam and phishing campaigns are aware of the growing interest in wine and are using that interest as a lure to deliver malicious content.

In one example, a voicemail phishing campaign detected by Area 1 Security, but missed by Microsoft Office 365 ATP, used a malicious link leading to a subdomain of lueriawinery[dot]com.

Actionable Advice

  • Protect your organization against the domains listed in the appendix, as these domains represent the biggest threat from our findings.

  • While this report focuses on wine, spam and phishing campaigns increasingly use trends and current events, such as COVID-19 or increased interest in online retail and food delivery apps, as lures. Ensure that any phishing awareness programs run by your organization emphasize the adaptability of attackers and their ability to quickly switch out topics in their email lures.

  • Whenever possible, filter potentially malicious emails at the edge. Employee training is important, but preventing the email from ever reaching an employee is a much better deterrent.

  • Running your own custom email infrastructure requires network administrators to be perfect every single day. We recommend the use of cloud email infrastructure such as Google’s GSuite or Microsoft’s Office 365 in combination with a cloud email security solution.

  • Augment cloud inbox providers such as GSuite and O365 with intelligence from Recorded Future and Area 1 Security. As with any other aspect of network security, a defense in depth strategy for email protection offers the best chance for success.
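The first and third recommendations above (block the listed domains, and filter at the edge before mail reaches an inbox) combine naturally with the report's central observation that the lure domains are newly registered. The following is an added example, not Area 1 or Recorded Future code: it parses an inbound message, extracts the links, reduces each to its registrable domain and quarantines the message if that domain is on a block list or was registered within the last 30 days. The block list, the registration-date lookup, the sample messages and every domain in them are constructed (the report's appendix is not reproduced on this page); the two-label registrable-domain rule is a simplification, and a production filter should use the public suffix list and a live RDAP/WHOIS or passive-DNS source instead of the in-memory dictionary.

```python
"""Edge filter: quarantine mail whose links point at block-listed or newly
registered domains. Added example with constructed data; not vendor code."""
import email
import re
from datetime import date
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed stand-in for the report's appendix block list.
BLOCKLIST = {"lockdownvino.example"}

# Constructed stand-in for a WHOIS/RDAP registration-date lookup.
REGISTERED_ON = {
    "pinotpromo-2021.example": date(2021, 3, 20),   # newly registered lure
    "example.com": date(1995, 8, 14),               # long-established domain
}

TODAY = date(2021, 4, 1)   # fixed "now" so the example is deterministic


def registrable_domain(host):
    """Assumption: registrable domain is the last two labels. Real deployments
    must consult the public suffix list (co.uk, com.au, ...)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def extract_urls(raw_message):
    """Collect http(s) URLs from every text/plain and text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(u.rstrip(".,);") for u in URL_RE.findall(part.get_content()))
    return urls


def classify(raw_message, today=TODAY, max_age_days=30):
    """Return ("quarantine", reasons) or ("deliver", []) for one message."""
    reasons = []
    for url in extract_urls(raw_message):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        if dom in BLOCKLIST:
            reasons.append(f"{dom}: on block list")
        registered = REGISTERED_ON.get(dom)
        if registered is not None:
            age = (today - registered).days
            if age <= max_age_days:
                reasons.append(f"{dom}: registered {age} days ago")
    return ("quarantine" if reasons else "deliver", reasons)


# Constructed messages, modelled on the voicemail lure described in the report.
SAMPLE_VOICEMAIL = """\
From: "Voicemail Service" <noreply@notifications.example.net>
To: finance@victim.example
Subject: New voice message (0:42)
Content-Type: text/plain; charset="utf-8"

You have a new voicemail. Listen here:
https://vm.lockdownvino.example/play?id=4471
"""

SAMPLE_PROMO = """\
From: "Tasting Club" <events@pinotpromo-2021.example>
To: staff@victim.example
Subject: Virtual happy hour this Friday
Content-Type: text/plain; charset="utf-8"

Reserve your spot: https://pinotpromo-2021.example/tasting.
"""

SAMPLE_BENIGN = """\
From: "IT" <it@victim.example>
To: staff@victim.example
Subject: Reminder
Content-Type: text/plain; charset="utf-8"

Policy document: https://www.example.com/policies/email
"""

if __name__ == "__main__":
    for name, raw in (("voicemail", SAMPLE_VOICEMAIL),
                      ("promo", SAMPLE_PROMO), ("benign", SAMPLE_BENIGN)):
        print(name, classify(raw))
```

The domain-age check is what gives this filter reach beyond a static list: a lure domain registered last week is not on anyone's block list yet, but its registration date is already a signal. Tune `max_age_days` against your own false-positive budget, since legitimate new vendors also register fresh domains.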

Oren J. Falkowitz, Founder and CEO of Area 1 Security, is a serial entrepreneur and cybersecurity industry visionary. He led Area 1 Security as its co-founder and CEO for the first seven years, with the mission to discover and eliminate targeted phishing attacks before they cause damage. Previously, Oren held senior positions at the National Security Agency (NSA) and United States Cyber Command (USCYBERCOM), where he focused on Computer Network Operations & Big Data. That’s where he realized the immense need for preemptive cybersecurity.

Allan Liska is an intelligence analyst at Recorded Future. Allan has more than 15 years’ experience in information security and has worked as both a blue teamer and a red teamer for the intelligence community and the private sector. Allan has helped countless organizations improve their security posture using more effective and integrated intelligence.

Tags: Email Security, Cloud Email Security, Security, Guest Post


Allan Liska (Guest Author)|@uuallan
Cloudflare|@cloudflare
