Websites with an undefined trust level: avoiding the trap

What Happened

Scammers are creating suspicious websites that trick people into losing money or giving away personal information. These sites include fake online stores, phony investment platforms, and fake browser extensions that track your online activity. This matters because these sites often bypass traditional security filters since they do not look like typical hacking attempts. To stay safe, users should watch out for unrealistic deals, check if a website is newly created, and use security software that blocks untrusted sites.

Key Takeaways

• Suspicious websites operate in a gray area, manipulating users into paying for non-existent services, hidden subscriptions, or disclosing personal data.
• Fake browser extensions mimicking security products are the most widespread global threat in this category, detected in 9 out of 10 analyzed regions.
• Key technical indicators of suspicious sites include newly registered domains (under 6 months), cheap TLDs (.xyz, .top), hidden WHOIS data, and missing HTTP security headers.
• Regional threats vary significantly: Africa is dominated by online trading scams, Latin America by fake betting sites, and CIS countries by crypto scams.
• Kaspersky has introduced an 'undefined trust level' category to filter these sites based on domain age, IP reputation, DNS configuration, and SSL certificates.

Affected Systems

• Web Browsers
• Windows
• macOS
• Linux
• Android
• iOS

Attack Chain

Users are lured to suspicious websites via advertisements, redirects, or social engineering. Once on the site, they are manipulated into making payments for non-existent goods, signing up for hidden subscriptions, or downloading fake browser extensions. If extensions are installed, they hijack browser settings, swap default search engines, inject advertisements, and harvest sensitive data such as session cookies and search history. In some cases, the sites act as intermediaries for further phishing campaigns or drive-by malware distribution.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Python

The article provides Python script snippets in the images to programmatically check for missing HTTP security headers (CSP, HSTS, etc.) and missing DNS records (SPF, DMARC, MX, NS).

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the installation of malicious browser extensions and subsequent abnormal browser child processes, but cannot easily inspect the web traffic or the initial social engineering lure. Network Visibility: High — Network tools can inspect DNS requests, missing HTTP security headers, newly registered domains, and connections to known bad IP addresses. Detection Difficulty: Moderate — Distinguishing between a poorly configured legitimate site and a malicious suspicious site requires correlating multiple weak signals (domain age, missing headers, WHOIS privacy).

Required Log Sources

• DNS Logs
• Web Proxy Logs
• Browser Extension Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for web traffic to newly registered domains (less than 6 months old) that lack standard security headers like HSTS and CSP.	Web Proxy Logs	Initial Access	High
Identify endpoints installing browser extensions from outside official web stores or extensions that request excessive permissions to read/change site data.	Browser Extension Logs	Execution	Medium

Control Gaps

• Standard phishing filters may miss these sites as they do not always host traditional malware or credential harvesting forms.
• Lack of visibility into browser extension activity on unmanaged devices.

Key Behavioral Indicators

• Domains registered within the last 6 months
• Missing SPF/DMARC records
• Missing Content-Security-Policy and Strict-Transport-Security headers
• Use of cheap TLDs like .xyz, .top, .shop

False Positive Assessment

• High - Many legitimate small business websites or newly launched sites may have hidden WHOIS data, missing security headers, or use cheap TLDs, triggering false positives if blocked solely on these indicators.

Recommendations

Immediate Mitigation

• Block access to known suspicious IPs and domains.
• Review installed browser extensions across the environment and remove unapproved ones.

Infrastructure Hardening

• Implement web filtering policies that block or warn on newly registered domains (NRDs).
• Enforce strict browser extension policies via Group Policy or MDM to prevent unauthorized installations.

User Protection

• Deploy endpoint security solutions with web threat protection and anti-phishing capabilities.
• Ensure browsers are configured to block third-party cookies and restrict extension permissions.

Security Awareness

• Train users to identify signs of fake online stores, such as unrealistic prices, countdown timers, and cryptocurrency-only payment options.
• Educate employees on the risks of installing unverified browser extensions.

MITRE ATT&CK Mapping

• T1176 - Browser Extensions
• T1189 - Drive-by Compromise
• T1539 - Steal Web Session Cookie
• T1566.002 - Phishing: Spearphishing Link

Additional IOCs

• Domains:
  • *a*o*[.]com - Masked domain: suspicious image processing platform used as an intermediary for phishing.
  • *n*s*[.]com - Masked domain: fake antivirus browser extension that hijacks search queries.
  • *w*a*[.]com - Masked domain: fake privacy-enhancing tool that intercepts browser data.
  • *o*r*[.]com - Masked domain: fake security service that steals session cookies and injects ads.
  • *n*p*[.]xyz - Masked domain: fake AI image prompt repository capturing browser data.
  • *i*s*[.]com - Masked domain: browser hijacker posing as a safe search tool.
  • *h*t*[.]com - Masked domain: private browsing extension acting as a browser hijacker.
  • *o*t*[.]com - Masked domain: safe search extension injecting ads.