C0STC0 Is Not Costco: How Leet-Speak Brand Spoofing Slips Past Your Filters

TL;DR: A phishing campaign impersonated Costco by replacing the letter O with the digit zero in the subject line, spelling 'C0STC0' to evade display-name filters that rely on exact string matching. The email originated from a newly registered gadgetsport.com domain, failed SPF authentication, and funneled recipients through a three-hop affiliate redirect chain spanning a privacy-protected .com domain and a .su (Soviet Union) TLD before landing on a malicious endpoint.

Severity: Medium | Tags: Brand Impersonation, Affiliate Fraud | MITRE ATT&CK: T1566.002, T1036.005, T1608.005

The subject line read "What You Should Know About C0STC0's Membership Update." Look closely: those aren't the letter O. They're zeros. This single-character substitution turned a recognizable retail brand into a filter-evading lure that landed in the inbox of an employee at a UK housing organization, complete with a polished membership benefits table, a red call-to-action button, and a three-domain redirect chain designed to obscure the final payload.

One Character, Total Bypass

Traditional Secure Email Gateways (SEGs) that check display names against brand impersonation lists typically rely on exact string matching. "Costco" triggers a flag. "C0STC0" does not. This is leet-speak at its most practical: not the 1990s hacker aesthetic of "l33t sp34k," but a calculated evasion technique that exploits a fundamental limitation in rule-based filters.

The FBI IC3 2024 Internet Crime Report documented $2.77 billion in losses from business email compromise and phishing. Brand impersonation remains one of the most effective initial access vectors because it weaponizes trust that employees already have in household names.

The attacker paired the subject-line trick with a From display name of "Costco Member Perk" sent from costcomemberperk@gadgetsport[.]com. The domain has nothing to do with Costco. It was registered on April 29, 2025, through Dynadot, giving it roughly 11 months of age at the time of delivery. Just old enough to avoid the youngest-domain blocklists, but with zero legitimate sending history.

The Redirect Chain: Three Hops, Three Domains

Every link in the email body displayed the same anchor text: "View Your Membership Changes." But those links resolved to three different destinations, creating a layered redirect architecture mapped to MITRE ATT&CK T1608.005 (Link Target):

| Hop | Domain | Registered | TLD | WHOIS Privacy | Verdict |
|---|---|---|---|---|---|
| 1 | gadgetsport[.]com | 2025-04-29 | .com | Dynadot (no contact data) | Malicious |
| 2 | netsurfadvance[.]com | 2025-12-14 | .com | Whois Privacy Corp. (Bahamas) | Suspicious |
| 3 | t4.velvethonors[.]su | 2025-10-08 | .su | R01-SU (Russia) | Affiliate tracker |

The third hop is particularly notable. The .su country-code TLD (assigned to the former Soviet Union) is a known haven for cybercriminal infrastructure because of relaxed registration requirements and limited abuse enforcement. The URL itself contains explicit affiliate tracking parameters: aff_id=1938, offer_id=437, aff_sub=costco. This is not just phishing. It is affiliate fraud piggybacking on a phishing lure, generating revenue for the attacker at each click-through.

According to the Microsoft Digital Defense Report 2024, threat actors increasingly chain multiple redirect domains to defeat URL reputation scanning, since each individual domain may not yet appear in threat intelligence feeds.

Authentication Theater: SPF Fails, DKIM Passes, DMARC Watches

The email's authentication results tell a contradictory story. SPF returned a hard fail because the sending IP (173.240.221[.]3, a SonicWall relay) was not authorized by gadgetsport[.]com's published SPF record (v=spf1 ip4:103.153.244.253 -all). The originating mail server at 103.153.244[.]121 also falls outside that single-IP allowlist.

DKIM, however, passed. The attacker controlled gadgetsport[.]com and published a valid signing key, so the cryptographic signature verified correctly. This is a textbook example of why DKIM alone cannot prove sender legitimacy. Any domain owner can sign their own mail. The question is whether the domain itself is trustworthy.

DMARC was configured as p=none; pct=10, meaning failures are monitored on just 10% of traffic with no enforcement action. DKIM alignment allowed the message to pass DMARC despite the SPF failure. The result: Microsoft's infrastructure flagged it as CAT:PHISH with SCL:5 and quarantined it, but only after it had already transited through the SonicWall gateway.
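As an added example (not code from the post or from IRONSCALES), the following Python reproduces the authentication outcome described above: it evaluates the quoted SPF record against the relay IP, then applies DMARC's rule that the message passes if either SPF or DKIM passes and is aligned, under the observed p=none; pct=10 policy. The v=DMARC1 tag, the relay constant and the helper names are assumptions.

```python
import ipaddress

# Values from the post: gadgetsport[.]com's published SPF record, the observed
# DMARC policy tags, and the relay IP in the message path.
SPF_RECORD = "v=spf1 ip4:103.153.244.253 -all"
DMARC_RECORD = "v=DMARC1; p=none; pct=10"   # v= tag assumed; p/pct from the post
RELAY_IP = "173.240.221.3"                   # SonicWall relay that failed SPF
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record: str, ip: str) -> str:
    """Tiny SPF evaluator: walks ip4: mechanisms and the trailing 'all' term.
    No include:/a/mx resolution, which is enough to reproduce this hard fail."""
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qual]
        if mech == "all":
            return RESULT[qual]
    return "neutral"

def dmarc_evaluate(record: str, spf: str, spf_aligned: bool,
                   dkim: str, dkim_aligned: bool) -> dict:
    """RFC 7489 logic: pass if either SPF or DKIM passes AND is aligned with the
    From: domain. Otherwise p= decides for pct= percent of failing mail and the
    remainder is downgraded one step (reject -> quarantine -> none)."""
    tags = dict(kv.split("=", 1) for kv in record.replace(" ", "").split(";") if kv)
    if (spf == "pass" and spf_aligned) or (dkim == "pass" and dkim_aligned):
        return {"result": "pass", "disposition": "none"}
    p, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    downgrade = {"reject": "quarantine", "quarantine": "none", "none": "none"}
    return {"result": "fail", "disposition": p, "applies_to_pct": pct,
            "remainder_disposition": downgrade[p]}

def case_study() -> dict:
    """The post's headers: SPF hard-fails for the relay, DKIM passes and is
    aligned because the attacker owns the domain, so DMARC passes."""
    spf = spf_check(SPF_RECORD, RELAY_IP)
    return dmarc_evaluate(DMARC_RECORD, spf, True, "pass", True)

def without_dkim(record: str = DMARC_RECORD) -> dict:
    """Same message with no valid DKIM signature, under the observed policy or
    a stricter one such as 'v=DMARC1; p=reject'."""
    spf = spf_check(SPF_RECORD, RELAY_IP)
    return dmarc_evaluate(record, spf, True, "fail", False)
```

Note that without_dkim() under the observed record still yields a disposition of none, which is why a valid self-signed DKIM signature was not even needed for delivery; only a p=reject policy would have changed the outcome.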

One additional forensic detail stands out. The Message-ID header contains the string 20240804095204, suggesting August 4, 2024. That date predates the domain's own creation by eight months. Fabricated or recycled Message-IDs are a strong indicator of automated phishing toolkits that generate headers from templates without adjusting internal timestamps.

The Visual Lure: A Polished Membership Table

The email body was designed to look like a legitimate Costco membership notification. It featured the Costco Wholesale logo, a structured HTML table listing "Feature" and "Updated Value" columns (including a "$100 Costco card" benefit and "Complimentary 12 months" membership term), and a prominent red "VIEW YOUR MEMBERSHIP CHANGES" button. The footer referenced "Costco Wholesale membership communications" to reinforce brand legitimacy.

This level of visual fidelity matches what the Verizon 2024 Data Breach Investigations Report describes as "commodity phishing kits" that bundle brand templates, infrastructure automation, and affiliate monetization into turnkey packages. The kit handles everything from domain registration to HTML rendering; the operator just selects a brand and launches.

IOC Table

| Indicator | Type | Context |
|---|---|---|
| costcomemberperk@gadgetsport[.]com | Email | Sender address |
| gadgetsport[.]com | Domain | Sending domain (created 2025-04-29) |
| netsurfadvance[.]com | Domain | Redirect hop (created 2025-12-14) |
| t4.velvethonors[.]su | Domain | Affiliate tracker (created 2025-10-08) |
| 103.153.244[.]121 | IP | Origin mail server (Indonesia) |
| 173.240.221[.]3 | IP | SonicWall relay (SPF fail source) |
| 103.153.244[.]253 | IP | SPF-authorized IP (not used for delivery) |
| hxxp://www[.]gadgetsport[.]com/dispatch_board/viewcore/cpaqgnyq | URL | Malicious link |
| hxxps://netsurfadvance[.]com/fe9ecf68-6582-48ba-8fd6-8415647123fe | URL | Redirect link |
| hxxps://t4[.]velvethonors[.]su/aff_c?aff_id=1938&offer_id=437 | URL | Affiliate link |

What Defenders Should Do Right Now

Deploy fuzzy brand matching, not just exact string rules. Display-name filters that check for "Costco" will never catch "C0STC0." AI-driven email security platforms that analyze visual similarity and character-level anomalies in sender names and subject lines close this gap. The IRONSCALES community of 35,000+ security professionals flagged this campaign with 90% confidence through collective threat intelligence before any signature existed.
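An added example, not code from the post or from IRONSCALES, contrasting the exact-match rule described in "One Character, Total Bypass" with the fuzzy matching recommended here. The watch-list, the substitution table, the similarity threshold and the function names are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed substitution table: the digit/symbol swaps that defeat exact-match
# display-name rules. Extend it from your own telemetry.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "|": "l", "!": "i"})
BRANDS = ["costco", "microsoft", "paypal"]   # assumed watch-list

def normalize(raw: str) -> str:
    """Fold Unicode lookalikes that NFKD can map to ASCII, drop what it cannot
    (a Cyrillic 'о' leaves a near-miss rather than a clean string), strip edge
    punctuation and a possessive 's, then undo leet substitutions."""
    folded = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    token = folded.strip(".,:;?\"()").lower().translate(LEET_MAP)
    return token[:-2] if token.endswith("'s") else token

def exact_brand_match(text: str, brands=BRANDS) -> list:
    """What a plain string rule does: case-insensitive substring on the raw text."""
    return [b for b in brands if b in text.lower()]

def brand_hits(text: str, brands=BRANDS, threshold: float = 0.85) -> list:
    """Fuzzy rule: (brand, original token, similarity) for every token that
    resembles a watch-listed brand after normalization."""
    hits = []
    for raw in text.split():
        token = normalize(raw)
        for brand in brands:
            score = SequenceMatcher(None, token, brand).ratio()
            if score >= threshold:
                hits.append((brand, raw, round(score, 2)))
    return hits
```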

Enforce DMARC at p=reject for your own domains. This attack exploited a p=none policy. While you cannot control what external brands do with their DMARC records, you can ensure your own SPF and DMARC configuration does not leave a similar gap for attackers impersonating your organization.

Treat affiliate tracking parameters in email links as a high-confidence phishing signal. Legitimate Costco membership emails do not route through aff_id and offer_id parameters on freshly registered .su domains. URL inspection that parses query strings for affiliate patterns (combined with domain age checks) catches these redirect chains before the first click.
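An added example (not the post's or IRONSCALES' code) implementing the URL inspection described here for the three-hop chain analysed earlier: it parses the query string for affiliate keys, checks the TLD, and scores domain age from the WHOIS dates the post gives. The delivery date, scoring weights, affiliate key list and function names are assumptions.

```python
from datetime import date
from urllib.parse import parse_qs, urlsplit

# Constructed WHOIS creation dates from the post's redirect-chain table; a real
# deployment would query RDAP/WHOIS and cache the answer instead.
DOMAIN_CREATED = {"gadgetsport.com": date(2025, 4, 29),
                  "netsurfadvance.com": date(2025, 12, 14),
                  "velvethonors.su": date(2025, 10, 8)}
AFFILIATE_KEYS = {"aff_id", "offer_id", "aff_sub", "affid", "clickid", "subid"}
HOSTILE_TLDS = {"su"}                       # extend from your own telemetry
WEIGHT = {"affiliate": 3, "hostile_tld": 2, "young_domain": 1, "brand_in_params": 1}
# Constructed from the post's IOCs; aff_sub=costco is quoted in the write-up.
CHAIN = ["hxxp://www[.]gadgetsport[.]com/dispatch_board/viewcore/cpaqgnyq",
         "hxxps://netsurfadvance[.]com/fe9ecf68-6582-48ba-8fd6-8415647123fe",
         "hxxps://t4[.]velvethonors[.]su/aff_c?aff_id=1938&offer_id=437&aff_sub=costco"]

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); use a public-suffix list for .co.uk etc."""
    return ".".join(host.lower().split(".")[-2:])

def inspect_url(url: str, today: date, brand: str = "costco",
                max_age_days: int = 365) -> dict:
    """Score one link on: affiliate query keys, hostile TLD, registration age,
    and a brand name that appears only in tracking parameters, not the domain."""
    parts = urlsplit(url.replace("hxxp", "http").replace("[.]", "."))  # refang
    domain = registrable_domain(parts.hostname or "")
    params = parse_qs(parts.query)
    created = DOMAIN_CREATED.get(domain)
    age = (today - created).days if created else None    # None = unknown age
    reasons = []
    if set(params) & AFFILIATE_KEYS:
        reasons.append("affiliate")
    if domain.rsplit(".", 1)[-1] in HOSTILE_TLDS:
        reasons.append("hostile_tld")
    if age is not None and age < max_age_days:
        reasons.append("young_domain")
    if brand in parts.query.lower() and brand not in domain:
        reasons.append("brand_in_params")
    score = sum(WEIGHT[r] for r in reasons)
    verdict = "phish" if score >= 3 else "suspicious" if score else "clean"
    return {"domain": domain, "age_days": age, "reasons": reasons,
            "score": score, "verdict": verdict}

def inspect_chain(chain=CHAIN, today: date = date(2026, 3, 25)) -> list:
    """Assumed delivery date (2026-03-25) matches the ~11-month age in the post."""
    return [inspect_url(u, today) for u in chain]
```

Run against the chain, the first two hops come back as suspicious on domain age alone, while the .su affiliate hop accumulates every signal and is scored as phishing before any content analysis.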

Block .su TLD at the email gateway. Unless your organization has legitimate business correspondence originating from .su domains, blocking this TLD at the mail flow level eliminates an entire class of infrastructure that threat actors exploit specifically because of its permissive registration policies. The IBM Cost of a Data Breach Report 2024 found that phishing remains the most expensive initial attack vector at $4.88 million per incident on average. Cutting off known-hostile TLDs reduces the attack surface before any content analysis is required.

The gap between what filters look for and what attackers actually send continues to widen. Leet-speak substitution is not new. But as a deliberate evasion technique against display-name matching, it works precisely because most defenses still expect threats to spell their lures correctly.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.