Domain Protection Against Typosquatting
Malicious domains are established daily that mimic legitimate companies. This practice is known as typosquatting or URL hijacking. The domains are used by threat actors to impersonate and deliver cyber attacks to companies and their customers.
For companies and brands, the harm from being impersonated are numerous. When your brand is associated with a scam, the brand value goes down. Customers are less likely to trust real messages coming from your company. In addition, your own employees may be tricked into believing they are receiving company correspondence when in fact they are being deceived and may potentially fall victim to email phishing.
Methods of Deceit
There are many ways to create a domain that inspires the victim to believe the site or received email is legitimate. Here are several overall categories of angles criminals take in registering domains.
Typos: As the name implies, criminals can use typos to fool people. For example, the domain name for American Express is www.americanexpress.com. The criminal might register the domain with an extra letter like www.americanexpresss.com.
Alternate Domains: Choosing a different top-level domain is another way of scamming. Instead of site having a .com domain, the fake site might be .net. In a phishing email, the victim might overlook this change.
Extra Dot: Adding or removing a period in the middle of a domain is another method of deceit. For example, [email protected] instead of [email protected]. The scammer has control of the alternate version.
How Criminals Use Domains
Now that the bad actor has their hands on a domain that looks similar enough to your brand, the nefarious activities begin.
Phishing: The elements of phishing in this case are email addresses and websites. Both utilize the misleading domain name. They lure people to open and click a link. The simple act of opening the email could trigger a malware download. The link might also attempt to trick you into sending money or lead to a spoofed website. The website could capture credentials, install malware or do other illicit activities.
Re-Sell: If a domain name is prized enough by the brand target, the person who registered might attempt to re-sell at a markup.
Competition: A less-than-ethical competitor might register the domain in order to redirect to their site.
Click Fraud: Traffic from a misspelled domain can be converted to money for the registrant by filling the site with ads and other money-making elements.
Pranksters and criminals alike have used URLs for their entertainment or criminal gain. The most bombastic examples come from the political world. During the 2016 elections, the The Coalition Against Domain Name Abuse did a study of the candidates and their domain names. They found URL hijacking was widespread. “On average, a member of Congress only owns 1.38 of the 21 possible domain name combinations examined,” the report found.
How to Detect Typosquatting: The Manual Way
Information about who registers for domains is available to the public via the Whois Record. Websites offer searching for this record free of charge. Using the example of American Express, we can see that they have registered many variations of their core URL. This was done to ensure brand integrity and prevent fraud most likely.
Looking at the two records, we can see that the original name was registered five years before the variation. During those years, how many fraudulent activities happened resulting from typosquatting? Manually checking variations of your brand name and products is time-consuming and some variations will be missed.
How to Detect Typosquatting: Automated
Tools exist to monitor brand domain names. CipherBox is Cipher’s Managed Detection & Response offering. Companies get Domain Protection as part of CipherBox. Domain Protection gives you the ability to detect the registration of malicious Internet domains that impersonate your company and may be used to attack you, your customers or the public.
Cipher analyzes the following variables to detect typosquatting:
- Certificate analysis (issued by, issued to, etc)
- Location analysis (geolocation of WhoisDS registrant <-> server location)
- Website analysis (text and image comparison)
- Email analysis (MX record established, SPF record, DMARC/DKIM, etc)
Fixing the Problem
Knowledge is the first step. After detecting a malicious domain, the next step is getting the domain name taken. The main action-item to get a takedown is to reach out to the Registrar Abuse Contact for the owner of the domain name. That information is publicly available in the Whois lookup. Describing the situation and rationale should resolve the issue in most cases.
The sooner you can detect the problem, the sooner a takedown can occur.