Domain brand squatting can be defined as the unauthorized or dishonest use of a brand or company identifiers in domain names. It is often linked to the use of look-alike domains in bad faith, and we see it all the time. The threat actors behind these domains are called different names, though a prevalent one would be “typosquatters.” The Hot on the Trail of Compulsive Brand Squatters webinar showcased how these people are infiltrating the Internet.

The first page of PhishTank‘s valid phish search alone as of this writing tells us that domain brand squatting is a real and present danger. Many phishing URLs imitate legitimate companies like Amazon and Sumitomo Mitsui Banking Corporation (SMBC). The succeeding pages would unravel more potential cases of domain brand squatting.

There are several ways threat actors can squat on a brand’s domain name. They don’t need to hijack the domain name since that is a significant feat, given the security measures registries and registrars put in place. Most of the time, domain brand squatting is done by:

• TLD exploitation: Using different top-level domains (TLDs). For example, threat actors may register google[.]ml to mimic google[.]com.
• Typosquatting: This method takes advantage of common misspellings of the brand or domain name, such as gogle[.]com.
• Homoglyph attack: Using internationalized domain names (IDNs) that look similar to the Latin alphabet. Some examples include goögle[.]com and äpple[.]com. In other cases, threat actors may replace characters with a similar-looking one, such as go0gle[.]com.

Domain brand squatting is no longer limited to brand or company names, though. We’ve seen a fair share of domains that use the names of the C-suite executives of some of the largest companies worldwide. Some of these domains have been flagged as malicious, most notably those that use the names of CEOs Tim Byrne (Lincoln Property Company), Sundar Pichai (Google), Brian T. Moynihan (Bank of America), Rene Jones (M&T Bank), and Kevin Murphy (Ferguson Enterprises).

Uncontrollable But Detectable

Cybersquatting domains are beyond the direct control of the entities they imitate. Even when a few of them get reported, what would stop domain brand squatters from registering more? They only need a few clicks to register domain names in bulk.

But there’s still a way to lessen or avoid the damage domain brand squatters cause—early detection. I propose a three-step process to make this possible:

1. Monitor Bulk Registrations

Typosquatting and other domain brand squatting domains are commonly registered in bulk. Therefore, monitoring bulk registrations allows you to stay at the forefront of the threat. Typosquatting Data Feed, for example, can detect groups of domain names that look alike and were registered on the same day. In the webinar, we presented around 2,400 groups, which amounted to more than 13,000 domains.

2. Analyze Group Dynamics

Each group should be further analyzed to see if the domains indeed belong to one group. At this point, we aim to answer the following questions:

• Do the domains have the same registrar and registrant details?
• Do the domains resolve to the same IP address or IP range?
• Were the domains really created on the same day?

Knowing all these provide more context to the domain groupings, which is critical to the subsequent step.

3. Detect Malicious Groups

Threat intelligence platforms (TIPs) and security incident and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions can flag domains as they get listed in malware databases. Once a domain gets flagged, we can trace it back to its group and flag all of the domains in that group. After all, they are likely to share identical WHOIS records, creation dates, and IP address resolutions.

Out of the 2,400 groups presented in the webinar, we found 176 with one malicious group member. Their group dynamics serve as an early warning mechanism that tells security teams to monitor them more closely.

Threat Footprint Expansion

The characteristics of a malicious typosquatting group can also be used to detect more threats. In one group comprising eight domains, half of its members were flagged as malicious. In particular, this group had these characteristics:

• All the domains contain the text string “paypal-ticketid.”
• The domains’ registrant country (where available) was the U.S.
• The publicly available registrant email addresses followed the same pattern—firstname.lastname[.]@hotmail[.]com.
• Their registrar is BigRock Solutions.
• They resolved to the same IP address—162[.]240[.]8[.]85.

We used the group’s dynamics to discover other suspicious domains and found thousands more.

If you’d like to discuss the findings of our research on domain brand squatting, don’t hesitate to connect with me on LinkedIn.