Domain brand squatting can be defined as the unauthorized or dishonest use of a brand or company identifier in a domain name. It is usually tied to the bad-faith use of look-alike domains, and we see it all the time. The threat actors behind these domains go by several names; the most common is "typosquatters." The Hot on the Trail of Compulsive Brand Squatters webinar showed how widely these actors have spread across the Internet.
The first page of PhishTank's valid phish search alone, as of this writing, shows that domain brand squatting is a real and present danger. Many of the phishing URLs imitate legitimate companies such as Amazon and Sumitomo Mitsui Banking Corporation (SMBC). The pages that follow reveal more potential cases of domain brand squatting.
There are several ways threat actors can squat on a brand's domain name. They do not need to hijack the brand's own domain name, which would be a significant feat given the security measures registries and registrars have in place. Most of the time, domain brand squatting is done by:
Domain brand squatting is no longer limited to brand or company names, though. We’ve seen a fair share of domains that use the names of the C-suite executives of some of the largest companies worldwide. Some of these domains have been flagged as malicious, most notably those that use the names of CEOs Tim Byrne (Lincoln Property Company), Sundar Pichai (Google), Brian T. Moynihan (Bank of America), Rene Jones (M&T Bank), and Kevin Murphy (Ferguson Enterprises).
Cybersquatting domains are beyond the direct control of the entities they imitate. Even when a few of them get reported, what would stop domain brand squatters from registering more? They only need a few clicks to register domain names in bulk.
But there’s still a way to lessen or avoid the damage domain brand squatters cause—early detection. I propose a three-step process to make this possible:
Typosquatting domains and other brand-squatting domains are commonly registered in bulk, so monitoring bulk registrations lets you get ahead of the threat. Typosquatting Data Feed, for example, detects groups of domain names that look alike and were registered on the same day. In the webinar, we presented around 2,400 such groups, which amounted to more than 13,000 domains.
Each group should then be analyzed further to confirm that its domains really belong together. At this point, we aim to answer the following questions:
Knowing all this provides more context on the domain groupings, which is critical to the next step.
Threat intelligence platforms (TIPs) and security information and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions can flag domains as they get listed in malware databases. Once a domain is flagged, we can trace it back to its group and flag every domain in that group, since the members are likely to share WHOIS records, creation dates, and IP address resolutions.
Of the 2,400 groups presented in the webinar, we found 176 in which one member had already been flagged as malicious. The group dynamics serve as an early warning that tells security teams to monitor the remaining members more closely.
The characteristics of a malicious typosquatting group can also be used to detect more threats. In one group of eight domains, four members had been flagged as malicious. In particular, this group had these characteristics:
We used the group's shared characteristics to hunt for other suspicious domains and found thousands more.
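The three steps above, as an added example that is not the webinar's or Typosquatting Data Feed's own code: a small Python script that clusters same-day registrations whose second-level labels are within a small edit distance of each other (step 1), propagates a blocklist hit to the rest of a cluster (step 2), and turns a malicious cluster's shared registrar, name server, and IP address into a fingerprint used to hunt for more registrations (step 3). The registration records, the blocklisted domain, and the edit-distance threshold of 2 are constructed assumptions for the example, not data from the feed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of a day's new registrations. Domains, dates, registrars,
# name servers and IPs are made up for this example, not taken from any feed.
SAMPLE_REGISTRATIONS = [
    {"domain": "amaz0n-login.com",   "created": "2021-05-03", "registrar": "RegA", "ns": "ns1.cheapdns.example", "ip": "203.0.113.10"},
    {"domain": "amazon-loginn.com",  "created": "2021-05-03", "registrar": "RegA", "ns": "ns1.cheapdns.example", "ip": "203.0.113.10"},
    {"domain": "amazom-login.net",   "created": "2021-05-03", "registrar": "RegA", "ns": "ns1.cheapdns.example", "ip": "203.0.113.10"},
    {"domain": "smbc-card-jp.com",   "created": "2021-05-03", "registrar": "RegB", "ns": "ns1.otherdns.example", "ip": "198.51.100.7"},
    {"domain": "smbc-cards-jp.com",  "created": "2021-05-03", "registrar": "RegB", "ns": "ns1.otherdns.example", "ip": "198.51.100.7"},
    {"domain": "amazon-login.org",   "created": "2021-05-04", "registrar": "RegA", "ns": "ns1.cheapdns.example", "ip": "203.0.113.10"},
    {"domain": "gardening-tips.com", "created": "2021-05-03", "registrar": "RegC", "ns": "ns1.bigdns.example",   "ip": "192.0.2.44"},
    {"domain": "paypa1-verify.com",  "created": "2021-05-03", "registrar": "RegA", "ns": "ns1.cheapdns.example", "ip": "203.0.113.10"},
]

def sld(domain):
    """Second-level label, the part a squatter varies; the TLD is ignored."""
    return domain.lower().split(".")[0]

def edit_distance(a, b):
    """Levenshtein distance, the usual look-alike measure for typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def group_lookalikes(records, max_dist=2):
    """Step 1: cluster same-day registrations whose SLDs are within max_dist
    edits of each other (union-find over pairs). Returns sorted member lists."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_day = defaultdict(list)
    for r in records:
        by_day[r["created"]].append(r)
    for day_records in by_day.values():          # only same-day pairs are compared
        for a, b in combinations(day_records, 2):
            if edit_distance(sld(a["domain"]), sld(b["domain"])) <= max_dist:
                parent[find(a["domain"])] = find(b["domain"])
    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    return [sorted(g) for g in groups.values() if len(g) > 1]

def propagate_flags(groups, blocklist):
    """Step 2: when a TIP/SIEM lists one member, flag the whole group.
    Returns {domain: reason} for every listed or newly suspect domain."""
    flagged = {}
    for group in groups:
        hits = [d for d in group if d in blocklist]
        for d in group if hits else []:
            flagged[d] = "listed" if d in blocklist else f"same-day look-alike of {hits[0]}"
    return flagged

def fingerprint(records, group):
    """Step 3: attributes every member of a malicious group has in common."""
    members = [r for r in records if r["domain"] in group]
    return {k: members[0][k] for k in ("registrar", "ns", "ip")
            if all(m[k] == members[0][k] for m in members)}

def hunt_by_fingerprint(records, fp, exclude):
    """Other registrations (any day, any brand) matching every fingerprint attribute."""
    return sorted(r["domain"] for r in records
                  if r["domain"] not in exclude
                  and all(r.get(k) == v for k, v in fp.items()))

def run_pipeline(records, blocklist):
    """All three steps on one feed; returns the flagged map and the hunt results."""
    groups = group_lookalikes(records)
    flagged = propagate_flags(groups, blocklist)
    leads = set()
    for group in groups:
        if any(d in blocklist for d in group):
            leads.update(hunt_by_fingerprint(records, fingerprint(records, group), set(flagged)))
    return flagged, sorted(leads)

if __name__ == "__main__":
    flagged, leads = run_pipeline(SAMPLE_REGISTRATIONS, {"amaz0n-login.com"})
    for d, why in flagged.items():
        print(f"FLAG  {d:20} {why}")
    for d in leads:
        print(f"LEAD  {d:20} shares infrastructure with a malicious group")
```

On the constructed data, a single blocklist hit on amaz0n-login.com flags its two same-day look-alikes, and the group's fingerprint (registrar RegA, ns1.cheapdns.example, 203.0.113.10) surfaces amazon-login.org, registered a day later, and paypa1-verify.com, which targets a different brand entirely. Treat fingerprint hits as leads to monitor rather than domains to block outright: a registrar or an IP on shared hosting is also used by plenty of legitimate registrants, and the analysis questions in step 1 exist precisely to weed such cases out before a group is acted on.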
If you’d like to discuss the findings of our research on domain brand squatting, don’t hesitate to connect with me on LinkedIn.