This blog is taken from our recent Domain Monitoring Solutions Guide, which provides best practices and free tools to begin monitoring for impersonating domains.
In my last blog, I outlined some of the key considerations for security professionals who want to collect domains. This includes sources like domain registration feeds, certificate transparency logs, DNS data, and so on. The blog also spoke to some of the challenges of storing and normalizing this data.
How do you then detect the domains you care about from the vast amount of domain-related data you have collected?
Let’s first look at the different types of typosquats and combosquats in use.
Character Changes and Typosquatting
“Character changes” is an umbrella term that encompasses all manner of sins. It can include swapping, switching, adding, and omitting characters. Most domain monitoring programs will search for registered domains with these character changes using a tool such as dnstwist. This is a good approach, albeit one made more complicated by the rapid increase in registered top-level domains.
You can see some of the most common types of typosquatting in our infographic, below. To learn more about the world of typosquatting, you can read more in our Typosquatting Protection 101 blog.
Detecting all types of character changes and permutations is already a challenge enough, yet attackers add further layers of complication by combining these changes with other tactics. One of the common combinations is to register these typosquatting domains on different subdomains to avoid detection.
Domain Typosquat: digitalshdows.com
Subdomain Typosquat: digitalshdows.scarydomain.com
For subdomain monitoring, teams cannot use a generic, one-size-fits-all approach. Teams should instead identify the specific keywords relevant to their organization. For example, a coffee shop brand might be interested in subdomains with keywords like “Coffee,” “Cart,” “Check Out,” or “Coupon.” As these terms would not apply to most businesses, these terms help ‘filter the noise’ of domain monitoring while focusing detection on relevant risk areas.
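The two detection ideas above (character-change permutations of the brand label, and organization-specific keywords in subdomains) can be combined into one classifier. This is an added example, not code from the original post or from Digital Shadows; the permutation rules are a deliberately small subset of what a tool like dnstwist generates, the brand label, keyword list and observed hostnames are constructed, and the registrable domain is assumed to sit directly under a single-label TLD.

```python
"""Flag typosquat-style hostnames in a feed of observed domains (added example)."""
from __future__ import annotations
from typing import Optional


def permutations(label: str) -> set[str]:
    """Omission, adjacent transposition, repetition and hyphen-insertion variants.
    Assumption: a small subset of dnstwist-style rules is enough to illustrate the idea."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omit one character
        out.add(label[:i] + label[i] * 2 + label[i + 1:])       # repeat one character
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap adjacent pair
            out.add(label[:i + 1] + "-" + label[i + 1:])        # insert a hyphen
    out.discard(label)  # the genuine label is not a squat
    return out


def classify(hostname: str, brand: str, keywords: set[str]) -> Optional[str]:
    """Return the finding type for one hostname, or None if nothing matched."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    variants = permutations(brand)
    registrable = labels[-2]      # assumption: single-label TLD (breaks on e.g. co.uk)
    subdomains = labels[:-2]
    if registrable in variants:
        return "domain-typosquat"              # e.g. digitalshdows.com
    if any(s == brand or s in variants for s in subdomains):
        return "subdomain-typosquat"           # e.g. digitalshdows.scarydomain.com
    if any(s in keywords for s in subdomains):
        return "keyword-subdomain"             # organization-specific keyword as a subdomain
    return None


def scan(feed: list[str], brand: str, keywords: set[str]) -> dict[str, str]:
    """Map each flagged hostname in the feed to its finding type."""
    return {h: c for h in feed if (c := classify(h, brand, keywords))}


OBSERVED = [  # constructed sample feed, as it might come from CT logs or passive DNS
    "digitalshdows.com",
    "digitalshdows.scarydomain.com",
    "coupon.brand-promo.net",
    "digitalshadows.com",
    "www.example.org",
]

if __name__ == "__main__":
    for host, finding in scan(OBSERVED, "digitalshadows", {"coffee", "cart", "checkout", "coupon"}).items():
        print(f"{finding:20} {host}")
```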
Analyzing the Content
Due to the sheer volume of domains, it is impossible to assess every possible permutation of your domain. Even if you only focus on live domains, this approach can generate hundreds of thousands, if not more, of potential domains for you to assess.
That’s where content analysis comes in. It will enable you to identify:
- Company and brand references. Attackers will often clone legitimate sites to ensure their spoofs are convincing. Monitoring for mentions of your company in the HTML helps to identify these efforts.
- Use of logo(s). Like the above, if a website carries your logo and looks to be a typosquat, you probably want to check it out.
Combining content analysis with typosquat detection will give the best shot at identifying the most critical domains.
The Parking Page Conundrum
When a domain is purchased, it does not necessarily immediately come into use. Before it has any associated web services, the domain owner may choose to display a message offering the domain for sale. Some individuals know that organizations are looking to detect domain impersonation. If they register some of the top, most similar domain names, they can convince the organization to repurchase it off them at a profit.
This becomes a problem for security teams. If a highly convincing domain spoof is a parking page, this limits what can be done to respond. As it is not infringing on the brand or being used for phishing, it’s challenging to have it taken down. Security teams, therefore, have a choice:
- Buy the domain. This is easy to do once but sets a precedent and does not scale.
- Track the domain for any changes, such as added DNS or MX records. This is ideal but hard to do.
Key Questions to Answer
Once you have collected domains from a comprehensive variety of data sources and detected impersonations of your domains, the next step is to analyze if those domains pose a legitimate threat to your business. Answering these key questions will help to focus on what the remediation ought to be.
- Is the content mimicking my website?
- Is the website selling counterfeit goods?
- Is it just a parking page?
- Has the domain been registered by your organization?
- Is the WHOIS or DNS consistent with corporate-owned websites?
- Is the WHOIS contact a member of your organization?
- Could the domain send emails?
- Is it attempting to capture credentials?
- Has the domain been flagged on a threat feed before?
Get Started with our Domain Monitoring Solutions Guide
In the next blog, I will dig into the final key area of domain monitoring: remediation.
In the meantime, download your own copy of the Domain Monitoring Solutions Guide to get started.