A three-step process to drive out compulsive domain brand squatters
Domain brand squatting can be defined as the unauthorized or dishonest use of brand or corporate identifiers in domain names. It is often tied to the bad-faith use of look-alike domains, and we see it all the time. The threat actors behind these domains go by different names, one of the most common being “typosquatters”. The Hot on the Trail of Compulsive Brand Squatters webinar showed how these people are infiltrating the Internet.
The first page of PhishTank’s Valid Phishing Research alone, at the time of this writing, tells us that domain brand squatting is a real and present danger. Many phishing URLs mimic legitimate companies such as Amazon and Sumitomo Mitsui Banking Corporation (SMBC). The following pages reveal more potential cases of domain brand squatting.
There are several ways for threat actors to squat a brand’s domain name. They don’t need to hijack the domain name itself, which is a tall order given the security measures put in place by registries and registrars. Most of the time, domain brand squatting is done by:
- Exploitation of TLDs: Use of a different top-level domain (TLD). For example, threat actors can register google[.]ml to mimic google[.]com.
- Typosquatting: This method takes advantage of common brand or domain name misspellings, such as gogle[.]com.
- Homoglyph attack: Use of internationalized domain names (IDNs) containing characters that resemble Latin letters. Examples include goögle[.]com and äapple[.]com. In other cases, threat actors replace characters with similar-looking ones, such as go0gle[.]com.
However, domain brand squatting is no longer limited to brand or company names. We’ve seen a good chunk of domains that use the names of senior executives from some of the biggest companies in the world. Some of these domains have been reported as malicious, including those using the names of CEOs Tim Byrne (Lincoln Property Company), Sundar Pichai (Google), Brian T. Moynihan (Bank of America), Rene Jones (M&T Bank), and Kevin Murphy (Ferguson Enterprises).
Uncontrollable but detectable
Cybersquatting domains are beyond the direct control of the entities they mimic. Even when a few of them are reported, what would prevent domain trademark squatters from registering more? They only need a few clicks to register domain names in bulk.
But there is still a way to reduce or avoid the damage caused by domain brand squatters: early detection. I propose a three-step process to make this possible:
1. Monitor mass registrations
Typosquatting and other brand-squatting domains are usually registered en masse, so monitoring mass registrations keeps you ahead of the threat. The Typosquatting Data Feed, for example, can detect groups of similar domain names that were registered on the same day. In the webinar, we featured approximately 2,400 groups, which represented over 13,000 domains.
2. Analyze group dynamics
Each group needs to be analyzed further to see if the domains actually belong to a group. At this point, we aim to answer the following questions:
- Do the domains have the same registrar and holder details?
- Do the domains resolve to the same IP address or the same range of IP addresses?
- Were the domains really created on the same day?
Knowing all of these provides more context for domain groupings, which is essential for the next step.
3. Detect malicious groups
Threat Intelligence Platforms (TIPs) and Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) solutions can flag domains as soon as they appear in malware databases. Once a domain is flagged, we can trace it back to its group and report all domains in that group. After all, they’re likely to share identical WHOIS records, creation dates, and IP address resolutions.
Of the 2,400 groups featured in the webinar, we found 176 with at least one member reported as malicious. Their group dynamics serve as an early warning mechanism that tells security teams to monitor them more closely.
Expanding the threat footprint
The characteristics of a malicious typosquatting group can also be used to detect more threats. In a group comprising eight domains, half of its members were reported as malicious. In particular, this group had these characteristics:
- All domains contain the text string “paypal-ticketid”.
- The registrant country of the domains (where available) was the United States.
- The publicly available registrant e-mail addresses followed the same pattern: firstname.lastname[.]@Hotmail[.]com.
- Their registrar is BigRock Solutions.
- They resolved to the same IP address — 162[.]240[.]8[.]85.
We used group dynamics to uncover other suspicious domains and found thousands more.
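As an added illustration of the three-step process above (monitor mass registrations, check group dynamics, propagate a malicious flag to the whole group) and of the “paypal-ticketid” characteristics just listed, here is example code that is not part of the original post or of any data feed product. It assumes a constructed list of registration records with the fields the post relies on (creation date, registrar, registrant e-mail, resolved IP) and a small blocklist standing in for the TIP/SIEM flag; the e-mail pattern check uses example.com rather than a real provider.

```python
import re
from collections import defaultdict

# Constructed sample of newly registered domains (not real registrations).
# Fields: domain, creation date, registrar, registrant e-mail, resolved IP.
RECORDS = [
    ("paypal-ticketid-2841.com", "2020-06-01", "RegistrarA", "ann.lee@example.com", "203.0.113.5"),
    ("paypal-ticketid-2842.com", "2020-06-01", "RegistrarA", "bob.ray@example.com", "203.0.113.5"),
    ("paypal-ticketid-2843.com", "2020-06-01", "RegistrarA", "cy.dean@example.com", "203.0.113.5"),
    ("paypal-ticketid-2844.com", "2020-06-01", "RegistrarA", "di.fox@example.com", "203.0.113.5"),
    ("gogle-login.net", "2020-06-01", "RegistrarB", "ops@example.org", "198.51.100.7"),
    ("paypal-ticketid-9.com", "2020-06-03", "RegistrarC", "zed@example.net", "198.51.100.9"),
]
# Constructed: the single member already reported by a TIP/SIEM feed.
BLOCKLIST = {"paypal-ticketid-2842.com"}

def template(domain):
    """Step 1 key: drop the TLD and replace digit runs, so bulk variants collapse."""
    return re.sub(r"\d+", "#", domain.rsplit(".", 1)[0])

def group_mass_registrations(records, min_size=2):
    """Step 1: bucket domains created on the same day under the same template."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec[1], template(rec[0]))].append(rec)
    return {key: members for key, members in groups.items() if len(members) >= min_size}

def group_dynamics(members):
    """Step 2: check whether members share registrar, IP and e-mail pattern."""
    single = lambda idx: len({m[idx] for m in members}) == 1
    # Same shape as in the post: firstname.lastname at a single mail provider.
    local_ok = all(re.fullmatch(r"[a-z]+\.[a-z]+", m[3].split("@")[0]) for m in members)
    same_provider = len({m[3].split("@")[1] for m in members}) == 1
    return {"same_registrar": single(2), "same_ip": single(4),
            "same_email_pattern": local_ok and same_provider}

def flag_groups(records, blocklist):
    """Step 3: one blocklisted member implicates the whole group; report it."""
    report = {}
    for key, members in group_mass_registrations(records).items():
        seeds = sorted({m[0] for m in members} & blocklist)
        if seeds:
            report[key] = {"seed": seeds, "dynamics": group_dynamics(members),
                           "reported": sorted(m[0] for m in members)}
    return report

if __name__ == "__main__":
    for key, info in flag_groups(RECORDS, BLOCKLIST).items():
        print(key, info)
```

Only the four same-day “paypal-ticketid” domains form a group; the lone typosquat and the later single registration are left for separate review rather than reported on the strength of one flagged sibling.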
If you would like to discuss the results of our domain brand squatting research, please feel free to contact me on LinkedIn.