Certain threats that organizations face online often involve the attacker registering a domain that is very similar to the targeted organization’s domain. This is done to support the attacker’s goal, enabling them to better impersonate the company in order to fool potential victims, employees or customers.
As domains are relatively cheap and easy to register through one of the many registrars worldwide, it’s a small investment on behalf of the attacker, an investment that can dramatically improve the results of the attack.
Here are some of the threats that involve such domain registration:
Phishing attacks have been incredibly popular for over 15 years as a method of compromising credentials. While there have been trends and some evolution over time, they have generally remained quite similar. An attacker sets up a site impersonating the targeted service they wish to obtain credentials for, then spams the link to it to as many people as possible. Among the recipients, some would most likely be customers of the service and would fall for the scam. It’s generally a numbers game, where the large number of recipients ensures that at least some of them would be relevant account holders on the targeted service, and out of those some would take the bait.
As a more tailored and convincing Phishing attack translates to additional victims falling for the scam, resulting in additional compromised credentials, many fraudsters invest in improving their Phishing attacks as much as possible. One such way is to acquire a domain that is similar to the targeted service, as this means the URL of the attack (which users have been taught to inspect) would resemble the legitimate one. For example, “bankofisreal.com” is much more convincing at impersonating “bankofisrael.com” than a generic IP address or a completely different domain.
Spear Phishing attacks are a variant of Phishing with some key differences. While the goal of a Phishing attack is to target users of a service and obtain their credentials, Spear Phishing attacks usually target employees. The attack is called “Spear Phishing” as it is much more targeted than its Phishing counterpart, where a wide net is cast – instead of spamming the Phishing letter en masse, specifically crafted letters are sent to individual E-mail addresses. Spear Phishing letters can be addressed by name to the employees who receive them, and they can also be tailored to the specific function of the recipient in the organization.
While Spear Phishing attacks do not always contain a link to a website (often they contain malware-laden attachments instead), those that do would most likely involve a similarly registered domain to ensure they are as convincing as possible.
Business E-mail Compromise, or BEC Fraud, is a type of scam involving a fraudster sending an E-mail to a relevant stakeholder within the organization, usually the CFO, requesting a money transfer to be made to their account. As part of the scam, the fraudster impersonates someone who is normally entitled to make such requests, such as a CEO, vendor or partner of the company.
BEC fraud is extremely popular, as it has a high success rate and big payouts. BEC incidents are not all the same, with some more sophisticated than others. Some incidents are technically unsophisticated, akin to a Nigerian prince scam, involving a simple E-mail sent from an unknown address. Other cases involve the fraudster accessing a compromised E-mail account of a company employee, sending their scam E-mail from their mailbox to maximize the appearance of legitimacy.
In some of the known BEC fraud incidents, a similar domain name has been used. The attackers couldn’t obtain access to a compromised E-mail address of the targeted company so they opted for the next best thing, registering a domain that they hoped would fool the recipient into believing that their E-mail came from within the company.
Brand Abuse is a very general term, one with many different variations, which describes any unauthorized use of a company’s brand. The intent of the usage can differ, from impersonation (the attacks we’ve described so far could be construed as a type of brand abuse) to damaging the brand’s reputation. For example, an unhappy customer can set up a site with the purpose of warning potential customers to stay away from the company and its products. Some common cases are not as nefarious and may not be attacks at all, such as a local distributor of the company building a site specifically for their market. In any of these cases, the organization may not wish to allow such an infringing site to operate.
Since in all of the mentioned cases a site is created around the brand, a similar domain is most likely going to be used.
Many users still arrive at a company’s website by manually typing the URL into their browser. This opens up the possibility of typos, which third parties can abuse. Having a similar domain with a slight difference can guarantee a certain amount of traffic from users who attempted to reach the legitimate site but had a typo in the URL. The incoming traffic can be monetized, mainly by displaying ads. This is known as Typo Squatting.
The term Cyber Squatting, however, is broader and includes other motivations for registering similar domains. Some register these domains in the hope that the company would eventually have to buy the domain from them, paying a premium. Such domains could be localized versions of international brands (e.g. with a local TLD), or domains that contain the brand name with slight variations or added words.
E-mail interception is a niche and rarer threat that is derived from typo squatting. While most typo squatting domains are registered to gain incoming traffic from users interested in accessing the legitimate site, some are registered with the intent of intercepting E-mails intended for the company’s employees.
Just as users manually type the domain of a site to access it, many also do so when sending E-mails, instead of using the mail application’s address book or auto complete. By registering a typo squatting domain, then placing a mail server that can capture and retain all E-mails sent to that domain (regardless of whether the specific address exists or not), it is possible to capture sensitive E-mails intended for the company’s employees.
The Silver Lining
While registering similar domains provides benefits in many forms of threats, it also provides an opportunity for the targeted organization to identify them.
As part of IntelFinder’s intelligence coverage, we monitor newly registered domains, analyse those that are deemed suspicious and provide our customers with the details needed in order to take them down.
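The detection side of this, as an added example that is not IntelFinder’s own tooling: expand a protected domain into the common lookalike variants described above (letter transposition as in the bankofisreal.com example, omission, repetition, homoglyphs, added words and TLD swaps) and match a feed of newly registered domains against them. The feed, keyword list and homoglyph table are constructed assumptions.

```python
"""Flag newly registered domains that look like a protected brand domain."""
from collections import namedtuple

Match = namedtuple("Match", "domain technique")

# Constructed sample feed standing in for a newly-registered-domains (NRD) list.
NEW_DOMAINS = [
    "bankofisreal.com",        # adjacent letters swapped (the example in the text)
    "bankofisrael.co",         # same label, different TLD
    "bank0fisrael.com",        # 'o' replaced by the digit zero
    "bankofisrael-login.com",  # brand plus a plausible added word
    "bankofisral.com",         # one letter dropped
    "weather-report.org",      # unrelated, must not be flagged
]

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}  # assumed table
KEYWORDS = ("login", "secure", "mail", "support")                            # assumed list

def variants(label):
    """Map each lookalike variant of a registrable label to the technique producing it."""
    v, n = {}, len(label)
    for i in range(n - 1):                      # transposition: swap two adjacent letters
        v.setdefault(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(n):                          # omission: drop one letter
        v.setdefault(label[:i] + label[i + 1:], "omission")
    for i in range(n):                          # repetition: double one letter
        v.setdefault(label[:i] + label[i] + label[i:], "repetition")
    for i, ch in enumerate(label):              # homoglyph: visually similar character
        if ch in HOMOGLYPHS:
            v.setdefault(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
    for kw in KEYWORDS:                         # added keyword, with and without a hyphen
        v.setdefault(f"{label}-{kw}", "added-keyword")
        v.setdefault(f"{label}{kw}", "added-keyword")
    v.pop(label, None)                          # never flag the brand itself
    return v

def classify(brand, candidate):
    """Return the technique that makes candidate a lookalike of brand, or None.
    Both arguments are expected as registrable domains (label.tld)."""
    b_label, b_tld = brand.lower().rsplit(".", 1)
    c_label, c_tld = candidate.lower().rsplit(".", 1)
    if c_label == b_label:
        return None if c_tld == b_tld else "tld-swap"
    return variants(b_label).get(c_label)

def scan(brand, feed):
    """Run classify over an NRD feed and keep only the hits, in feed order."""
    return [Match(d, t) for d in feed if (t := classify(brand, d))]

if __name__ == "__main__":
    for m in scan("bankofisrael.com", NEW_DOMAINS):
        print(f"{m.domain:28} {m.technique}")
```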
IntelFinder covers many more threats, including leaked employee credentials, rogue mobile apps, leaked source code, E-mail vulnerability, exposed subdomains, and more. All for a fraction of the cost of comparable services – as low as $250/month per brand.
Sign up now for a two-week trial at https://dash.intelfinder.io/signup.php. No strings attached, no payment information required.