April 19, 2017 - Anissa Khalid

Why Brand Monitoring is a Security Issue - Typosquatting

<p>Corporate brands are generally thought of as intangible objects that carry the company’s image and reputation. However, your brand is very tangible in the eyes of attackers and can absolutely be targeted and damaged with cyber threats. To prevent such damage, companies can engage in “brand monitoring”. More specifically, this means searching for typosquatting and compromised credentials. While different in intent and practice, both tactics rely on human behaviors to achieve their goals. Such attacks are difficult to detect because the damage can occur outside of a company’s domain, and difficult to prevent because prevention requires a change in habit rather than corporate policy. In the first part of this series we’ll explore what typosquatting is, why it matters, and what courses of action a company can take to effectively protect its brand.</p>
<h2>Typosquatting</h2>
<p>Typosquatting (also known as URL hijacking) refers to malicious third parties registering domains that are similar to legitimate corporate domains. The motives for registering a similar domain are numerous, but all have a nefarious intent. With a deceptive domain, typosquatters have the potential to:</p>
<ul>
<li>Orchestrate phishing schemes to collect customer credentials</li>
<li>Install malware onto visitor devices</li>
<li>Coerce the targeted company into buying the domain</li>
<li>Redirect traffic to competing or malicious sites</li>
<li>Embarrass the company by displaying inappropriate messaging</li>
</ul>
<p>The exact variation of the domain will depend on the adversary’s intent. There are two general options: register a domain that looks visually similar, or register a domain that looks credible. True to the “typo” part of typosquatting, visually similar domains consist of slight misspellings of either the root domain or the country-code top-level domain. Potentially credible domains instead add keywords that viewers won’t find suspicious. For example, malicious variations of “anomalibank.com” and “domain.com” might look like:</p>
<p style="text-align: center;"><img alt="Malicious Domain Variations" src="https://cdn.filestackcontent.com/FngZpRaXQ2izeHrGGTzQ"/></p>
<p>Such domains might seem obviously fake when examined closely, but even these examples could be surprisingly effective. Malicious actors know that the most effective attacks are those based on human predispositions, among them a tendency to trust visual cues and to be inattentive in routine situations. If a webpage and its domain look similar enough to what an individual is accustomed to, it is unlikely to raise any red flags.</p>
<p>To investigate the widespread use of malicious domains, the Anomali Labs Team released a report on the <a href="https://wwwlegacy.anomali.com/files/FTSE_100_REPORT.pdf" target="_blank">Financial Times Stock Exchange 100 (FTSE 100 Index)</a>. The Anomali Labs Team examined the FTSE 100 companies over a period of three months and found that 81 of the 100 companies had potentially malicious domain registrations against them. A total of 527 malicious domains were detected.</p>
<p style="text-align: center;"><img alt="Industries with the highest instances of domain name compromise" src="https://cdn.filestackcontent.com/1JQuQbcFRva13l2aRwUs"/></p>
<h2>What to do About Typosquatting</h2>
<p>So what can companies do in response to such a frequent and effective attack? As always, educating employees on the possibility of false domains is critical. Companies can also take large-scale measures to ensure that their brand is protected.</p>
<p>For one, organizations can purchase any domains similar to, or affiliated with, their own. Think of any large company and it’s likely that they currently own “theircompanyname”sucks.com. This is a time-consuming endeavor, but ultimately worthwhile, as it prevents malicious actors from forcing them into buying the domain or using it to garner negative publicity.</p>
<p>Unfortunately, many companies are unable to anticipate which domains might be used against them, and the creativity of malicious actors in dreaming up confusing or damaging domains seems unlimited. Or they are simply too slow on the draw and those domains have already been registered. In this case organizations can work with any number of third-party services to issue takedown notices. Companies like Verizon, Lufthansa, and Lego are known to aggressively chase down typosquatters, with Lego having spent upwards of $500,000 to get malicious domains taken down.</p>
<p>Companies can also block any known malicious domains in their proxies or email security products, which protects employees from phishing scams. In this case the malicious domain need not imitate their own brand; it could be any known phishing site. If such a domain is found, organizations may wish to triage the registrant information to see if there are other associated domains targeting the company.</p>
<p>One of the more effective tools for researching and monitoring malicious typosquatting is a <a href="https://www.anomali.com/products/threatstream">Threat Intelligence Platform (TIP)</a>. The ThreatStream platform from Anomali lets users define base domains; the platform then monitors existing and newly registered domains and flags any similarities. The tool also provides the ability to define more complex pattern detection via regular expression matching. A machine learning algorithm is used to make the search for new domain registrations more sophisticated, and the domains found are added to individual customer threat bulletins. The Anomali Labs team also provides customers with a feed of domains registered by disposable domains.</p>
<p>Once a malicious domain is identified, users can then attempt to identify its country of origin, other domains the registrant has created, and all IPs associated with the domain. This allows companies not only to investigate suspicious domains, but also to predict a potential attack vector. For example, with the right tools you can discover that a typosquatted domain belongs to an actor who has registered other malicious domains, uses a specific set of IP addresses, and is known to utilize a particular type of attack (phishing, malware, etc.). With this information you can then apply the appropriate firewall, SIEM, endpoint, and IDS/IPS rules to block and/or monitor for suspicious activity.</p>
<p style="text-align: center;"><img alt="Bad domain monitoring" src="https://cdn.filestackcontent.com/Qy5mra9fTyK4mw9gvfQZ"/></p>
<p>Taking brand monitoring a step further, organizations should also scan the <a href="https://www.anomali.com/blog/shedding-some-light-on-the-dark-web">Dark Web</a> for mentions of corporate domains. Anomali automates this type of scanning and keyword matching, and will also scan the Dark Web for internal project names (yes, like the ones you’d hear in movies), mentions of executive names or emails, and the company’s public IP ranges.</p>
<h2>Conclusion</h2>
<p>Through typosquatting, malicious actors damage a company’s reputation and steal data. This tactic relies on predictable human behaviors, and is best mitigated through education, research, and tighter regulations. A <a href="https://www.anomali.com/products/threatstream">Threat Intelligence Platform</a> can simplify the process, and ultimately protect employees, customers, and brands.</p>
<p>Similar reports to the FTSE 100 were conducted for the <a href="https://wwwlegacy.anomali.com/files/anomali-labs-reports/DAX-100.pdf" target="_blank">DAX 100</a> and <a href="https://wwwlegacy.anomali.com/files/anomali-labs-reports/OMX-30.pdf" target="_blank">OMX 30</a>.</p>
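<p>The similarity checks described above for a base domain (misspelled labels, a swapped top-level domain, look-alike characters, and the brand used as a keyword with added terms) can be illustrated with a small classifier run over a feed of new registrations. The code below is an added example, not Anomali's or ThreatStream's code; the registration feed, the homoglyph table and the edit-distance threshold of 1 are constructed assumptions for the illustration.</p>

```python
# Constructed sample feed of "newly registered" domains (not data from the article).
NEW_REGISTRATIONS = [
    "anomalibank.com", "anomallbank.com", "anomailbank.com", "anomalibank.co",
    "anomali-bank.com", "anomalibank-login.com", "secure-anomalibank.net",
    "an0malibank.com", "weather.example", "anomali.com",
]

# Look-alike substitutions seen in visually similar domains (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label):
    """Map look-alike characters back onto the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or transpose."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def classify(candidate, base):
    """Return why `candidate` resembles `base`, or None. Expects registrable domains (brand.tld)."""
    c_label, _, c_tld = candidate.lower().partition(".")
    b_label, _, b_tld = base.lower().partition(".")
    if candidate.lower() == base.lower():
        return None                                  # the legitimate domain itself
    if c_label == b_label:
        return f"same label, different TLD (.{c_tld} vs .{b_tld})"
    if normalize(c_label) == b_label:
        return "homoglyph substitution"
    dist = edit_distance(c_label, b_label)
    if dist <= 1:                                    # threshold chosen for this example
        return f"misspelling (edit distance {dist})"
    if b_label in c_label:                           # brand used as a keyword
        return "brand keyword with added terms"
    return None

def flag_registrations(base, feed):
    """Run every check over a feed; return {domain: reason} for hits only."""
    return {d: r for d in feed if (r := classify(d, base))}

if __name__ == "__main__":
    print(flag_registrations("anomalibank.com", NEW_REGISTRATIONS))
```

In practice the feed would come from a registration or passive DNS source, and hits would be triaged (registrant, IPs, other domains) as the article describes rather than blocked blindly.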
