Today, businesses around the world rely on owned websites and domains to grow brand awareness and promote and sell products and services. With e-commerce and online shopping at an all-time high, securing owned domains and removing malicious or spoofed domains is imperative for protecting modern consumers and their personal information from cybercrime. As cybercriminals often buy ‘look-alike’ domains with the goal of impersonating a targeted organization online, domains offer attackers a wide and potentially lucrative attack surface.
Impersonating an organization or brand may involve swapping in similar characters (homoglyphs) or appending keywords such as “help,” “support,” or other plausible concatenations to the end of the URL. Similarly, attackers will append long strings of randomized characters to a legitimate-looking domain, so that a user clicking on this domain will only see the first, credible-looking part of the domain before realizing they have become a victim.
With domain-based attacks on the rise across industries, investing in domain protection should be a top priority for organizations of all sizes. Given the various tactics used by attackers to perform domain-based attacks, it’s important for enterprises to understand the top tactics bad actors use so that they can better defend their brand and protect their customers.
Strategy number 1: Piggybacking
We often see attackers utilizing spoofed or look-alike domains in an attempt to appear credible by piggybacking off the name recognition of well-known brands. These look-alike domains may be parked or serving live content. Parked domains are commonly used to generate ad revenue; however, they could very easily be used to rapidly serve malicious content as well. These attack tactics can also be used to serve other content that can be harmful to a brand’s image, like counterfeit goods.
Strategy number 2: Copycatting
Another common tactic used by attackers is called copycatting and involves creating a site that directly mirrors an organization’s legitimate webpage. This is often done by picking a top-level domain (TLD) that the legitimate domain isn’t using, or by attaching multiple TLDs to a domain name. When attackers use these methods, users are more likely to be deceived, and will believe that they are interacting with the legitimate organization.
Malicious domains will often utilize information and visuals that customers would expect to see on a legitimate site, such as their logo and brand name. This instills a sense of familiarity and trust that could convince unsuspecting victims to divulge personal or financial information or purchase counterfeit goods from these sites.
Strategy number 3: Typosquatting and Homoglyphs
Today, bad actors are always looking for ways to mislead unsuspecting internet users. Two tactics we commonly see, both effective at keeping users from realizing they are being spoofed, are homoglyphs and typosquatting.
Homoglyph attacks are a variant of domain spoofing. The basic principles of domain spoofing remain the same; however, attackers using this tactic may substitute a look-alike character from an alphabet other than the Latin alphabet, for example, the Cyrillic “а” for the Latin “a.” Although these letters are visually identical, their Unicode values differ, so they will be processed differently by the browser. Given that there are over 100,000 existing Unicode characters, attackers have unlimited opportunities to use this tactic for attacks. Impersonators also abuse homoglyph attacks to fool traditional string matching and anti-abuse algorithms.
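The check below is an added example, not code from the original article: it flags a domain whose labels mix Unicode scripts or whose look-alike characters fold back to a protected name, which is the case plain string matching misses. The protected domain, the sample look-alike and the small confusables table are constructed for illustration.

```python
import unicodedata

PROTECTED = {"example.com"}  # constructed: domains the organization owns

# Small constructed subset of look-alike characters; a production check
# would load the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def scripts_in(label):
    """Scripts used in a label, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(domain):
    """Fold known look-alike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())

def to_unicode(domain):
    """Decode punycode (xn--) labels so the check sees the real characters."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain

def check_homoglyph(domain, protected=PROTECTED):
    """Return a list of findings for one observed domain (empty if clean)."""
    name = to_unicode(domain.lower())
    findings = []
    for label in name.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(found)}")
    if name not in protected and skeleton(name) in protected:
        wire = name.encode("idna").decode("ascii")
        findings.append(f"visually matches {skeleton(name)} (sent as {wire})")
    return findings

if __name__ == "__main__":
    # Constructed sample: Cyrillic U+0430 in place of the Latin "a".
    for finding in check_homoglyph("ex\u0430mple.com"):
        print(finding)
```

Because the function decodes `xn--` labels first, it gives the same result whether a feed reports the domain in Unicode or in its punycode form.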
Typosquatting involves the use of common URL misspellings that either a user is likely to make of their own accord or that they may not notice. If an organization has not registered additional domains that are close to its legitimate domain name, attackers will often purchase them to take advantage of common typos. Attackers may also infringe upon trademarks by using legitimate graphics or other intellectual property to make malicious websites appear more legitimate.
Protect your domains and your customers
Domains, and the websites they host, are critical to an organization’s online image and brand as they are often the first source of engagement between a consumer, partner, prospective employee and their organization. Cyberattackers recognize this and use it as an opportunity to capitalize on these engagements.
Here are a few steps your organization can take to protect your domains and web presence:
- Ensure you have multi-factor authentication set up for internal website management and external access, such as account login forms
- Identify domains that are similar to your own and proactively register them before someone else can
- Continually monitor for fraudulent and impersonating domains
- Monitor for abuse of your brand within subdomains
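One way to triage a monitoring feed against the tactics described in this article, as an added example that is not part of the original: each observed domain is labelled as a TLD swap, a brand name in a subdomain, an appended keyword or a one-edit typo of the brand. The brand, the owned domain and the sample feed are constructed, and the split into name and TLD assumes a single-label TLD rather than the Public Suffix List.

```python
BRAND = "example"          # constructed brand label
OWNED = {"example.com"}    # constructed: domains the organization has registered

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain):
    """Label one observed domain with the tactic it matches, or None."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED or any(domain.endswith("." + o) for o in OWNED):
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    name, sub = labels[-2], labels[:-2]  # assumption: single-label TLD
    if name == BRAND:
        return "tld-swap"
    if any(BRAND in s for s in sub):
        return "brand-in-subdomain"
    if BRAND in name:
        return "keyword-append"
    if osa_distance(name, BRAND) == 1:
        return "typosquat"
    return None

def triage(observed):
    """Keep only the domains that match a tactic, with their label."""
    return [(d, classify(d)) for d in observed if classify(d)]

# Constructed feed; the reserved .test TLD keeps the samples off real domains.
OBSERVED = ["www.example.com", "example.test", "example-support.test",
            "exmaple.test", "example.login.badhost.test", "unrelated.test"]

if __name__ == "__main__":
    for domain, tactic in triage(OBSERVED):
        print(f"{tactic:20} {domain}")
```

Matching on a one-edit distance rather than a looser threshold keeps the alert volume down, at the cost of missing typos that are two or more edits away.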
Many organizations monitor domains related to their brand in order to ensure that their brand is represented in the way it is intended, but for larger organizations composed of many subsidiary brands, this can be even more challenging. Because the attack surface is so large, and attacks against domains are so common, it is easy for organizations to feel inundated with alerts. This is why it is crucial that organizations precisely monitor for domains that may be impersonating or pirating their brand, products, trademarks or other intellectual property. Only by actively monitoring for domains infringing on the organization’s brands can legitimate threats be prioritized and potential loss mitigated.
Zack Allen, Director of Threat Operations, ZeroFOX