The Big 3: Top Domain-Based Attack Tactics Threatening Organizations

Friday, January 17, 2020

Zack Allen

4ebb71b142fbe23222c175ac358e4700

Nowadays, businesses across all industries are turning to owned websites and domains to grow their brand awareness and sell products and services. With this dominance in the e-commerce space, securing owned domains and removing malicious or spoofed domains is vital to protecting consumers and businesses alike. This is especially important because domain impersonation is an increasingly popular tactic among cybercriminals. One example of this is ‘look-a-like’ urls that trick customers by mimicking brands through common misspellings, typosquatting and homoglyphs. With brand reputation and customer security on the line, investing in domain protection should be a top priority for all organizations.

Domain-based attacks are so popular, simply because of how lucrative they can be. As mentioned above, attackers often buy ‘look-alike’ domains in order to impersonate a specific brand online. To do this, bad actors can take three main approaches: copycatting, piggybacking and homoglyphs/typosquatting. From mirroring legitimate sites to relying on slight variations that trick an untrained eye, it’s important to understand these top tactics cybercriminals use so you can defend your brand and protect customers. Let’s explore each in more detail.

1. Copycatting Domains

One tactic used by bad actors is to create a site that directly mirrors the legitimate webpage. Cybercriminals do so by copying a top-level domain (TLD), or TLD, that the real domain isn’t using, or by appending multiple TLDs to a domain name. With these types of attacks, users are more likely to be tricked into believing they are interacting with the legitimate organization online. This simplifies the bad actor’s journey as the website appears to be legitimate, and will be more successful than an attack using a generic, throwaway domain. To amplify these efforts, bad actors will also use text and visuals that customers would expect to see on a legitimate site, such as the logo, brand name, and products. This sense of familiarity and trust puts potential victims at ease and less aware of the copycat’s red flags. 

2. Piggybacking Name Recognition

The first approach attackers utilize is spoofed or look-alike domains that help them appear credible by piggybacking off the name recognition of established brands. These domains may be either parked or serving live content to potential victims. Parked domains are commonly leveraged to generate ad revenue, but can also be used to rapidly serve malicious content. They are also often used to distribute other brand-damaging content, like counterfeit goods.

3. Tricking Victims with Homoglyphs and Typosquatting

This last tactic has two main methods --  typosquatting and homoglyphs -- and looks for ways to trick unsuspecting internet users where they are unlikely to look or notice they are being spoofed. 

  • Typosquatting involves the use of common URL misspellings that either a user is likely to make on their own accord or that users may not notice at all, i.e. adding a letter to the organization’s name. If an organization has not registered domains that are close to their legitimate domain name, attackers will often purchase them to take advantage of typos. Attackers may also infringe upon trademarks by using legitimate graphics or other intellectual property to make malicious websites appear legitimate.
  • With homoglyph, the basic principles of domain spoofing remain the same, but an attacker may substitute a look-a-like character of an alphabet other than the Latin alphabet -- i.e., the Cyrillic “а” for the Latin “a.” Although these letters look identical, their Unicode values is different and as such, they will be processed differently by the browser. With over 100,000 Unicode characters in existence, bad actors have an enormous opportunity. Another benefit of this type of attack is that they can be used to fool traditional string matching and anti-abuse algorithms. 

Why domain protection is necessary

Websites are a brand’s steadfast in the digital age, as they are often the first source of engagement between a consumer, partner, prospective employee and your organization. Cyberattackers see this as an opportunity to capitalize on that interaction. If businesses don’t take this problem seriously, their brand image, customer loyalty and ultimately financial results will be at risk. 

While many organizations monitor domains related to their brand in order to ensure that their brand is represented in the way it is intended, this is challenging for larger organizations composed of many subsidiary brands. Since these types of attacks are so common and the attack surface is so large, organizations tend to feel inundated with alerts and incidents. As such, it is crucial that organizations proactively and constantly monitor for domains that may be pirating their brand, products, trademarks or other intellectual property.

About the author: Zack Allen is both a security researcher and the director of threat intelligence at ZeroFOX. Previously, he worked in threat research for the US Air Force and Fastly.

Possibly Related Articles:
90103
Security Training Impersonation
Typosquatting homoglyphs top-level domain copycatting
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.