
Protect your domain and protect your customers: The top three domain-based attack tactics


Today, businesses around the
world rely on owned websites and domains to grow brand awareness and promote
and sell products and services. With e-commerce and online shopping at an
all-time high, securing owned domains and removing malicious or spoofed domains
is imperative for protecting modern consumers and their personal information
from cybercrime. Because cybercriminals often buy ‘look-alike’
domains with the goal of impersonating a targeted organization online,
domains offer attackers a wide and potentially lucrative attack surface.

Impersonating an organization
or brand may involve swapping in similar characters (homoglyphs) or appending
keywords such as “help,” “support,” or other plausible concatenations to the
end of the URL. Similarly, attackers will append long strings of randomized
characters to a legitimate-looking domain, so that a user clicking on this
domain will only see the first, credible-looking part of the domain before
realizing they have become a victim. 

With domain-based attacks on
the rise across industries, investing in domain protection should be a top
priority for organizations of all sizes. Given the various tactics used by
attackers to perform domain-based attacks, it’s important for enterprises to
understand the top tactics bad actors use so that they can better defend their
brand and protect their customers. 

Strategy number 1: Piggybacking 

We often see attackers
utilizing spoofed or look-alike domains in an attempt to appear credible by
piggybacking off the name recognition of well-known brands. These look-alike
domains may be parked or serving live content. Commonly, parked domains are
used to generate ad revenue; however, these domains could very easily be used
to rapidly serve malicious content as well. The same tactics can
also be used to serve other content that can be harmful to a brand’s image,
like counterfeit goods.

Strategy number 2: Copycatting 

Another common tactic used by
attackers is called copycatting and involves creating a site that directly
mirrors an organization’s legitimate webpage. This is often done by picking a
top-level domain (TLD) that the legitimate domain isn’t using, or by attaching
multiple TLDs to a domain name. When attackers use these methods, users are
more likely to be deceived, and will believe that they are interacting with the
legitimate organization.

Malicious domains will often
utilize information and visuals that customers would expect to see on a
legitimate site, such as their logo and brand name. This instills a sense of
familiarity and trust that could convince unsuspecting victims to divulge
personal or financial information or purchase counterfeit goods from these
sites. 

Strategy number 3: Typosquatting and Homoglyphs

Today, bad actors are always
looking for ways to mislead unsuspecting internet users. We commonly see them
using two tactics that are effective at keeping users from realizing they are
being spoofed: homoglyphs and typosquatting.

Homoglyph attacks are a
variant of domain spoofing. The basic principles of domain spoofing remain the
same; however, attackers using this tactic may substitute a look-alike
character from an alphabet other than the Latin alphabet, for example, the
Cyrillic “а” for the Latin “a.” Although these letters are visually
identical, their Unicode values differ, so they will be processed
differently by the browser. Given that there are over 100,000 existing Unicode
characters, attackers have unlimited opportunities to use this tactic for
attacks. Impersonators also abuse homoglyph attacks to fool traditional string
matching and anti-abuse algorithms.

Typosquatting involves the
use of common URL misspellings that a user is either likely to make of their
own accord or may not notice. If an organization has not registered
additional domains that are close to its
legitimate domain name, attackers will often purchase them to take advantage of
common typos. Attackers may also infringe upon trademarks by using legitimate
graphics or other intellectual property to make malicious websites appear more
legitimate.
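The tactics described above (appended keywords, unused TLDs, homoglyphs and typos) can be triaged automatically when reviewing newly observed domains. The following is an added example, not code from the article or its author: it classifies a candidate `name.tld` domain against a brand domain. The brand `example.com`, the function names and the small Cyrillic confusables map are assumptions made for illustration.

```python
import unicodedata

# Constructed, partial confusables map (Cyrillic -> Latin); an assumption for
# this example. Production monitoring would load Unicode's confusables.txt.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}

def to_unicode(domain):
    """Decode punycode (xn--) labels so hidden homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:  # already Unicode, or not valid IDNA
        return domain.lower()

def scripts(label):
    """Scripts used by the letters of a label, read from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold look-alike characters onto their Latin counterparts."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand, max_typos=1):
    """Label a candidate `name.tld` domain relative to the brand's domain."""
    cand, ref = to_unicode(candidate), to_unicode(brand)
    if cand == ref:
        return "legitimate"
    name, brand_name = cand.split(".")[0], ref.split(".")[0]
    if name != brand_name and skeleton(name) == skeleton(brand_name):
        return "homoglyph"   # same appearance, different code points
    if name == brand_name:
        return "tld-swap"    # brand name on a TLD the brand does not use
    if brand_name in name:
        return "keyword"     # brand plus "support", "help", ...
    if edit_distance(name, brand_name) <= max_typos:
        return "typosquat"
    return "unrelated"
```

A label whose `scripts()` result contains more than one script is worth flagging on its own, since plain string matching against the brand name will miss it.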

Protect your domains and your customers

Domains, and the websites
they host, are critical to an organization’s online image and brand as they are
often the first source of engagement between a consumer, partner, prospective
employee and their organization. Cyberattackers recognize this and use it as an
opportunity to capitalize on these engagements.

Here are a few steps your
organization can take to protect your domains and web presence:

  1. Ensure you have multi-factor authentication set up for internal website management and external access, such as account login forms
  2. Identify domains that are similar to your own and proactively register them before someone else can
  3. Continually monitor for fraudulent and impersonating domains
  4. Monitor for abuse of your brand within subdomains

Many
organizations monitor domains related to their brand in order to
ensure that their brand is represented in the way it is intended, but for
larger organizations composed of many subsidiary brands, this can be even more
challenging. Because the attack surface is so large, and attacks against domains
are so common, it is easy for organizations to feel inundated with alerts. This
is why it is crucial that organizations precisely monitor for domains that may
be impersonating or pirating their brand, products, trademarks or other
intellectual property. Only by actively monitoring for domains infringing on
an organization’s brands can legitimate threats be prioritized and potential loss
mitigated.

Zack Allen, Director of Threat Operations, ZeroFOX

Source: https://www.scmagazine.com/home/security-news/protect-your-domain-and-protect-your-customers-the-top-three-domain-based-attack-tactics/
