Character Additions


In the context of domains and cybersecurity, character additions refer to a type of domain manipulation where an attacker adds one or more characters to a legitimate domain name to create a fraudulent, look-alike domain. The goal is to deceive users into thinking they are visiting a trusted site, often to carry out phishing attacks, spread malware, or impersonate a brand.

This technique is a standard method of "cybersquatting" or "typosquatting." Attackers rely on the fact that users may not scrutinize every character in a web address, especially in emails or social media links.

There are two primary forms of character additions:

  1. Domain Suffixing: This is when a word or phrase is added to the end of a legitimate domain. The added word often mimics a trusted service or a call to action. Examples include adding words like "-login," "-support," "-verify," or "-bank" to the original domain, such as mycompany-login.com or mycompany-support.com. This method is designed to trick users into entering credentials on a fake site.

  2. Character Insertion: This involves adding an extra character somewhere within the domain name itself. The inserted character can be a letter, number, or symbol that creates a subtle misspelling. For example, an attacker might add an "s" to apple.com to create apples.com, or duplicate a letter in a brand name to create googgle.com instead of google.com.
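Both forms can be checked mechanically against a feed of observed domains, such as newly registered names. The following is an added example, not ThreatNG's code: the function names, keyword list and sample feed are constructed for illustration, and it assumes simple two-label domains (no public-suffix handling).

```python
# Keywords taken from the examples on this page; extend to suit the brand.
KEYWORDS = ("login", "support", "verify", "bank", "help", "pay")


def split_domain(domain):
    """Return (label, tld) for a simple two-label domain such as 'apple.com'."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    return label, tld


def is_single_insertion(brand, candidate):
    """True if candidate is brand with exactly one extra character inserted."""
    if len(candidate) != len(brand) + 1:
        return False
    i = 0
    while i < len(brand) and brand[i] == candidate[i]:
        i += 1
    # Skip the one extra character; the remainders must then match exactly.
    return brand[i:] == candidate[i + 1:]


def classify(brand_domain, observed_domain):
    """Label observed_domain as a character addition of brand_domain, or None."""
    brand, brand_tld = split_domain(brand_domain)
    label, tld = split_domain(observed_domain)
    if tld != brand_tld or label == brand:
        return None  # different TLD, or the legitimate domain itself
    if label.startswith(brand):
        # Domain suffixing: brand followed by a keyword, with or without "-".
        if label[len(brand):].lstrip("-") in KEYWORDS:
            return "domain-suffixing"
    if is_single_insertion(brand, label):
        return "character-insertion"
    return None


def scan(brand_domain, observed):
    """Return (domain, kind) pairs for every look-alike found in observed."""
    hits = []
    for domain in observed:
        kind = classify(brand_domain, domain)
        if kind:
            hits.append((domain, kind))
    return hits


# Constructed sample feed, e.g. one day of newly observed registrations.
SAMPLE_FEED = ["mycompany-login.com", "mycompanyy.com", "mycompany.com",
               "example.org", "mycompany-support.com"]
```

A domain flagged here is only a candidate; resolving it and reviewing its DNS and mail records is still needed before acting on it.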

ThreatNG helps with character additions by providing a comprehensive, outside-in approach to external discovery and assessment. It can identify these fraudulent domains, analyze their characteristics, and provide actionable intelligence to mitigate risk.

External Discovery and Assessment

ThreatNG performs purely external, unauthenticated discovery. This means it looks at your organization's digital presence from an attacker's perspective, without needing internal access. For a company like "mycompany.com," ThreatNG would automatically generate and look for variations with character additions, such as mycompany-login.com or mycompany-support.com. These fraudulent sites are then evaluated for various security risks.

The platform's external assessment capabilities directly address the threats posed by character additions:

  • Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world to identify potential entry points for attackers, which could include a fake login page created with character additions like mycompany-login.com.

  • BEC & Phishing Susceptibility: The platform's score is derived from Domain Intelligence, which includes the Domain Name Permutations capability. This helps identify look-alike domains that could be used for phishing attacks, such as those with character additions to create a fake service portal.

  • Brand Damage Susceptibility: ThreatNG uses digital risk intelligence from its Domain Intelligence module to find domain permutations, directly addressing the brand damage that could result from fraudulent sites like mycompany-help.com.

Investigation Modules and Intelligence Repositories

ThreatNG's Domain Intelligence module is central to this process. Within it, the DNS Intelligence capability includes Domain Name Permutations. This capability specifically detects and groups manipulations and additions of a domain, providing the associated IP addresses and mail records for the taken domains. It also uses a pre-packaged set of Targeted Key Words and allows users to define their own to create specific permutations, such as those with the words "login," "support," or "pay".

Additionally, ThreatNG's intelligence repositories, known as DarCache, play a key role. For example, DarCache Rupture (Compromised Credentials) and DarCache Dark Web can be used to see if the fraudulent domain is associated with known data breaches or mentioned on the dark web, providing additional context and risk factors.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk. This means it constantly checks for new domain permutations with character additions, ensuring that newly created threats are detected as soon as they appear.

The platform's reporting features provide clear, actionable information. The reports include risk levels to help organizations prioritize their security efforts, along with reasoning and recommendations for mitigation. For a character addition threat, the report would detail the fraudulent domain (e.g., mycompany-login.com), its associated risk, and a recommendation to initiate a takedown request.

Complementary Solutions

ThreatNG's proactive discovery and detailed intelligence make it a strong complement to other security solutions.

  • Security Orchestration, Automation, and Response (SOAR): ThreatNG can feed its findings to a SOAR platform. For example, when ThreatNG identifies a new, taken domain with a character addition like mycompany-login.com, it can automatically trigger a SOAR playbook. This playbook could then be used to immediately alert the brand protection team and initiate an automated takedown request for the fraudulent domain, all before it can be used in a widespread phishing campaign.

  • Incident Response Platforms: If an organization discovers an active phishing campaign using a domain with a character addition, the ThreatNG platform can be used to provide the incident response team with critical, actionable intelligence. They can quickly look up the fraudulent domain, obtain its associated IP address, and review its mail record to accelerate their investigation and take immediate action.

  • Brand Protection Services: While many services are reactive, ThreatNG's capability is proactive. It can be used to discover a full range of domain permutations beyond simple character additions, including bitsquatting and homoglyphs. This provides a broader view of the brand threat landscape, supplementing other services and allowing for a more comprehensive defense.
