Character Impersonation
In the context of domains and cybersecurity, character impersonation is a deceptive tactic where an attacker creates a fraudulent domain name that closely mimics a legitimate one by altering one or more characters. This is a broad category of attacks that exploits human trust and the visual similarity of characters across different languages and alphabets. The goal is to deceive individuals into believing they are visiting a trusted site, often to steal sensitive data or distribute malware.
Attackers use several methods for character impersonation:
Homoglyphs: This involves swapping a character with another from a different character set that looks visually identical or very similar. For example, replacing the Latin 'a' with the Cyrillic 'а' to create microsofта.com.
Character Substitutions: This is a form of typosquatting where attackers replace a character with a similar-looking one, often a number for a letter (e.g., g00gle.com for google.com) or one letter for another (rnicrosoft.com for microsoft.com).
Character Omissions or Additions: These are common misspellings where a character is either added (googgle.com) or removed (gogle.com) from the domain name.
TLD Impersonation: An attacker registers a domain with the same name as a legitimate one but with a different top-level domain (e.g., mycompany.net instead of mycompany.com).
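The four techniques above can be told apart mechanically, which is what a defender needs when triaging newly observed sender domains or DNS permutations. The following classifier is an added example and not ThreatNG's code; it assumes a single-label TLD and uses a constructed subset of Unicode confusables (the real list is much longer).

```python
# Added example, not ThreatNG code. Assumes a single-label TLD (example.com,
# not example.co.uk); the confusable table below is a constructed subset.

# Cyrillic letters and digits mapped to the Latin letter they resemble
CONFUSABLES = {
    '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
    '\u0442': 't', '\u0456': 'i', '\u0445': 'x', '\u0443': 'y',
    '0': 'o', '1': 'l', '3': 'e', '5': 's',
}
# Two-letter sequences that render like a single letter (rn -> m)
DIGRAPHS = {'rn': 'm', 'vv': 'w', 'cl': 'd'}

def skeleton(label):
    """Collapse a label to the ASCII string a reader perceives."""
    seen = ''.join(CONFUSABLES.get(ch, ch) for ch in label)
    for pair, letter in DIGRAPHS.items():
        seen = seen.replace(pair, letter)
    return seen

def split_domain(domain):
    """Lower-case, decode punycode (xn--) labels and split off the TLD."""
    domain = domain.strip().rstrip('.').lower()
    if 'xn--' in domain:
        domain = domain.encode('ascii').decode('idna')
    label, _, tld = domain.rpartition('.')
    return label, tld

def classify(candidate, legit):
    """Techniques used by candidate to mimic legit: [] if identical,
    None if the names are unrelated."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)
    c_seen, l_seen = skeleton(c_label), skeleton(l_label)
    techniques = []
    if c_seen != l_seen:  # perceived labels differ: allow one added/dropped char
        longer, shorter = sorted((c_seen, l_seen), key=len, reverse=True)
        if len(longer) != len(shorter) + 1 or not any(
                longer[:i] + longer[i + 1:] == shorter for i in range(len(longer))):
            return None
        techniques.append('addition' if longer == c_seen else 'omission')
    if not c_label.isascii():
        techniques.append('homoglyph')
    elif c_label != l_label and c_seen == l_seen:
        techniques.append('substitution')
    if c_tld != l_tld:
        techniques.append('tld')
    return techniques
```

Note that the page's own homoglyph example, microsofта.com, carries an extra Cyrillic 'а' after the 'т', so the classifier reports it as both a homoglyph and an addition.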
Once a fraudulent domain is registered, attackers use it for various malicious activities, including phishing attacks, financial fraud, and brand exploitation. The effectiveness of these attacks is due to their subtlety, as the user often overlooks the minor alterations.
ThreatNG helps an organization defend against character impersonation by proactively discovering and assessing domains that use this manipulation, providing detailed intelligence to mitigate risk before an attack can cause damage.
External Discovery and Assessment
ThreatNG performs purely external and unauthenticated discovery. This means it looks at your organization's digital presence from an attacker's perspective, without needing internal access. ThreatNG automatically generates and looks for a full range of domain variations that use character impersonations, such as Homoglyphs like exampIe.com (using a Cyrillic 'I') or Replacements like micros0ft.com (using a zero for an 'o').
The platform uses this discovery to assess an organization's susceptibility to risks directly related to character impersonations:
Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application to identify potential entry points for attackers. A fraudulent impersonated domain could be used to create a fake login page, which would be identified as a potential web application hijack risk.
BEC & Phishing Susceptibility: This score is derived from Domain Intelligence, which includes the Domain Name Permutations capability. This helps identify impersonated domains that could be used in phishing attacks.
Brand Damage Susceptibility: By identifying impersonated domains, ThreatNG can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.
Investigation Modules and Intelligence Repositories
The Domain Intelligence module is the primary tool for detecting threats related to character impersonations. Within this module, the DNS Intelligence capability specifically detects and groups these manipulations. ThreatNG's platform identifies both available and taken impersonation permutations, providing the associated IP address and mail record for those that are already registered.
ThreatNG's intelligence repositories, known as DarCache, provide valuable context. For example, DarCache Rupture (Compromised Credentials) can reveal if a fraudulent domain is tied to compromised user data, and DarCache Dark Web can show if a planned phishing campaign using such a domain is being discussed in dark web forums.
Continuous Monitoring and Reporting
ThreatNG provides continuous monitoring of the external attack surface and digital risk. This ensures that new impersonated domains are detected as soon as they appear, enabling a swift and proactive response to mitigate the impersonation before it causes significant damage. The platform's reports, which can be Executive, Technical, or Prioritized, highlight any discovered fraudulent domains and their associated risks. The Prioritized reports use risk levels to help organizations focus on the most critical risks and make informed decisions about mitigation.
Complementary Solutions
ThreatNG's proactive intelligence makes it a strong complement to other security solutions. For example, if ThreatNG identifies a newly registered impersonated domain and its associated IP address, this information can be used to update a DNS firewall to automatically block internal network traffic from reaching that fraudulent site. Alternatively, if ThreatNG detects that a fraudulent domain has active mail records, this intelligence can be shared with an email security gateway, which can then proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes before it even begins.