Character Repetition


In the context of domains and cybersecurity, character repetition is a form of typosquatting where an attacker registers a domain that duplicates one or more characters from a legitimate brand's domain name. This manipulation exploits users' tendency to type quickly, make minor errors, or fail to scrutinize a URL.

The attacker's objective is to create a fraudulent domain that looks almost identical to the real one, thereby capturing web traffic and user trust. For example, if a legitimate company's domain is company.com, an attacker might register comppany.com or commpany.com. These minor, repeated character mistakes are common in typing and can be easily missed, especially in a long URL or within an email.

Once a user is redirected to the fraudulent domain, they are often presented with a counterfeit website designed for malicious activities such as:

  • Phishing: Tricking users into entering their login credentials or personal information on a fake site.

  • Malware Distribution: Automatically downloading malicious software to a user's device.

  • Brand Impersonation: Damaging the legitimate brand's reputation by hosting scam content or aggressive advertisements.

This simple but effective technique is a key tool in a cybercriminal's arsenal for exploiting human error.

ThreatNG helps an organization with character repetition by proactively discovering and assessing domains that use this manipulation, providing detailed intelligence to mitigate risk before an attack can cause damage.

External Discovery and Assessment

ThreatNG performs a purely external, unauthenticated discovery to find potential threats from an attacker's perspective. It automatically generates and looks for variations that use character repetition, such as myycompany.com or myccompany.com, which are explicitly categorized as Repetition within its Domain Name Permutations capability.
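The repetition permutations described above can be enumerated and matched with a few lines of Python. This is an added example, not ThreatNG's code; the function names and the observed-domain list are constructed for illustration, and the input is assumed to be a registrable domain with no subdomain. It goes beyond single doublings by also recognizing candidates that repeat several characters at once.

```python
from itertools import groupby

def split_domain(domain):
    """'company.com' -> ('company', 'com'). Assumes no subdomain is present."""
    label, _, suffix = domain.lower().rstrip(".").partition(".")
    return label, suffix

def repetition_permutations(domain):
    """All domains formed by doubling exactly one character of the label."""
    label, suffix = split_domain(domain)
    return {f"{label[:i]}{ch}{label[i:]}.{suffix}" for i, ch in enumerate(label)}

def _runs(text):
    """Run-length encode: 'commpany' -> [('c', 1), ('o', 1), ('m', 2), ...]."""
    return [(ch, len(list(group))) for ch, group in groupby(text)]

def is_repetition_of(candidate, protected):
    """True if candidate differs from protected only by repeated characters.

    Comparing run lengths handles brands that already contain a double
    letter (google -> gooogle) and candidates with several repetitions.
    """
    c_label, c_suffix = split_domain(candidate)
    p_label, p_suffix = split_domain(protected)
    if c_suffix != p_suffix or c_label == p_label:
        return False
    c_runs, p_runs = _runs(c_label), _runs(p_label)
    if len(c_runs) != len(p_runs):
        return False
    return all(cc == pc and cn >= pn
               for (cc, cn), (pc, pn) in zip(c_runs, p_runs))

# Constructed sample of domains seen in DNS or mail logs (not real data).
OBSERVED = [
    "company.com",     # the legitimate domain itself
    "comppany.com",    # single repetition
    "commpany.com",    # single repetition
    "coommpanyy.com",  # several repetitions at once
    "conpany.com",     # character replacement, a different permutation class
    "compny.com",      # omission, a different permutation class
    "commpany.net",    # different TLD, out of scope for this check
]

def flag_lookalikes(observed, protected):
    """Return the observed domains that are repetition variants of protected."""
    return [d for d in observed if is_repetition_of(d, protected)]

if __name__ == "__main__":
    print(sorted(repetition_permutations("company.com")))
    print(flag_lookalikes(OBSERVED, "company.com"))
```

The generated set is what a defender would check against registration data or defensively register; the matcher is what would run over resolver or mail gateway logs.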

The platform uses this discovery to assess an organization's susceptibility to risks directly related to character repetition, including:

  • Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world to identify potential entry points for attackers. A fraudulent domain with a character repetition could be used to create a fake login page, which would be identified as a possible web application hijack risk.

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence, which includes the Domain Name Permutations capability. This helps identify domains with character repetitions that could be used in phishing attacks.

  • Brand Damage Susceptibility: By identifying domains with character repetitions, ThreatNG can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.

Investigation Modules and Intelligence Repositories

The Domain Intelligence module is the primary tool for detecting threats related to character repetition. Within this module, the DNS Intelligence capability specifically detects and groups these manipulations. ThreatNG's platform identifies both available and taken character repetition permutations, providing the associated IP address and mail record for those that are already registered and potentially in use by malicious actors.

ThreatNG's intelligence repositories, known as DarCache, provide valuable context. For example, DarCache Rupture (Compromised Credentials) can reveal if a fraudulent domain is tied to compromised user data, while DarCache Dark Web can show if a planned phishing campaign using such a domain is being discussed in dark web forums.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk. This ensures that new domains with character repetitions are detected as soon as they appear, enabling a swift and proactive response to mitigate the impersonation before it causes significant damage. The platform's reports, which can be Executive, Technical, or Prioritized, highlight any discovered domains and their associated risks. The Prioritized reports use risk levels to help organizations focus on the most critical risks and make informed decisions about mitigation.

Complementary Solutions

ThreatNG's proactive intelligence makes it a strong complement to other security solutions. For example, if ThreatNG identifies a newly registered domain with a character repetition like myycompany.com and its associated IP address, this information can be used to update a DNS firewall so that it automatically blocks internal network traffic to that fraudulent site. Alternatively, if ThreatNG detects that a fraudulent domain has active mail records, this intelligence can be shared with an email security gateway. This allows the gateway to proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes before it even begins.
