Character Replacements


In the context of domains and cybersecurity, character replacements are a form of typosquatting where an attacker registers a domain by swapping a character from a legitimate brand's name with a similar-looking character. This tactic exploits the visual similarity of certain letters and numbers, as well as common typing errors.

The primary goal is to create a fraudulent domain that closely resembles the real one, thereby tricking users who are in a hurry or not paying close attention to the URL. Attackers often use one of two methods:

  1. Visually Similar Characters: This involves replacing a letter with a number that looks alike, such as swapping the letter 'o' with the number '0' or the letter 'l' with the number '1'. For example, g00gle.com or paypa1.com. Another common variation is replacing one letter with another that is visually similar, such as swapping the letter m with rn to create rnicrosoft.com instead of microsoft.com.

  2. Keyboard Proximity: Attackers can also replace a character with a neighboring key on the keyboard, anticipating a common typing mistake. For example, a user might accidentally type mycompny.com instead of mycompany.com because the 'n' key is close to the 'a' key.

Once a user is redirected to the fraudulent domain, they are often presented with a counterfeit website designed for malicious purposes like phishing, malware distribution, or brand impersonation. The effectiveness of this technique lies in its subtlety, as the minor change in the URL is often overlooked.
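The two replacement classes above, as an added worked example that is not ThreatNG's code: a small generator that produces the visual-similarity and keyboard-proximity permutations of a brand domain (the kind of watchlist a defender feeds into DNS monitoring or blocking) and classifies a suspicious domain against it. The homoglyph and QWERTY-adjacency tables are constructed for this example and are not exhaustive.

```python
# Added example (not ThreatNG code): enumerate character-replacement permutations
# of a brand domain and classify a candidate domain against them.

# Visually similar substitutions (char -> look-alike strings); constructed table.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "g": ["9"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
# Neighbouring keys on a QWERTY layout (char -> adjacent keys); constructed table.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedzx",
    "d": "serfxc", "f": "drtgcv", "g": "ftyhvb", "h": "gyujbn", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

def split_domain(domain):
    """Split 'label.tld' into its registrable label and suffix (lower-cased)."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix

def replacements(domain, table, max_subs=2):
    """Domains reachable from `domain` by applying 1..max_subs single-character
    substitutions drawn from `table`. max_subs=2 is what makes g00gle from google."""
    label, suffix = split_domain(domain)
    frontier, seen = {label}, set()
    for _ in range(max_subs):
        nxt = set()
        for word in frontier:
            for pos, ch in enumerate(word):
                for sub in table.get(ch, ()):
                    nxt.add(word[:pos] + sub + word[pos + 1:])
        nxt -= seen | {label}          # never re-emit the brand itself
        seen |= nxt
        frontier = nxt
    return {f"{w}.{suffix}" for w in seen}

def homoglyph_permutations(domain):
    return replacements(domain, HOMOGLYPHS)

def keyboard_permutations(domain):
    return replacements(domain, QWERTY_NEIGHBOURS)

def classify(candidate, brand):
    """Return 'visual', 'keyboard', or None for how `candidate` imitates `brand`."""
    candidate = candidate.lower()
    if candidate in homoglyph_permutations(brand):
        return "visual"
    if candidate in keyboard_permutations(brand):
        return "keyboard"
    return None
```

In practice a defender would resolve each generated name (A and MX records) and alert on the ones that are registered, which is the step the page describes ThreatNG performing.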

ThreatNG helps an organization with character replacements by proactively discovering and assessing domains that use this manipulation, providing detailed intelligence to mitigate risk before an attack can cause damage.

External Discovery and Assessment

ThreatNG performs purely external and unauthenticated discovery. It automatically generates and looks for variations that use character replacements, such as myc0mpany.com (replacing 'o' with '0') or mycompny.com (replacing 'a' with 'n'). This is explicitly covered by the Replacements (Character Replacement) category within its Domain Name Permutations capability.

The platform uses this discovery to assess an organization's susceptibility to risks directly related to character replacements:

  • Web Application Hijack Susceptibility: ThreatNG's score is based on its analysis of externally exposed web application components. A fraudulent domain with a character replacement could be used to host a fake login page, which would be identified as a potential entry point for attackers.

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence, which includes the Domain Name Permutations capability. This helps identify domains with character replacements that could be used in phishing attacks.

  • Brand Damage Susceptibility: By identifying domains with character replacements, ThreatNG can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.

Investigation Modules and Intelligence Repositories

The Domain Intelligence module is the primary tool for detecting threats related to character replacements. Within this module, the DNS Intelligence capability specifically detects and groups these manipulations. ThreatNG's platform can find both available and taken character replacement permutations and provides the associated IP address and mail record for those that are already registered.

ThreatNG's intelligence repositories, known as DarCache, provide valuable context. For example, DarCache Rupture (Compromised Credentials) can reveal whether a fraudulent domain is tied to compromised user data, and DarCache Dark Web can show whether a planned phishing campaign using such a domain is being discussed in dark web forums.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk. This ensures that new domains with character replacements are detected as soon as they appear, enabling a swift and proactive response to mitigate the impersonation before it causes significant damage. The platform's reports, which can be Executive, Technical, or Prioritized, highlight any discovered domains and their associated risks. The Prioritized reports use risk levels to help organizations focus on the most critical risks and make informed decisions about mitigation.

Complementary Solutions

ThreatNG's proactive intelligence makes it a strong complement to other security solutions. For example, if ThreatNG identifies a newly registered domain with a character replacement like myc0mpany.com and its associated IP address, this information can be used to update a DNS firewall to automatically block internal network traffic from accessing that fraudulent site. Alternatively, if ThreatNG detects that a fraudulent domain has active mail records, this intelligence can be shared with an email security gateway. This allows the gateway to proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes before it even begins.
