Dictionary Additions

In the context of cybersecurity, dictionary additions, also known as domain suffixing, are a type of domain manipulation where an attacker appends a common, familiar word to a legitimate domain name to create a fraudulent site. The added word often describes a service or function that a user would expect to find on the real company's website.

The goal is to deceive users who are expecting a specific service, such as a login portal, a support page, or a help desk. Attackers register domains like mycompany-support.com or mycompany-help.com and use them in phishing campaigns. A user who sees this domain may assume it is a legitimate extension of the company's brand, especially since the words "support" or "help" are common in customer service. This method is highly effective because it leverages user trust in common service terminology.

Attackers use these fraudulent domains to trick users into providing personal information, login credentials, or other sensitive data, which can then be used for financial fraud or identity theft.

ThreatNG helps an organization defend against dictionary additions by providing a comprehensive, unauthenticated discovery and assessment of its external digital footprint. It identifies and analyzes these fraudulent domains from an attacker’s perspective, offering actionable intelligence to mitigate the risk.

External Discovery and Assessment

ThreatNG performs purely external discovery, without using any connectors or agents, allowing it to act like a security researcher looking for potential entry points. For a company, it automatically generates a full range of domain permutations and manipulations, including dictionary additions that could host fraudulent sites, such as mycompany-support.com or mycompany-login.com. The platform then assesses these domains for various risks:

  • Web Application Hijack Susceptibility: ThreatNG analyzes web applications to identify potential entry points for attackers, which could include a fake login page created via dictionary additions, like mycompany-login.com.

  • BEC & Phishing Susceptibility: This susceptibility score is derived in part from Domain Intelligence. The Domain Name Permutations capability is critical for identifying look-alike domains that could be used for phishing attacks, helping to protect against business email compromise.

  • Brand Damage Susceptibility: The platform uses digital risk intelligence and domain intelligence to find permutations that could lead to brand damage, such as a fraudulent support portal at mycompany-help.com.

Investigation Modules and Intelligence Repositories

ThreatNG's Domain Intelligence module is central to this process. Within it, the DNS Intelligence capability includes Domain Name Permutations, which detects and groups these manipulations. It uses pre-built and user-defined keywords to create specific permutations, such as those with the words "login," "support," or "pay." ThreatNG identifies both available and taken permutations, providing the associated IP address and mail record for those that are taken.
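The keyword matching described above can be sketched as a filter over observed domain names. This is an added example, not ThreatNG's code: the function names, keyword list and sample domains are constructed for illustration, and it goes slightly beyond the page's hyphenated .com examples by also matching the concatenated form and other TLDs.

```python
# Constructed keyword list; these four words are the ones used in the page's examples.
KEYWORDS = ("login", "support", "pay", "help")

def registrable_label(domain):
    """Label left of the TLD. Assumption: single-label TLD (.com, .net);
    use a Public Suffix List for suffixes such as .co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else ""

def classify(domain, brand, keywords=KEYWORDS):
    """Return (keyword, form) when the label is brand + keyword, else None."""
    label = registrable_label(domain)
    if label == brand or not label.startswith(brand):
        return None  # the real domain, one of its subdomains, or unrelated
    tail = label[len(brand):]
    form = "hyphenated" if tail.startswith("-") else "concatenated"
    word = tail[1:] if form == "hyphenated" else tail
    return (word, form) if word in keywords else None

def find_dictionary_additions(brand_domain, observed, keywords=KEYWORDS):
    """Filter observed domains down to dictionary additions of brand_domain."""
    brand = registrable_label(brand_domain)
    hits = []
    for domain in observed:
        match = classify(domain, brand, keywords)
        if match:
            hits.append((domain.lower().rstrip("."), *match))
    return hits

# Constructed sample of observed domains (e.g. from a newly-registered-domain feed).
SAMPLE = [
    "mycompany-support.com",     # hyphenated addition
    "MyCompany-Login.com",       # same pattern, mixed case
    "mycompanypay.net",          # concatenated addition on another TLD
    "support.mycompany.com",     # legitimate subdomain, must not match
    "mycompany.com",             # the real domain
    "mycompanyrocks.com",        # suffix is not a watched keyword
    "login.mycompany-help.com",  # subdomain of a dictionary-addition domain
    "notmycompany-help.com",     # brand is not at the start of the label
]

if __name__ == "__main__":
    for domain, word, form in find_dictionary_additions("mycompany.com", SAMPLE):
        print(f"{domain}: brand + '{word}' ({form})")
```

Note that support.mycompany.com is ignored because its registrable label is the brand itself, which is the distinction between a real subdomain and a dictionary addition.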

The intelligence repositories, known as DarCache, provide crucial context for these findings. For instance, DarCache Rupture (Compromised Credentials) can reveal if the fraudulent domain is tied to compromised credentials from past data breaches. Similarly, DarCache Dark Web can show if the domain is being discussed in dark web forums.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk, ensuring that newly created domains with dictionary additions are detected as soon as they appear.

The platform's comprehensive reports, which include Executive, Technical, and Prioritized views, detail the fraudulent domains found. Reports provide risk levels, reasoning for the findings, and recommendations for mitigation, enabling organizations to make informed decisions. For a dictionary addition threat, a report would detail the fraudulent domain (e.g., mycompany-support.com), the associated risk of phishing or fraud, and recommend a takedown request.

Complementary Solutions

ThreatNG's proactive discovery and actionable intelligence make it a strong complement to other security solutions. It can feed its findings to a Security Orchestration, Automation, and Response (SOAR) platform. For instance, when ThreatNG identifies a new, taken domain created via a dictionary addition, it can trigger a SOAR playbook to automatically notify the brand protection team and initiate a takedown request, all before the domain can be used in a widespread phishing campaign. The platform's ability to provide an IP address and mail record for a fraudulent domain is also invaluable for Incident Response teams, allowing them to quickly identify the source of a threat and accelerate their investigation.
