Digital Typo


In the context of domains and cybersecurity, a digital typo refers to a domain name that is a slight variation or misspelling of a legitimate, well-known domain. Attackers create these domains to exploit common human errors or to deceive users visually. This practice is also widely known as typosquatting.

The primary purpose of a digital typo domain is to hijack traffic intended for a legitimate site. An attacker registers a domain that is off by just one or two characters, anticipating that users will accidentally type the incorrect URL into their browser. These fraudulent sites can be used for a variety of malicious purposes, including:

  • Phishing: The most common use is to create a fake login page that mimics a legitimate one to trick users into entering their credentials or other sensitive information.

  • Malware Distribution: The site may automatically download malicious software onto a user's device through a drive-by download or trick the user into installing it.

  • Brand Impersonation: The site can be used to damage a brand's reputation, spread misinformation, or sell counterfeit products.

A related, and more technical, form of this attack is called bitsquatting. This involves a domain that is only one bit different from a legitimate domain in its binary representation. While the resulting domain name may look like a random string of characters, attackers register them to capture traffic from rare, random bit-flip errors that can occur in computer hardware.

ThreatNG helps an organization with digital typos by providing a proactive, outside-in approach to uncover these fraudulent domains, assess their risk, and offer actionable intelligence.

External Discovery and Assessment

ThreatNG performs purely external, unauthenticated discovery to find digital typo domains. From an attacker’s perspective, it automatically generates and looks for variations of a legitimate domain that could be used for an attack. For example, it would look for a domain like gogle.com as a "Bitsquatting / Digital Typo" of google.com. Once these domains are found, ThreatNG assesses their risk and susceptibility to various attacks.

  • Web Application Hijack Susceptibility: ThreatNG's score is substantiated by analyzing web application components accessible from the outside world to identify potential entry points for attackers. A digital typo domain could be used to create a look-alike login page, which would be flagged as a possible web application hijack risk.

  • BEC & Phishing Susceptibility: The platform's susceptibility score for BEC and phishing is derived in part from its Domain Intelligence. This capability is critical for identifying digital typo domains that could be used in phishing campaigns.

  • Brand Damage Susceptibility: This score is derived from digital risk intelligence and domain intelligence. By finding and flagging digital typo domains, ThreatNG helps to protect a brand's reputation from the damage caused by these fraudulent sites.

Investigation Modules and Intelligence Repositories

The Domain Intelligence module is central to how ThreatNG handles digital typos. Specifically, the DNS Intelligence capability includes Domain Name Permutations, which detects and groups these manipulations and additions. ThreatNG can uncover all of these permutations, including those created by bitsquatting. For every domain flagged as taken, ThreatNG provides the associated IP address and mail record, giving an organization the critical information needed to respond.
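As an added illustration, not ThreatNG's own code, of how a permutation engine enumerates the single-bit-flip (bitsquatting) and omission/transposition (typo) variants described above and then checks which of them are taken: the DNS lookup is pluggable, and `table_resolver` is a constructed offline stand-in for real resolution, so the example runs without network access.

```python
import socket

# Hostname labels may only contain letters, digits and hyphen (LDH); a flipped byte outside this set is unregistrable.
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")

def bitsquat_variants(label: str) -> set[str]:
    """Labels exactly one bit away from `label` that are still valid LDH labels."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            cand = label[:i] + flipped + label[i + 1:]
            if flipped in LDH and not cand.startswith("-") and not cand.endswith("-"):
                out.add(cand)
    return out

def typo_variants(label: str) -> set[str]:
    """Single-character omissions and adjacent swaps: google -> gogle, googel, ..."""
    out = set()
    for i in range(len(label)):
        omitted = label[:i] + label[i + 1:]
        if omitted:
            out.add(omitted)
        if i + 1 < len(label) and label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out

def permutations(domain: str) -> set[str]:
    """Bitsquat and typo variants of the leftmost label, rejoined with the original suffix."""
    label, dot, suffix = domain.lower().partition(".")
    variants = bitsquat_variants(label) | typo_variants(label)
    return {v + dot + suffix for v in variants if v != label}

def registered(domains, resolve=socket.gethostbyname) -> dict[str, str]:
    """{domain: address} for every candidate that resolves; NXDOMAIN and lookup errors are skipped."""
    taken = {}
    for d in sorted(domains):
        try:
            taken[d] = resolve(d)
        except OSError:  # socket.gaierror is an OSError subclass
            pass
    return taken

def table_resolver(table: dict[str, str]):
    """Offline stand-in for DNS built from a constructed answer table (hypothetical helper)."""
    def resolve(name: str) -> str:
        if name not in table:
            raise socket.gaierror(f"constructed NXDOMAIN for {name}")
        return table[name]
    return resolve
```

Against live DNS the call is simply `registered(permutations("yourdomain.example"))`; every name returned is a candidate that someone has already registered and that deserves the IP and mail-record follow-up the text describes.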

ThreatNG's intelligence repositories, known as DarCache, provide additional context. The DarCache Rupture repository can show if a digital typo domain is associated with compromised credentials, and DarCache Dark Web can reveal if it's being mentioned in dark web forums. This helps an organization understand the full scope of a potential threat.

Reporting and Continuous Monitoring

ThreatNG provides continuous monitoring of an organization's external attack surface and digital risk. This ensures that newly created digital typo domains are detected as soon as they appear.

The platform's comprehensive reports, including Executive, Technical, and Prioritized views, detail the fraudulent domains found. These reports also provide a risk level to help an organization prioritize its security efforts, as well as reasoning and recommendations for mitigation. For a digital typo threat, the report would detail the fraudulent domain (e.g., gogle.com), its associated risk of a phishing attack, and a recommendation to initiate a takedown request.

Complementary Solutions

ThreatNG's proactive discovery and detailed intelligence make it a strong complement to other security solutions. It can feed its findings to a Security Orchestration, Automation, and Response (SOAR) platform. For example, when ThreatNG identifies a new, taken digital typo domain, it can automatically trigger a SOAR playbook to alert the brand protection team and initiate a takedown request before the domain can be used in a widespread phishing campaign.

For Incident Response platforms, the intelligence provided by ThreatNG is invaluable. Suppose an organization discovers an active phishing campaign using a digital typo domain. In that case, the incident response team can use ThreatNG to quickly get the associated IP address and mail record to accelerate their investigation and take immediate action.
