Domain Name Permutations
Domain name permutations are variations of a legitimate domain name created by cybercriminals to deceive users. These malicious domains are often used in typosquatting attacks, where the goal is to trick people who mistype a website's address. The variations are typically very similar to the real domain, making them hard to spot.
How Permutations Are Created
Cybercriminals use several techniques to generate these permutations. The goal is to make the fake domain look as close to the real one as possible. Here are the primary methods:
Typographical Errors (Typosquatting): This is the most common method. Attackers register domains that are common misspellings of a legitimate site. For example, gooogle.com instead of google.com.
Transposition: Swapping two letters in the domain name, such as exmaple.com for example.com.
Omission: Removing a letter from the domain name, like yahho.com instead of yahoo.com.
Homoglyphs: Replacing a letter with a visually similar character from a different alphabet. For instance, using the Cyrillic 'а' which looks identical to the Latin 'a'. apple.com could be spoofed with a domain containing this homoglyph.
Repetition: Doubling a letter in the domain name, such as faceboook.com instead of facebook.com.
Hyphenation: Adding a hyphen to the domain, like secure-login.com instead of securelogin.com. This is often used to make a fake site seem more official.
Why Domain Permutations Are a Threat
The primary danger of domain name permutations is their use in phishing and malware distribution. When a user mistakenly enters a permuted domain, they land on a site the attacker controls. This fake site is often a replica of the legitimate one, designed to steal sensitive information like login credentials, credit card numbers, or other personal data.
Cybercriminals also use these domains for other purposes:
Deliver Malware: The fake site might automatically download malicious software onto the user's device.
Ad Fraud: The site could be used to generate fraudulent advertising revenue.
Brand Hijacking: Attackers can damage a brand's reputation by hosting inappropriate content on a fake domain.
Cybersecurity Defenses
Organizations and individuals can use several strategies to protect against domain name permutations.
Proactive Monitoring: Companies often use specialized tools to scan for and monitor permutations of their brand's domain name. This allows them to identify and take down malicious domains before they cause significant damage.
Domain Registration: Some organizations proactively register common misspellings and variations of their brand to prevent attackers from using them.
Email and Web Filters: Many email and web security solutions have built-in features to detect and block access to known malicious domains, including permuted ones.
User Education: Training employees and users to be vigilant about checking URLs and looking for security indicators (like the padlock icon in the address bar) is a simple but effective defense. Note that the padlock only shows that the connection is encrypted; a permuted domain can obtain a valid certificate just as easily as the real one, so the domain name itself is what must be checked.
ThreatNG helps with domain name permutations by detecting and grouping manipulations and additions of a domain and providing the associated mail records and IP addresses to facilitate brand and phishing defense.
ThreatNG's Approach to Domain Name Permutations
ThreatNG's capabilities help address the threat of domain name permutations across several of its features.
External Discovery and Assessment
ThreatNG performs an external, unauthenticated discovery to find and analyze these domain permutations. This is done through its Domain Intelligence module, which is a core part of its external attack surface and digital risk intelligence.
The platform assesses susceptibility to various risks based on its findings:
BEC & Phishing Susceptibility: This score is derived from Domain Intelligence capabilities, which include identifying which domain name permutations are already registered and which are still available. This helps to uncover domains that could be used for Business Email Compromise (BEC) and phishing attacks.
Brand Damage Susceptibility: The platform uses Domain Intelligence, including domain name permutations, to determine if fake domains exist that could be used to damage a brand's reputation.
Data Leak Susceptibility: Domain Intelligence, which includes domain name permutations, is a factor in calculating this score.
The Domain Intelligence investigation module is where the detailed analysis of domain name permutations takes place. The DNS Intelligence sub-module specifically detects these manipulations and additions.
Examples of manipulations detected include:
Substitutions: Changing a character, like replacing 'o' with '0' in g00gle.com.
Bitsquatting: This is a more technical manipulation that involves a single bit flip, such as changing 'g' to 'f' to create foogle.com.
Homoglyphs: Using characters that look visually similar, such as using a Cyrillic 'a' to impersonate the Latin 'a' in a domain like аpple.com.
Typosquatting: This can be represented by transpositions (e.g., gogle.com instead of google.com), omissions (e.g., goole.com), or insertions (e.g., gooogle.com).
ThreatNG also looks for the presence of these permutations in different Top-Level Domains (TLDs), including generic TLDs like .com and .net, country-code TLDs like .us and .uk, and new TLDs like .tech and .shop. Additionally, the platform checks for the presence of "Authentication" terms (e.g., login, verify) and "Derogatory" terms (e.g., sucks, boycott) in combination with domain name permutations. This helps identify specific threats like fake login pages or sites intended for brand defamation.
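The manipulation classes listed above (and the generation methods described earlier under "How Permutations Are Created") can be turned into a watchlist a brand owner monitors or pre-registers. The following is an added example written for this page, not ThreatNG's own code or the output of its Domain Intelligence module: it generates transpositions, omissions, repetitions, hyphenations, substitutions, bitsquats, homoglyph variants, TLD variants and keyword additions for a domain, and converts each candidate to the punycode form a resolver actually sees. The substitution and homoglyph tables, the TLD list and the term list are small illustrative assumptions, not a complete set.

```python
"""Defensive watchlist generator for domain name permutations.

Added example, not ThreatNG code. It produces the candidate permutations a
brand owner would monitor or register, using the manipulation classes named
on this page.
"""

# Characters allowed in a DNS label (letters, digits, hyphen).
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")

# Small illustrative tables (assumptions, not a complete list).
SUBSTITUTIONS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4"}
HOMOGLYPHS = {"a": "\u0430", "o": "\u043e", "e": "\u0435", "c": "\u0441"}  # Cyrillic look-alikes
TLDS = ["com", "net", "us", "uk", "tech", "shop"]
TERMS = ["login", "verify", "secure", "sucks", "boycott"]


def split_domain(domain):
    """'example.com' -> ('example', 'com'). Assumes a single-label TLD."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def transpositions(name):
    """Swap each pair of adjacent, differing characters (exmaple)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def omissions(name):
    """Drop one character (goole)."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def repetitions(name):
    """Double one character (gooogle, faceboook)."""
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def hyphenations(name):
    """Insert a hyphen at each interior position (secure-login)."""
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def substitutions(name):
    """Replace a look-alike character at one position, or at every position (g00gle)."""
    out = set()
    for i, ch in enumerate(name):
        if ch in SUBSTITUTIONS:
            out.add(name[:i] + SUBSTITUTIONS[ch] + name[i + 1:])
    for ch, rep in SUBSTITUTIONS.items():
        if ch in name:
            out.add(name.replace(ch, rep))
    return out - {name}


def bitsquats(name):
    """Flip one bit of one character and keep results that are still valid LDH (foogle)."""
    out = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LDH and flipped != ch:
                out.add(name[:i] + flipped + name[i + 1:])
    return out


def homoglyphs(name):
    """Replace one Latin letter with a visually similar Cyrillic one."""
    return {name[:i] + HOMOGLYPHS[ch] + name[i + 1:]
            for i, ch in enumerate(name) if ch in HOMOGLYPHS}


def to_ascii(domain):
    """Punycode form a resolver sees, e.g. Cyrillic-a apple.com -> xn--pple-43d.com."""
    return domain.encode("idna").decode("ascii")


def generate_watchlist(domain, tlds=TLDS, terms=TERMS):
    """All candidate permutations of `domain`, as a sorted list without the original."""
    name, tld = split_domain(domain)
    labels = set()
    for gen in (transpositions, omissions, repetitions, hyphenations,
                substitutions, bitsquats, homoglyphs):
        labels |= gen(name)
    # Keyword additions: login-example, example-login, loginexample, examplelogin
    for term in terms:
        labels |= {f"{term}-{name}", f"{name}-{term}", f"{term}{name}", f"{name}{term}"}
    # A label may not be empty or start/end with a hyphen.
    labels = {l for l in labels if l and not l.startswith("-") and not l.endswith("-")}
    candidates = {f"{l}.{tld}" for l in labels}
    # The original label under other TLDs.
    candidates |= {f"{name}.{t}" for t in tlds if t != tld}
    candidates.discard(domain.lower())
    return sorted(candidates)


if __name__ == "__main__":
    for d in generate_watchlist("example.com")[:20]:
        print(d, "->", to_ascii(d))
```

The output list is what a monitoring job would check against WHOIS or passive DNS data, or what a registrar would be asked to register defensively. Candidates containing non-ASCII characters are converted with `to_ascii` because registrations, certificate transparency logs and resolver logs all carry the punycode form.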
Reporting and Continuous Monitoring
ThreatNG provides various reports, including Prioritized (High, Medium, Low, and Informational) and Security Ratings (A through F). These reports highlight the risks associated with discovered domain name permutations, allowing organizations to prioritize their remediation efforts. The platform's continuous monitoring capability ensures that the external attack surface, including these deceptive domains, is constantly tracked, and any new permutations are identified as they appear.
Complementary Solutions
ThreatNG's capabilities can be enhanced by working with other security solutions.
ThreatNG and a Security Information and Event Management (SIEM) Solution: ThreatNG's discovery of a malicious domain name permutation could be ingested into a SIEM. The SIEM could then correlate this information with network traffic logs to identify if any employees have accessed the fraudulent site. For example, if ThreatNG identifies payypal.com as a phishing domain, the SIEM could alert the security team if it sees an internal IP address connecting to that domain.
ThreatNG and a Domain Name System (DNS) Firewall: Once ThreatNG discovers a malicious domain name permutation, this information can be fed into a DNS firewall. The firewall can then block any internal requests to this fraudulent domain, preventing employees from accidentally visiting the site and falling victim to a phishing attack. For example, if ThreatNG flags micorsoft-login.com, the DNS firewall can be configured to block access to it network-wide.
ThreatNG and an Email Security Gateway: ThreatNG's findings on domain name permutations could be used to inform an email security gateway. The gateway could then block emails originating from domains that are known to be malicious permutations of the organization's brand, preventing phishing emails from reaching employees' inboxes.
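The SIEM correlation and DNS firewall integrations described above amount to matching resolver logs against a list of flagged permutations and turning the same list into blocking rules. The following is an added example written for this page, not ThreatNG, SIEM or DNS firewall vendor code: the watchlist is a constructed list (the page's two example domains plus a punycode homoglyph domain added for illustration), the log lines are constructed in an assumed "timestamp client qname qtype" layout rather than any particular resolver's format, and the blocking output uses the standard RPZ convention of `name CNAME .` for an NXDOMAIN answer.

```python
"""Correlating a permutation watchlist with DNS resolver logs.

Added example, not ThreatNG or SIEM vendor code. Reports which internal
clients resolved a flagged domain and emits an RPZ-style blocklist fragment a
DNS firewall could load.
"""
import re

# Constructed watchlist standing in for a platform export.
WATCHLIST = ["payypal.com", "micorsoft-login.com", "xn--pple-43d.com"]

# Constructed resolver log lines (assumed layout: timestamp client qname qtype).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com. A
2024-05-01T10:00:07Z 10.0.0.5 payypal.com. A
2024-05-01T10:01:13Z 10.0.0.9 xn--pple-43d.com. AAAA
2024-05-01T10:02:40Z 10.0.0.12 login.micorsoft-login.com. A
2024-05-01T10:03:02Z 10.0.0.5 paypal.com. A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def normalize(qname):
    """Lowercase, strip the trailing dot, and show punycode labels as Unicode."""
    name = qname.lower().rstrip(".")
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name


def watchlist_match(qname, watchlist):
    """Return the watchlist entry that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for bad in watchlist:
        b = normalize(bad)
        if q == b or q.endswith("." + b):
            return b
    return None


def find_hits(log_text, watchlist=WATCHLIST):
    """(timestamp, client, queried name, matched entry) for every flagged query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        matched = watchlist_match(m["qname"], watchlist)
        if matched:
            hits.append((m["ts"], m["client"], normalize(m["qname"]), matched))
    return hits


def rpz_block_records(watchlist=WATCHLIST):
    """RPZ records answering NXDOMAIN for each flagged domain and its subdomains."""
    records = []
    for bad in watchlist:
        ascii_name = bad.encode("idna").decode("ascii")
        records.append(f"{ascii_name} CNAME .")
        records.append(f"*.{ascii_name} CNAME .")
    return records


if __name__ == "__main__":
    for ts, client, qname, matched in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} resolved {qname} (flagged: {matched})")
    print("\n".join(rpz_block_records()))
```

Matching is done on the registrable name and its subdomains, so `login.micorsoft-login.com` is caught, while the legitimate `paypal.com` does not match `payypal.com`. Decoding punycode before comparison lets an analyst see the Cyrillic look-alike rather than an opaque `xn--` label in the alert.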