Domain Permutations Analysis


Domain Permutations Analysis is a cybersecurity technique, primarily for digital risk protection and threat intelligence, that proactively identifies potentially malicious domain names that are highly similar to an organization's legitimate brand, domain, or trademark. The core goal is to detect cybersquatting and typosquatting—domains registered by malicious actors to trick customers or employees into providing sensitive information or downloading malware.

Mechanism and Types of Permutations

The analysis works by systematically generating variations of a target domain name (e.g., mycompany.com) across different linguistic, typographical, and technical manipulation types, and then checking whether these generated names exist and what their status is.

1. Typographical and Linguistic Permutations

These variations exploit common errors or look-alike characters to deceive users:

  • Omission: Removing a letter from the original domain (e.g., mcompany.com).

  • Insertion: Adding an extra letter to the original domain (e.g., myycompany.com).

  • Transposition: Swapping the order of two adjacent letters (e.g., myocmpany.com).

  • Substitution: Replacing a letter with an adjacent key on a standard keyboard (e.g., nycompany.com, since 'n' sits next to 'm' on a QWERTY layout).

  • Vowel Swaps: Replacing one vowel with another (e.g., mycompuny.com).

  • Homoglyphs: Using characters from different alphabets that look identical or very similar (e.g., using the Cyrillic 'а' instead of the Latin 'a', resulting in a visually indistinguishable domain).

  • Bitsquatting: Exploiting single-bit errors in memory or transmission that turn one character into another. A one-bit flip in an ASCII letter yields only a handful of other legal hostname characters (for 'm': 'e', 'i', 'l', 'o' or '-'), so the candidate set is small and predictable (e.g., lycompany.com).

2. Additive and Structural Permutations

These variations add words or characters to the domain to create domains for targeted attacks:

  • Hyphenations: Inserting hyphens (e.g., my-company.com).

  • Subdomains: Splitting the brand across DNS labels so that part of it becomes a subdomain (e.g., my.company.com, where the attacker registers company.com), or placing the full brand name as a subdomain of a domain the attacker controls. Keyword prefixes such as login-mycompany.com are dictionary additions, not subdomains, and TLD changes such as mycompany.co are covered under TLD swaps below.

  • Dictionary Additions: Adding common, high-value words like "security," "login," "support," or "pay" (e.g., mycompanysecurity.com).

3. Top-Level Domain (TLD) Swaps

This involves checking the original domain name across various TLDs, including generic TLDs (gTLDs) and Country Code TLDs (ccTLDs), as well as popular new TLDs:

  • Using a similar or commonly mistaken TLD (e.g., mycompany.org, mycompany.net, mycompany.co).

  • Using a specific TLD to target a geographic region or industry (e.g., mycompany.fr for France, or mycompany.bank for financial targets; note that .bank is a verified TLD whose registrants must prove eligibility, so it is a much harder place for an attacker to squat than an open TLD, although the check costs nothing).
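As an added example (not ThreatNG's code and not part of the original page), the following Python generates candidates for every permutation class described above from a single brand domain. The keyboard-neighbour, homoglyph, dictionary and TLD tables are small constructed samples, not authoritative lists; a production generator swaps in full tables. The `ascii_form` helper shows the IDNA (punycode) form in which a homoglyph domain is actually registered and resolved.

```python
"""Domain-permutation generator: an added, runnable illustration of the
permutation classes in the text. Not ThreatNG's code. The tables below
are deliberately small constructed samples (assumption), not full lists.
"""
from collections import defaultdict

# Constructed sample tables (assumption: partial, not authoritative).
KEYBOARD_NEIGHBOURS = {"m": "nj", "n": "bm", "o": "ip0", "a": "qs", "y": "tu", "c": "xv", "p": "o0"}
VOWELS = "aeiou"
HOMOGLYPHS = {"a": ["\u0430"], "o": ["0", "\u043e"], "m": ["rn"], "l": ["1"]}
DICTIONARY = ["login", "security", "access", "verify", "pay"]
TLDS = ["com", "net", "org", "co", "io", "fr"]
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def bitflips(ch):
    """Characters one bit-error away from ch that are still legal in a DNS
    label. Uppercase is dropped: DNS is case-insensitive, so that flip does
    not produce a different domain."""
    flipped = {chr(ord(ch) ^ (1 << bit)) for bit in range(8)}
    return sorted(c for c in flipped if c in LABEL_CHARS and c != ch)


def valid_label(label):
    """Labels must be non-empty and may not start or end with a hyphen."""
    return bool(label) and label[0] != "-" and label[-1] != "-"


def ascii_form(domain):
    """IDNA/punycode form: what is actually registered and resolved for a
    homoglyph domain, e.g. 'xn--...' for a label containing a Cyrillic letter."""
    return domain.encode("idna").decode("ascii")


def permutations(domain):
    """Return {category: sorted candidates} for an input of the form label.tld."""
    domain = domain.lower()
    label, tld = domain.rsplit(".", 1)
    cands = defaultdict(set)

    def add(cat, new_label, new_tld=tld):
        fqdn = new_label + "." + new_tld
        if fqdn != domain and all(valid_label(p) for p in new_label.split(".")):
            cands[cat].add(fqdn)

    for i, ch in enumerate(label):
        add("omission", label[:i] + label[i + 1:])
        add("insertion", label[:i] + ch + label[i:])  # repeated key, e.g. myycompany
        for c in KEYBOARD_NEIGHBOURS.get(ch, ""):
            add("insertion", label[:i] + c + label[i:])
            add("substitution", label[:i] + c + label[i + 1:])
        if ch in VOWELS:
            for v in VOWELS:
                if v != ch:
                    add("vowel-swap", label[:i] + v + label[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):
            add("homoglyph", label[:i] + g + label[i + 1:])
        for b in bitflips(ch):
            add("bitsquatting", label[:i] + b + label[i + 1:])
        if i + 1 < len(label) and ch != label[i + 1]:
            add("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
        if i > 0:
            add("hyphenation", label[:i] + "-" + label[i:])
            add("subdomain", label[:i] + "." + label[i:])  # brand split across two labels
    for word in DICTIONARY:
        for sep in ("", "-"):
            add("dictionary", label + sep + word)
            add("dictionary", word + sep + label)
    for t in TLDS:
        if t != tld:
            add("tld-swap", label, t)
    return {cat: sorted(names) for cat, names in cands.items()}


if __name__ == "__main__":
    result = permutations("mycompany.com")
    for cat, names in result.items():
        print(f"{cat:14} {len(names):3}  e.g. {names[0]}  ({ascii_form(names[0])})")
```

Candidates are filtered for DNS-label validity (no empty labels, no leading or trailing hyphen), which matters for bitsquatting and hyphenation at the edges of the label. Every category is kept separately so that downstream triage can weight, for example, a mail-enabled dictionary addition differently from a bitsquat.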

Cybersecurity Context and Application

Once the permutation domains are generated, the analysis checks the domain's status and records to determine the level of risk:

  • Available Domains: If a risky permutation is still unregistered, the organization can register it itself, known as defensive registration, so that no attacker can later use it.

  • Taken Domains: If a third party has already registered a suspicious permutation, the analysis continues with DNS enumeration to identify associated IP addresses (A/AAAA records) and mail exchangers (MX records). Homoglyph permutations must be queried in their IDNA (xn--) form, because that is the name actually registered.

    • Phishing Detection: An MX record means the domain can receive email, which reply-based phishing and Business Email Compromise (BEC) against customers or employees require, so a taken permutation with an MX record is a critical finding. Two caveats apply: a spoofed sender address on a lookalike domain needs no MX record at all, so its absence does not clear a domain; and some registrar parking setups add MX records, so check where the MX host points before escalating.

    • Impersonation: If the domain is active and hosts a website visually similar to the legitimate site, it is a high-confidence sign of brand impersonation.
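The triage described in the three points above (available versus taken, and taken with or without mail records), as an added example that is not ThreatNG's code or part of the original page. The resolver is a parameter so that the block runs offline against constructed DNS answers; the hostnames and TEST-NET addresses in `FAKE_DNS` are made up for the illustration, and for live use a real lookup (for example via dnspython) would be passed in instead.

```python
"""Triage of permutation candidates by DNS status. Added illustration, not
ThreatNG's code. All DNS answers below are constructed (assumption)."""
from dataclasses import dataclass, field


@dataclass
class DnsAnswer:
    """A and MX answers for one name. None in place of a DnsAnswer means NXDOMAIN."""
    a: list = field(default_factory=list)
    mx: list = field(default_factory=list)


# Constructed sample answers (assumption: no live DNS; RFC 5737 test addresses,
# .example hosts). Names absent from the table resolve as NXDOMAIN.
FAKE_DNS = {
    "mycompany.com": DnsAnswer(a=["203.0.113.10"], mx=["mail.mycompany.com"]),
    "mycompany.net": DnsAnswer(a=["203.0.113.10"]),            # brand's own defensive registration
    "mycompany-login.com": DnsAnswer(a=["198.51.100.7"], mx=["mx.attacker.example"]),
    "mycornpany.com": DnsAnswer(a=["198.51.100.8"]),           # hosts content, no mail
    "mycompany.co": DnsAnswer(),                                # registered, dormant
}


def fake_resolver(qname):
    """Stand-in for a live resolver: returns a DnsAnswer, or None for NXDOMAIN."""
    return FAKE_DNS.get(qname)


def classify(ans, owned_ips):
    """Map one DNS answer to (verdict, recommended action).

    Order of checks encodes the practitioner caveats:
    - NXDOMAIN is only a proxy for 'unregistered'; confirm with RDAP/WHOIS
      before paying for a defensive registration.
    - An A record inside the brand's own address set usually means the org
      already holds the name; verify rather than alert.
    - MX means the name can RECEIVE mail (what BEC reply chains need). A
      spoofed From: address needs no MX, so 'no MX' is not a clean bill of
      health, and parking services sometimes add MX records.
    """
    if ans is None:
        return "available", "confirm via RDAP/WHOIS, then register defensively"
    if ans.a and set(ans.a) <= owned_ips:
        return "owned", "resolves to brand infrastructure; verify it is a sanctioned registration"
    if ans.mx:
        return "critical", "mail-enabled lookalike: block at the mail gateway, start takedown"
    if ans.a:
        return "high", "hosted: fetch the page and compare it with the legitimate site"
    return "low", "registered but dormant: keep under monitoring"


def triage(candidates, legit_domain, resolve=fake_resolver):
    """Return {candidate: (verdict, action)} for each permutation candidate."""
    legit = resolve(legit_domain)
    owned_ips = set(legit.a) if legit else set()
    results = {}
    for cand in candidates:
        # Homoglyph candidates must be queried in their IDNA (xn--) form.
        qname = cand.encode("idna").decode("ascii")
        results[cand] = classify(resolve(qname), owned_ips)
    return results


SEVERITY = {"critical": 0, "high": 1, "low": 2, "owned": 3, "available": 4}


def prioritised(results):
    """Order findings for a report: what needs action first comes first."""
    return sorted(results.items(), key=lambda kv: (SEVERITY[kv[1][0]], kv[0]))


if __name__ == "__main__":
    cands = ["mycompany.net", "mycompany-login.com", "mycornpany.com",
             "mycompany.co", "myc0mpany.com", "mycomp\u0430ny.com"]
    for name, (verdict, action) in prioritised(triage(cands, "mycompany.com")):
        print(f"{verdict:9} {name:22} {action}")
```

The "owned" check compares a candidate's A records with the legitimate domain's addresses; it is a heuristic for spotting the organization's existing defensive registrations so they do not surface as alerts every scan. Comparing the hosted page against the legitimate site (the "high" branch) is left to a separate step, since it needs an HTTP fetch rather than DNS.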

By continuously monitoring these permutations, organizations can shift from a reactive to a proactive security posture, identifying and mitigating external threats before they target users.

ThreatNG is an all-in-one external attack surface management (EASM) and digital risk protection (DRP) solution that directly addresses the risks uncovered by Domain Permutations Analysis—namely, typosquatting, cybersquatting, and brand impersonation. Its continuous, attacker-centric view enables organizations to proactively detect and mitigate malicious lookalike domains used for phishing and brand damage.

Proactive Defense with ThreatNG

External Discovery and Continuous Monitoring

ThreatNG’s foundation is purely external unauthenticated discovery, which is essential for identifying external digital risks without any internal access. This discovery process is used for continuous monitoring of all domains associated with the organization, including permutation domains.

  • Example of ThreatNG Helping: ThreatNG continuously monitors newly registered lookalike domains by running its Domain Name Permutations module across various TLDs, including classic, new, and country-code TLDs. If an attacker registers myc0mpany.com (a homoglyph, with '0' standing in for 'o'), ThreatNG's continuous monitoring flags the new registration as a potential risk before the attacker can set up a phishing site.

External Assessment (Security Ratings)

ThreatNG’s security ratings provide a quantified assessment of the material risk posed by domain permutations.

  • BEC & Phishing Susceptibility Security Rating: This rating is directly based on findings across Domain Name Permutations (both available and taken) and Domain Permutations with Mail Record. This assessment provides a clear, actionable metric (A-F) for the board and security teams to monitor their exposure to phishing and brand impersonation.

    • Detailed Example: If ThreatNG finds a taken permutation, such as mycompany-login.com, with an active Mail Record, this fact is a substantial negative input into the BEC & Phishing Susceptibility rating. A low 'D' or 'F' rating signals a high, existing risk that a specific lookalike domain is being actively used to conduct a phishing campaign against employees or customers.

  • Brand Damage Susceptibility Security Rating: This rating is also based on findings across Domain Name Permutations (available and taken) and Domain Permutations with Mail Record. This directly assesses the risk of brand dilution or reputational harm from impersonation.

    • Detailed Example: ThreatNG checks for domain permutations that incorporate Targeted Key Words, such as Offensive Language or Critical Language (e.g., boycott-mycompany.com). The registration of such a domain contributes to a low Brand Damage Susceptibility rating, quantifying the risk of reputation-based attacks.

Investigation Modules

The Domain Intelligence Investigation Module is specifically designed to perform Domain Permutations analysis.

  • Domain Name Permutations Module: This module detects and groups specific manipulations and additions of a domain, providing the associated mail records and IP addresses. It uncovers permutations in the form of substitutions, additions, bitsquatting, hyphenations, insertions, omissions, repetition, replacement, subdomains, transpositions, vowel-swaps, dictionary additions, TLD-swaps, and homoglyphs.

    • Detailed Example: A security team uses this module to investigate an alert about a potential phishing domain, mycornpany.com (a homoglyph, with 'rn' standing in for 'm'). The module confirms that the domain is taken and identifies an associated mail record, showing that the domain is configured to receive email. The analyst can then check the Targeted Key Words to see whether the permutation domain includes terms like pay or login, which points to financial-fraud intent.

Intelligence Repositories and Reporting

The Intelligence Repositories provide context, and the reporting capability ensures the information reaches the necessary stakeholders for action.

  • Reporting: ThreatNG provides Prioritized Reports and Security Ratings reports.

    • Example of ThreatNG Helping: When a malicious permutation is found, an Executive Report highlights the low BEC & Phishing Susceptibility rating. A Prioritized Technical Report details the specific permutation and provides Recommendations on how to reduce the risk, which could include defensive registration or issuing a takedown request.

  • DarCache Dark Web: This repository tracks mentions of the organization.

    • Example of ThreatNG Helping: An investigation into a permutation domain can be correlated with the Dark Web repository to see if the domain name or a related phishing scheme is being discussed or offered for sale by threat actors.

Complementary Solutions

ThreatNG’s external domain intelligence is valuable for working cooperatively with other solutions to mitigate and defend.

  • Email Security and Phishing Protection Solutions: ThreatNG’s detection of a taken Domain Permutation with Mail Record is crucial intelligence for external email protection systems.

    • Example of ThreatNG and Complementary Solutions: ThreatNG identifies a high-risk phishing domain, mycompany-access.com (dictionary addition of "access"), and its active mail server via Domain Name Record Analysis. This domain information is sent to the organization's email security solution, which preemptively blocks all incoming and outgoing emails that originate from or link to this specific permutation domain, protecting employees from targeted spear-phishing attacks.

  • DNS Registrars and Brand Protection Services: ThreatNG identifies available permutation domains that the organization should register defensively.

    • Example of ThreatNG and Complementary Solutions: ThreatNG identifies that mycompany-verify.com (security verification keyword) is an Available Domain Permutation. This information is fed to a brand protection service or directly to a domain registrar, allowing the organization to automatically register and acquire the domain defensively before a malicious actor can use it for criminal purposes.
