Domain Stuffing
In the context of cybersecurity, domain stuffing is a deceptive practice where a malicious actor adds a seemingly legitimate word or phrase, often a brand or service name, to a fraudulent domain. This is done to trick users into believing they are visiting a trusted site. The goal is to steal credentials, install malware, or conduct fraudulent activities. The technique exploits how users skim URLs, particularly on mobile devices or in emails: a familiar name in the middle of the hostname captures their attention, while the registrable domain at the end, which is what actually determines who controls the site, goes unread.
There are two primary forms of domain stuffing:
Prefix or Suffix Stuffing: An attacker adds a word related to a company's service, such as "login," "secure," or "support," to a different domain name they control. For example, an attacker could register secure-login.com and then use it in a phishing email to pose as a secure portal, even though it has no connection to the real company.
Subdomain Stuffing: In this more sophisticated form, the attacker registers a domain and then uses a legitimate brand name or service as a subdomain of it. This can be very convincing to a user. For example, they might register hackerdomain.tld and create hostnames such as mycompany.com.hackerdomain.tld or secure-payment.paypal.com.hackerdomain.tld. The user sees "mycompany.com" or "paypal.com" and may assume the entire URL is legitimate, not realizing that the true domain is "hackerdomain.tld" at the very end.
The danger of domain stuffing lies in its ability to bypass standard user vigilance and exploit trust.
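The distinction the two forms above rely on, the registrable domain versus everything to its left, is exactly what a defender's URL check has to make explicit. The following is an added example (not part of this page or of ThreatNG) that splits a hostname into subdomain labels and registrable domain using a deliberately small, constructed subset of the Public Suffix List, then reports whether a URL is the brand's own domain, a subdomain-stuffed hostname, a prefix/suffix-stuffed registrable domain, or unrelated. The brand allow-list, lure keywords and suffix set are assumptions chosen to match the page's examples; a production check would load the full Public Suffix List.

```python
"""Classify URLs for domain stuffing (added example, not vendor code).

A user sees "paypal.com" inside secure-payment.paypal.com.hackerdomain.tld;
a classifier must instead look at the registrable domain, hackerdomain.tld.
"""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough for these examples.
PUBLIC_SUFFIXES = {"com", "net", "org", "tld", "uk", "co.uk"}

# Words the page names as typical additions, plus a few near synonyms (assumed).
LURE_KEYWORDS = {"login", "secure", "support", "pay", "payment",
                 "help", "account", "verify"}

# Constructed allow-list of the brand's real registrable domains.
BRAND_DOMAINS = {"mycompany.com", "paypal.com"}


def split_registrable(hostname):
    """Return (subdomain_labels, registrable_domain).

    The registrable domain is the longest matching public suffix plus the one
    label in front of it; everything further left is attacker-controlled once
    the registrable domain is.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try "co.uk" before "uk"
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):])
    return [], ".".join(labels)


def classify_url(url, brand_domains=BRAND_DOMAINS):
    """Return (verdict, reason) for a URL or bare hostname."""
    if "://" not in url:
        url = "http://" + url  # let urlsplit treat a bare hostname as the host
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", "no hostname in URL")

    subdomains, registrable = split_registrable(host)
    if registrable in brand_domains:
        return ("legitimate", registrable)

    # Subdomain stuffing: the brand's label sits left of the real domain.
    for brand in brand_domains:
        brand_label = brand.split(".")[0]
        if brand_label in subdomains:
            return ("subdomain_stuffing",
                    f"'{brand}' appears as a subdomain of {registrable}")

    # Prefix/suffix stuffing: the brand word is glued into the registrable
    # label (mycompany-login.com), or the label is built only from lure words
    # (secure-login.com).
    reg_label = registrable.split(".")[0]
    for brand in brand_domains:
        brand_label = brand.split(".")[0]
        if brand_label in reg_label and reg_label != brand_label:
            return ("prefix_suffix_stuffing",
                    f"brand word '{brand_label}' combined into {registrable}")
    parts = [p for p in reg_label.replace("_", "-").split("-") if p]
    if parts and all(p in LURE_KEYWORDS for p in parts):
        return ("prefix_suffix_stuffing",
                f"{registrable} is built only from lure words {parts}")

    return ("unrelated", registrable)


if __name__ == "__main__":
    for sample in ("https://mycompany.com/login",
                   "https://secure-payment.paypal.com.hackerdomain.tld/",
                   "mycompany.com.hackerdomain.tld",
                   "http://mycompany-login.com",
                   "http://secure-login.com",
                   "https://example.org"):
        print(f"{sample:55} -> {classify_url(sample)}")
```

The `split_registrable` step is the whole point: once the registrable domain is isolated, "paypal" appearing anywhere to its left is a warning sign rather than reassurance, and a brand word fused into the registrable label is the prefix/suffix case the page describes.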
ThreatNG helps with domain stuffing by providing a comprehensive, unauthenticated discovery and assessment of an organization's external digital footprint. It identifies and analyzes these fraudulent domains from an attacker’s perspective, offering actionable intelligence to mitigate the risk.
External Discovery and Assessment
ThreatNG performs a purely external discovery, without using any connectors or agents, allowing it to act like a security researcher looking for potential entry points. For a company like "mycompany.com," it automatically generates a full range of permutations and manipulations, including those with character additions. This includes variations like dictionary additions or domain suffixing that create fraudulent sites, such as mycompany-support.com or mycompany-login.com. The platform then assesses these domains for various risks:
Web Application Hijack Susceptibility: ThreatNG analyzes web applications to identify potential entry points for attackers, which could include a fake login page created via domain stuffing, like mycompany-login.com.
BEC & Phishing Susceptibility: This susceptibility score is derived in part from Domain Intelligence, which includes the Domain Name Permutations capability. ThreatNG can identify look-alike domains that could be used for phishing attacks, helping to protect against business email compromise.
Brand Damage Susceptibility: The platform uses domain intelligence to find permutations that could lead to brand damage, such as a fraudulent support portal at mycompany-help.com.
Investigation Modules and Intelligence Repositories
ThreatNG’s Domain Intelligence module is central to this process. Within it, the DNS Intelligence capability includes Domain Name Permutations, which detects and groups these manipulations. It uses pre-built and user-defined keywords to create specific permutations, such as those with the words "login," "support," or "pay". ThreatNG can identify available and taken permutations and provides the associated IP address and mail record for those that are taken.
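The permutation step described here and under External Discovery and Assessment (keyword additions around the brand label, then a DNS check that separates taken names from available ones and records the IP address and mail record of the taken ones) is straightforward to reproduce for a brand-protection team's own monitoring. The block below is an added example, not ThreatNG's implementation: it generates dictionary additions for a brand label across a constructed TLD list, groups the candidates by whether a resolver returns records, and ranks taken names with a mail record first, since a domain that can receive or send mail is the more immediate BEC risk. The resolver is injected; the stub table with TEST-NET addresses is constructed so the example runs offline, and the `socket`-based resolver sketched beside it returns A records only (MX lookups need a DNS library such as dnspython, which is not assumed here).

```python
"""Generate and triage domain-name permutations (added example).

Mirrors the workflow the page describes: keyword additions around a brand
label, a check of which candidates resolve, and the IP / mail record of the
ones that do. Not vendor code; resolver is pluggable.
"""
import itertools
import socket

LURE_KEYWORDS = ("login", "support", "pay")   # the page's pre-built examples
TLDS = ("com", "net", "org")                  # constructed, extend as needed


def generate_permutations(brand, keywords=LURE_KEYWORDS, tlds=TLDS,
                          separators=("-", "")):
    """Dictionary additions: each keyword before and after the brand label,
    with and without a hyphen, under each TLD. Returns a sorted list."""
    labels = set()
    for kw, sep in itertools.product(keywords, separators):
        labels.add(f"{brand}{sep}{kw}")
        labels.add(f"{kw}{sep}{brand}")
    return sorted(f"{label}.{tld}" for label in labels for tld in tlds)


def group_taken(candidates, resolver):
    """Split candidates into taken (resolver returned records) and available.

    `resolver(name)` returns {"a": [...], "mx": [...]}, both lists empty when
    the name does not resolve.
    """
    taken, available = {}, []
    for name in candidates:
        records = resolver(name)
        if records["a"] or records["mx"]:
            taken[name] = records
        else:
            available.append(name)
    return taken, available


def rank(taken):
    """Taken names with a mail record first (BEC-capable), then by name."""
    return sorted(taken, key=lambda n: (not taken[n]["mx"], n))


# Constructed stub standing in for live DNS so the example runs offline.
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
STUB_DNS = {
    "mycompany-support.com": {"a": ["203.0.113.10"],
                              "mx": ["mail.mycompany-support.com"]},
    "mycompany-login.com": {"a": ["203.0.113.11"], "mx": []},
}


def stub_resolver(name):
    return STUB_DNS.get(name, {"a": [], "mx": []})


def socket_resolver(name):
    """Live A-record lookup via the system resolver; MX is left empty because
    the standard library has no MX query (use a DNS library for that)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        addrs = []
    return {"a": addrs, "mx": []}


if __name__ == "__main__":
    candidates = generate_permutations("mycompany")
    taken, available = group_taken(candidates, stub_resolver)
    print(f"{len(candidates)} candidates, {len(taken)} taken, "
          f"{len(available)} available")
    for name in rank(taken):
        print(f"  {name}: A={taken[name]['a']} MX={taken[name]['mx']}")
```

Swap `stub_resolver` for `socket_resolver` (or a dnspython-based one that fills in MX) to run it against real DNS; the ranking then gives an incident response team the same IP-and-mail-record starting point the page describes for taken domains.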
The intelligence repositories, known as DarCache, provide context for these findings. For instance, DarCache Rupture can reveal if the fraudulent domain is tied to compromised credentials from past data breaches. Similarly, DarCache Dark Web can show if the domain is being discussed in dark web forums.
Continuous Monitoring and Reporting
ThreatNG provides continuous monitoring of the external attack surface and digital risk, ensuring that newly created domains with character additions are detected as they appear.
The platform's comprehensive reports, which include Executive, Technical, and Prioritized views, detail the fraudulent domains found. Reports provide risk levels, reasoning for the findings, and recommendations for mitigation, enabling organizations to make informed decisions. For a domain stuffing threat, a report would detail the fraudulent domain (e.g., mycompany-support.com), the associated risk of phishing or fraud, and recommend a takedown request.
Complementary Solutions
ThreatNG's proactive discovery and actionable intelligence complement other security solutions. It can feed its findings to a Security Orchestration, Automation, and Response (SOAR) platform. For instance, when ThreatNG identifies a new, taken domain created via domain stuffing, it can trigger a SOAR playbook. This playbook could then automatically notify the brand protection team and initiate a takedown request, all before the domain can be used in a widespread phishing campaign. The platform's ability to provide an IP address and mail record for a fraudulent domain is also invaluable for Incident Response teams, allowing them to quickly identify the source of a threat and accelerate their investigation.