Domain Suffixing
Domain suffixing is a cybersecurity tactic where an attacker adds a word or phrase to the end of a legitimate domain name to create a fraudulent, look-alike domain. This is a common form of typosquatting used to deceive users and exploit their trust in a brand. The added word, or "suffix," often mimics a trusted service or a call to action, such as "login," "secure," "support," or "help."
The primary goal is to trick a user into thinking they are on a legitimate page for a specific function of a company. For instance, an attacker might register mycompany-login.com or mycompany-support.com. A user who receives a phishing email with a link to this URL may not notice the extra words and mistakenly believe they are visiting the official company site.
This technique is effective because it creates URLs that appear plausible to the user, making them more likely to input sensitive information like login credentials, financial details, or personal data. These fraudulent domains are then used for phishing, distributing malware, or other malicious activities aimed at financial fraud or identity theft.
ThreatNG helps an organization defend against domain suffixing by providing a comprehensive, unauthenticated discovery and assessment of its external digital footprint. It identifies and analyzes these fraudulent domains from an attacker's perspective, offering actionable intelligence to mitigate the risk.
External Discovery and Assessment
ThreatNG performs purely external discovery, without using any connectors, allowing it to act like a security researcher looking for potential entry points. For a company, it automatically generates a full range of permutations and manipulations, including those with dictionary additions, to enumerate the fraudulent sites an attacker could create, such as mycompany-support.com or mycompany-login.com. The platform then assesses these domains for various risks:
Web Application Hijack Susceptibility: ThreatNG analyzes web applications to identify potential entry points for attackers, which could include a fake login page created via domain suffixing, like mycompany-login.com.
BEC & Phishing Susceptibility: This susceptibility score is derived in part from Domain Intelligence. The Domain Name Permutations capability is critical for identifying look-alike domains that could be used for phishing attacks, helping to protect against business email compromise.
Brand Damage Susceptibility: The platform uses digital risk intelligence and domain intelligence to find permutations that could lead to brand damage, such as a fraudulent support portal at mycompany-help.com.
Investigation Modules and Intelligence Repositories
ThreatNG's Domain Intelligence module is central to this process. Within it, the DNS Intelligence capability includes Domain Name Permutations, which detects and groups these manipulations. It uses pre-built and user-defined keywords to create specific permutations, such as those with the words "login," "support," or "pay". ThreatNG identifies both available and taken permutations, providing the associated IP address and mail record for those that are taken.
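The permutation-and-resolution step described above, as an added illustration that is not ThreatNG's code: it builds dictionary-suffix candidates for a brand label and then classifies each one as taken (A or MX records exist) or available, using an injected resolver so it runs offline. The keyword list, separators, TLDs and the answers in SAMPLE_DNS are constructed for the example.

```python
"""Dictionary-suffix permutations of a brand label, classified as taken or
available. Added illustration, not ThreatNG code: resolution is injected so
the example runs offline against a constructed lookup table."""
from typing import Callable, Dict, Iterable, List, Optional

# "Call to action" words attackers append; user-defined words can be passed in.
DEFAULT_KEYWORDS = ("login", "secure", "support", "help", "pay")
SEPARATORS = ("-", "")
TLDS = ("com", "net")

def suffix_permutations(brand: str, keywords: Iterable[str] = DEFAULT_KEYWORDS,
                        separators=SEPARATORS, tlds=TLDS) -> List[str]:
    """Return deduplicated look-alike domains such as mycompany-login.com."""
    seen, out = set(), []
    for kw in keywords:
        for sep in separators:
            for tld in tlds:
                candidate = f"{brand}{sep}{kw}.{tld}".lower()
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out

# Resolver contract: domain -> {"a": [...], "mx": [...]}, or None for NXDOMAIN.
# For live monitoring substitute a real lookup (e.g. dnspython's resolver).
Resolver = Callable[[str], Optional[Dict[str, List[str]]]]

def classify(domains: Iterable[str], resolve: Resolver) -> Dict[str, object]:
    """Split candidates into taken (A or MX present) and available."""
    taken: Dict[str, Dict[str, List[str]]] = {}
    available: List[str] = []
    for d in domains:
        rec = resolve(d)
        # MX-only counts as taken: the domain can already send phishing mail.
        if rec and (rec.get("a") or rec.get("mx")):
            taken[d] = rec
        else:
            available.append(d)
    return {"taken": taken, "available": available}

# Constructed sample answers (documentation address ranges), not live DNS.
SAMPLE_DNS = {
    "mycompany-login.com": {"a": ["203.0.113.10"], "mx": ["mail.example.net."]},
    "mycompany-support.com": {"a": [], "mx": ["mx.example.org."]},
}

def sample_resolver(domain: str) -> Optional[Dict[str, List[str]]]:
    return SAMPLE_DNS.get(domain)
```

Running classify(suffix_permutations("mycompany"), sample_resolver) returns the two taken domains with their records and the remaining 18 candidates as available; a brand protection team would watch the "available" set for new registrations over time.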
The intelligence repositories, known as DarCache, provide crucial context for these findings. For instance, DarCache Rupture can reveal if the fraudulent domain is tied to compromised credentials from past data breaches. Similarly, DarCache Dark Web can show if the domain is being discussed in dark web forums.
Continuous Monitoring and Reporting
ThreatNG provides continuous monitoring of the external attack surface and digital risk, ensuring that newly created domains with dictionary additions are detected as soon as they appear.
The platform's comprehensive reports, which include Executive, Technical, and Prioritized views, detail the fraudulent domains found. Reports provide risk levels, reasoning for the findings, and recommendations for mitigation, enabling organizations to make informed decisions. For a domain suffixing threat, a report would detail the fraudulent domain (e.g., mycompany-support.com), the associated risk of phishing or fraud, and recommend a takedown request.
Complementary Solutions
ThreatNG's proactive discovery and actionable intelligence make it a strong complement to other security solutions. It can feed its findings to a Security Orchestration, Automation, and Response (SOAR) platform. For instance, when ThreatNG identifies a new, taken domain created via domain suffixing, it can trigger a SOAR playbook to automatically notify the brand protection team and initiate a takedown request, all before the domain can be used in a widespread phishing campaign. The platform's ability to provide an IP address and mail record for a fraudulent domain is also invaluable for Incident Response teams, allowing them to quickly identify the source of a threat and accelerate their investigation.