TLD Impersonation

In the context of cybersecurity, TLD impersonation, also known as a TLD swap, is a form of domain manipulation where an attacker registers a domain name that is identical to a legitimate one except for its Top-Level Domain (TLD). This tactic is a type of typosquatting that relies on the user's familiarity with the brand name and their tendency to overlook the TLD, which is the last label of the domain name (the part after the final dot).

The attacker's goal is to create a fraudulent domain that appears trustworthy. For example, if a legitimate company's website is mycompany.com, an attacker could register mycompany.net, mycompany.info, or mycompany.co. Since the main part of the domain, "mycompany," is the same, many users may not notice the change from .com to .net or another TLD.

These deceptive domains are used for various malicious purposes, including:

  • Phishing: To create fake login pages that steal user credentials.

  • Malware Distribution: To trick users into downloading malicious software.

  • Brand Impersonation: To damage a brand's reputation by spreading misinformation or hosting fraudulent content.

The effectiveness of a TLD impersonation lies in its simplicity and subtlety, as the minor change in the URL is often enough to deceive an unsuspecting user.

ThreatNG helps with TLD impersonation by proactively discovering and assessing domains that use this manipulation, providing detailed intelligence to mitigate risk before an attack can cause damage.

External Discovery and Assessment

ThreatNG performs purely external and unauthenticated discovery. It looks at an organization's digital presence from an attacker's perspective, without needing internal access. ThreatNG automatically generates and looks for variations of a legitimate domain that use different TLDs, such as mycompany.net or mycompany.co. This is explicitly covered by the TLD-Swap / TLD Impersonations category within its Domain Name Permutations capability.

The platform uses this discovery to assess an organization's susceptibility to risks directly related to these TLD impersonated domains:

  • Web Application Hijack Susceptibility: ThreatNG's score is based on its analysis of external web application parts. A fraudulent TLD impersonated domain could be used to create a fake login page, which would be identified as a potential entry point for attackers.

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence, which includes the Domain Name Permutations capability. This helps identify TLD impersonated domains that could be used in phishing attacks.

  • Brand Damage Susceptibility: By identifying TLD impersonated domains, ThreatNG can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.

Investigation Modules and Intelligence Repositories

The Domain Intelligence module is the primary tool for detecting threats related to TLD impersonation. Within this module, the DNS Intelligence capability specifically detects and groups these manipulations. ThreatNG's platform identifies both available and taken TLD impersonation permutations, providing the associated IP address and mail record for those that are already registered and potentially in use by malicious actors. The platform enhances its threat detection by using both a pre-packaged set of Top-Level Domains (TLDs) and a customizable list of user-defined TLDs.
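The permutation-and-lookup workflow described above, as an added example rather than ThreatNG's own code: it splits a brand domain into its registrable label and TLD (treating two-label suffixes such as co.uk as one TLD), generates the same label under a built-in TLD list plus any user-defined TLDs, and classifies each permutation as taken or available by the records it returns, carrying the A and MX answers for the taken ones. The TLD list, the `MULTI_LABEL_SUFFIXES` set and the `FAKE_DNS` answer table are assumptions constructed so the script runs offline; "taken" here means "resolves", which approximates registration status well enough for triage but is not a WHOIS/RDAP check.

```python
"""Generate TLD-swap permutations of a brand domain and check which resolve.

Added example, not ThreatNG's code. The TLD list, suffix set and DNS answers
below are assumptions; the answers are a constructed table so this runs
offline. Replace `lookup` with a real resolver (e.g. dnspython) for live use.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Stand-in for a pre-packaged TLD list; a real tool ships hundreds.
DEFAULT_TLDS = ["com", "net", "org", "info", "co", "biz", "io", "xyz"]

# Public suffixes spanning two labels must be treated as one TLD when splitting.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed DNS answers (RFC 5737 documentation addresses), keyed by domain.
FAKE_DNS = {
    "mycompany.net": {"A": ["203.0.113.10"], "MX": ["mail.mycompany.net."]},
    "mycompany.co": {"A": ["198.51.100.7"], "MX": []},
}


@dataclass
class Finding:
    domain: str
    registered: bool
    a_records: list[str] = field(default_factory=list)
    mx_records: list[str] = field(default_factory=list)


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld), e.g. mycompany.co.uk -> (mycompany, co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    last_two = ".".join(labels[-2:])
    if last_two in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return labels[-3], last_two
    return labels[-2], labels[-1]


def tld_permutations(domain: str, extra_tlds=()) -> list[str]:
    """Same registrable label under every TLD in the built-in and user-defined lists."""
    label, original_tld = split_domain(domain)
    ordered: list[str] = []
    for tld in list(DEFAULT_TLDS) + list(extra_tlds):
        tld = tld.lower().strip(".")
        if tld == original_tld or tld in ordered:
            continue  # skip the legitimate domain itself and duplicates
        ordered.append(tld)
    return [f"{label}.{tld}" for tld in ordered]


def lookup(domain: str, resolver=FAKE_DNS) -> Finding:
    """Classify a permutation as taken (returns records) or available.

    Resolution is a proxy for registration: a registered but unconfigured
    domain will look 'available' here; confirm with WHOIS/RDAP before acting.
    """
    answer = resolver.get(domain)
    if answer is None:
        return Finding(domain, registered=False)
    return Finding(domain, True, list(answer.get("A", [])), list(answer.get("MX", [])))


def assess(domain: str, extra_tlds=(), resolver=FAKE_DNS) -> list[Finding]:
    """Look up every TLD-swap permutation of `domain`."""
    return [lookup(p, resolver) for p in tld_permutations(domain, extra_tlds)]


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Taken lookalikes only; those with an MX record (set up to handle mail) first, then A-only."""
    hits = [f for f in findings if f.registered]
    return sorted(hits, key=lambda f: (not f.mx_records, not f.a_records, f.domain))


if __name__ == "__main__":
    for f in prioritize(assess("mycompany.com", extra_tlds=["dev"])):
        print(f.domain, f.a_records, f.mx_records or "-")
```

In live use the interesting output is the taken set, ordered so that lookalikes with both A and MX records (a web host plus a mailbox to receive replies or credentials) are reviewed before parked ones.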

ThreatNG's intelligence repositories, known as DarCache, provide valuable context. For example, DarCache Rupture (Compromised Credentials) can reveal if a fraudulent TLD impersonated domain is tied to compromised user data. Likewise, DarCache Dark Web can show if a planned phishing campaign using such a domain is being discussed in dark web forums.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk. This ensures that new TLD impersonated domains are detected as soon as they appear, enabling a swift and proactive response to mitigate the impersonation before it causes significant damage. The platform's reports, which can be Executive, Technical, or Prioritized, highlight any discovered TLD impersonated domains and their associated risks. The Prioritized reports use risk levels to help organizations focus on the most critical risks and make informed decisions about mitigation.

Complementary Solutions

ThreatNG's proactive intelligence makes it a strong complement to other security solutions. For example, if ThreatNG identifies a newly registered TLD impersonated domain like mycompany.co and its associated IP address, this information can be used to update a DNS firewall so that internal clients can no longer resolve the fraudulent domain. Alternatively, if ThreatNG detects that a fraudulent domain has active mail (MX) records, this intelligence can be shared with an email security gateway. This allows the gateway to proactively block or quarantine messages whose sender domain is the lookalike, stopping a phishing campaign before it reaches employees' inboxes.
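One way to turn confirmed findings into the blocking artefacts mentioned above, as an added example that is not ThreatNG's code: it emits BIND Response Policy Zone (RPZ) records that answer NXDOMAIN for each lookalike and all of its subdomains, adds an `rpz-ip` trigger for the lookalike's IP so that responses pointing at that host are blocked even under another name, and produces a plain sender-domain deny list for a mail gateway. The `FINDINGS` list and the `rpz.local` zone name are constructed assumptions.

```python
"""Convert TLD-swap findings into DNS-firewall and mail-gateway block artefacts.

Added example, not ThreatNG's code. FINDINGS is constructed sample data and
`rpz.local` is an assumed zone name; adapt both to your environment.
"""
from __future__ import annotations

# Constructed findings (RFC 5737 documentation addresses).
FINDINGS = [
    {"domain": "mycompany.co", "ip": "198.51.100.7", "mx": []},
    {"domain": "mycompany.net", "ip": "203.0.113.10", "mx": ["mail.mycompany.net."]},
]


def rpz_name_records(domain: str) -> list[str]:
    """RPZ QNAME triggers: `CNAME .` returns NXDOMAIN for the name and all subdomains."""
    d = domain.lower().rstrip(".")
    return [f"{d} CNAME .", f"*.{d} CNAME ."]


def rpz_ip_trigger(ip: str, prefix: int = 32) -> str:
    """RPZ response-IP trigger: <prefixlen>.<octets reversed>.rpz-ip for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return f"{prefix}.{'.'.join(reversed(octets))}.rpz-ip CNAME ."


def rpz_records(findings: list[dict]) -> list[str]:
    """All RPZ records for a findings list, de-duplicated and in a stable order."""
    records: list[str] = []
    for f in findings:
        for r in rpz_name_records(f["domain"]) + [rpz_ip_trigger(f["ip"])]:
            if r not in records:
                records.append(r)
    return records


def rpz_zone(findings: list[dict], zone: str = "rpz.local", serial: int = 1) -> str:
    """Complete zone file text: SOA/NS apex records followed by the policy records."""
    header = [
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{zone}.",
    ]
    return "\n".join(header + rpz_records(findings)) + "\n"


def sender_deny_list(findings: list[dict]) -> list[str]:
    """Every taken lookalike goes on the sender-domain deny list.

    An MX record means the domain is set up to *receive* mail (e.g. replies or
    credentials); sending spoofed mail needs no MX, so do not filter on it.
    """
    return sorted(f["domain"].lower().rstrip(".") for f in findings)


if __name__ == "__main__":
    print(rpz_zone(FINDINGS))
    print("sender deny list:", ", ".join(sender_deny_list(FINDINGS)))
```

The zone text is loaded into BIND with a `response-policy { zone "rpz.local"; };` statement (or the equivalent on another RPZ-capable resolver); bump `serial` on each regeneration so secondaries pick up the new policy.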