TLD-Swapping


TLD-swapping is a type of typosquatting where a malicious actor registers a domain name that is identical to a legitimate one but uses a different top-level domain (TLD). For example, an attacker might register example.org to impersonate example.com. The goal is to deceive users who assume the domain name is correct and overlook the change in the TLD. This is a form of domain name permutation and is a common tactic in phishing and brand impersonation attacks.

How TLD-Swapping is a Threat

  • Phishing Attacks: Attackers can set up a fake website at the swapped TLD to mimic the legitimate site. This site is then used to trick users into entering their login credentials, credit card numbers, or other sensitive information.

  • Malware Distribution: The fake domain can be used to host malicious files, which are downloaded to the user's computer through a drive-by download or a deceptive prompt.

  • Brand Damage: A malicious actor might use the swapped TLD to spread misinformation or host inappropriate content, which can damage the brand's reputation and lead to customer distrust.

  • Email Spoofing: The attacker can use the swapped TLD to send spoofed emails that appear to be from the legitimate organization, increasing the chances of a successful phishing attack.

ThreatNG helps defend against TLD-swapping by performing an external, unauthenticated discovery and assessment to identify domain name permutations that have been registered under a different top-level domain. The platform's continuous monitoring and intelligence capabilities enable it to proactively detect these deceptive domains and provide actionable intelligence to protect against brand impersonation and phishing attacks.

ThreatNG's Capabilities for TLD-Swapping

ThreatNG uses several of its core functions to address TLD-swapping.

External Discovery and Assessment

ThreatNG performs purely external and unauthenticated discovery to find potential threats from an attacker's perspective. Its external attack surface and digital risk intelligence are used to assess an organization's susceptibility to various risks, including those related to TLD-swapping.

  • BEC & Phishing Susceptibility: This score is partially derived from Domain Intelligence capabilities, which include the identification of Domain Name Permutations and Web3 domains that are either available or taken. The detection of domains that have a TLD-swap directly contributes to this score, as these domains are a primary tool for phishing and Business Email Compromise (BEC) attacks. For example, ThreatNG would detect a domain like example.org as a permutation of the legitimate example.com.

  • Brand Damage Susceptibility: ThreatNG assesses this risk by using Domain Intelligence, which includes Domain Name Permutations. By identifying TLD-swapped domains, the platform can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation. An example would be the discovery of a domain like companyname.biz that impersonates a legitimate companyname.com.

  • Data Leak Susceptibility: This assessment also considers Domain Intelligence, including Domain Name Permutations, to determine if fraudulent domains are being used to steal credentials and facilitate data leaks.

Investigation Modules

The Domain Intelligence investigation module is the primary tool for TLD-swapping detection. Within this module, the DNS Intelligence capability is specifically designed to detect and group various manipulations of a domain.

  • Domain Name Permutations: This feature explicitly lists TLD-swaps as one of the manipulations it detects. ThreatNG looks for the presence of domain permutations across a variety of top-level domains, including generic TLDs (.com, .org, .net), country-code TLDs (.us, .uk, .de), and new TLDs (.tech, .shop, .app). For each permutation, ThreatNG provides the associated mail records and IP addresses, which are crucial for understanding the potential malicious use of the domain.

  • Targeted Keyword Analysis: ThreatNG analyzes the discovered domain name permutations for the presence of "Authentication" terms, such as login, verify, and admin, as well as "Derogatory" terms like sucks and boycott. This helps to identify specific threats, such as a TLD-swapped domain being used to host a fake login page (e.g., brand.net/login).
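The two capabilities above (TLD-swap permutation with mail/IP enrichment, and keyword analysis) can be reproduced as a small monitoring check for a defender's own brand. The code below is an added illustration, not ThreatNG's implementation; it assumes an injectable `resolve(name, rtype)` function (a constructed in-memory answer table stands in for a live DNS resolver) and, as an assumption, checks authentication terms as hostnames under each swapped domain.

```python
from dataclasses import dataclass, field

# TLD groups and keyword classes as named on the page; extend for your own watch-list.
TLDS = ("com", "org", "net", "us", "uk", "de", "tech", "shop", "app")
AUTH_TERMS = ("login", "verify", "admin")
DEROGATORY_TERMS = ("sucks", "boycott")

@dataclass
class Finding:
    domain: str
    a_records: list
    mx_records: list
    flags: list = field(default_factory=list)

def tld_swaps(domain, tlds=TLDS):
    """Same registrable label under every TLD except the legitimate one."""
    label, _, own_tld = domain.lower().rpartition(".")
    return [f"{label}.{t}" for t in tlds if t != own_tld]

def assess(domain, resolve):
    """resolve(name, rtype) -> list of record strings, [] when the name does not resolve.
    Only permutations that resolve are reported, enriched with A/MX data and keyword flags."""
    findings = []
    for swap in tld_swaps(domain):
        a, mx = resolve(swap, "A"), resolve(swap, "MX")
        if not a and not mx:
            continue                      # unregistered or unhosted: nothing to track yet
        flags = [f"derogatory:{t}" for t in DEROGATORY_TERMS if t in swap]
        if mx:
            flags.append("mail-capable")  # MX present: the domain can send brand-like mail
        # Assumption: authentication terms are checked as hostnames under the swapped domain.
        for term in AUTH_TERMS:
            if resolve(f"{term}.{swap}", "A"):
                flags.append(f"auth-host:{term}.{swap}")
        findings.append(Finding(swap, a, mx, flags))
    return findings

# Constructed DNS answers standing in for a live resolver (e.g. dnspython queries).
FAKE_DNS = {
    ("example.org", "A"): ["203.0.113.10"],
    ("example.org", "MX"): ["10 mail.example.org."],
    ("login.example.org", "A"): ["203.0.113.10"],
    ("example.shop", "A"): ["198.51.100.7"],
}

def fake_resolve(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

if __name__ == "__main__":
    print(assess("example.com", fake_resolve))
```

Feeding the mail-capable findings to an email security gateway and the A records to a DNS firewall is the hand-off described under Complementary Solutions.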

Reporting and Continuous Monitoring

ThreatNG provides a variety of reports, including Prioritized Reports (High, Medium, Low, and Informational) and Security Ratings (A through F). These reports would highlight any discovered TLD-swapped domains and their associated risks, allowing an organization to prioritize remediation efforts. The platform's continuous monitoring capability ensures that it is constantly tracking an organization's external attack surface and will detect new TLD-swapped domains as they appear.

Intelligence Repositories

ThreatNG's intelligence repositories, branded as DarCache, provide valuable information that can support the TLD-swapping detection process. The DarCache Dark Web repository tracks mentions of an organization on the dark web, which can be an early indicator of a planned phishing or impersonation campaign that may use TLD-swapped domains.

Complementary Solutions

ThreatNG's TLD-swapping detection can be enhanced by working with other security solutions.

  • ThreatNG and a DNS Firewall: ThreatNG could identify a TLD-swapped domain, such as example.biz, and its associated IP address. This information could then be used to update a DNS firewall to automatically block internal network traffic from accessing that fraudulent site.

  • ThreatNG and an Email Security Gateway: If ThreatNG detects that a TLD-swapped domain has active mail records, this intelligence can be shared with an email security gateway. The gateway could then proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes.

  • ThreatNG and a Website Takedown Service: Once ThreatNG identifies a TLD-swapped domain impersonating a brand, the information about the malicious domain and its hosting provider could be shared with a website takedown service. This would enable the service to act quickly and have the fake site removed, minimizing the window of opportunity for attackers.
