Typosquatting


Typosquatting, also known as URL hijacking, is a cybersecurity attack where a malicious actor registers a domain name that is a common misspelling of a legitimate, popular website. The goal is to trick users who make a typographical error when typing a URL into their browser. These fake domains are often used to host malicious content, distribute malware, or launch phishing attacks.

Types of Typosquatting

Typosquatting takes advantage of various human errors and domain name similarities. Common techniques include:

  • Omission: The attacker registers a domain with a missing letter. For example, facebok.com instead of facebook.com.

  • Insertion: A domain with an extra letter is registered. For instance, gooogle.com instead of google.com.

  • Transposition: Two adjacent letters are swapped (e.g., amzaon.com instead of amazon.com).

  • Substitution: A key adjacent to the correct one on a keyboard is used (e.g., goolge.com).

  • Homoglyphs: Using characters that look visually similar, such as the digit '0' in place of the letter 'o' or the digit '1' in place of a lowercase 'l' (e.g., micros0ft.com).

  • Domain Suffix Abuse: The attacker registers a domain with a different top-level domain (TLD) than the legitimate one, such as .org or .net, to impersonate a .com site.
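The permutation classes above are mechanical enough to enumerate. The following is an added example (not ThreatNG's code) that generates, for one brand domain, the candidates each class produces, so a defender can pre-register them or feed them to a monitoring list. The QWERTY adjacency table, the homoglyph table and the alternative-TLD list are partial, constructed tables.

```python
"""Generate a watch-list of typosquatting permutations for a brand domain.

Added illustration: implements omission, insertion, repetition,
transposition, adjacent-key substitution, homoglyph substitution and
TLD swap for a second-level domain such as example.com.
"""

# Neighbouring keys on a US QWERTY layout (constructed, partial table).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# Characters that look alike in common fonts (constructed, partial table).
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "0": "o", "1": "l",
              "e": "3", "a": "4", "s": "5", "m": "rn"}

# TLDs an impersonator commonly swaps in (assumed list).
ALT_TLDS = ["com", "net", "org", "co", "info"]


def split_domain(domain):
    """Split 'example.com' into ('example', 'com'); the last label is the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    if not name:
        raise ValueError("expected a second-level domain such as example.com")
    return name, tld


def permutations(domain):
    """Return {permutation_type: sorted list of candidate domains}.

    Every candidate is reachable by one typing slip or one confusable
    character; the legitimate domain itself is never included.
    """
    name, tld = split_domain(domain)
    out = {k: set() for k in ("omission", "insertion", "repetition",
                              "transposition", "substitution", "homoglyph")}

    for i, ch in enumerate(name):
        # Omission: one character dropped (facebok from facebook).
        out["omission"].add(name[:i] + name[i + 1:])
        # Repetition: one character doubled (gooogle from google).
        out["repetition"].add(name[:i] + ch + name[i:])
        for k in QWERTY_NEIGHBOURS.get(ch, ""):
            # Insertion: an adjacent key slips in before or after the intended one.
            out["insertion"].add(name[:i] + k + name[i:])
            out["insertion"].add(name[:i + 1] + k + name[i + 1:])
            # Substitution: the adjacent key is pressed instead of the intended one.
            out["substitution"].add(name[:i] + k + name[i + 1:])
        # Homoglyph: a visually similar character replaces the real one.
        for g in HOMOGLYPHS.get(ch, ""):
            out["homoglyph"].add(name[:i] + g + name[i + 1:])
        # Transposition: two adjacent, distinct characters swapped (amzaon from amazon).
        if i + 1 < len(name) and name[i] != name[i + 1]:
            out["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])

    result = {}
    for kind, names in out.items():
        names.discard(name)
        result[kind] = sorted(n + "." + tld for n in names if n)
    # Domain suffix abuse: same name under another TLD.
    result["tld"] = sorted(name + "." + t for t in ALT_TLDS if t != tld)
    return result


if __name__ == "__main__":
    for kind, names in permutations("example.com").items():
        print(f"{kind:14s} {len(names):4d}  e.g. {names[:3]}")
```

The counts grow quickly (several hundred candidates for a seven-letter name), which is why the output is best treated as a monitoring list to resolve periodically rather than something to register in full.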

How Typosquatting is a Threat

Once a user lands on a typosquatted domain, several malicious actions can occur:

  • Phishing: The fake website is often a clone of the legitimate one, designed to steal a user's login credentials or other sensitive information.

  • Malware Distribution: The site might automatically download and install malware onto the user's computer through a drive-by download.

  • Brand Damage: The fake site could host inappropriate or misleading content, which can harm the brand's reputation and lead to customer distrust.

  • Advertising Revenue: In less malicious cases, the attacker may fill the site with ads to generate revenue from the mistaken traffic.

ThreatNG helps with typosquatting by performing an external, unauthenticated discovery and assessment to identify domain name permutations that are created by typographical errors. The platform's continuous monitoring and intelligence capabilities enable it to proactively detect these deceptive domains and provide actionable intelligence to protect against brand impersonation and phishing attacks.

ThreatNG's Capabilities for Typosquatting

ThreatNG uses several of its core functions to address typosquatting.

External Discovery and Assessment

ThreatNG performs an external, unauthenticated discovery to find potential threats from an attacker's perspective. This is achieved through its Domain Intelligence module, which is a key component of its external attack surface and digital risk intelligence. The platform uses these findings to assess an organization's susceptibility to various risks.

  • BEC & Phishing Susceptibility: This score is partially derived from Domain Intelligence capabilities, which include the identification of Domain Name Permutations and Web3 domains that are available and taken. The detection of typosquatted domains directly contributes to this score, as these domains are a primary tool for phishing and Business Email Compromise (BEC) attacks.

  • Brand Damage Susceptibility: ThreatNG assesses this risk by using Domain Intelligence, which includes Domain Name Permutations. By identifying typosquatted domains, the platform can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.

  • Data Leak Susceptibility: This assessment also considers Domain Intelligence, including Domain Name Permutations, to determine if fraudulent domains are being used to steal credentials and facilitate data leaks.

Investigation Modules

The Domain Intelligence investigation module is the primary tool for typosquatting detection. Within this module, the DNS Intelligence capability is specifically designed to detect and group various manipulations of a domain.

  • Domain Name Permutations: This feature explicitly detects several types of typosquatting, including insertions, omissions, repetition, replacement, and transpositions. For each permutation, ThreatNG provides the associated mail records and IP addresses, which are crucial for understanding the potential malicious use of the domain. For example, for the legitimate domain example.com, ThreatNG could detect typosquatted domains like exmaple.com (transposition), examp1e.com (replacement), or exaample.com (repetition).

  • Targeted Keyword Analysis: ThreatNG analyzes the discovered domain name permutations for the presence of "Authentication" terms, such as login, verify, and admin, as well as "Derogatory" terms like sucks and boycott. This helps to identify specific threats, such as a typosquatted domain being used to host a fake login page (e.g., microsft-login.com).
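The two bullets above describe classifying a discovered domain by permutation type and flagging "Authentication" and "Derogatory" terms. The following is an added example (not ThreatNG's code) that does both for one observed domain against the brand domain: it strips any flagged term (so microsft-login.com is recognised as an omission of microsoft.com plus a login keyword) and names the single edit that produced the remainder. The term lists and the confusable-character pairs are assumptions modelled on the categories in the text.

```python
"""Classify a look-alike domain against the brand domain and flag keywords.

Added illustration: given the legitimate domain and an observed domain,
name the permutation (omission, insertion, repetition, transposition,
replacement, homoglyph, tld) and report authentication/derogatory terms.
"""
import re

# Term lists are assumptions modelled on the categories described above.
AUTH_TERMS = ("login", "signin", "verify", "secure", "account", "admin", "password")
DEROGATORY_TERMS = ("sucks", "boycott", "scam", "fraud")
# Visually confusable pairs (constructed, partial table).
CONFUSABLE = {frozenset(p) for p in
              (("l", "1"), ("o", "0"), ("i", "l"), ("e", "3"), ("a", "4"), ("s", "5"))}


def second_level(domain):
    """'microsft-login.com' -> ('microsft-login', 'com')."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def keyword_flags(domain):
    """Return [(category, term), ...] for every flagged term in the name."""
    name, _ = second_level(domain)
    found = [("authentication", t) for t in AUTH_TERMS if t in name]
    found += [("derogatory", t) for t in DEROGATORY_TERMS if t in name]
    return found


def strip_keywords(name):
    """Remove flagged terms and joining hyphens: 'microsft-login' -> 'microsft'."""
    for term in AUTH_TERMS + DEROGATORY_TERMS:
        name = re.sub(rf"-?{term}-?", "", name)
    return name


def permutation_type(legit_name, observed_name):
    """Name the single edit turning legit_name into observed_name, or None."""
    a, b = legit_name, observed_name
    if a == b:
        return "identical"
    if len(b) == len(a) - 1:
        if any(a[:i] + a[i + 1:] == b for i in range(len(a))):
            return "omission"
    elif len(b) == len(a) + 1:
        if any(a[:i] + a[i] + a[i:] == b for i in range(len(a))):
            return "repetition"
        if any(a[:i] + b[i] + a[i:] == b for i in range(len(b))):
            return "insertion"
    elif len(b) == len(a):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            i = diff[0]
            return "homoglyph" if frozenset((a[i], b[i])) in CONFUSABLE else "replacement"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]]):
            return "transposition"
    return None  # more than one edit away: not a simple typo of this brand


def analyze(legit, observed):
    """Triage one observed domain: permutation type, TLD change, keyword flags."""
    legit_name, legit_tld = second_level(legit)
    obs_name, obs_tld = second_level(observed)
    flags = keyword_flags(observed)
    core = strip_keywords(obs_name) if flags else obs_name
    kind = permutation_type(legit_name, core)
    if kind == "identical" and obs_tld != legit_tld:
        kind = "tld"
    return {"domain": observed, "permutation": kind,
            "tld_changed": obs_tld != legit_tld, "keywords": flags}


if __name__ == "__main__":
    for d in ("exmaple.com", "examp1e.com", "exaample.com", "example.net",
              "example-login.com", "examplesucks.com", "unrelated.com"):
        print(analyze("example.com", d))
```

A domain that is both a near-miss of the brand and carries an authentication term is the combination that most often fronts a credential-harvesting page, so a triage queue would sort those first.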

Reporting and Continuous Monitoring

ThreatNG provides a variety of reports, including Prioritized Reports (High, Medium, Low, and Informational) and Security Ratings (A through F). These reports highlight any discovered typosquatted domains and their associated risks, allowing an organization to prioritize remediation efforts. The platform's continuous monitoring capability ensures that it is constantly tracking an organization's external attack surface and will detect new typosquatted domains as they appear.

Intelligence Repositories

ThreatNG's intelligence repositories, branded as DarCache, provide valuable information that can support the typosquatting detection process. The DarCache Dark Web repository tracks mentions of an organization on the dark web, which can be an early indicator of a planned phishing or impersonation campaign that may use typosquatted domains.

Complementary Solutions

ThreatNG's typosquatting detection can be enhanced by working with other security solutions.

  • ThreatNG and a DNS Firewall: ThreatNG could identify a typosquatted domain, such as amzaon.com, and its associated IP address. This information could then be used to update a DNS firewall to automatically block internal network traffic from accessing that fraudulent site.

  • ThreatNG and an Email Security Gateway: If ThreatNG detects that a typosquatted domain has active mail records, this intelligence can be shared with an email security gateway. The gateway could then proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes.

  • ThreatNG and a Website Takedown Service: Once ThreatNG identifies a typosquatted domain impersonating a brand, the information about the malicious domain and its hosting provider could be shared with a website takedown service. This would enable the service to act quickly and have the fake site removed, minimizing the window of opportunity for attackers.
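The first two integrations above amount to exporting findings in the formats the downstream controls consume. The following is an added example (not ThreatNG's code and not its export format) that takes findings shaped like the data the text describes (domain, resolved IP addresses, mail records) and produces a BIND Response Policy Zone fragment for a DNS firewall plus a sender-domain blocklist for the mail gateway. The findings list is constructed sample data; the RPZ syntax (CNAME to "." for NXDOMAIN, and the prefix.reversed-IP.rpz-ip trigger) is BIND's standard format.

```python
"""Export typosquat findings to DNS firewall (RPZ) and mail-gateway blocklists.

Added illustration: a finding is a dict with the look-alike domain, the
IPs it resolves to and its MX hosts; the brand's own domains are passed
separately so they can never be blocked by mistake.
"""

# Constructed sample findings; none of these records are real observations.
FINDINGS = [
    {"domain": "amzaon.com",  "ips": ["192.0.2.10"],   "mx": []},
    {"domain": "exmaple.com", "ips": ["198.51.100.7"], "mx": ["mail.exmaple.com"]},
    {"domain": "example.com", "ips": ["203.0.113.5"],  "mx": ["mx.example.com"]},
]


def _blockable(findings, own_domains):
    """Yield findings that are not one of the brand's own domains."""
    own = {d.lower() for d in own_domains}
    for f in findings:
        if f["domain"].lower() not in own:
            yield f


def rpz_records(findings, own_domains):
    """RPZ lines that answer NXDOMAIN for each look-alike and its subdomains."""
    lines = []
    for f in _blockable(findings, own_domains):
        d = f["domain"].lower()
        lines.append(f"{d}\tCNAME\t.")
        lines.append(f"*.{d}\tCNAME\t.")
    return lines


def rpz_ip_records(findings, own_domains):
    """RPZ response-IP triggers: any answer pointing at a look-alike's host."""
    lines = []
    for f in _blockable(findings, own_domains):
        for ip in f["ips"]:
            reversed_ip = ".".join(reversed(ip.split(".")))
            lines.append(f"32.{reversed_ip}.rpz-ip\tCNAME\t.")
    return lines


def rpz_zone(findings, own_domains, zone="typosquat.rpz."):
    """Complete RPZ zone text ready to load into a DNS firewall."""
    header = [
        "$TTL 300",
        f"@\tSOA\tlocalhost. root.localhost. 1 3600 900 604800 300",
        "@\tNS\tlocalhost.",
        f"; zone {zone} generated from typosquat findings",
    ]
    return "\n".join(header + rpz_records(findings, own_domains)
                     + rpz_ip_records(findings, own_domains)) + "\n"


def mail_blocklist(findings, own_domains):
    """Domains with active MX records, i.e. those able to receive and send as the look-alike."""
    return sorted(f["domain"].lower() for f in _blockable(findings, own_domains) if f["mx"])


if __name__ == "__main__":
    print(rpz_zone(FINDINGS, {"example.com"}))
    print("mail gateway blocklist:", mail_blocklist(FINDINGS, {"example.com"}))
```

Blocking at the resolver stops users who mistype the address, while the mail-gateway list only needs the subset with MX records, since a look-alike with no mail infrastructure cannot yet send convincing messages.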
