Visual Deception

Visual deception, in the context of domains and cybersecurity, refers to the use of characters that look visually similar to a legitimate domain to trick users. This tactic, also known as a homoglyph attack, leverages the human eye's inability to spot subtle differences between characters from different writing systems. For example, an attacker could replace the Latin 'a' with the Cyrillic 'а' to create a fraudulent domain like exаmple.com, which to the human eye looks identical to example.com.

The attacker's goal is to create a domain that appears authentic, often to execute a phishing attack. The fraudulent domain is typically used in phishing emails or malicious advertisements to redirect users to a fake website that mimics a legitimate one. Once on the bogus site, users may unknowingly enter sensitive information like passwords or credit card numbers, believing they are on a trusted site. This method is particularly effective because it bypasses basic user awareness, as even a careful user may not notice the visual substitution.

ThreatNG helps with visual deception by proactively discovering and assessing domains that use homoglyphs, providing detailed intelligence to mitigate risk before an attack can cause damage.

External Discovery and Assessment

ThreatNG performs purely external and unauthenticated discovery to find potential threats from an attacker's perspective. For a company like "mycompany.com", ThreatNG automatically generates and looks for variations that use characters that look visually similar to a legitimate domain, such as using a Cyrillic 'ο' to create mycοmpany.com. This is explicitly covered by the Homoglyphs / Visual Deception category within its Domain Name Permutations capability.
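To make the substitution concrete, the following Python script (an added example, not ThreatNG's code) does two things the text describes: it generates single-character homoglyph variants of a domain you own, and it analyzes a candidate domain (Unicode or punycode `xn--` form) by decoding it, flagging mixed-script labels, and collapsing look-alike characters to a "skeleton" that is compared against an allow-list of legitimate domains. The `CONFUSABLES` table, the `LEGIT_DOMAINS` allow-list, and every function name are assumptions made for this example; the table is a hand-picked subset, not the full Unicode confusables list.

```python
import unicodedata

# Constructed allow-list of the organisation's own domains.
LEGIT_DOMAINS = {"example.com", "mycompany.com"}

# Hand-built subset of single-character look-alikes (assumption for this example;
# the authoritative list is Unicode's confusables.txt, which is far larger).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o",       # same-script digit look-alikes
    "1": "l",
}
# Multi-character sequences that read as one glyph in many fonts.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def to_punycode(domain: str) -> str:
    """ASCII-compatible form, i.e. how the name appears in DNS and zone files."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode any xn-- labels back to Unicode; plain labels pass through unchanged."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Script names of the letters in a label, taken from the Unicode character name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Collapse look-alikes to canonical ASCII so visually similar names compare equal."""
    s = unicodedata.normalize("NFKC", domain.lower())  # folds fullwidth forms, ligatures
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for multi, single in MULTI_CONFUSABLES:
        s = s.replace(multi, single)
    return s


def analyze(candidate: str, legit: set = LEGIT_DOMAINS) -> dict:
    """Decode a candidate domain and report whether it visually impersonates a legitimate one."""
    uni = to_unicode(candidate)
    per_label = {lbl: scripts(lbl) for lbl in uni.split(".")}
    legit_by_skeleton = {skeleton(d): d for d in legit}
    match = legit_by_skeleton.get(skeleton(uni))
    return {
        "input": candidate,
        "unicode": uni,
        "mixed_script": any(len(s) > 1 for s in per_label.values()),
        "non_latin": any(s - {"LATIN"} for s in per_label.values()),
        "skeleton": skeleton(uni),
        # A skeleton match that is not the legitimate name itself is an impersonation.
        "impersonates": match if match is not None and uni != match else None,
    }


def permutations(domain: str) -> list:
    """Single-substitution homoglyph variants of a domain, as (unicode, punycode) pairs."""
    lookalikes = {}
    for glyph, latin in CONFUSABLES.items():
        lookalikes.setdefault(latin, []).append(glyph)
    name, _, tld = domain.partition(".")
    variants = []
    for i, ch in enumerate(name):
        for glyph in lookalikes.get(ch, []):
            variant = name[:i] + glyph + name[i + 1:] + "." + tld
            variants.append((variant, to_punycode(variant)))
    return variants


if __name__ == "__main__":
    # Constructed candidates: a clean name, a Cyrillic-a substitution, a digit swap.
    for cand in ("example.com", to_punycode("ex\u0430mple.com"), "myc0mpany.com"):
        print(analyze(cand))
    for uni, puny in permutations("mycompany.com")[:5]:
        print(f"{uni} -> {puny}")
```

The variants from `permutations()` are what a defender would feed to DNS lookups or certificate-transparency searches to learn which look-alikes of their own domain are already registered; `analyze()` is the check to run on sender domains and URLs seen in mail logs, where the `xn--` form is what actually arrives on the wire.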

The platform uses this discovery to assess an organization's susceptibility to risks directly related to visual deception, including:

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence capabilities like Domain Name Permutations, which detect these deceptive domains and help protect against phishing attacks.

  • Brand Damage Susceptibility: By identifying homoglyph domains, ThreatNG can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.

Investigation Modules and Intelligence Repositories

The Domain Intelligence module is the primary tool for detecting homoglyph attacks. The DNS Intelligence capability within this module is specifically designed to detect and group these manipulations. ThreatNG's platform can find both available and taken domain permutations and provides the associated IP address and mail record for those that are already registered.

ThreatNG's intelligence repositories, branded as DarCache, provide valuable context. For instance, DarCache Rupture (Compromised Credentials) can reveal whether a fraudulent domain is tied to compromised user data, and DarCache Dark Web can show whether a planned phishing campaign using a homoglyph domain is being discussed in dark web forums.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk. This ensures that new homoglyph domains are detected as soon as they appear, enabling a swift and proactive response to mitigate the impersonation before it causes significant damage. The platform's reports, which can be Executive, Technical, or Prioritized, highlight any discovered visual deception domains and their associated risks. The Prioritized reports, in particular, use risk levels to help organizations focus on the most critical risks and make informed decisions about mitigation.

Complementary Solutions

ThreatNG's proactive intelligence makes it a strong complement to other security solutions. For example, if ThreatNG identifies a newly registered homoglyph domain and its associated IP address, that information can be used to update a DNS firewall so that internal network traffic is automatically blocked from reaching the fraudulent site. Alternatively, if ThreatNG detects that a homoglyph domain has active mail records, this intelligence can be shared with an email security gateway, which can then proactively block any emails originating from that domain, stopping a phishing campaign before it reaches employees' inboxes.