Tackling malicious domains and typosquatting


Malicious domains are domains that look genuine but are registered by attackers to steal sensitive personal information and data from unsuspecting victims. This type of crime usually relies on ‘typosquatting’ techniques, which exploit user oversight.

These domains look almost identical to the real thing but use small spelling changes in the URL so that their fraudulent nature goes unnoticed.

Once stolen, data can be sold online for a range of malicious purposes and is particularly useful for future phishing attempts and other fraud.

TechRadar Pro spoke with David Sygula, Senior Cybersecurity Analyst at CybelAngel, to discuss why it’s time for a more coordinated response from domain registrars, ISPs, security vendors, and businesses to help take these domains down quickly and effectively.

What does a malicious domain look like and how are victims tricked? 

The appearance of a malicious domain all depends on the skills of the threat actor, but it can vary from a very bad replica to such a perfect copy it is hard to tell the difference. Common traps include cybersquatting, when someone registers, uses or sells a domain name in bad faith with the intent to profit from someone else’s trademark. These lookalike domains are designed to trick the human eye, for example replacing one letter that may go unnoticed, so ‘bank-connection’ could become ‘bank-connect1on’. Threat actors may also remove or add characters to a similar effect, ‘bank-conect’, or replace two letters that resemble one another, ‘bank-connedion’.  

Victims are often tricked because they do not pay attention to the domain name that is in front of them, whether it is a website they visit or an email they receive. At best we catch a glimpse of the domain, process a few letters that compose it, and we take that as truth. Given the number of emails the average worker receives, or websites visited in one day, it is easy to see why these oversights occur.  

It is no longer enough to simply look at the link being clicked on. Recent progress in web browsers means that new characters can now be used in domain names, thanks to the inclusion of Punycode character encoding. As a result, a lowercase ‘a’ is indistinguishable from the Cyrillic character for ‘a’. Individuals must check the URLs in their browser’s navigation bar to better understand whether websites are suspect. 

In addition to domain lookalikes, we also see malicious subdomains on the rise. Threat actors start by registering "myportal.", then create subdomains and end up with convincing phishing websites. Criminals are even able to write the brand name fully. This technique is very effective because it tends to bypass the usual security solutions. 
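The lookalike techniques described in this answer can be checked mechanically. The following Python script is an added example written for this page, not code from CybelAngel or TechRadar. It assumes a brand domain of bank-connection.com, approximates the registrable domain as the last two labels (a real deployment would use the Public Suffix List), and runs over a constructed list of candidate hostnames. It flags confusable substitutions such as '1' for 'i', small edit-distance typos, Cyrillic-for-Latin homoglyphs hidden behind a Punycode (xn--) label, the brand name reused as a subdomain label, and a swapped top-level domain.

```python
"""Lookalike-domain detector (added example; not CybelAngel's or TechRadar's code).

All sample hostnames below are constructed for illustration.
"""
import unicodedata
from typing import Optional

# Characters that render alike in common fonts. Substituting one for the
# other costs nothing in the distance below, so 'connect1on' == 'connection'.
# Multi-character confusables such as 'rn' for 'm' are not handled here.
_PAIRS = {
    ("1", "l"), ("1", "i"), ("0", "o"), ("5", "s"),
    # Cyrillic letters that look identical to Latin ones
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0445", "x"), ("\u0443", "y"), ("\u0456", "i"),
}
CONFUSABLES = _PAIRS | {(b, a) for a, b in _PAIRS}


def decode_idna(host: str) -> str:
    """Turn 'xn--' labels back into Unicode so homoglyphs become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: inspect as-is


def has_mixed_script(label: str) -> bool:
    """True if one label mixes Latin letters with Cyrillic or Greek ones."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "").split(" ")[0])  # 'LATIN', ...
    return "LATIN" in scripts and bool(scripts & {"CYRILLIC", "GREEK"})


def distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    transpose cost 1; substituting a confusable pair costs 0."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            same = a[i - 1] == b[j - 1] or (a[i - 1], b[j - 1]) in CONFUSABLES
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (0 if same else 1))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(candidate: str, brand: str) -> Optional[str]:
    """Return a reason if `candidate` impersonates `brand`, else None.
    Assumption: the registrable domain is the last two labels."""
    labels = decode_idna(candidate.lower().rstrip(".")).split(".")
    brand_labels = brand.lower().split(".")
    if labels == brand_labels:
        return None  # the genuine domain itself
    if any(has_mixed_script(label) for label in labels):
        return "mixed-script"  # e.g. Cyrillic 'a' inside a Latin label
    brand_sld = brand_labels[0]
    cand_sld = labels[-2] if len(labels) >= 2 else labels[0]
    registrable = ".".join(labels[-2:])
    if cand_sld == brand_sld:
        return None if registrable == brand else "tld-swap"
    dist = distance(cand_sld, brand_sld)
    if dist == 0:
        return "homoglyph"  # differs only by confusable characters
    if dist <= (1 if len(brand_sld) < 8 else 2):
        return "typo"  # character added, removed, swapped or transposed
    if brand_sld in labels[:-2]:
        return "brand-in-subdomain"  # full brand name under another domain
    return None


def scan(candidates, brand):
    """Map each flagged hostname to the reason it was flagged."""
    hits = {}
    for host in candidates:
        reason = classify(host, brand)
        if reason:
            hits[host] = reason
    return hits


# Constructed sample: Cyrillic 'а' (U+0430) replaces the Latin 'a', then the
# label is encoded the way a registrar would store it.
IDN_SAMPLE = "b\u0430nk-connection.com".encode("idna").decode("ascii")

SAMPLE_HOSTS = [
    "bank-connection.com",              # genuine
    "bank-connect1on.com",              # '1' for 'i'
    "bank-conection.com",               # one 'n' removed
    "bank-connedion.com",               # 'ct' replaced by 'd'
    "bank-connection.myportal.example", # brand as a subdomain label
    "bank-connection.net",              # different TLD
    "weather.example",                  # unrelated
    IDN_SAMPLE,                         # Punycode homoglyph
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_HOSTS, "bank-connection.com").items():
        print(f"{host:40} {reason}")
```

The distance threshold scales with the brand label's length so that a two-character slip like 'connedion' is still caught for a long name without flagging every short domain within one edit of a short brand. Output of `classify` is a single reason, checked in priority order; a feed of newly registered domains would be passed through `scan` and the hits routed to a takedown or blocklist process.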

What trends are you seeing around how malicious domains are being used? Why are they on the rise?

Impersonating a business has never been easier. Any ill-intentioned individual can set up a copy of a website, or register a domain in order to trick customers, in a matter of minutes. According to the World Intellectual Property Organization (WIPO), the COVID-19 pandemic has fuelled an increase in cybercrime, including cybersquatting cases. 

There are a number of different types of criminal cybersquatting techniques that we observe being used on a regular basis, namely typosquatting, identity theft, name jacking and reverse cybersquatting. All of these techniques look to exploit users overlooking minor details, whether it be taking advantage of misspellings within typosquatting, or parading behind the name of a known individual through name jacking.  

We used to see malicious domains for the almost exclusive use of phishing, but over the years we have seen a diverse range of scams. Today, malicious domains are extensively used in email fraud. A common example is when an employee receives an email from their boss but does not recognise the inverted letters in the domain name revealing it to be false. We also have cases where cybercriminals register a lookalike version of a company's website, attract people, and write content that will harm the company's reputation. 

What is the impact, how does this affect people?  

Fraudulent domains hurt a business by deceiving customers, diminishing trust and reputation, and cutting into earnings. However, many trademark owners are unaware of the deceptive domains that exist for their products and services. Most of the time, the final goal for threat actors is either to steal money – directly or through the theft of credentials – or to make a company lose money because it harms reputation or draws away customers.  

But it can also be used to steal company information, for example in cases when a cybercriminal acts as a middleman between a company and their supplier. Both parties are unaware, but they could be contacting a cybercriminal, who simply forwards the email word for word, but each party does not realise it – they think they are corresponding with each other directly. The users, side victims or targets, are directly impacted by this sort of scam.  

What can be done to minimise the issue of malicious domains registrations?

One solution can be to proactively buy lookalike domains, so organisations reserve them before cybercriminals do. However, this is a never-ending task – there are companies who have registered thousands of domains, yet each day new ones are spoofed. Companies need to have a cybersecurity solution that prevents fraudulent domain names, by automatically detecting their creation before it is maliciously used – especially when it comes to subdomains. Machine learning can be used to identify sensitive data leaks, including hijacked domains.  

Malicious computers can place themselves between an individual and a server, intercepting their communications, especially when using public Wi-Fi. To prevent this from occurring, individuals should use a secure connection to ensure that the server they are communicating with is the server they actually wish to send data to. HTTPS is a secure communication protocol that checks that you are communicating with the right server by using asymmetric encryption keys. 

As with most areas of cybersecurity, humans are the weakest link. The human element must therefore not be overlooked, as that is exactly what these scams target. Businesses must invest in training programmes to ensure that all individuals understand the risks and how to spot these malicious spoofs. It is not enough to solely rely on implemented security solutions, as threat actors are growing in confidence and sophistication each day.