
19/10/2017 Why Brand Monitoring is a Security Issue - Typosquatting

(https://www.anomali.com/blog/why-brand-monitoring-is-a-security-issue-typosquatting)

RESEARCH (HTTPS://WWW.ANOMALI.COM/BLOG/CATEGORY/RESEARCH)

Why Brand Monitoring is a Security Issue - Typosquatting
April 19, 2017 | Payton Bush


Corporate brands are generally thought of as intangible assets that carry a company's image and reputation. To attackers, however, a brand is very tangible: it can be targeted and damaged directly with cyber threats. To prevent such damage, companies can engage in "brand monitoring", which in practice means searching for typosquatting and for compromised credentials. While the two tactics differ in intent and execution, both depend on human behavior to succeed. They are difficult to detect because the damage occurs outside the company's own domain, and difficult to prevent because countering them requires a change in individual habits rather than a change in corporate policy. In this first part of the series we explore what typosquatting is, why it matters, and what a company can do to protect its brand effectively.

Typosquatting
Typosquatting (also known as URL hijacking) is the registration, by a malicious third party, of domains that resemble legitimate corporate domains. The motives for registering a look-alike domain vary, but the intent is almost always nefarious. With a deceptive domain, typosquatters can:


- Orchestrate phishing schemes to collect customer credentials
- Install malware onto visitor devices
- Coerce the targeted company into buying the domain
- Redirect traffic to competing or malicious sites
- Embarrass the company by displaying inappropriate messaging

The exact variation of the domain depends on the adversary's intent. There are two general options: register a domain that looks visually similar, or register a domain that looks credible. True to the "typo" in typosquatting, visually similar domains are slight misspellings of either the registrable label or the country-code top-level domain (a dropped, swapped or doubled letter, or a look-alike character such as the digit 1 for the letter l). Credible domains instead add keywords that viewers will not find suspicious. For example, look-alike variants of "anomalibank.com" and "domain.com" might include misspelled or keyword-padded versions of those names.

Such domains might seem obviously fake when examined with scrutiny, but even these examples can be surprisingly effective. Attackers know that the most effective attacks exploit human predispositions, among them trusting visual cues and being inattentive in routine situations. If a web page and its domain look close enough to what a user is accustomed to, they are unlikely to raise any red flags.
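To make the two classes above concrete, here is an added example (not code from the Anomali article) that enumerates look-alike candidates for a base domain: the "visually similar" class as omissions, transpositions, doublings, adjacent-key substitutions, homoglyphs and TLD swaps, and the "credible" class as brand-plus-keyword names. The brand names, keyword list, homoglyph table and TLD list are assumptions chosen for illustration, not data from the page.

```python
"""Enumerate look-alike domains of the two classes the text describes.
Brand, keyword list, homoglyph table and TLD list are constructed for
this example and are not taken from the original article."""

# Adjacent keys on a QWERTY layout, used for "fat-finger" substitutions.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "wedxza", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Characters that read as another character at a glance (assumed table).
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"],
              "m": ["rn"], "w": ["vv"], "d": ["cl"]}
# Words that make a fake domain look "credible" (assumed list).
CREDIBLE_KEYWORDS = ["secure", "login", "support", "online", "account"]
# Alternative TLDs / ccTLDs an attacker might register under (assumed list).
ALT_TLDS = ["com", "net", "co", "cm", "co.uk", "de"]


def split_domain(domain):
    """Split 'label.tld' at the first dot: 'anomalibank.co.uk' -> ('anomalibank', 'co.uk')."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def visually_similar(domain):
    """Typo-class variants: omission, doubling, adjacent-key substitution,
    homoglyph replacement, adjacent transposition, and TLD swaps of the real label."""
    label, tld = split_domain(domain)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # omission
        labels.add(label[:i + 1] + label[i] + label[i + 1:])   # doubling
        for nb in KEYBOARD_NEIGHBOURS.get(label[i], ""):
            labels.add(label[:i] + nb + label[i + 1:])         # fat finger
        for glyph in HOMOGLYPHS.get(label[i], []):
            labels.add(label[:i] + glyph + label[i + 1:])      # homoglyph
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    labels.discard(label)                                      # never emit the real label
    variants = {f"{v}.{tld}" for v in labels if v}
    variants |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}  # TLD / ccTLD swaps
    return variants


def credible(domain):
    """Credible-class variants: the brand plus a trust-inspiring keyword."""
    label, tld = split_domain(domain)
    variants = set()
    for kw in CREDIBLE_KEYWORDS:
        variants.update({f"{label}-{kw}.{tld}", f"{label}{kw}.{tld}",
                         f"{kw}-{label}.{tld}", f"{kw}{label}.{tld}"})
    return variants


def all_variants(domain):
    """Union of both classes for one base domain."""
    return visually_similar(domain) | credible(domain)


if __name__ == "__main__":
    for d in ("anomalibank.com", "domain.com"):
        v = all_variants(d)
        print(f"{d}: {len(v)} candidate look-alikes, e.g. {sorted(v)[:5]}")
```

The output of a generator like this is the watch list to feed into registration monitoring or a defensive-registration budget; it deliberately stops at single edits, because the candidate count grows quickly with each additional edit and the higher-order variants are rarely convincing enough to be worth registering.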

To investigate how widespread malicious domains are, the Anomali Labs team released a report on the Financial Times Stock Exchange 100 (FTSE 100 Index) (https://anomali.cdn.rackfoundry.net/files/FTSE_100_REPORT.pdf). The team examined the FTSE 100 companies over a period of three months and found that 81 of the 100 had potentially malicious domain registrations against them, 527 malicious domains in total.


Typosquatting: More Than Just a Typo (https://www.anomali.com/resources/infographics/typosquatting-more-than-just-a-typo): an infographic giving an in-depth view of typosquatting techniques and statistics.

What to do About Typosquatting
So what can companies do in response to such a frequent and effective attack? As always, educating employees on the possibility of false domains is critical. Companies can also take larger-scale measures to ensure that their brand is protected.

For one, organizations can purchase domains similar to, or affiliated with, their own. Think of any large company and it is likely that it already owns "theircompanyname"sucks.com. This is a time-consuming endeavor, but ultimately worthwhile because it prevents malicious actors from forcing the company to buy the domain or from using it to generate negative publicity.

Unfortunately, many companies are unable to anticipate which domains might be used against them, and the creativity of malicious actors in dreaming up confusing or damaging domains seems unlimited. Or the company is simply too slow to the draw and those domains have already been registered. In this case organizations can work with any number of third-party services to issue takedown notices. Companies like Verizon, Lufthansa, and Lego are known to aggressively chase down typosquatters, with Lego having spent upwards of $500,000 to get malicious domains taken down.

Companies can also block known malicious domains in their proxies or email security products, which protects employees from phishing scams. In this case the malicious domain need not imitate their own brand; it could be any known phishing site. When such a domain is found, organizations may wish to triage the registrant information to see whether other associated domains are targeting the company.


One of the more effective tools for researching and monitoring malicious typosquatting is a Threat Intelligence Platform (TIP) (https://www.anomali.com/platform/threatstream). The ThreatStream platform from Anomali lets users define base domains; the platform then monitors existing and newly registered domains and flags any similarities. The tool also supports more complex pattern detection via regular-expression matching. A machine learning algorithm makes the search for new domain registrations more sophisticated, and the domains found are added to individual customer threat bulletins. The Anomali Labs team also provides a feed of domains registered by disposable domains that customers can access.
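The monitoring step described above (define base domains, compare them against a feed of new registrations, add regular-expression patterns) can be illustrated with a small similarity checker. The following is an added example, not ThreatStream code and not a description of how that product scores domains; the base domain, keyword list, regex pattern and the registration feed are all constructed for the example.

```python
"""Flag newly registered domains that resemble a set of base domains, using
edit distance on homoglyph-folded labels, keyword stripping, TLD-swap
detection and user-supplied regular expressions. All inputs below are
constructed for this example."""
import re

BASE_DOMAINS = ["anomalibank.com"]
CREDIBLE_KEYWORDS = ("secure", "login", "support", "online", "account", "verify")
# A defender-defined pattern in the spirit of the regex matching the text
# mentions (the pattern itself is an assumption for the example).
EXTRA_PATTERNS = [re.compile(r"^anomal[i1l]-?bank", re.I)]
HOMOGLYPH_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

# Constructed "newly registered domains" feed.
NEW_REGISTRATIONS = [
    "anomalibnak.com",          # transposed letters
    "anoma1ibank.com",          # digit one for letter l
    "anomalibank.co",           # ccTLD / TLD swap
    "anomalibank-login.com",    # brand plus credible keyword
    "an0mal1bank-support.com",  # homoglyphs plus keyword
    "anomalous.com",            # unrelated, shares a prefix only
    "examplebank.com",          # unrelated bank
    "anomalibank.com",          # the real domain
]


def split_domain(domain):
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def normalise(label):
    """Fold look-alike characters so 'anoma1ibank' compares equal to 'anomalibank'.
    Folding 'rn'->'m' is aggressive and collides with words like 'modern';
    treat matches that depend on it as lower confidence."""
    return label.translate(HOMOGLYPH_FOLD).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Plain edit distance; an adjacent transposition counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_tokens(label):
    """The whole label, its hyphen-separated parts, and each of those with a
    credible keyword stripped from either end ('anomalibank-login' -> 'anomalibank')."""
    tokens = {label} | set(label.split("-"))
    for tok in list(tokens):
        for kw in CREDIBLE_KEYWORDS:
            if tok.startswith(kw) and len(tok) > len(kw):
                tokens.add(tok[len(kw):].strip("-"))
            if tok.endswith(kw) and len(tok) > len(kw):
                tokens.add(tok[:-len(kw)].strip("-"))
    return tokens - {""}


def classify(domain, bases=BASE_DOMAINS, patterns=EXTRA_PATTERNS):
    """Return the reasons a domain resembles a base domain; [] means not flagged."""
    if domain.lower() in {b.lower() for b in bases}:
        return []                                   # the real domain itself
    label, suffix = split_domain(domain)
    reasons = []
    for base in bases:
        blabel, bsuffix = split_domain(base)
        if label == blabel:                         # same label, different TLD
            reasons.append(f"tld-swap:{base}")
            continue
        budget = 2 if len(blabel) >= 8 else 1       # short brands get less slack
        dist, tok = min((levenshtein(normalise(t), blabel), t)
                        for t in candidate_tokens(label))
        if dist <= budget:
            if tok != label:
                kind = "keyword"        # brand survived as a token of the label
            elif dist == 0:
                kind = "homoglyph"      # identical only after folding
            else:
                kind = "typo"
            reasons.append(f"{kind}:{base}:{tok}:{dist}")
    for pat in patterns:
        if pat.search(label):
            reasons.append(f"pattern:{pat.pattern}")
    return reasons


def triage_feed(feed=NEW_REGISTRATIONS):
    """Map each flagged registration in the feed to its reasons."""
    return {d: classify(d) for d in feed if classify(d)}


if __name__ == "__main__":
    for domain, reasons in triage_feed().items():
        print(f"{domain:28} {'; '.join(reasons)}")
```

Two caveats a practitioner should keep in mind: edit distance alone is noisy for short brand names (hence the smaller budget), and a real feed is zone-file scale, so the per-domain work above would normally be preceded by a cheap prefilter such as a bloom filter or n-gram index over the base labels.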

Once a malicious domain is identified, users can then attempt to identify the country of origin, other domains the same actor has created, and all IPs associated with the domain. This allows companies not only to investigate suspicious domains but also to predict a potential attack vector. For example, with the right tools you can discover that a typosquatted domain belongs to an actor who has registered other malicious domains, uses a specific set of IP addresses, and is known to use a particular type of attack (phishing, malware, etc.). With this information you can then apply appropriate firewall, SIEM, endpoint, IDS/IPS and similar rules to block or monitor for suspicious activity.
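The pivot described here, and the registrant triage mentioned earlier under blocking known malicious domains, amount to walking shared attributes from one flagged domain to the actor's other infrastructure and then turning the result into block rules. The following is an added example of that walk, not Anomali's or ThreatStream's implementation; the WHOIS-style records, e-mail addresses and IP addresses are constructed (RFC 5737 documentation ranges), and the output format is a DNS Response Policy Zone snippet, which is one of several ways a proxy or resolver can be told to sinkhole a domain.

```python
"""Pivot from one flagged typosquat to the registrant's other domains and
hosting, then emit block rules. Records are constructed for this example;
real data would come from WHOIS/RDAP and passive DNS, and WHOIS redaction
since 2018 makes the e-mail pivot unavailable for many registrations."""
from collections import deque

# Constructed WHOIS-style records using RFC 5737 test addresses. Not real data.
RECORDS = [
    {"domain": "anomalibnak.com", "email": "jdoe@mail.example",
     "ns": "ns1.cheaphost.example", "ip": "203.0.113.10"},
    {"domain": "anomalibank-login.com", "email": "jdoe@mail.example",
     "ns": "ns1.cheaphost.example", "ip": "203.0.113.10"},
    {"domain": "examplebank-secure.com", "email": "REDACTED FOR PRIVACY",
     "ns": "ns1.cheaphost.example", "ip": "203.0.113.10"},
    {"domain": "acme-support.net", "email": "other@mail.example",
     "ns": "ns1.cheaphost.example", "ip": "198.51.100.7"},
    {"domain": "unrelated-shop.org", "email": "shop@shop.example",
     "ns": "ns2.bighost.example", "ip": "192.0.2.5"},
]

# Attributes worth pivoting on. Name servers are deliberately excluded: a
# shared hosting provider's NS links thousands of unrelated domains.
STRONG_PIVOTS = ("email", "ip")
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")


def usable(field, value):
    """Ignore privacy-protected registrant fields; a populated IP is always usable."""
    if field == "email":
        return bool(value) and not any(m in value.lower() for m in REDACTION_MARKERS)
    return bool(value)


def build_index(records):
    """(field, value) -> set of domains sharing that value."""
    index = {}
    for rec in records:
        for field in STRONG_PIVOTS:
            if usable(field, rec[field]):
                index.setdefault((field, rec[field]), set()).add(rec["domain"])
    return index


def pivot_cluster(seed, records=RECORDS):
    """Breadth-first walk over shared registrant e-mail / IP starting at seed.
    Returns (domains, evidence); evidence lists each link that was followed."""
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    seen, evidence, queue = {seed}, [], deque([seed])
    while queue:
        dom = queue.popleft()
        rec = by_domain.get(dom)
        if rec is None:
            continue
        for field in STRONG_PIVOTS:
            if not usable(field, rec[field]):
                continue
            for other in index[(field, rec[field])] - seen:
                evidence.append((dom, field, rec[field], other))
                seen.add(other)
                queue.append(other)
    return seen, evidence


def block_rules(domains, records=RECORDS):
    """DNS RPZ records ('CNAME .' answers NXDOMAIN) plus the IPs to block or watch."""
    rpz = [f"{d} CNAME ." for d in sorted(domains)]
    ips = sorted({r["ip"] for r in records if r["domain"] in domains})
    return rpz, ips


if __name__ == "__main__":
    cluster, links = pivot_cluster("anomalibnak.com")
    for src, field, value, dst in links:
        print(f"{src} --{field}={value}--> {dst}")
    rpz, ips = block_rules(cluster)
    print("\n".join(rpz))
    print("IPs:", ips)
```

In the constructed data the seed reaches a third domain only through a shared IP, and a fourth domain that shares only a name server stays out of the cluster; that is the intended trade-off, since pivoting on hosting-provider infrastructure is what turns a precise block list into collateral damage. Keep the evidence list with the rules so a blocked domain can later be traced back to the link that justified it.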

Taking brand monitoring a step further, organizations should also scan the Dark Web (https://www.anomali.com/blog/shedding-some-light-on-the-dark-web) for mentions of corporate domains. Anomali automates this type of scanning and keyword matching and will also scan the Dark Web for internal project names (yes, like the ones you hear in movies), mentions of executive names or emails, and the company's public IP ranges.

Conclusion
Malicious actors damage a company's reputation and steal data by typosquatting. The tactic relies on predictable human behavior and is best mitigated through education, research, and tighter regulation. A Threat Intelligence Platform (https://www.anomali.com/platform/threatstream) can simplify the process and ultimately protect employees, customers, and brands.

Similar reports to the FTSE 100 were conducted for the DAX 100 (https://anomali.cdn.rackfoundry.net/files/anomali-labs-reports/DAX-100.pdf) and OMX 30 (https://anomali.cdn.rackfoundry.net/files/anomali-labs-reports/OMX-30.pdf).

