What is it?

Domain Monitoring is the process of scanning public domain data sources to identify similar-looking domains. The image above shows examples of domains that look similar to guardyourdomain.com but are not exact matches. Assuming a domain is available, anyone can register it, barring some restrictions related to fTLDs that we mention below. For the most part, and with a little creativity, anyone can register a look-alike domain targeting any institution with ease. Some individuals go as far as tracking expiring domains in order to scoop them up as soon as they become available. Okay, great… but why would anyone want to do this?

Domain-squatting

Domain-squatting, typo-squatting, and cyber-squatting are terms used to describe the practice of intentionally registering domains similar to a legitimate domain or brand. Individuals engage in domain-squatting for multiple reasons:

  • To legitimately redirect a user if they misspelled a domain name
    • gogle.com -> google.com
    • gaurdyourdomain.com -> guardyourdomain.com
  • To block another entity from being able to register the domain
  • To profit from reselling the domain
  • To conduct phishing attacks from a similar looking domain
    • mail-outlook-office.com is NOT outlook.office.com
    • acmebank.com vs acme-bank.com
  • To abuse a brand and trick the brand’s customers
    • popularbrand.com vs popularbrand-shop.com

Are these attack scenarios realistic?

It’s one thing to talk about problems and the need for Domain Monitoring, but as we all know, the proof is in the pudding. We publish anonymized statistics on our main webpage with counts of domains monitored and threats identified. When DomainGuard first started, we would individually call and report each threat we identified that was unrelated to our clients. The volume of malicious websites we identified unintentionally (unintentional because we were monitoring keywords for a different company) became so large that we now have a Twitter feed to post them for the public.

Who is targeted the most?

Banks and retail. By having the word “bank” in your domain name, you make yourself a juicy target for domain squatters. Individuals are regularly squatting on domains similar to yours for any one, or a combination, of the reasons listed above. Any household bank name we’re all familiar with is playing whack-a-mole with domain-squatting attacks, and many of these banks have internal teams dedicated to domain monitoring.

Retail therapy or credit card fraud anxiety?

On the retail side, we regularly see fake stores created with the goal of coaxing unsuspecting users into entering their credit card information on the fake website. For one client, during our initial on-boarding, we identified at least a dozen active websites using the company’s branding and showing a store with the same products at a discounted price. Some of the websites we identify with DomainGuard have been active and committing fraud for months.

A side-note on fTLDs

A number of banks have decided to use a .bank fTLD, which carries a heftier registration fee of around $1,000 and also requires passing additional verification checks. While this is great for deterring threat actors from purchasing a .bank domain, nothing prevents a threat actor from registering any of the following variations:

  • acme.bank vs acmebank.com
  • acme.bank vs acmebank.org
  • acme.bank vs acmebnk.com
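The squatting patterns listed in the two lists above (typos and transpositions, hyphen insertion, TLD swaps, and a brand name embedded in a longer label) can be labelled mechanically before an analyst looks at a hit. The following is an added Python example, not DomainGuard’s code; the label names, the `_split` helper and the typo distance threshold of 1 are assumptions, while the brand and candidate domains are the page’s own examples.

```python
"""Classify a candidate domain against protected brand domains by squatting pattern."""
PRIORITY = ("exact", "tld-swap", "hyphenation", "typo", "brand-embedded", "unrelated")

def _split(domain):
    """Return (second-level label, TLD) of a lowercased domain; subdomains are dropped."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition: gaurd vs guard
    return d[len(a)][len(b)]

def _label_against(c_label, c_tld, brand, max_typo_distance):
    """Label one candidate against one protected domain (assumed label names)."""
    b_label, b_tld = _split(brand)
    c_flat, b_flat = c_label.replace("-", ""), b_label.replace("-", "")  # acme-bank ~ acmebank
    if c_label == b_label and c_tld == b_tld:
        return "exact"
    if c_flat == b_flat:
        return "hyphenation" if c_tld == b_tld else "tld-swap"
    if damerau_levenshtein(c_flat, b_flat) <= max_typo_distance:
        return "typo"
    if b_flat in c_flat:  # mail-outlook-office.com, popularbrand-shop.com
        return "brand-embedded"
    return "unrelated"

def classify(candidate, protected, max_typo_distance=1):
    """Return the most specific label earned against any protected domain.
    The threshold of 1 is an assumed tuning value; short brand labels make the
    substring check noisy, so 'brand-embedded' hits deserve analyst review."""
    c_label, c_tld = _split(candidate)
    labels = {_label_against(c_label, c_tld, b, max_typo_distance) for b in protected}
    return next(label for label in PRIORITY if label in labels)

if __name__ == "__main__":
    for cand in ["acmebank.org", "acmebnk.com", "acme-bank.com"]:  # the fTLD variations above
        print(cand, "->", classify(cand, ["acme.bank", "acmebank.com"]))
```

Registering acme.bank alone leaves every one of those three variations open, which is exactly what the labels make visible when only acme.bank is in the protected list.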

The general population may also be unfamiliar with seeing a .bank TLD when they are primarily used to seeing .com, so user adoption concerns should be considered.

Great, but we already use an email solution to protect us from phishing.

DomainGuard was built with integration in mind, and our domain threat results integrate with other security tools. We are the first vendor to identify the majority of the phishing sites we find, and by integrating the domain and IP-based IoCs we identify, we can offer our clients better protection.

An email monitoring solution on its own is limited to the emails your users receive. Many of the brand-related attacks we identify target the customer, not the employee, of the organization. DomainGuard has regularly identified phishing websites while they were still being developed, allowing our clients to block the site before the threat actor could even try to send an email. For specific examples of how DomainGuard identifies phishing sites as they are being developed, see our Phight Phishing page.

Solution

DomainGuard uses a combination of automated and manual analysis to regularly monitor our clients’ domains and take down malicious sites the moment they’re identified. We rely heavily on statistical models and machine learning for our detection, paired with manual analysis by our certified analysts. Our approach results in zero false positives, and our clients are only alerted when a threat is identified.

DomainGuard’s rapid takedown process is so effective that the malicious threats are usually taken down by the time our clients receive our alert notification.
