Large corporations like Apple and Microsoft know that their brand is abused in all sorts of ways to prey on their customers. Domain typosquats, 1:1 lookalike phishing web pages, phishing emails and more, lure innocent users into giving up credentials and money. 

We're sure you have thought about this before, and a first concern is usually your customers. Are they being lured into some scam using your name? This happens practically every day to large companies like PayPal and FedEx. But aside from phishing your customers, have you taken into consideration that these malicious domains are also phishing your employees?


A real company, some real lookalike domain abuse

Recently, a large industrial company asked our Security Research Team to analyze their network activity. The company suspected that state-sponsored cyber attackers were trying to penetrate their network. Our analysts found communication attempts from inside their own network, as well as from customer IPs, to a domain pretending to be theirs (the same domain string as their website but with a different TLD). To illustrate this using Microsoft purely as an example, it would be like seeing machines from inside the Microsoft HQ network communicating with Microsoft[.]co instead of Microsoft[.]com*.

Visualization of suspicious traffic discovered by our team, using example data.

Interestingly, in the case of our research project, the network was not only communicating with the company's lookalike domain, but also with other known malicious domains hosted on the same IP. This leads us to believe that the IP is owned by cyber attackers trying to target the company in question.


How to prevent targeted, brand-based network breaches

At ThreatSTOP, users have the option of creating their own custom user-defined blocklists (UDLs). These lists get instantly propagated to their ThreatSTOP IP or DNS firewall product. That's in addition to ThreatSTOP blocklists made up of 800+ threat intelligence sources, which defend customers from both the industry's most urgent concerns and from threats unique to their own enterprise. We're investigating adding a new feature for protection from typosquatted domains, and we'd like to know what you think (feel free to let us know by commenting below).

ThreatSTOP supports highly customizable DNS (RPZ) responses, and using RPZ, we can rewrite any FQDN to any other FQDN. Using our Typosquat Protection Feature, ThreatSTOP customers will be able to create custom UDLs with all possible typosquatted permutations of their most commonly used domains, including their own business domain. Users can collect all suspicious domains derived from their original, legitimate input domains using the dnstwist phishing domain scanner, and also identify which of those domains have actually been registered. Once a customer UDL is created, ThreatSTOP will map all traffic attempting to reach the domain permutations over to the one legitimate domain, saving potential victims from typosquats serving phishing and malware.
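The workflow above has three parts: generate the permutations of a legitimate domain, look for internal hosts that already talk to them (the finding described in the research section), and publish RPZ local data that answers each permutation with the legitimate name. The following is an added example illustrating all three, not ThreatSTOP's or dnstwist's own code. The permutation rules are a small constructed subset of what dnstwist implements, the query-log format and the hosts in it are constructed sample data, the RPZ zone name rpz.local is a placeholder, and the registration check takes an injected lookup function rather than querying DNS itself.

```python
"""
Added example (not ThreatSTOP's or dnstwist's code): typosquat permutations of
one legitimate domain, detection of queries to them in constructed DNS query
logs, and RPZ local-data records that rewrite each permutation to the
legitimate name (RPZ answers with a CNAME to the rewrite target).
"""

# Constructed tables: a small subset of the homoglyph and TLD-swap rules dnstwist uses.
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}
ALT_TLDS = ["co", "cm", "om", "net", "org", "biz"]


def split_domain(domain):
    """'acme.com' -> ('acme', 'com'). Multi-label suffixes such as co.uk are out of scope."""
    label, _, tld = domain.lower().strip(".").partition(".")
    return label, tld


def omissions(label):
    """Drop one character: 'acme' -> 'cme', 'ame', 'ace', 'acm'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label):
    """Swap two adjacent characters: 'acme' -> 'came', 'amce', 'acem'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}


def repetitions(label):
    """Double one character: 'acme' -> 'aacme', 'accme', 'acmme', 'acmee'."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def homoglyphs(label):
    """Replace one character with a look-alike digit from HOMOGLYPHS: 'acme' -> '4cme', 'acm3'."""
    return {label[:i] + HOMOGLYPHS[c] + label[i + 1:] for i, c in enumerate(label) if c in HOMOGLYPHS}


def permutations(domain):
    """All candidate typosquats of `domain`, excluding the legitimate name itself."""
    label, tld = split_domain(domain)
    variants = omissions(label) | transpositions(label) | repetitions(label) | homoglyphs(label)
    candidates = {f"{v}.{tld}" for v in variants if v}
    candidates |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    candidates.discard(f"{label}.{tld}")
    return sorted(candidates)


def registered(candidates, lookup):
    """Keep the candidates that `lookup(name)` reports as resolving. Inject a real
    resolver (e.g. a socket.gethostbyname wrapper) for live checks; tests inject a stub."""
    return [c for c in candidates if lookup(c)]


def lookalike_queries(log_lines, candidates):
    """Return (client_ip, qname) for query-log lines whose qname is a candidate or a
    subdomain of one. Assumed line format: '<date> <time> client <ip> query: <qname> IN <type>'."""
    wanted = set(candidates)
    hits = []
    for line in log_lines:
        parts = line.split()
        if "query:" not in parts:
            continue
        qname = parts[parts.index("query:") + 1].lower().rstrip(".")
        client = parts[parts.index("client") + 1] if "client" in parts else "?"
        if qname in wanted or any(qname.endswith("." + c) for c in wanted):
            hits.append((client, qname))
    return hits


def rpz_records(legit_domain, candidates, rpz_zone="rpz.local"):
    """RPZ local-data records: a CNAME to the legitimate name rewrites the answer.
    The wildcard entry covers subdomains such as www.acme.co. Zone name is a placeholder."""
    lines = []
    for c in candidates:
        lines.append(f"{c}.{rpz_zone}. CNAME {legit_domain}.")
        lines.append(f"*.{c}.{rpz_zone}. CNAME {legit_domain}.")
    return lines


# Constructed sample query log: one internal host reaching a TLD swap, one a homoglyph.
SAMPLE_LOG = [
    "2024-03-01 09:12:01 client 10.0.0.5 query: acme.com IN A",
    "2024-03-01 09:12:09 client 10.0.0.5 query: www.acme.co IN A",
    "2024-03-01 09:13:44 client 10.0.0.9 query: acm3.com IN A",
    "2024-03-01 09:14:02 client 10.0.1.7 query: example.org IN A",
]

if __name__ == "__main__":
    cands = permutations("acme.com")
    for client, name in lookalike_queries(SAMPLE_LOG, cands):
        print(f"ALERT internal client {client} queried lookalike {name}")
    print("\n".join(rpz_records("acme.com", cands)))
```

The detection step matches subdomains as well as exact names, since a lookalike used for phishing is usually reached as www or mail under the squatted domain; the RPZ wildcard record covers the same case on the blocking side. Feeding the whole permutation set into the rewrite, rather than only the registered subset, matches the page's approach of remapping every permutation to the legitimate domain, while the registration check remains useful for prioritising what to investigate.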

* Large corporations usually purchase many possible spinoffs and typosquats of their legitimate domains to minimize the risk of targeted attacks and phishing. But aside from the most popular industry leaders, most businesses do not have the resources, or the awareness, to buy all the domains. There are, after all, now over a thousand top-level domains; combined with potential typosquats, this results in thousands of possibilities, so buying all of them is next to impossible. Cyber attackers therefore check which domains have not been claimed and purchase them.