The Lurking Threat of Typo-Squatting Domains: An Urgent Call for Detection and Monitoring

TiiTcHY
9 min read · Jul 10, 2023


In the realm of Digital Risk Protection (DRP), a persistent and often underestimated threat lies in the simple mistyping of a domain name, a phenomenon known as “typo-squatting”. This practice involves the registration of domain names closely resembling those of popular websites or brands, with the intent to deceive users who inadvertently mistype the URL; for example, instead of typing “google.co.uk” the user types “gogle.co.uk” or “goole.co.uk”. The mistype could be due to the speed at which the user is typing, or because they are focusing on something else while trying to access the site. However, it can have serious consequences, as an attacker could already have registered these domains and be hosting malicious content there. They could be looking to carry out drive-by downloads, credential harvesting or social engineering.

Typo-squatting is not a new tactic, but its importance has grown as cybercriminals continue to evolve and refine their strategies. It is a key component of many phishing campaigns, where attackers aim to steal sensitive information by mimicking legitimate websites. Unfortunately, its effectiveness is driven by a simple reality: humans make mistakes, and a single typo can lead to a significant security breach.

Cybercriminals are opportunistic and often exploit these mistyped domains for malicious activities, such as the distribution of malware, phishing, or even espionage. The danger is not only for individual users who might fall prey to scams, but also for organisations that may see their data compromised if an employee accidentally accesses or sends information to a typo-squatted domain.

What is Typo-Squatting?

Typo-squatting, also known as URL hijacking or domain mimicking, is a type of cybersquatting where malicious actors register domains that are similar to popular websites but contain common typographical errors. Internet users who inadvertently type these misspelled URLs are led to malicious sites that might appear legitimate but are actually designed to steal sensitive data or infect the user’s device with malware.

The Rising Threat of Typo-Squatting

The sophistication and prevalence of typo-squatting have increased significantly over the years, making it a potent threat in the digital landscape. Cybercriminals are leveraging Artificial Intelligence (AI) and Machine Learning (ML) to identify high-value typo-squatting targets and create more convincing fake websites.

The growing reliance on digital platforms for banking, shopping, communication, and other essential services has expanded the potential victim base for these attacks. The COVID-19 pandemic has further intensified this risk, with an upsurge in online activity leading to an increase in typo-squatting attacks targeting remote workers and online shoppers.

The Insider Threat and Data Leakage

Typo-squatting presents a significant risk not only from external threats but also enables insider threats, making it essential to consider both aspects. Employees, either through deception or error, could unintentionally access typo-squatted domains and input sensitive data, providing cybercriminals with valuable information. This could lead to considerable data leakage and result in financial loss and reputational damage. In more sophisticated typo-squatting attacks, specific employees within an organisation might be targeted to gain access to critical internal systems. This could lead to severe breaches, such as service disruptions, theft of intellectual property, or espionage. In worst-case scenarios, an employee might even collude with external threat actors, deliberately using typo-squatted domains as part of a larger data exfiltration scheme. Therefore, if an organisation’s data is sent to or accessed from a typo-squat, it could indicate a larger insider threat issue.

It’s important to note that a user might not access a typo-squat domain via a web browser; they might instead accidentally mistype the domain within an email address. If a user is sending sensitive data to a colleague, third party or supplier but mistypes the domain, an attacker might now have access to that data. Although this is accidental and the user did not mean to send the data to the typo-squat domain, an investigation should be carried out for potential data leakage. One step to prevent this from happening is to put a block in place for all typo-squat variations of your own domain and of third-party domains, to help stop users sending data to mistyped domains.

The Need for Proactive Monitoring

Given the scale and severity of the typo-squatting threat, organisations must proactively monitor and detect potential typo-squatted domains. This process involves implementing a system that continuously scrutinises domain registrations to identify any new domains closely resembling the organisation’s own or those of its partners. This can be done with a third-party solution or an open-source tool like the ones I will be talking about further in this article. Early detection of typo-squatted domains can help mitigate potential risks. Machine learning-based tools can be particularly effective in analysing large volumes of domain data and identifying potential threats with high accuracy. Once a potential typo-squatting domain is detected, security teams can take steps to neutralise the threat, such as initiating legal action to take down the offending domain, issuing public warnings about the malicious site, or implementing technical measures to block these domains at the network perimeter, reducing the chances of accidental access. Alongside these external measures, internal controls are equally crucial. Data Loss Prevention (DLP) solutions can help detect and block the transmission of sensitive information outside the network, while User and Entity Behaviour Analytics (UEBA) can spot unusual user activity, potentially flagging interactions with typo-squatted domains.

Analysis

Although there are paid solutions for typo-squat detection, such as Digital Shadows and Recorded Future, I will mainly be focusing on free open-source platforms such as CIRCL Typo-Squat, DNSTwist and other tools.

As part of ongoing improvements, I’ve been focused on typo-squatting domains to help detect potential phishing attacks and brand impersonation. CIRCL have released a new typo-squatting detection tool (https://typosquatting-finder.circl.lu/) which also handily features an API and a MISP feed. This activity stemmed from domains being missed by both paid and free solutions.

An API (Application Programming Interface) is a set of rules and protocols that allows different software applications to communicate and interact with each other. It defines the methods, data formats, and authentication mechanisms that enable seamless integration and exchange of information between software systems. MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that enables the sharing, collaboration, and analysis of security-related data, including indicators of compromise (IOCs), threat intelligence, and cybersecurity incidents, among trusted organisations and communities.

At the time of writing this article, a comparison was carried out between two open-source tools, DNSTwist and CIRCL, using the domain “google.co.uk”. DNSTwist detected 337 permutations of the domain, of which 91 were found to be registered. CIRCL detected a total of 10476 permutations, of which 781 were registered. This is an increase of 3008.6% in permutations identified and of 758.2% in registered domains. The performance of these tools ultimately stems from the breadth of algorithms used, so I have compared and contrasted a number of popular open-source options and documented the results below. With the backing of Circl.lu, Typosquatting Finder appears the most adept at providing a dataset for the respective courses of action (CoAs). I have raised the feature gaps you see below with CIRCL for resolution, to further assist in detecting the acquisition of domain infrastructure (T1583.001).

The below table provides an overview of various typo-squatting techniques and the tools that can detect each technique. An ‘X’ shows that the tool is capable of carrying out the algorithm, a ‘P’ shows that the tool can only partly carry out the algorithm, and a ‘-’ shows that the tool is unable to carry out that algorithm.
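To make the algorithm comparison above concrete, and to show how the email-side block discussed earlier can be built, here is an added example (not code from CIRCL, DNSTwist or the author) that generates typo variants of a domain with four of the common algorithms and screens recipient domains from a constructed outbound mail log against them. The QWERTY adjacency map and the sample recipients are assumptions constructed for illustration.

```python
"""Typo-squat permutation generator and outbound-mail screen (added example)."""
from __future__ import annotations

# Partial QWERTY adjacency map (constructed for illustration; extend as needed).
QWERTY_NEIGHBOURS = {
    "g": "fhtbvy", "o": "ipkl", "l": "kop", "e": "wrds", "a": "qswz",
    "i": "uojk", "u": "yihj", "n": "bmhj", "c": "xvdf", "m": "njk",
}


def permutations(domain: str) -> set[str]:
    """Typo variants of the first label of *domain* using four of the
    algorithms the tools in this article implement: character omission,
    adjacent transposition, character repetition and adjacent-key replacement."""
    label, _, suffix = domain.lower().partition(".")
    tail = f".{suffix}" if suffix else ""
    variants: set[str] = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                    # omission: gogle, goole
        variants.add(label[:i] + ch + label[i:])                   # repetition: gooogle
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: gogole
        for key in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + key + label[i + 1:])          # replacement: foogle
    variants.discard(label)                                        # the legitimate name is not a typo
    return {v + tail for v in variants if v}


def screen_recipients(protected: list[str], recipient_domains: list[str]) -> dict[str, str]:
    """Map each recipient domain that is a typo of a protected domain to the
    domain it resembles; a mail blocklist or DLP rule can be built from the keys."""
    lookup = {v: dom for dom in protected for v in permutations(dom)}
    return {r: lookup[r.lower()] for r in recipient_domains if r.lower() in lookup}


# Constructed sample: recipient domains pulled from an outbound mail log.
SAMPLE_RECIPIENTS = ["google.co.uk", "gogle.co.uk", "goole.co.uk", "partner.example", "googel.co.uk"]

if __name__ == "__main__":
    hits = screen_recipients(["google.co.uk"], SAMPLE_RECIPIENTS)
    print(f"{len(permutations('google.co.uk'))} variants generated")
    for typo, legit in sorted(hits.items()):
        print(f"ALERT outbound mail to {typo} resembles {legit}")
```

Feeding the generated set to a DNS resolver or WHOIS lookup is how tools such as DNSTwist separate registered domains from the full permutation list; that network step is left out here so the example runs offline.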

MITRE ATT&CK

Typo-Squat Domains have links to the following MITRE ATT&CK Techniques:

· Acquire Infrastructure: Domains — T1583.001

· Phishing — T1566

· Phishing: Spearphishing Link — T1566.002

· Phishing for Information — T1598

· Phishing for Information: Spearphishing Link — T1598.003

· Valid Accounts — T1078

· Steal Web Session Cookie — T1539

· Stage Capabilities: Link Target — T1608.005

· Compromise Infrastructure: Domains — T1584.001

· Stage Capabilities: Drive-by Target — T1608.004

· Compromise Infrastructure: Web Services — T1584.006

Previous Incidents

Here are a few instances where typo-squatting domains have been involved in cyber-attacks:

· Goggle: in the mid-2000s, a typo-squatted version of Google known as “Goggle” was the subject of a web safety promotion by McAfee. The site was notorious for installing significant amounts of malware through drive-by downloads when accessed. Eventually, the URL redirected to Google, and later checks revealed it redirected users to adware pages. A 2020 attempt to access the site via a private DNS resolver hosted by AdGuard resulted in the page being identified as malware and blocked for the user’s security. By mid-2022, it had been turned into a political blog.

· Yuube: This is another example of corporate typo-squatting that targeted YouTube users. The URL was programmed to redirect to a malicious website or page asking users to add a “security check extension,” which was malware.

· Arifrance: The official Air France website was typo-squatted by “arifrance.com,” which redirected users to a website selling discount travel. This typo-squat now redirects to a warning from Air France about malware.

· NPM Packages: a widespread software supply chain attack involving malicious JavaScript packages offered via the npm package manager. The threat actors behind the IconBurst campaign used typo-squatting to mislead developers looking for very popular packages. In this case, the attackers offered up packages via public repositories with names very similar to legitimate packages like umbrellajs and packages published by ionic.io.

Example Workflow

Example workflow for handling Typo-Squat domains

Monitoring and Discovery: This is the first step in the workflow where the Security Operations Centre (SOC) team continuously monitors for potential typo-squatting domains that could be impersonating the organisation’s brand or domain.

Initial Analysis: If a potential typo-squatting domain is discovered, an initial analysis is conducted to understand the nature of the domain, how closely it resembles the organisation’s legitimate domain, and the content it hosts.

Risk Assessment: After the initial analysis, a risk assessment is carried out to determine the severity of the threat. This includes assessing the potential impact on the organisation, its brand, and its customers.

Evidence Gathering: If the domain is assessed to be a high risk, the team proceeds to gather more detailed evidence. This can include capturing screenshots, collecting WHOIS data, and documenting any malicious activity associated with the domain.

Prevention: Next, the team implements preventive measures. These could include technical countermeasures like blocking the domain at the network level, or operational countermeasures like informing employees and customers to avoid the domain.

Reporting: The potentially malicious domain is reported to the relevant authorities. This could include the domain registrar, hosting provider, or law enforcement agencies.

Legal Action: Depending on the severity of the threat and the applicable laws, the organisation might consider initiating legal action against the domain owner.

Customer Communication: The organisation informs its customers about the threat and advises them on how to stay safe. This could involve sending out alerts or updating the security advice on the organisation’s website.

Review and Lessons Learned: Finally, the SOC team reviews the incident, identifying what went well, what could be improved, and what lessons can be learned for the future. The insights gained from this review are then used to improve the ongoing monitoring and discovery process.

The above flowchart represents a continuous cycle where the lessons learned from dealing with one incident are used to improve the monitoring and response to future incidents.

Conclusion

In today’s evolving cyber threat landscape, the increasing sophistication of threats such as typo-squatting underscores the importance of robust cyber threat intelligence and presents a significant risk that organisations cannot afford to ignore. By taking a proactive approach and investing in advanced monitoring tools, both externally and internally, organisations can protect their critical data, maintain their reputation, and ensure the trust of their customers and partners. Moreover, promoting cybersecurity awareness among staff and educating employees about the dangers of typo-squatting can significantly reduce their risk and ensure they don’t fall victim to this subtle yet dangerous form of cyberattack. Remember, every typo, every click, and every piece of information entered counts in the digital era, and it’s our collective responsibility to ensure they don’t count against us. Understanding the threats we face and taking action to mitigate them is crucial in this digital age.

References

· TypoSquat-Domain-Comparison

TiiTcHY

Experienced CTI analyst in UK financial services with 6+ years experience. Previously in incident response, now focused on Cyber Threat Intelligence and OSINT.