DM Magazine July 2019

Security

Combatting look-alike domains
By Jing Xie

Cyberattackers use many methods to lure people into divulging their private information while online. One of the most effective is to register look-alike domains: names that share most of their characters with a legitimate domain. Malicious look-alike domains fool users with several techniques, including:

❯❯ The addition of extra characters to the spoofed name (e.g. “gooogle.com” for “google.com”);

❯❯ The use of homoglyphs, characters that differ from those in the legitimate domain but look identical at a glance (e.g. “retai1er.com”, with the digit one in place of the letter l, for “retailer.com”);

❯❯ The use of homophones, words with the same sound but different spellings and meanings (e.g. “new” and “knew”); and

❯❯ The use of internationalized domain names (IDNs), which allow a name to contain non-ASCII (Unicode) characters. DNS stores such names in an ASCII encoding (Punycode, recognisable by its “xn--” prefix), but browsers display the Unicode form, and in that form a look-alike can be indistinguishable from the trusted name (e.g. “аpple.com” for “apple.com”: the former begins with a Cyrillic “а”, the latter with a Latin “a”).

Threat actors make their look-alike domains appear even more authentic in two key ways. First, they build web sites that mimic their legitimate counterparts, down to the last pixel. Second, they obtain transport layer security (TLS) certificates for the look-alike names. A certificate acts as a machine identity and gives the site the browser padlock that customers (and search engines) read as a sign that a web site is safe, even though a domain-validated certificate attests only that its holder controls that domain name.

The scale of look-alike threats

To better understand the scope of this problem, Venafi analyzed the look-alike domains of the top 20 retailers in five key markets (the U.S., U.K., France, Germany and Australia) in June 2018. After discovering an alarmingly high number of look-alike domains associated with these retailers, we found that a high percentage of these domains have been validated with legitimate TLS certificates. While not all look-alike domains are malicious, many have been used with malice. Unfortunately, the legitimacy of a certificate says nothing about whether the domain serves a non-malicious purpose.
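The techniques listed above, as an added example written for this page (Python, not code from the article or from Venafi): it generates addition, homoglyph and IDN-homograph candidates for a brand domain, converts each to the Punycode form that DNS and certificate logs actually record, and flags labels that mix Unicode scripts. The homoglyph table is a constructed subset, not a complete confusables list, and the brand names are illustrative. Homophones are a vocabulary problem and are not generated.

```python
import unicodedata

# Constructed homoglyph table (an assumption for this example, not a
# complete confusables list): ASCII letters and the characters that look
# like them at a glance, including Cyrillic letters for the IDN case.
HOMOGLYPHS = {
    "a": ["\u0430"],       # CYRILLIC SMALL LETTER A, same glyph as Latin a
    "e": ["\u0435"],       # CYRILLIC SMALL LETTER IE
    "i": ["l", "1"],
    "l": ["1", "I"],
    "o": ["0", "\u043e"],  # digit zero, CYRILLIC SMALL LETTER O
}


def to_ascii(domain):
    """Return the name DNS actually resolves. ASCII labels are unchanged;
    a label with non-ASCII characters becomes its Punycode form with the
    'xn--' prefix, which is where a hidden Cyrillic letter becomes visible."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label):
    """Set of Unicode scripts used by the letters of one label, taken from
    the first word of each character's Unicode name ('LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(domain):
    """True if any label mixes scripts, the signature of an IDN homograph
    such as a single Cyrillic letter dropped into a Latin brand name.
    (A label written entirely in one non-Latin script passes this check;
    catching it needs a whole-label confusables comparison.)"""
    return any(len(scripts_in(label)) > 1 for label in domain.split("."))


def lookalikes(brand):
    """Generate candidate look-alike names for a brand domain, each mapped
    to the technique it uses: 'addition' (a repeated character, gooogle),
    'homoglyph' (an ASCII substitute such as 1 for l, retai1er) or
    'idn-homograph' (a non-ASCII substitute, Cyrillic a in apple)."""
    name, _, suffix = brand.partition(".")
    candidates = {}
    for i, ch in enumerate(name):
        candidates[f"{name[:i]}{ch}{name[i:]}.{suffix}"] = "addition"
        for sub in HOMOGLYPHS.get(ch, []):
            cand = f"{name[:i]}{sub}{name[i + 1:]}.{suffix}"
            candidates[cand] = "homoglyph" if cand.isascii() else "idn-homograph"
    return candidates


def describe(domain):
    """What a registrar, certificate log or DNS query would show for a
    candidate: the resolvable ASCII form plus the mixed-script flag."""
    return {
        "display": domain,
        "dns_name": to_ascii(domain),
        "mixed_script": is_mixed_script(domain),
    }


if __name__ == "__main__":
    for cand, technique in lookalikes("apple.com").items():
        info = describe(cand)
        flag = "  MIXED SCRIPT" if info["mixed_script"] else ""
        print(f"{technique:14} {info['display']:12} -> {info['dns_name']}{flag}")
```

The Punycode form is the one to search for in certificate transparency logs and WHOIS data, because that is the string a CA validated and a registrar recorded; the Unicode form is only what the user sees.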

The prevalence of look-alike domains of ambiguous legitimacy, and the lack of an effective means of telling their legitimacy with certainty, creates extra challenges for direct and digital marketers, especially as entire campaigns typically revolve around clickable hyperlinks. To trick consumers into visiting malicious look-alike domains, cyberattackers often craft phishing e-mails that resemble official marketing campaigns. This means marketing teams of all sizes must devise strategies to monitor, track and analyze look-alike domains, particularly those that carry certificates issued through legitimate channels. This will help protect their customers from being tricked into using phishing sites that mimic their own campaigns.

To begin, digital and direct marketing teams need to work with their companies’ IT staff to institute customer (and customer-facing employee) awareness initiatives on the risks posed by these look-alike domains. Not only would such initiatives help prevent customers from becoming victims of suspicious domains, but they also demonstrate an organization’s concern for the well-being of its customers. This is a great way to encourage safe practices, persuade more people to participate in future campaigns and, ultimately, increase revenues.

Depending on the scenario, you can then follow these recommendations to minimize the risks posed by suspicious look-alike domains that have a high chance of being malicious:

❯❯ Search for and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous web sites. You can report a domain at https://safebrowsing.google.com/safebrowsing/report_general/;

❯❯ Report suspicious domains to the Anti-Phishing Working Group (APWG). The APWG is an international volunteer organization that focuses on limiting cybercrime perpetrated through phishing. You can report a suspicious domain at https://www.antiphishing.org/report-phishing/, or send an e-mail to reportphishing@apwg.org;

❯❯ Add Certificate Authority Authorization (CAA) records to the domain name system (DNS) zones of your domains and subdomains. CAA is a DNS record type (RFC 6844) that lets a domain owner state which certificate authorities (CAs) may issue certificates for that name. Its property tags (“issue”, “issuewild” and “iodef”) tell CAs that the domain owner obtains certificates only from the named sources, and where to report a refused request. For example, if an organization names a specific CA such as Comodo, any other CA that checks the record must treat a certificate request for that domain as unauthorized and refuse to issue. Two caveats apply. CAA constrains issuance only for names you control: it prevents mis-issuance for your own domain and subdomains, but it has no effect on a look-alike domain that the attacker registered and controls. And its protection depends on CAs honouring the record; publicly trusted CAs have been required to check CAA since September 2017 under the CA/Browser Forum Baseline Requirements, adoption continues to grow, and your organization will see the benefit of adding CAA to its DNS records over time; and

❯❯ Leverage software packages to search for suspicious domains. If you already use copyright infringement software to stop unauthorized use of your logo or brand, check whether it also provides anti-phishing functionality. Many of these packages seek out and compile suspicious domains that, because they mimic your web site, fall under copyright infringement and may be shut down through legal action based on laws such as the U.S. Digital Millennium Copyright Act.
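The CAA check described in the recommendations above, as an added example written for this page (Python, not code from the article or from Venafi): a small model of how a CA evaluates CAA records before issuing, using the lookup climb from RFC 6844 and the issue, issuewild and iodef tags. The zone data, domain names and CA names (example.com, examp1e.com, letsencrypt.org, digicert.com, sectigo.com) are constructed for the example. It also demonstrates the two caveats: a subdomain with any CAA record of its own, even only an iodef, stops inheritance from the parent, and a look-alike domain the attacker controls is untouched by the brand's records.

```python
# Constructed zone data (an assumption for this example): owner name ->
# list of CAA records as (flags, tag, value). example.com stands in for
# the brand; examp1e.com is a look-alike the attacker registered.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),                        # ";" alone: no wildcard certs from any CA
        (0, "iodef", "mailto:security@example.com"),  # where CAs report refused requests
    ],
    "shop.example.com": [],                           # no CAA of its own: inherits example.com
    "files.example.com": [(0, "iodef", "mailto:security@example.com")],
    "examp1e.com": [],                                # attacker's look-alike: no CAA at all
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flag bit: a CA that does not understand the tag must not issue


def caa_lookup(name, zone=ZONE):
    """RFC 6844 lookup: walk from the name towards the root and return the
    first non-empty CAA record set. Any CAA record at a closer name, even
    a lone iodef, ends the walk and hides the parent's issue restrictions."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_permitted(name, ca, wildcard=False, zone=ZONE):
    """Decide whether the CA identified by `ca` (its CAA domain, e.g.
    letsencrypt.org) may issue for `name`, or for *.name when wildcard."""
    rrset = caa_lookup(name, zone)
    # An unknown tag marked critical forbids issuance outright.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # issuewild governs wildcard requests and falls back to issue when absent.
    wanted = "issuewild" if wildcard else "issue"
    relevant = [v for _, tag, v in rrset if tag == wanted]
    if wildcard and not relevant:
        relevant = [v for _, tag, v in rrset if tag == "issue"]
    if not relevant:
        return True  # no issue/issuewild property: any CA may issue
    # Parameters after ";" (e.g. validationmethods) are stripped; ";" alone
    # yields an empty CA name, which matches nobody.
    allowed = {v.split(";", 1)[0].strip() for v in relevant}
    return ca in allowed


def report_address(name, zone=ZONE):
    """Where a CA should send a report about a refused request, if anywhere."""
    for _, tag, value in caa_lookup(name, zone):
        if tag == "iodef":
            return value
    return None


if __name__ == "__main__":
    for n, ca, wc in [("example.com", "sectigo.com", False),
                      ("shop.example.com", "letsencrypt.org", False),
                      ("example.com", "letsencrypt.org", True),
                      ("files.example.com", "sectigo.com", False),
                      ("examp1e.com", "sectigo.com", False)]:
        print(f"{'*.' if wc else ''}{n:22} {ca:16} permitted={ca_permitted(n, ca, wc)}")
```

The last two cases are the ones to watch: files.example.com publishes only an iodef and thereby re-opens issuance to every CA, and examp1e.com is simply outside the brand's zone, so CAA cannot stop a certificate for it. Monitoring certificate transparency logs for look-alike names is the control that covers that gap.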

Finally, consider investing in a more comprehensive security suite. Most of the recommendations above address what to do once you have discovered a look-alike domain that abuses your brand for phishing. But how do you find these sites as they pop up? As mentioned earlier, copyright infringement software can help with this. However, organizations benefit when they approach the search from a security perspective, not just a copyright standpoint.

Direct marketing can exist entirely online. Every time someone clicks a link in your campaign, that is a win for your organization’s bottom line. By watching out for malicious look-alike domains, you are making sure that your online presence is guarded and your reputation is protected. For more information on look-alike domains and what you can do to protect yourself, please visit https://www.venafi.com/resource/Venafi-Research-Brief-The-Risk-Lookalike-Domains-Pose-to-Online-Retailers.

Jing Xie is senior threat intelligence analyst, Venafi (www.venafi.com).

