How to Detect Look-alike Domain Registrations

Malicious domains are attributed to a wide variety of cyber attacks capable of undermining a brand’s credibility. A spoofed domain is easy and quick to create, and can act as the catalyst for malicious email campaigns and phishing sites. In order to detect and action domain threats targeting your organization, security teams need to implement mature and progressive processes for collection and curation.
There are a massive number of suspicious domains across the threat landscape and bad actors are increasingly enhancing look-alike domains to promote their trustworthiness. Among the methods used to evade detection include the growing use of SSL certificates for phishing sites. In Q2, almost
80% of sites were recorded abusing this security feature. 
In order to effectively protect against the high volume and growing sophistication of suspicious domains, security teams need to source and develop domain intelligence to identify potential threats and compile sufficient evidence for takedown. 
Collecting Domain Intelligence
Ongoing visibility into newly registered and existing domain registrations is necessary in order to proactively identify unauthorized domains. There are multiple different sources security teams may use that aid in detection:
  • TLD zone files list every active, registered domain for that specific TLD created on a daily basis.
  • Secure Socket Layer (SSL) certificate transparency logs present domains, subdomains, and so on for the millions of new SSL certificates issued daily. 
  • DNS traffic contains domain names being queried and can be monitored for new domains.
  • DNS queries can be performed using look-alike variations of legitimate domains to see if variations currently exist.
Intelligence collected from these sources produces massive amounts of domain data and enables security teams to identify a wide variety of domain threats. Using these resources also increases the speed of domain threat detection. In order for collection to be effective, security teams should continuously monitor for indicators of domain impersonation.
Curating Domain Intelligence
In order to differentiate from the false positives and identify real domain threats, collected intelligence should be analyzed through a combination of automation and human experts. Domain strings often unintentionally contain related terms and analysts need to examine keywords as well as variations to determine a potential threat versus a false positive. There are three steps to effectively analyzing domain intelligence:
  1. Review domain feeds and score each item based on severity
  2. Review each result
  3. Categorize the domain
Key indicators that reveal whether a domain is a threat:
The Domain String
Analysts need to look at whether there are letters or symbols that would confuse an end user as well as how closely it matches keywords. After it is examined, the domain string should be scored based on its likelihood of being a legitimate threat. 
The Content
Analysts should also examine the content on related pages. Factors that determine whether or not a domain is suspicious include the presence of data as well as whether it appears to be related to a legitimate brand. Often it is not clear if the content is associated with the domain, and must be reviewed further by the appropriate business functions. 
If either the domain string or content establishes the domain as suspicious, security teams should actively review all data related to the domain for any element that suggests malicious activity. In addition, security teams need to verify whether or not the domain contains a Mail Exchanger (MX) Record. This specifies which mail servers accept email for the domain and can be used for Business Email Compromise (BEC) attacks, email phishing and spam campaigns. 
There are a wide range of methods malicious domains can be used to damage an organization, and as threat actors enhance evasion techniques, it becomes critical that security teams are able to rapidly identify and gather evidence on threats. Adopting comprehensive collection and curation measures is key to efficiently moving forward with mitigation of domain threats. 
Additional Resources:

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Stacy Shelley. Read the original post at: