Your website is an extension of your business, and your domain name represents that online presence by providing your visitors with an easy way to connect with your business whenever they want.
Domain impersonation attacks have been around for a long time, but have seen a resurgence as of late as discussed in Forta’s 2023 Domain Impersonation Report. According to Forta, earlier this year the average brand was targeted by 39.4 look-alike domains per month. That jumped 120% from May to June of 2023 with the average brand being targeted by 73.75 look-alike domains.
What are Domain Impersonation Threats?
Domain impersonation attacks can take many forms. Let’s take a look at a couple of the ways that threat actors use domain impersonation attacks.
E-mail Spoofing
Threat actors may register a look-alike domain name and use it to send malicious e-mail to employees, vendors, and even clients of your organization. A look-alike domain may not be easily identified as fraudulent by an individual who receives an e-mail that appears to be from a familiar sender.
Domain impersonation is a common technique used in business e-mail compromise and social engineering attacks.
Website Spoofing
A look-alike domain name may also be used be threat actors to create a website branding in order to trick an individual into providing information or downloading a possible malicious file purporting to be from your organization.
A common example of website spoofing is often seen in phishing attacks where a threat actors creates an exact replica of a website for a banking or cloud provider.
Domain Impersonation Techniques
When a threat actor uses domain impersonation in order to impersonate a legitimate brand they have several techniques at their disposal that help them produce very realistic impersonation domains. Here are techniques that are used to do this.
Homoglyph – A homoglyph is a set of characters or shapes that appear identical, but have distinctly difference meanings. A very simple example of a homoglyph is the digit 0, and the capital letter O. Using other encoding sets, such as Unicode and Punycode, a homoglyph can come in many forms.
Hyphenation – Threat actors may be able to purchase a similar domain to your organization by simply adding a hyphen or two to the name. (i.e. rogue-security.ca)
Insertion – By inserting an additional character, a domain name may be completely different, but difficult to identify. (i.e. roguesecuritys.ca)
Replacement – Replacement involves replacing a character in the domain name with something different to produce a different domain name. (i.e. roguesecurily.ca)
Repetition – By using repetition of characters, a threat actor is simply repeating similar characters in the legitimate domain name to create a domain name that looks similar. (i.e. roguesecuriity.ca)
Omission – Omission is a technique whereby the threat actor removes a character from the legitimate domain now allowing them to create an entirely different domain (i.e. rogusecurity.ca)
Vowel Swapping – Vowel swapping is a technique whereby a threat actor will swap vowels in the domain name, and even though the domain is different, a quick scan by the naked eye will recognize that all of the characters are correct, but may not be in the right order. (i.e. rogeusecurity.ca)
Domain Impersonation Security
Now that we have a good understanding of what domain impersonation attacks are, and what they can look like. Let’s talk about how to protect your brand from these types of attacks.
- Inventory every domain registered by your organization. This can be a useful list to place in your various security tools to help identify good domains from bad domains.
- Use security DNS specifications including SPF, DKIM, and DMARC to enhance e-mail security.
- Ensure that domain impersonation training is a part of your security awareness program. Help your employees recognize what domain impersonation attacks look like.
- Using tools like DNSTwist or openSquat, you can identify and monitor look-alike domains.
Let’s take a closer look at DNSTwist and how they can be used to identify and monitor look-alike domain names.
DNSTwist
dnstwist is an open source tool developed in Python that allows you to find possible lookalike domains using various techniques to identify permutations of your domain name. DNSTwist allows you to generate a list of domains that might be used by threat actors to perform phishing attacks and other malicious activities using your brand.
Setting Up DNSTwist
Prerequisites
DNSTwist is a Python3 script, so the first thing we need to do is install Python3. I prefer to create virtual environments for each of my Python tools.
$ sudo apt install python3.10 python3.10-dev python3.10-venv python3-pip
I will be installing to ~/Tools/. Let’s create the virtual environment.
$ mkdir ~/Tools/DNSTwist
$ cd ~/Tools/DNSTwist
$ python3.10 -m venv venv
Installing DNSTwist
Conveniently, DNSTwist is available to be installed from PIP. Let’s activate our Python virtual environment first.
$ source ~/Tools/DNSTwist/venv/bin/activate</blockquote>
You’ll know that this succeeds if your command line is updated with the (venv) prefix.
Install DNSTwist with PIP.
(venv) $ pip install dnstwist[full]
You can also install the bare minimum requirements as well as customize your installation by changing the options specified in brackets.
Bare minimum installation:
(venv) $ pip install dnstwist
Using DNSTwist
DNSTwist contains various functionality for finding domain impersonations. Use the --help
option to view the entire list of options available.
(venv) $ dnstwist --help
usage: dnstwist [OPTION]... DOMAIN
Here is an example of running DNSTwist to identify domain names similar to roguesecurity.ca
, and that are registered. The --mxcheck
option will return MX records associated with any domains identified, and the --banners
option returns HTTP and SMTP service banners.
(venv) $ dnstwist --registered --mxcheck --banners roguesecurity.ca
Review the returned list, and if anything looks suspicious you can take action.
Conclusion
Domain Impersonation threats are a real risk to organizations small and large. A Domain Impersonation attack involves registering a domain name in order to impersonate an organization or brand. Some techniques used to create impersonated domains include homoglyph, insertion, omission and hyphenation. Protecting your organization from these types of threats is a matter of understanding your attack surface (the domains that you own), and the threat landscape (using a tool like DNSTwist). Training employees in identifying domain impersonation attacks should be a key piece of your security awareness program.