Tackling malicious domains and typosquatting


Malicious domains are domains that look genuine but are set up by attackers to steal sensitive personal information and data from unsuspecting victims. This type of crime usually employs ‘typosquatting’ techniques, which rely on user oversight.

Domains look almost identical to the real thing but use minor, altered spellings in the URL to avoid detection of their fraudulent nature. 

Once stolen, the data can be sold online and reused in a range of malicious activities; it is particularly useful for future phishing attempts and other fraud.

TechRadar Pro had a chat with David Sygula, Senior Cybersecurity Analyst at CybelAngel, to discuss why it’s time for a more coordinated response from domain registrars, ISPs, security vendors, and businesses to help take these domains down quickly and effectively.

What does a malicious domain look like and how are victims tricked? 

The appearance of a malicious domain all depends on the skills of the threat actor, but it can vary from a very bad replica to such a perfect copy it is hard to tell the difference. Common traps include cybersquatting, when someone registers, uses or sells a domain name in bad faith with the intent to profit from someone else’s trademark. These lookalike domains are designed to trick the human eye, for example replacing one letter that may go unnoticed, so ‘bank-connection’ could become ‘bank-connect1on’. Threat actors may also remove or add characters to a similar effect, ‘bank-conect’, or replace two letters that resemble one another, ‘bank-connedion’.  

Victims are often tricked because they do not pay attention to the domain name that is in front of them, whether it is a website they visit or an email they receive. At best we catch a glimpse of the domain, process a few letters that compose it, and we take that as truth. Given the number of emails the average worker receives, or websites visited in one day, it is easy to see why these oversights occur.  

It is no longer enough to simply look at the link being clicked on. Recent progress in web browsers means that new characters can now be used in domain names, thanks to the inclusion of Punycode character encoding. As a result, a lowercase ‘a’ is indistinguishable from the Cyrillic character for ‘a’. Individuals must check the URLs in their browser’s navigation bar to better understand whether websites are suspect. 

In addition to domain lookalikes, we also see malicious subdomains on the rise. Threat actors start by registering "myportal.", then create subdomains and end up with convincing phishing websites. Criminals are even able to write the brand name fully. This technique is very effective because it tends to bypass the usual security solutions. 

What trends are you seeing around how malicious domains are being used? Why are they on the rise?

Impersonating a business has never been easier. Any ill-intentioned individual can set up a copy of a website, or register a domain in order to trick customers, in a matter of minutes. According to the World Intellectual Property Organization (WIPO), the COVID-19 pandemic has fuelled an increase in cybercrime, including cybersquatting cases. 

There are a number of different types of criminal cybersquatting techniques that we observe being used on a regular basis, namely typosquatting, identity theft, name jacking and reverse cybersquatting. All of these techniques look to exploit users overlooking minor details, whether it be taking advantage of misspellings within typosquatting, or parading behind the name of a known individual through name jacking.  

We used to see malicious domains for the almost exclusive use of phishing, but over the years we have seen a diverse range of scams. Today, malicious domains are extensively used in email fraud. A common example is when an employee receives an email from their boss but does not recognise the inverted letters in the domain name revealing it to be false. We also have cases where cybercriminals register a lookalike version of a company's website, attract people, and write content that will harm the company's reputation. 

What is the impact, how does this affect people?  

Fraudulent domains hurt a business by deceiving customers, diminishing trust and reputation, and cutting into earnings. However, many trademark owners are unaware of the deceptive domains that exist for their products and services. Most of the time, the final goal for threat actors is either to steal money – directly or through the theft of credentials – or to make a company lose money because it harms reputation or draws away customers.  

But it can also be used to steal company information, for example in cases when a cybercriminal acts as a middleman between a company and their supplier. Both parties are unaware that they could be contacting a cybercriminal who simply forwards the email word for word; each party thinks they are corresponding with the other directly. The users, side victims or targets, are directly impacted by this sort of scam.

What can be done to minimise the issue of malicious domain registrations?

One solution can be to proactively buy lookalike domains, so organisations reserve them before cybercriminals do. However, this is a never-ending task – there are companies who have registered thousands of domains, yet each day new ones are spoofed. Companies need to have a cybersecurity solution that prevents fraudulent domain names, by automatically detecting their creation before it is maliciously used – especially when it comes to subdomains. Machine learning can be used to identify sensitive data leaks, including hijacked domains.  

Malicious computers can place themselves between an individual and a server, intercepting their communications, especially when using public Wi-Fi. To prevent this from occurring, individuals should use a secure connection to ensure that the server they are communicating with is the server they actually wish to send data to. HTTPS is a secure communication protocol that checks that you are communicating with the right server by using asymmetric encryption keys. 

As with most areas of cybersecurity, humans are the weakest link. The human element must therefore not be overlooked, as that is exactly what these scams target. Businesses must invest in training programmes to ensure that all individuals understand the risks and how to spot these malicious spoofs. It is not enough to solely rely on implemented security solutions, as threat actors are growing in confidence and sophistication each day.   
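The lookalike techniques described earlier (a swapped letter such as ‘bank-connect1on’, a dropped letter, a two-for-one substitution like ‘bank-connedion’, a Cyrillic ‘а’ hidden behind Punycode, and the brand name placed in a subdomain) and the automated detection of new registrations suggested above can be combined into a small triage script. The following is an added example written for this article, not code from CybelAngel or TechRadar. It assumes a constructed brand domain `bank-connection.example`, a hand-made subset of confusable characters (a real deployment would use the full Unicode confusables data), and treats the last two labels as the registrable domain, which is a simplification that a Public Suffix List lookup would replace. The sample feed of "newly registered domains" is constructed; the Punycode entry is produced by encoding a Cyrillic label so the `xn--` form is exact.

```python
"""Lookalike-domain triage: flag typosquats, homoglyphs and brand-bearing
subdomains in a feed of newly observed domain names."""
import unicodedata
from typing import Optional

# Constructed brand for the example; the label "bank-connection" follows the
# interview's own illustration.
BRAND_DOMAIN = "bank-connection.example"
BRAND_LABEL = BRAND_DOMAIN.split(".")[0]

# Hand-made subset of visually confusable characters (assumption: a real
# deployment would use the full Unicode confusables data, UTS #39).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",                 # multi-character lookalikes
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",    # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0455": "s",    # Cyrillic р с ѕ
    "\u0456": "i", "\u0443": "y", "\u0445": "x",    # Cyrillic і у х
}


def decode_idn(domain: str) -> str:
    """Convert Punycode labels (xn--...) to Unicode so homoglyphs are visible.
    Domains that are already Unicode, or malformed xn-- labels, come back unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(label: str) -> str:
    """Normalise a label and replace confusables with the Latin letters they
    imitate, so 'bаnk' (Cyrillic а) and 'bank' compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return a verdict for a domain that imitates the brand, or None if clean."""
    d = decode_idn(domain).lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2:
        return None
    # Simplification: the last two labels are taken as the registrable domain.
    # Real code should consult the Public Suffix List (e.g. for co.uk).
    registrable, subdomains = labels[-2], labels[:-2]
    if ".".join(labels[-2:]) == BRAND_DOMAIN:
        return None                      # the brand itself or its own subdomains
    if registrable == BRAND_LABEL:
        return "brand on another TLD"
    sk = skeleton(registrable)
    if sk == BRAND_LABEL:
        return "homoglyph"               # identical once confusables are mapped
    dist = levenshtein(sk, BRAND_LABEL)
    if dist <= max_distance:
        return f"typosquat (edit distance {dist})"
    if any(BRAND_LABEL in skeleton(sub) for sub in subdomains):
        return "brand in subdomain"      # e.g. bank-connection.myportal.example
    return None


def scan(domains) -> dict:
    """Map each flagged domain to its verdict; clean domains are omitted."""
    results = {}
    for dom in domains:
        verdict = classify(dom)
        if verdict:
            results[dom] = verdict
    return results


# Constructed sample feed, shaped like a registrar's newly-registered list.
# The Punycode entry is built from Cyrillic а so the xn-- form is exact.
SAMPLE_FEED = [
    "bank-connection.example",
    "login.bank-connection.example",
    "bank-connection.co",
    "bank-connect1on.example",
    "bank-conection.example",
    "bank-connedion.example",
    "b\u0430nk-connection.example".encode("idna").decode("ascii"),
    "bank-connection.myportal.example",
    "weather-report.example",
]

if __name__ == "__main__":
    for dom, verdict in scan(SAMPLE_FEED).items():
        print(f"{dom:45} {verdict}")
```

The order of checks matters: the exact brand domain and its own subdomains are allowlisted first, then the skeleton comparison catches homoglyphs before the edit-distance threshold is applied, and the subdomain check runs last so that a registrable domain unrelated to the brand is still flagged when the brand name appears to its left. Feeding this a daily registration list is one concrete form of the "detect creation before it is used" control the interview calls for.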
