Domain-squatting: How to Keep a Look Out for Fraudsters
Have you ever mistyped a URL into your browser and landed on a very suspicious-looking site? If so, congratulations, you now know what simple domain squatting (also known as cybersquatting) looks like.
This practice ranges widely in severity and impact, from merely holding a domain name for ransom to complete impersonation and fraud. Simply put, domain squatting is registering a domain in bad faith in order to trade on, or cause harm to, someone else's name or brand. Ever wonder why “google.net” redirects to “google.com”? It is to deny those names to attackers, so that users who mistype or guess the address never land anywhere else.
The simplest and most common form is swapping the top-level domain (TLD), for example replacing “.com” with “.co” or “.net”. (Strictly, “.co” is a country-code TLD rather than a gTLD, but the trick works the same way.) Users who reach your site by clicking links rarely inspect the TLD, and the swap is even harder to spot if your real domain does not use “.com”. With well over 1,300 TLDs now delegated, the attacker has plenty to choose from. The next level of craft is character substitution or string addition. Instead of “google.com” it may be “g00gl3.com”, in the hope that the reader does not notice the slightly different characters. (Which, incidentally, leads to a humorous site, seen below.) Some attackers go further and add rather benign-looking strings to the name; these are hard to predict, so they slip past simple blocklists. Instead of “yourbank.com” it may be “payments-yourbank.com”, which to many people looks perfectly legitimate.
Now that you know what domain squatting is, the next step is learning how to detect it. If you have the budget, many companies sell tools or monitoring services; if you don't, or want to keep costs low, there are plenty of open-source options. A good one is OpenSquat, a free Python tool that checks newly registered domains for a large variety of look-alike names, phishing sites and other issues. This blog has an easy-to-use guide on getting started with OpenSquat. There is also a tool that specifically checks for similar names on Office 365 infrastructure, since those do not appear in DNS requests and are missed by DNS-based monitoring.
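As an added example (not code from this page or from OpenSquat), the following Python script generates the three kinds of look-alike described above (TLD swap, character substitution, benign string addition) for a brand domain, then flags matches in a constructed feed of newly registered domains. The substitution table, affix list, similarity threshold and the sample feed are all assumptions chosen for illustration; a real feed would come from a zone file or certificate-transparency logs.

```python
# Added example (not OpenSquat's code): generate look-alike domains for a brand
# and flag them in a feed of newly registered domains. The substitution table,
# affix list, threshold and sample feed are constructed for illustration.
from difflib import SequenceMatcher

# Character swaps attackers commonly use. Illustrative subset, not exhaustive.
SUBSTITUTIONS = {
    "o": ["0"], "l": ["1"], "i": ["1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
# Reverse map for undoing the swaps; multi-character fakes are applied first,
# and "1" is mapped back to "l" by convention (it could equally be "i").
REVERSE = {}
for _real, _fakes in SUBSTITUTIONS.items():
    for _fake in _fakes:
        REVERSE.setdefault(_fake, _real)
REVERSE = dict(sorted(REVERSE.items(), key=lambda kv: -len(kv[0])))

ALT_TLDS = ["co", "net", "org", "info", "biz", "xyz", "top", "online"]
AFFIXES = ["payments", "secure", "login", "support", "account", "verify"]


def split_domain(domain):
    """'yourbank.com' -> ('yourbank', 'com'). Simplified: multi-label public
    suffixes such as 'co.uk' need a public-suffix list in real use."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def squat_candidates(domain):
    """Set of look-alike domains: TLD swap, single character substitution,
    and benign-looking string additions (combosquatting)."""
    label, tld = split_domain(domain)
    out = set()
    for alt in ALT_TLDS:                       # 1. TLD swap
        if alt != tld:
            out.add(f"{label}.{alt}")
    for idx, ch in enumerate(label):           # 2. one character swapped
        for fake in SUBSTITUTIONS.get(ch, []):
            out.add(f"{label[:idx]}{fake}{label[idx + 1:]}.{tld}")
    for word in AFFIXES:                       # 3. added strings
        out.update({f"{word}-{label}.{tld}", f"{label}-{word}.{tld}",
                    f"{word}{label}.{tld}", f"{label}{word}.{tld}"})
    return out


def normalize(label):
    """Undo common substitutions so 'g00gl3' compares as 'google'."""
    for fake, real in REVERSE.items():
        label = label.replace(fake, real)
    return label


def similarity(brand_label, label):
    """1.0 if the brand is embedded in the label, else a string-similarity ratio."""
    a, b = normalize(brand_label), normalize(label)
    if a in b:
        return 1.0
    return SequenceMatcher(None, a, b).ratio()


def flag_lookalikes(brand_domain, new_domains, threshold=0.8):
    """Return (domain, reason) for each entry of new_domains that looks like
    brand_domain, either as a generated permutation or by fuzzy match."""
    brand_label, _ = split_domain(brand_domain)
    known = squat_candidates(brand_domain)
    hits = []
    for d in new_domains:
        d = d.lower()
        if d == brand_domain.lower():
            continue
        if d in known:
            hits.append((d, "generated permutation"))
            continue
        label, _ = split_domain(d)
        score = similarity(brand_label, label)
        if score >= threshold:
            hits.append((d, f"similarity {score:.2f}"))
    return hits


# Constructed sample of "newly registered" domains (not a real feed).
NEW_DOMAINS = [
    "yourbank.co",            # TLD swap
    "y0urbank.com",           # digit-for-letter substitution
    "payments-yourbank.com",  # benign-looking prefix
    "yourbank-secure.net",    # affix plus TLD swap, caught by fuzzy match
    "yourbnak.com",           # transposition, caught by fuzzy match only
    "gardening-tips.org",     # unrelated, should not be flagged
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes("yourbank.com", NEW_DOMAINS):
        print(f"{domain:24} {reason}")
```

The exact-match set catches only the permutations you thought to generate; the fuzzy pass is what catches the transposition and the affix-plus-TLD combination, at the cost of false positives on short brand names, so tune the threshold (and add a public-suffix list) before running this against a real feed.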
If you have discovered a malicious domain and want it taken down, there are a few things you can do. Contacting the domain's registrar (found in the WHOIS or RDAP record, not in DNS itself) is an easy first step: ICANN-accredited registrars are required to publish an abuse contact and to act on reports of this type. If the site also has a web presence, contacting the hosting provider can lead to a quick resolution. Make the report as detailed as possible, including evidence that your own registration predates the fraudulent one. If the response is slow, a phone call can expedite the process. ICANN also publishes directions on filing a complaint under the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
Beyond this, preventive measures include defensively registering similar domain names, though this can be costly. Some registrars offer domain ownership protection, which makes it easier to get fraudulent sites taken down. Holding a trademark also helps, as does making sure the domain record is actually in your name when a third party registers it on your behalf. Glassportal can add insight into your external environment with the Open-Source Intelligence add-on; contact us to discuss this feature and its release schedule: demo@glassportal.io