Spear-phishing email attacks pose a significant challenge to most organizations. A successful attempt can cost a company an average of US$1.6 million per incident. That’s in addition to the loss of customer trust, which can be harder to quantify. These aspects should certainly motivate everyone to be vigilant, though it seems that spear-phishing scams continue to do the trick.

How so? We recently covered a targeted attack against transaction brokering website escrow[.]com, based on a KrebsonSecurity investigation, which began with a spear-phishing email. This post continues our earlier effort, this time with the help of Typosquatting Data Feed and Brand Monitor.

How Domain Monitoring Can Help Prevent Spear Phishing

Every cyber-threat-resilient organization needs to protect its online assets, primarily its Internet domain name(s), from all kinds of attacks. And we know that spear-phishing emails typically use copycat domains of reputable organizations, specifically third-party suppliers and stakeholders, to bait targets into giving out their account credentials.

As such, an effective means to avoid becoming a spear-phishing victim is to monitor for typosquat domains. Let us illustrate how by using the two tools mentioned earlier.

Brand Monitor at Work

For a given search term, Brand Monitor builds a list of similar terms that could be exact matches or variations of users’ brand name included in their domain. Its Typos feature is especially handy to widen the scope of terms to monitor, especially given the fact that typosquatters often just change one character in their copycat domain names intended to fool victims.

For instance, our first search for “godaddy” revealed 200 typos:

Certainly, several terms on the list have no implied relation to the web hosting service provider. Others, however, may have ties to phishing campaigns. For example, we ran one of the resulting domains auth2-godaddy-mailaccount[.]ml on Threat Intelligence Platform (TIP) and found that it appears as a malware host on VirusTotal.

In parallel, a Brand Monitor query for “escrow” reveals a bit less than 200 typos. But to be more relevant to the above-cited escrow[.]com incident, we decided to narrow down our search by finding name similarity metrics for both search strings and ended up with the following list:

• escrow[.]pub
• go-daddy[.]email
• godaady[.]xyz
• godadddy[.]site
• godadduy[.]app
• godaddy[.]gay
• godandy[.]net
• godladdy[.]com
• goldaddy[.]ltd
• goodaddy[.]org
• goodaddy[.]org
• gudaddy[.]net
• iodaddy[.]com

Upon review of these on TIP, we found that Godladdy[.]com is a malware host (flagged on Virus Total). Also, there were several red flags in the WHOIS records of these domains, such as a recent registration from an offshore location, redacted ownership details, and/or being marked for Domain Name System (DNS) record misconfigurations. As such, one may expect these domains to figure in cyber-attacks and should pay attention to them.

Typosquatting Data Feed at Work

Another way for companies to stay alert to typosquat domains is to subscribe to Typosquatting Data Feed, which provides daily lists of lookalike domain names registered in bulk.

Checking the bulk registrations of highly similar domains for “godaddy” before the attack happened, we saw three domains anonymously registered on 14 March 2020 in Arizona:

• godaddyregistry[.]org
• godaddyregistry[.]com
• godaddyregistry[.]biz

On 15 March 2020, two more domains appeared on the feed. The first seemed to belong to the same person who registered similar domains a day before. Godaddyregistry[.]us, meanwhile, was registered by an individual named Charlie Bec from California:

• godaddyregistry[.]net
• godaddyregistry[.]us

While none of the domains turned out to be malicious, their WHOIS record details varied a lot from GoDaddy’s for its legitimate domain godaddy[.]com.

We followed the same steps for “escrow” and found five suspicious domains registered on 9 March 2020:

• escrowserviceoftn[.]org
• escrowservicesoftn[.]online
• escrowservicesoftn[.]org
• escrowserviceoftn[.]online
• escrowserviceoftn[.]com

Their WHOIS records revealed that they were registered in Canada by an anonymous individual. Likely, they don’t belong to the owner of escrow[.]com though, because the transaction brokering firm’s domain is U.S.-based. Like the GoDaddy lookalike domains, these also had several issues.

Organizations shouldn’t only look at the obvious if they want to stay safe from harm. They need to cover all their bases, including keeping a lookout for unknown sources of threats. Doing so is possible in the context of typosquatting and copycat domain names with solutions like Typosquatting Data Feed and Brand Monitor.