On Instagram’s Help Center, there are sections solely dedicated to Intellectual Property. The social media giant also provided avenues for reporting account impersonation and trademark violations. And with the rise in username squatting, these initiatives are not only welcome but necessary. Instagram’s 1 billion active users are, however, not the only ones affected by squatting. Our Typosquatting Data Feed detected more than 300 Instagram-inspired domain names registered in the past six months.

For a company that accords importance to its users’ trademark and intellectual property rights, what can Instagram or its parent company, Facebook, do to protect its business against the perils of typosquatting?

Although we are not privy to their specific typosquatting protection strategies, we did gain some insights by using tools such as Reverse WHOIS Search and Reverse IP/DNS API. Using the details we obtained, we can confirm that the domain names included in our typosquatting database are most likely mimicking Instagram’s domain.

A Glimpse into Instagram’s Typosquatting Protection Blueprint

We retrieved 455 Instagram-themed domain names that Instagram may have registered to prevent typosquatting. First, we looked into the WHOIS details of instagram[.]com using WHOIS Search.

We then used Instagram’s WHOIS records on Reverse WHOIS Search to obtain a list of domain names that use the same WHOIS data. To make the query more realistic and accurate, we did an advanced search using the following record details:

• Registrant Contact Email: domain@fb[.]com
• Registrant Contact Telephone: 16505434800
• Registrant Contact Organization: Instagram LLC
• Registrant Contact Street Address: 1601 Willow Rd

Reverse WHOIS Search returned 455 domains that satisfy the advanced search criteria. Randomly selecting some of the domains to build WHOIS reports revealed that Facebook indeed owns them. Most of them used these name servers:

• D[.]NS[.]FACEBOOK[.]COM
• C[.]NS[.]FACEBOOK[.]COM
• B[.]NS[.]FACEBOOK[.]COM
• A[.]NS[.]FACEBOOK[.]COM

For the record, though, Instagram uses the following name servers, so any domain claiming ties to the social media platform should most likely either use the Facebook name servers or the following:

• ns-1349.awsdns-40[.]org
• ns-2016.awsdns-60[.]co[.]uk
• ns-384[.]awsdns-48[.]com
• ns-868[.]awsdns-44[.]net

As we’ve seen, Facebook’s typosquatting protection team is not sitting idle. Just this April, they were seen registering hundreds of COVID-19-related domains.

Enhancing Protection Using Typosquatting Data Feed

With the volume of Instagram-themed domain registrations that Typosquatting Data Feed has been detecting, there’s a high probability that several could fly under Instagram’s radar, making real-time typosquatting domain detection essential.

Take, for example, the following indicators of compromise (IoCs) that IBM X-Force Exchange reported on 4 May. These lookalike domains are believed to be involved in a malicious campaign targeting the media sector.

• copyright-lnstagram[.]ml
• instagram-verifybadge-support[.]ml
• lnstagram-copyright-help-a3623vas336-va6f63a6ogsa824[.]ml

If you look closely at the last domain, you’ll see that the first letter is not the upper case “i,” but the lower case “L.” A DNS lookup and a WHOIS lookup would also reveal that the domain has the following details:

• IP address: 66[.]85[.]73[.]157
• Hostnames: ns1[.]somee[.]com and ns2[.]somee[.]com

Using Reverse IP/DNS Lookup, we found that several Instagram-related domains also resolve to the same IP address. Some domains were recently registered, while others have been up since last year. Users of the Typosquatting Data Feed would have been immediately alerted to these registrations. Because of their association with the IoC, these domains require investigation even if they are not part of IBM’s report.

Like other major companies, one of Instagram’s brand protection and cybersecurity strategies is to prevent typosquatting. Typosquatting protection entails registering domain names that could be used by threat actors before they do so.

Subscribing to a typosquatting data feed would allow companies to see domain registrations as they come to detect bogus domains promptly. Passive DNS tools, meanwhile, would help them learn more about threat actors.