An enterprise’s domain portfolio continues to change as it offers new products and services or withdraw old ones. Mergers, acquisitions, and buyouts would also affect its domain portfolio. Constant monitoring of one’s domain portfolio and its related infrastructure is crucial in today’s cybersecurity landscape. Overall domain protection not only saves a company’s network from specific threats but also helps protect its clients and website visitors from attacks.

A part of domain protection that can be overlooked is checking for potential typosquatting domains. These are domains that look similar to an organization’s domain or brand name that threat actors can use to imitate the company.

Typosquatting domains may be used to make phishing emails appear more credible and authentic. For instance, a parent who sometimes purchase Lego toys would be more likely to believe in the credibility of an email address like example@legoslegos[.]ru than one not containing the brand name “Lego.” As part of possible phishing endeavors, typosquatting domains also let threat actors create websites that look identical or similar to an organization’s official website.

Below is a side-by-side screenshot of the official Lego website (on the left) and legoslegos[.]ru (on the right):

Among the most telling signs of a typosquatting domain is that it doesn’t share the same WHOIS registration record as the brand’s official domain. Most large enterprises do not hide their WHOIS record details, as in Lego’s case, whose registrant organization (LEGO Juris A/S), email address, and other information are publicly available through WHOIS Lookup.

The WHOIS record of the domain legoslegos[.]ru, on the other hand, is unavailable or hidden so there is a high possibility that it is not owned or managed by The Lego Company.

An Example of Typosquatting Domain Protection Analysis

We randomly selected five enterprises (see the table below) to illustrate crucial checks included in the domain analysis and protection process. These organizations’ stocks are publicly traded on the New York Stock Exchange (NYSE) and other markets.

We then used a domain and subdomain discovery tool to see the number of domains that contain text strings related to the five organizations. The table below shows the results that contain the company names.

We also ran the look-alike domains returned on Bulk WHOIS Lookup to see how many of them have WHOIS records that differ from those of the official domains. These are potential typosquatting domains, and monitoring them could help make domain protection programs more comprehensive.

As shown in the chart, three out of the five companies face the situation where 90% or more of their identified domain footprints are potential typosquatting domains. The other two still have a high percentage of typosquatting domains, at more than 75%.

Diving into the specifics of those domains, we found that an average of 15% of the five companies’ typosquatting domains are less than a year old as of this writing. However, a significant percentage are more than 4 years old, with an average of 10% falling between five and 10 years of age and 28% registered more than 10 years ago. Such findings tell us that while it is important to monitor newly registered domains (NRDs) for signs of typosquatting, some older domains could also warrant close observation.

What’s more, the most commonly used top-level domains (TLDs) for these domain names include .com and .net. We also saw country-code TLDs (ccTLDs), such as .nz and .es, along with new generic TLDs (ngTLDs) like .tk and .xyz. Domain protection may entail monitoring all TLDs, rather than focusing on newer and most commonly abused ones.

Domain protection is a crucial cybersecurity practice that aims to protect the domain owner and his or her users or clients. It is a never-ending and constantly evolving process, which includes checking for typosquatting domains, among others.

Are you a security researcher, product developer, or security officer working on ways to improve your domain protection strategies? Contact us for more information on the potential typosquatting domains and vulnerabilities mentioned in this post.