Domain Protection: Top 3 Domain-Based Attack Tactics and How to Address Them

Domains are often the first source of engagement, making domain protection a necessity

Globally, businesses rely on owned websites and domains to grow brand awareness and to promote and sell products and services. With e-commerce and online shopping at an all-time high, securing owned domains and removing malicious or spoofed domains is imperative for protecting modern consumers. Domain impersonation is an incredibly prevalent cyber-threat tactic, including the use of ‘look-alike’ URLs that trick legitimate customers by mimicking brands and by exploiting common misspellings, typosquatting and homoglyphs. With domain-based attacks on the rise across industries, investing in domain protection should be a top priority for organizations of all sizes.

The opportunity for attackers

Domains offer threat actors a wide and potentially lucrative attack surface. Attackers often buy ‘look-alike’ domains with the goal of impersonating a targeted organization online. This may involve swapping in similar characters (homoglyphs) or appending keywords such as “help,” “support,” or other plausible concatenations to the end of the URL. Similarly, attackers will append long strings of randomized characters to a legitimate-looking domain, so that a user clicking on this domain will only see the first, credible-looking part of the domain.

Attackers use several different tactics in domain-based attacks to target organizations and trick unsuspecting victims. From mirroring legitimate sites to relying on slight variations that trick an untrained eye, it’s important to understand the top tactics bad actors use so you can defend your brand and protect customers.

Tactic 1: Copycatting 

One of the most common tactics used by bad actors is to create a site that directly mirrors your legitimate webpage. This is often done by picking a top-level domain, or TLD, that the legitimate domain isn’t using, or by appending multiple TLDs to a domain name. When attackers use these methods in their attacks, users are more likely to be tricked into believing they are interacting with the legitimate organization. This lessens the difficulty of conducting successful phishing or malicious attacks. A site that appears to be legitimate will undoubtedly be more successful than an attack using a generic, throwaway domain.

Malicious domains will often utilize information and visuals that customers would expect to see on a legitimate site, such as your logo and brand name. This instills a sense of familiarity and trust that could convince unsuspecting victims to divulge personal or financial information or purchase counterfeit goods from these sites. 

Tactic 2: Piggybacking 

Often, attackers utilize spoofed or look-alike domains in an attempt to appear credible by piggybacking off the name recognition of well-known brands. These domains may be parked or serving live content. Parked domains are commonly used to generate ad revenue; however, they could very easily be used to rapidly serve malicious content. They are also often used to serve other content that can be harmful to a brand’s image, like counterfeit goods.

Tactic 3: Typosquatting and Homoglyphs

Attackers are always looking for ways to trick unsuspecting internet users in places where they are unlikely to look or to notice they are being spoofed. Two common methods are typosquatting and homoglyphs.

Typosquatting involves the use of common URL misspellings that a user is either likely to make of their own accord or may not notice are there. If an organization has not registered domains that are close to its legitimate domain name, attackers will often purchase them to take advantage of typos. Attackers may also infringe upon trademarks by using legitimate graphics or other intellectual property to make malicious websites appear legitimate.

An example of this technique is adding a letter to the organization’s name, such as the ‘i’ in the figure below:

Homoglyph attacks are another variant of domain spoofing. In these attacks, the basic principles of domain spoofing remain the same, but an attacker may substitute a look-alike character from an alphabet other than the Latin alphabet, for example the Cyrillic “а” for the Latin “a.” Although these letters are visually identical, their Unicode values differ, so the browser processes them differently. Given that there are over 100,000 existing Unicode characters, attackers have an enormous opportunity for these attacks. Impersonators also abuse homoglyphs to fool traditional string matching and anti-abuse algorithms.

[Figure: homoglyph example alongside the legitimate domain]
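The comparison described above can be made robust to homoglyphs by decoding punycode labels and folding look-alike characters before matching. The following Python sketch is an added example, not code from the original article or from ZeroFOX; `example.com`, the sample domains and the small confusables table are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small confusables table. Assumption: production
# monitoring would load the full Unicode TR39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}

def to_unicode(domain):
    """Decode punycode (xn--) labels so the characters a user sees are compared."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw form
        labels.append(label)
    return ".".join(labels)

def scripts(text):
    """Scripts used by the letters, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """Fold known look-alike characters onto their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))

def classify(candidate, legitimate):
    """Return 'legitimate', 'homoglyph', 'mixed-script' or 'no-match'."""
    shown = to_unicode(candidate)
    if shown == legitimate:
        return "legitimate"
    if skeleton(shown) == legitimate:
        return "homoglyph"  # differs in code points, identical once folded
    if any(len(scripts(label)) > 1 for label in shown.split(".")):
        return "mixed-script"  # e.g. Latin and Cyrillic letters in one label
    return "no-match"

if __name__ == "__main__":
    # Constructed samples; \u0430 is the Cyrillic "a" mentioned in the text.
    for d in ["example.com", "ex\u0430mple.com", "xn--exmple-4nf.com", "ex\u0430mple-shop.com"]:
        print(ascii(d), "->", classify(d, "example.com"))
```

A plain string comparison treats the second and third samples as unrelated to `example.com`; the folded comparison flags both.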

Why domain protection is necessary

Domains, and the websites they host, are critical to an organization’s online image and brand. They are often the first source of engagement between a consumer, partner, prospective employee and your organization. Cyberattackers recognize this and seek to capitalize on that engagement. Malicious, impersonating websites harm this image, which may influence customers to direct their business elsewhere. These domains are often used to solicit information from customers, typically financial, causing monetary loss to the customer and potential revenue loss to the retailer. 

Many organizations monitor domains related to their brand in order to ensure that their brand is represented in the way it is intended. For larger organizations composed of many subsidiary brands, this can be even more challenging. Because the attack surface is so large, and attacks against domains are so common, it is easy for organizations to feel inundated with alerts. Because of this, it is crucial that organizations precisely monitor for domains that may be impersonating or pirating their brand, products, trademarks or other intellectual property. 

Only by actively monitoring domains infringing on an organization’s brand can legitimate threats be prioritized and potential loss be mitigated.
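To keep alert volume manageable, a monitoring feed can be labelled by which of the tactics above each domain matches. The following Python sketch is an added example, not ZeroFOX's product logic; `example.com`, the feed entries and the function names are constructed, and the first-dot split is a simplifying assumption.

```python
KEYWORDS = ("help", "support")  # keywords named in the article

def split_domain(domain):
    """Naive split into (name, suffix) at the first dot. Assumption: a real
    monitor would use the Public Suffix List to find the registrable name."""
    name, _, suffix = domain.lower().partition(".")
    return name, suffix

def edit_distance_one(a, b):
    """True if b is one insertion, deletion, substitution or adjacent swap from a."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return a[i + 1:] == b[i + 1:] or swapped
    return a[i:] == b[i + 1:]

def tactic(observed, legitimate):
    """Label one observed domain with the tactic it matches, or None."""
    if observed.lower() == legitimate:
        return "owned"
    name, _ = split_domain(observed)
    brand, _ = split_domain(legitimate)
    if name == brand:
        return "copycat-tld"  # unused TLD, or extra TLDs appended
    if any(name.replace("-", "") == brand + k for k in KEYWORDS):
        return "keyword"      # brand name with a plausible keyword appended
    if edit_distance_one(name, brand):
        return "typosquat"    # one added, dropped, changed or swapped letter
    return None

def triage(feed, legitimate):
    """Keep only domains matching a known tactic, so unrelated names raise no alert."""
    hits = [(d, tactic(d, legitimate)) for d in feed]
    return [(d, t) for d, t in hits if t not in (None, "owned")]

# Constructed feed of newly observed domains.
FEED = ["example.com", "example.co", "example.com.co", "example-support.com",
        "exampile.com", "exmaple.net", "unrelated.org"]

if __name__ == "__main__":
    for domain, label in triage(FEED, "example.com"):
        print(f"{label:12} {domain}")
```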

ZeroFOX Domain Protection

ZeroFOX Domain Protection protects your web presence and removes fraudulent sites looking to capitalize on that presence. Your website is often the first place people go to learn about your business. Protecting that presence is critical to growing business and maintaining a strong reputation. ZeroFOX’s domain offering monitors and alerts you to potential attacks on your owned sites. It also identifies spoofed sites. Once a malicious site is identified, ZeroFOX works on your behalf to have the site removed. ZeroFOX provides a complete managed remediation and takedown service that far exceeds the capabilities and effectiveness of traditional security solutions. Our team of expert takedown specialists works directly with the domain registrar or host to have the site removed, relieving your team of the often complex domain takedown process.
