How to protect your brand from cybersquatting

For many organizations, fake websites become a major concern when one of their brands, logos or business websites is copied or abused. In many cases the law cannot help because the attacker cannot be identified. The problem of fake websites is well known, and attackers exploit it on a daily basis. Setting up a fake website requires registering an internet domain name, and attackers typically choose a name that looks similar to that of the target organization. This act is called cybersquatting or domain squatting.

These fake websites look trustworthy and are usually designed to illegally earn money, directly or indirectly. They steal sensitive information such as passwords or other credentials that can be traded for money on the dark web. Another popular approach is to trick people into executing false money transactions or revealing their credit card data.

Problems caused by fake websites  

For many organizations, fake websites become a major concern when one of their brands, logos or business websites is copied and abused in order to gain the trust of employees, customers or other people who are lured to the site. The attacker can have several end goals, including breaking into the organization using stolen passwords or obtaining sensitive customer information.

For example, a legitimate website might be www.company.com and an attacker could register www.company.org (different extension, TLD swap) if that domain name was still available. Most users won’t notice the difference. There are many other look-a-like domain names to choose from (like www.company-info.com, www.com-pany.com), so it is practically impossible for an organization to register all of them in order to prevent cybersquatting.

Although the organization is not to blame, the consequences of a successful attack can cause significant damage. The internet is littered with cases and news articles about such attacks and their consequences.

How the law tries to protect organizations from cybersquatting 

According to the United States federal law known as the Anticybersquatting Consumer Protection Act, cybersquatting – also known as domain squatting – is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter can for instance offer to sell the domain to the person or company who owns a trademark contained within the domain name at an inflated price. 

Since 1999, the World Intellectual Property Organization (WIPO), one of the 15 specialized agencies of the United Nations (UN), has provided an arbitration system wherein a trademark holder can attempt to claim a squatted site. The number of claims has been rising ever since.

Anyone can register a domain name anonymously in 5 minutes for a price as low as 10-20 euros. It is a “first come first served” world that can be easily abused by malicious players. Hackers will register such look-a-like domain names to actively stage an attack, and not just to resell them at a higher price later.

So in many cases the law cannot help the victim as the attacker cannot be identified. In this case the law will also not help in settling any damages. That is why several organizations have taken steps to proactively monitor the registration of potential cybersquatting domains in combination with detecting fake websites to avoid or minimize any damages early on. 

How to quickly detect fake websites 

As already stated, registering all possible look-a-like internet domain names (or so called “cybersquatting candidates”) is not a straightforward strategy. There will always be other look-a-like domains available, and it will require quite some time and money to register and follow up. Automating the detection and monitoring can offer a solution. Here’s how it can work. 

A. Enumerate candidate cybersquatting (look-a-like) domain names 

Look-a-like names can be generated from a list of the organization’s known primary domain names. Several enumeration techniques can be applied, such as adding and removing delimiters (dots and dashes), replacing the extension with another one (top-level domain swaps) or changing characters. These techniques generate a big list of domain names. An EASM platform would, for instance, generate more than 2,000 cybersquatting candidates from company.com using various techniques.

B. Verify if candidate cybersquatting websites are online 

The next step is to continuously or frequently verify whether these domain names are registered AND whether they are actually hosting a website. If a website is online, a screenshot is taken automatically so that it can be analyzed and investigated further, creating an initial list of potential cybersquatting candidates. New candidates will nonetheless keep popping up for an analyst to investigate. While such an approach has proven to work, its downside is that it also generates many false positives, which can lead to alert fatigue.

C. Further qualify cybersquatting websites for brand abuse indicators using AI 


Using EASM to protect your brand from cybersquatting 

EASM offers an early warning detection system to catch bad actors registering bogus domains very similar to your legitimate ones. EASM platforms do that in a very unique and intelligent way by looking at the organization's attack surface from different angles.

They look at it from a vertical perspective, to bring visibility into what is underneath the attack surface (think of an iceberg here), but also on a horizontal level, where the attack surface grows with new internet seed domains and expands over time, leaving operational teams and stakeholders playing catch-up on what the organization and its 3rd parties are developing and managing day in, day out.

In a cybersquatting campaign, a bad actor will target one or more well-known websites or brands and register domains very similar to the legitimate domain. There are many cybersquatting techniques possible, often including: doubling characters (“googgle.com”), adjacent keys (“googlw.com”), letter swapping (“googel.com”) and .TLD registration (“google.om”). 

[Figure: TLD report with Venn diagram]
Do you have a capability to inform you when your brands and domains are being registered by somebody else?

When such odd activity is discovered, it almost always points to suspicious activity that requires further verification. All too often, bad actors register those domains in preparation for launching a malicious campaign. The registration can be the start of further attack planning and of the delivery of malicious content to lure users into visiting the cybersquatting domain.

When a new registration happens for your brand, you need to know, allowing you to keep a finger on the pulse, understand the situation and manage the potential risk. An EASM platform detects new domains, giving you an early warning to detect cybersquatting and take proactive measures if necessary. 
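The enumeration step and the techniques named above (character doubling, adjacent keys, letter swapping, TLD swaps, added or removed dashes) can be turned into a watch list and matched against newly observed registrations. The following is an added example, not code from the original article or from any EASM product; the keyboard map, TLD list and registration feed are constructed assumptions.

```python
# Added example: look-alike candidate generation for defensive brand monitoring.
# ADJACENT, TLDS and FEED are constructed sample data, not from the article.
ADJACENT = {  # partial QWERTY neighbour map (assumption; extend as needed)
    "a": "qwsz", "c": "xdfv", "e": "wsdr", "g": "ftyhbv", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "y": "tghu",
}
TLDS = ["com", "org", "net", "info", "om", "co"]  # sample swap targets


def candidates(domain):
    """Return {look-alike domain: technique} for one primary domain."""
    name, tld = domain.lower().rsplit(".", 1)
    out = {}

    def add(label, technique, new_tld=tld):
        cand = f"{label}.{new_tld}"
        # Skip the original name and labels that are not valid hostnames.
        bad = label.startswith("-") or label.endswith("-") or "--" in label
        if label and not bad and cand != domain.lower():
            out.setdefault(cand, technique)  # first technique found wins

    for t in TLDS:
        add(name, "tld-swap", t)
    for i, ch in enumerate(name):
        add(name[:i] + ch + name[i:], "doubled-character")
        for near in ADJACENT.get(ch, ""):
            add(name[:i] + near + name[i + 1:], "adjacent-key")
        if i:  # operations that involve the previous character
            add(name[:i] + "-" + name[i:], "added-delimiter")
            add(name[:i - 1] + ch + name[i - 1] + name[i + 1:], "letter-swap")
        if ch == "-":
            add(name[:i] + name[i + 1:], "removed-delimiter")
    return out


def match_new_registrations(primary_domains, feed):
    """Return (registered domain, imitated primary, technique) per feed hit."""
    watch = {}
    for d in primary_domains:
        for cand, technique in candidates(d).items():
            watch.setdefault(cand, (d, technique))
    seen = (x.strip().lower() for x in feed)
    return [(f, *watch[f]) for f in seen if f in watch]


# Constructed feed of newly observed domain registrations.
FEED = ["googgle.com", "example.net", "googlw.com", "googel.com",
        "google.om", "com-pany.com", "Company.ORG"]
ALERTS = match_new_registrations(["google.com", "company.com"], FEED)
```

Each alert names the primary domain being imitated and the technique that produced the match, which gives an analyst a starting point for the verification step described earlier.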

Add EASM to your organization 

Outpost24’s external attack surface management (EASM) solution, Sweepatic, fully automates cybersquatting detection and prioritized alerting based on the organization’s primary domain names. We can automatically generate and verify several thousand potential cybersquatting domain names on any given primary domain. Our cybersquatting module is part of a much bigger proprietary discovery engine that detects all internet-facing assets an organization has across providers, geolocations and IP ranges.

On top of our powerful discovery engine we automatically inspect and report on security issues like vulnerabilities, misconfigurations in email/DNS/Web, weak encryption, expired and weak SSL certificates, exposed databases and file shares, exposed administrative access and much more. Our customers leverage our Platform’s discovery capability to continuously find IT assets they were unaware of. Additionally, they use our Platform to follow up on a prioritized list of discovered security issues.

Interested to know if cybersquatting is impacting your organization? Book a free attack surface analysis today.

About the Author

Marcus White, Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.