By Jessica Ellis | October 20, 2020
There are many ways look-alike domains can be used by threat actors. While business email compromise (BEC) and phishing sites are often top-of-mind for defenders, there are dozens of other uses for look-alike domains. This variation, as well as diverse registrar requirements for removal, can make mitigating look-alike domains a complex, burdensome, and often ineffective process.
In this post, we examine steps to mitigate the internal and external risk posed by look-alike domains.
In order to mitigate a malicious domain, security teams need a comprehensive strategy that includes protecting users within the network perimeter as well as externally. Measures for securing your network include using indicators to prevent access to the threat. Threats outside the perimeter must be removed completely.
Integrate Look-Alike Domains into Enterprise Security Controls
Look-alike domains can be used to infiltrate organizations with damaging spear phishing or BEC campaigns. BEC attacks continue to be one of the costliest forms of phishing, with threat actor demands attributed to BEC wire transfers almost doubling this year.
Example of a BEC Attack
Many network and endpoint security controls can ingest malicious domain intelligence for enhanced threat detection and prevention. By integrating look-alike domains into these tools, security teams can block delivery of the threat or at least keep internal users from interacting with it. Automated integration of look-alike domain intelligence is a best practice.
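Before look-alike intelligence is pushed into blocking controls, a team needs a repeatable way to decide which observed domains are actually look-alikes. The following is an added example, not code from the original post or its author: it normalizes common homoglyph substitutions, scores candidate domains by edit distance against a set of protected brand domains, and flags matches in constructed resolver log lines. The brand names, log format and distance threshold are assumptions.

```python
"""Flag look-alike domains in DNS query logs against protected brand domains."""
import re

# Constructed sample: the registrable domains this organisation protects.
PROTECTED = {"examplebank.com", "example-corp.net"}

# Common visual substitutions, mapped back to the ASCII they imitate.
# Note: "rn" -> "m" can also rewrite legitimate words; tune for your brands.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    """Lower-case a label and collapse homoglyph substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance; labels are short, so the O(n*m) loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Keep the last two labels (enough for the single-label TLDs used here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain, protected=PROTECTED, max_distance=1):
    """True if the registrable domain is not protected but its normalized name
    is within max_distance edits of a protected name (any TLD counts)."""
    reg = registrable(domain)
    if reg in protected:
        return False
    norm = normalize(reg.rsplit(".", 1)[0])
    return any(levenshtein(norm, p.rsplit(".", 1)[0]) <= max_distance
               for p in protected)


def flag_queries(log_lines):
    """Return look-alike registrable domains seen in BIND-style query log lines."""
    hits = set()
    for line in log_lines:
        m = re.search(r"query: (\S+) IN", line)
        if m and is_lookalike(m.group(1)):
            hits.add(registrable(m.group(1)))
    return hits
```

Confirmed hits can then be exported to the proxy, DNS and mail controls the post describes, while the legitimate brand domains are never flagged.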
While this provides an efficient layer of protection for corporate users on the network, it does not address the risk posed by look-alike domains to users outside the corporate network or to the organization’s brand.
Take Down Look-alike Domains
The only way to fully eliminate the risk posed by a look-alike domain is for it to be removed by the registrar. Accomplishing this is not always straightforward.
Depending on how the look-alike domain is used, its registrar may not consider it to be malicious. Registrars have various evidentiary requirements to prove a domain is being used for nefarious purposes and should be removed. Without sufficient evidence, registrars are not obligated to remove an offending domain.
Example of a look-alike domain
It is essential to have a process in place to investigate look-alike domains and capture evidence sufficient to warrant the threat being removed. Domain registries generally have broad anti-abuse authority and with sufficient evidence will remove domains being abused for:
- Hosting phishing sites
- Hosting malware
- Botnet command and control
- Distributing child exploitation materials
- Delivering spam
Not all domain abuse is overtly obvious, and in those cases removal will require additional evidence. Fraud, for example, can be viewed as an intellectual property or trademark dispute, and most registrars will not issue removal without a court order or law enforcement request. Because of the ambiguity surrounding less defined threats, security teams need to prioritize the rapid gathering of incriminating evidence and ensure it is aligned with registrar requirements.
The fastest way to mitigate a domain threat is to eliminate any doubt that the domain in question is promoting fraudulent activity. This is why ample evidence that clearly demonstrates abuse is key. As long as registries are able to see that the domain is unequivocally fraudulent, most will take action to remove it. In addition, the reputation of your organization and experience with the removal of domain threats will increase the odds of a successful takedown request.