Look-alike domains remain some of the most consistent elements of cyber attacks targeting organizations. At a high-level, there are two ways to mitigate the threat of a look-alike domain: remove the threat completely by taking it offline, or block attacks on your users by implementing IT security controls. If we dissect the construction of a look-alike domain, we see where each step in its creation represents a point where actions can be taken to mitigate the threat.
In general, the further upstream the mitigation tactic, the broader the impact will be and the more risk it will reduce. For example, if you suspend the domain, all aspects of how it is used are gone. On the other end, blocking the domain downstream at endpoints will only address interaction with an individual. In this piece, we explore the mitigation approaches security teams can follow at the various stages of a look-alike domain's existence.
Mitigation approaches from PhishLabs Look-alike Domain Webinar
Suspend at the Registry
The first step in creating a look-alike domain is to register one. This can be done anonymously, at no charge. In order to suspend a domain that you believe to be malicious, security teams must communicate to the registry or registrar that you have identified abuse, then provide adequate evidence to justify its removal. Almost every legitimate registry or registrar has a place where you can report abuse such as an email address or web form. Different providers require different sets of evidence in order to pursue removal, and it is important to provide as much information around the abuse as possible.
Block DNS Queries
If the actor has registered their look-alike domain and created a DNS record, security teams may reach out to the provider that is managing the servers and request the DNS record be removed.
In the case of IT security controls, you can implement technologies to filter DNS requests by users. One common way to do this is Response Policy Zones (RPZ). RPZ will allow you to block DNS resolution to known malicious sites, meaning you will be able to keep users within your organization from accessing those sites.
Remove Web Content at the Host
Depending on the intent of the threat actor, once they have created a DNS record, they may set up an Address (A) record to point to a website, a Mail Exchanger (MX) record for email delivery, or both. If an actor has created a malicious website, security teams can file an abuse report to the hosting provider and ask them to either remove the content or take the site down. Depending on the host, their response may be prompt, take weeks, or, often in the case of bulletproof hosting providers, never happen.
In addition to reaching out to the host, security teams should also report malicious sites to Microsoft and Google. This will allow them to add the URL to blacklisting services like the Google Safe Browsing program and Microsoft SmartScreen to alert users of unsafe websites and block them in web browsers.
Block the Domain
Domains used for malicious email campaigns can be blocked by network and endpoint security controls by ingesting domain intelligence. Integrating look-alike domains into these tools will enable security teams to block delivery of the threat and prevent internal users from interacting with it. Automated integration of look-alike domain intelligence is a best practice.
There are some challenges for takedowns via service providers as there is no global standard for abuse. Different providers require varying degrees of evidence and follow their own set of processes. If taking any of the above approaches does not work, there are other options available to security teams:
Digital Millennium Copyright Act (DMCA)
The DMCA is U.S. legislation that criminalizes the creation and distribution of copyrighted works. If you own the copyright on what you request to have taken down, the service provider has three days to take action. This law only applies to the U.S., however many providers across the globe will implement this process.
Universal Domain Resolution Process (UDRP)
UDRP is an option developed by the Internet Corporation for Assigned Names and Numbers (ICANN) to address disputes between two different companies that are arguing over the same domain name. Arbitration may be lengthy, as well as expensive.
A look-alike domain remains one of the most versatile attacker tools. Depending on the intent of the actor, attack techniques that originate from a look-alike domain may include:
- Business Email Compromise
- Website Traffic Diversion
- Counterfeit Activity
- Credential Phishing Sites
- Malware Delivery
- Website with Monetized Links
- Unauthorized Brand Association
Because look-alike domains are legitimately registered and on authorized servers, it is up to security teams to either block the threat from their network, or collect the evidence a registrar or service provider needs to prove the domain is a conduit for malicious activity. PhishLabs' Domain Monitoring solutions help organizations identify what types of abuse qualify for takedown as well as the evidence needed for removal.
Additional Resources:
