Cybersquatting. PHOTO: Cybercrime Magazine.

Top-Level Domain Squatting: Victims And How To Combat The Threat

Copycatting the domain names of established brands for malicious purposes is on the rise

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Sep. 27, 2019

We’ve all heard about cybersquatting — the act of registering names, especially well-known company or brand names, as Internet domains, in hopes of reselling them for a considerable profit. On its own, it doesn’t seem that harmful to a brand as merely purchasing the domain to protect its reputation is easy to do, albeit at a high cost when considering how expensive highly-seeked names can get.

Problems arise, however, when these domains end up used for cyberattacks and impersonation. That happens when cybercriminals pretend to be part of your organization and start extorting cash from your customers or anyone who happens to visit the spoofed sites.

Let’s take domains that prey on very popular email service giants like Gmail and Yahoo as an example. Because we’re all accustomed to seeing these domains in senders’ email addresses, we may be paying a lot less attention than we should on misspellings of their top-level domains (TLDs).

The worst part is that we could already be interacting with cybercriminals on a regular basis using domains like gmai.com or gmail.net (not affiliated in any way with Google’s Gmail service) or ymail.net (also not related to Yahoo Mail) because we didn’t take a closer look at a sender’s entire domain name.

In this post, we’ll call this threat “top-level domain squatting”— the act of copycatting the domain name of an established brand for malicious purposes.

TLD Squatting’s Ill Effects

TLD squatting presents risks to the spoofed domain’s owner, unwary users of the fake email services, and the recipients of emails from the fake domains.

Painting the Big Picture

Say, for instance, that a phisher pretends to be a Google employee and uses a gmail.net address to trick Gmail users into changing their passwords in line with a supposed security update. If the attacker manages to sound legitimate and users don’t spot the incorrect TLD, then tons could be fooled into clicking the link to the supposed Gmail account update page. All that’s left to harvest victims’ credentials would be for them to input these into the fake update pages.

Victim #1: Email Recipients

In such a scenario, users who log in to financial accounts using the same passwords can easily end up losing money. Moreover, because the thieves use authentic login credentials, institutions such as banks won’t disallow transactions made.

It gets worse when their real Gmail accounts end up as part of attacks. Users could then become unwitting accomplices to cybercrime. In this sense, attackers avoiding capture could use their identities as disguises, thus avoiding implication.

In many cases, their financial credentials (credit cards, bank accounts, etc.) may end up as part of dumps sold in underground markets or the Deep Web. Unscrupulous users can then use these to purchase illicit goods (prescription drugs, contraband goods, etc.) without fear of getting caught.

Victim #2: Domain Owners

In such cases, domain owners run the risk of brand or reputation damage. Though they aren’t responsible for the crimes committed, their names did play a part in getting victims to click links to malicious pages.

It’s an unfortunate fact that their immense popularity led cybercriminals to use their brands in the first place. The trust (however misplaced) that users put in their reputation could have caused them to take that extra step to verify the legitimacy of an email sporting a domain that’s remarkably similar to theirs.

Victim #3: Fake Email Service Users

For a domain to be believable, it needs to be accessible online. Non-tech-savvy users looking to sign up for their first email account can thus end up registering on a fake provider’s site instead of its legitimate counterpart. This situation can be relatively rare but could happen.

In such a case, service registrants’ usernames and passwords automatically land on cybercriminals’ laps. Victims then stand to suffer the same consequences as the recipients of phishing emails.

Given the unwanted risks that TLD squatting pose, how can users and domain owners stay protected?

Combatting the Dangers of TLD Squatting

On the users’ part, adhering to the following best practices may prove useful:

  • Carefully scrutinize the sender’s email address. Make sure the domain is legitimate and not a spoofed version of a real provider’s domain. Watch out for typos and misspellings. Substituting capital letters (such as I for igloo) for lowercase ones (such as l for lion), incomplete names such as gmai for gmail, using special characters such as í for i, and similar tactics are part of phishers’ arsenals. Check out the TLD as well. Both Gmail and Yahoo only use .com. Mark all suspicious emails as spam or junk so you can avoid becoming a phishing victim.
  • Avoid clicking links embedded in emails and downloading attachments at all times. If anything strikes you as suspicious about an email’s sender or content, delete it. Messages riddled with typos and grammatical errors should automatically be deemed suspicious.
  • Any email that offers free goods or services, huge discounts, or any other unbelievable offer is always likely malicious. Don’t even think twice about deleting them.
  • Banks and legitimate companies (including your email service provider) would never ask you to give out personal details (bank account numbers, credit card details, etc.) via email. Delete all such messages immediately.
  • Use antimalware. If you don’t trust your judgment, let a solution decide for you.

For domain owners, the task can be more challenging but not impossible to do. They can rely on readily available tools that allow them to monitor likely threat sources and check the reputation of domains.

To show how brand monitoring can help, we compiled a list of potential TLD squatting domains that may end up as part of phishing campaigns. For gmail.com, we obtained a list of very similar-looking domains that include gmail.net, gmailu.ru, gmaiil.com, gmai.com, ggmail.com, and many more. For ymail.com, we found ymail.net, ymails.pw, uymail.com, eymail.com, beymail.com, and others.

To come up with a comprehensive list of TLD squatters, be sure to use a monitoring app that automatically generates misspelled versions of a domain name of interest. This feature does away with the need to come up with potential domain squatters manually.

After obtaining the said lists, we used a domain reputation scoring application to objectively gauge which of the potentially malicious domains were most unsafe to access. The app checked each domain for Secure Sockets Layer (SSL) and mail and name server misconfigurations and ties to malware, among other telltale signs of malicious activity. We found that ymail.net, gmai.com, and gmail.net had the worst malware check safety scores. These three domains are very likely known malware sources and thus should be blocked on systems and servers alike.

Used hand-in-hand, brand monitoring and domain reputation scoring can help domain owners keep their reputation intact by continually tracking the movement of potential TLD squatters and then taking the necessary legal action to shut malicious domains down. By building a strong case against malicious domains to get the authorities to cease their operations lawfully, domain owners can remove threat sources, allowing them to help keep users safe from attacks while keeping their brands and reputation intact.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.


Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.



Send this to a friend