Website domains are the primary means of connecting users to content on the Internet. It is hard to imagine a widely usable network where you had to type IP addresses such as 198.51.100.0 instead of words to reach information. Because of this importance, the estimated monetary value of large domains reaches millions or even billions of dollars. Such visibility also makes them targets for malicious actors looking to benefit from the popularity of established websites, using the weight of a company name or cause to achieve their own ends. In this article we briefly discuss three practices that are not widely commented on but that can threaten any domain on the network: typosquatting, doppelganger domains, and IDN phishing.
We must first consider the motives behind creating a domain that pretends to be legitimate. To illustrate, we divide the uses to which such domains are put into two categories: active and passive. In the active case, once the user arrives at the fake domain an attempt is made to install malicious software on their machine, or to steal their credentials or personal data by displaying a replica of the legitimate page. This is the easiest use to imagine, but it is certainly not the only one.
Passive action covers a broader range. For example, traffic may be redirected to a competing website that provides similar services, drawing audience away from the legitimate site. The fake domain can also be used to generate advertising revenue and display fake promotions, or simply to collect emails sent to the domain, which may contain sensitive information or be used to initiate malicious communication. Finally, the domain can be held hostage, forcing the legitimate company to pay to gain control of it and shut it down.
But how are these actions carried out? This is the crux of our article. One method is typosquatting, where the malicious actor registers domains that appear legitimate but differ by one or two letters: transposed letters (micorsoft.com instead of microsoft.com), common misspellings, or variants such as plurals. A technique sometimes combined with this is using a different TLD, registering a .net domain instead of .org, for example.
One of the most famous cases of typosquatting is the Goggle domain, which is definitely not controlled by Google but which has been a headache for the search giant, as it has been used since 2006 for a variety of illegitimate purposes, such as malware installation and scams involving SMS messages. In 2011, Google was unable to justify the illegitimacy of the domain in a dispute resolution forum, and the domain is still active. Another case of interest is Twiter, which uses only one "t" in its name and behaves similarly to "Goggle".
Doppelganger domains are a bit more complex but dangerously effective. In this case, the attacker takes advantage of the domain and subdomain division used by many websites (such as mail.provider.com) and simply registers the same name without the separating dot (such as mailprovider.com). The danger of this attack is that even a user who pays attention and checks that the words are correct will find no apparent error unless they have the technical knowledge to understand what a subdomain is.
Godai Group researchers, who documented this technique in a 2011 paper, pointed out that of the Fortune 500 companies listed as the world's largest, 151 were vulnerable; a striking number. The research also pointed out that several active domains were already compromised in this way, such as IBM with respect to the "caibm.com" and "seibm.com" domains, which the researchers suggest are used to capture misdirected emails.
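To make the two techniques above concrete from the defender's side, the following added example (not code from the original article) builds the watchlist of typosquatting and doppelganger names for a brand's own domains, the same list a company would check against new registrations or register pre-emptively. It assumes the registered domain is the last two labels of each hostname, which does not hold for suffixes such as co.uk.

```python
def typo_variants(domain: str) -> set:
    """Variants of the kinds the article describes for a registered domain:
    adjacent-letter transpositions (microsoft -> micorsoft), single-letter
    omissions (twitter -> twiter), a plural form, and TLD swaps."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    # Transpositions: swap each adjacent pair of letters
    for i in range(len(label) - 1):
        chars = list(label)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        variants.add("".join(chars) + "." + tld)
    # Omissions: drop one letter at a time
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:] + "." + tld)
    # Plural form and alternative TLDs (constructed, illustrative list)
    variants.add(label + "s." + tld)
    for other in ("com", "net", "org"):
        if other != tld:
            variants.add(label + "." + other)
    variants.discard(domain)  # the legitimate name is not a variant
    return variants


def doppelganger_variants(hostnames) -> set:
    """For each hostname a site actually uses (mail.provider.com), return the
    registrable doppelganger obtained by removing the dot between the
    subdomain and the registered domain (mailprovider.com).
    Assumption: the registered domain is the last two labels."""
    out = set()
    for host in hostnames:
        labels = host.lower().split(".")
        if len(labels) < 3:
            continue  # an apex domain has no subdomain dot to drop
        out.add(labels[-3] + labels[-2] + "." + labels[-1])
    return out


if __name__ == "__main__":
    # Constructed sample inputs matching the article's examples
    for name in sorted(typo_variants("microsoft.com")):
        print(name)
    print(doppelganger_variants(["mail.provider.com", "se.ibm.com", "ibm.com"]))
```

The resulting lists are what a brand-protection team would feed into a registrar search or a passive DNS feed to detect registrations by third parties.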
IDN phishing is a technique made possible by ICANN's approval in 2003 of domain names with non-Latin characters, called Internationalized Domain Names (IDNs). A further factor arrived in 2010, when the first non-Latin ccTLDs began to be enabled, making it possible for a domain to be spelled entirely with characters from another alphabet. The problem is that several letters of other alphabets resemble those of the Latin alphabet, allowing substitutions that help to register false domains.
The Armenian, Cyrillic, and Greek alphabets feature letters that can easily be substituted to confuse users. As an example, take the "linkedin.com" domain, written here in the usual way. Now the same domain is written again, but with one letter taken from the Cyrillic alphabet: linkedіn.com. Did you notice the difference? It is normally impossible to tell the Latin "i" and the Cyrillic "і" apart visually, but they are different letters and also count as different domains at the time of registration. Advanced users can check the source code of this article to confirm the phenomenon. Certain measures are being implemented to prevent situations like this, but they do not apply in all cases and may leave gaps open.
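The check below is an added example, not part of the original article: it takes a candidate domain, converts it to its punycode form, reports whether any label mixes Latin letters with another script (the heuristic browsers use to decide whether to show the Unicode form), and maps a small constructed table of Cyrillic and Greek homoglyphs back to Latin to see whether the name collides with a protected brand domain. The script detection reads the first word of each character's Unicode name and is an approximation, not a full Unicode script lookup.

```python
import unicodedata

# Constructed, illustrative table of homoglyphs: non-Latin letters that
# render like Latin ones (Cyrillic a, e, o, p, c, y, x, i, j, h; Greek o, a, v).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def scripts_in(label: str) -> set:
    """Approximate the scripts used in a label: ASCII letters count as LATIN,
    other characters contribute the first word of their Unicode name
    (e.g. 'CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I' -> 'CYRILLIC')."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(domain: str) -> str:
    """Replace known homoglyphs with their Latin look-alikes so the IDN can be
    compared with the brand it imitates."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in unicodedata.normalize("NFKC", domain))


def check_idn(domain: str, protected: set) -> dict:
    """Report the punycode form, the labels that mix scripts, and the protected
    domain the name impersonates (if its skeleton matches one)."""
    ascii_form = domain.encode("idna").decode("ascii")
    mixed = [lbl for lbl in domain.split(".") if len(scripts_in(lbl)) > 1]
    skel = skeleton(domain)
    return {
        "is_idn": ascii_form != domain,
        "punycode": ascii_form,
        "mixed_script_labels": mixed,
        "impersonates": skel if skel != domain and skel in protected else None,
    }


if __name__ == "__main__":
    # Constructed sample: the article's linkedin example with a Cyrillic i (U+0456)
    print(check_idn("linked\u0456n.com", {"linkedin.com"}))
```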
How can you protect yourself from this kind of situation? For high-visibility, or even medium-visibility, domains it is worth purchasing the domains that correspond to common errors made when typing your URL. It is also advisable to secure other TLDs, even if you prefer one specific TLD as the primary. It is neither necessary nor possible to cover every potential domain variation, but the cost of securing a few key domains is justified to avoid future problems. For doppelgangers, where possible the domain/subdomain combinations the website uses should be registered as soon as the subdomain comes into use.