
Typosquatting and Phishing Protection with UltraDDR 


Spear Phishing and Typosquatting. 

One very common type of cyberattack is spear phishing. In this technique, the attacker sends a phishing email to users in the target organization in an attempt to deceive them into divulging sensitive information such as login credentials or other Personally Identifiable Information (PII).

One of the ways that the attacker makes the phishing website look like an internal website is to use a typosquatting domain. These domains look like the target organization’s domain name by using a variety of techniques such as misspellings, different character encodings, and adding a hyphen to the target domain. Attackers will also impersonate popular websites such as cloud providers and office suites using typosquatting domains. 

UltraDDR, or UltraDNS Detection and Response, is a Protective DNS service that detects and blocks DNS queries to malicious domains, including typosquatting domains, using four detection engines that together provide defense in depth:

  • Lists Engine 
  • Categories Engine 
  • Decision Engine 
  • Ruleset Engine 

Block Typosquatting with the Lists Engine. 

The Lists Engine uses lists of Fully-Qualified Domain Names (FQDNs), domains, registrars, IP addresses, and CIDR blocks that you provide and manage yourself. Among these, the FQDN and Domains tabs are the ones that matter for blocking typosquatting domains.

To use the Lists Engine, you'll need a compilation of potential typosquatting domains. You can generate a list of these domains at DNS Twist. DNS Twist is a web front-end to a command-line tool that ships with Kali Linux and is used to generate candidate look-alike domains for red-team and ethical hacking engagements. There is an advantage to using the same tools that a potential attacker would use against you: your blocklist covers the same permutations they would try.

Once you’re at DNS Twist, add your domain name into the text box and hit the “scan” button.  

This generates a list of typosquatting domains which are then tested to see if they are registered and active. 

Underneath the "Scan" button, where it says "Scanned NNNN permutations", there is now a link to download the list of potential domains as a text file with one domain per line.

Some domains that look like vercara.com: 

account-vercara.com 
accountvercara.com 
auth-vercara.com 
authvercara.com 
confirm-vercara.com 
confirmvercara.com 
connect-vercara.com 
connectvercara.com 
enroll-vercara.com 
enrollvercara.com 
http-vercara.com 
https-vercara.com 
httpsvercara.com 

You can edit this file by hand to add or remove domains, and you can also merge lists from different tools.
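The permutation step above, as an added example that is not dnstwist's or UltraDDR's code: it reproduces a few of the techniques the article names (keyword prefixes with and without a hyphen, misspellings by omission, transposition and repetition, hyphen insertion, and a small homoglyph table) and then merges and dedupes the result with a second list, as you would when combining the output of different tools before importing it into the Lists Engine. The keyword set and homoglyph table are assumptions chosen to match the article's sample output; the second list is constructed.

```python
"""Generate candidate typosquatting domains and merge them into one blocklist.

Added example, not dnstwist or UltraDDR code. Output is one domain per line,
the format the article says the Lists Engine import expects.
"""
from __future__ import annotations

# Prefixes seen in the article's sample output; the set is an assumption.
KEYWORDS = ["account", "auth", "confirm", "connect", "enroll", "http", "https"]

# Small homoglyph table (assumption; real tools ship a much larger one).
HOMOGLYPHS = {
    "a": ["4"],
    "e": ["3"],
    "i": ["1", "l"],
    "l": ["1", "i"],
    "o": ["0"],
    "s": ["5"],
}


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'vercara.com' into ('vercara', 'com')."""
    label, _, tld = domain.lower().strip().partition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def permutations(domain: str) -> set[str]:
    """Return look-alike candidates for one domain, excluding the domain itself."""
    label, tld = split_domain(domain)
    out: set[str] = set()
    # Keyword prefixes, hyphenated and not (account-vercara.com, accountvercara.com).
    for kw in KEYWORDS:
        out.add(f"{kw}-{label}.{tld}")
        out.add(f"{kw}{label}.{tld}")
    # Hyphen inserted between any two characters (verc-ara.com).
    for i in range(1, len(label)):
        out.add(f"{label[:i]}-{label[i:]}.{tld}")
    # One character omitted (ercara.com).
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # Adjacent characters transposed (vrecara.com).
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    # One character doubled (vvercara.com).
    for i in range(len(label)):
        out.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    # Single-character homoglyph substitution (v3rcara.com).
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    out.discard(f"{label}.{tld}")  # never put the real domain on the blocklist
    return out


def merge_lists(*lists) -> list[str]:
    """Normalize (lowercase, strip trailing dot), drop comments, dedupe, sort."""
    merged: set[str] = set()
    for entries in lists:
        for entry in entries:
            d = entry.strip().lower().rstrip(".")
            if d and not d.startswith("#"):
                merged.add(d)
    return sorted(merged)


def write_list(domains: list[str], path: str) -> None:
    """Write one domain per line, as the Lists Engine import expects."""
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(domains) + "\n")


if __name__ == "__main__":
    candidates = permutations("vercara.com")
    # Constructed second list, as if exported from another tool (duplicates on purpose).
    other_tool = ["VERCARA-LOGIN.COM", "vercara.co", "account-vercara.com", "# comment"]
    final = merge_lists(candidates, other_tool)
    print(f"{len(final)} domains")
    write_list(final, "typosquatting-domains.txt")
```

Review the generated file before importing it: permutation tools produce many strings nobody would ever register, and a short domain can produce a candidate that collides with a legitimate third-party domain, so hand-editing the list as the article suggests is a real step, not a formality.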

Inside the UltraDDR Lists Engine, you then create a new list under the Domains sub-tab. For simplicity, call it “Typosquatting Domains”. You can import the entire file into that list. Click “Apply”, view the Import Preview, click “Proceed”, and you have protected your organization. 

The Categories Engine and known Typosquatting. 

The Categories Engine uses Vercara-curated lists of domains that are either malicious or that break an organization's Acceptable Use Policy. One category is "phishing", which blocks known phishing sites regardless of which domain they impersonate, based on observed phishing attacks. To get this protection against typosquatting domains, all you have to do is enable the phishing category. Vercara recommends that this category be enabled by default for all customers.

Spear Phishing and the Decision Engine. 

The Decision Engine uses Artificial Intelligence and an Adversarial Infrastructure Data Lake to identify domains that have similar characteristics to domains used previously in attacks such as phishing. This provides an incredibly accurate solution to detect and block previously unseen domains based on their commonality with observed attacks, replacing the need for a dedicated Cyber Threat Intelligence (CTI) team. 

The best part about the Decision Engine is that it’s on by default inside UltraDDR. Once an organization sends their DNS queries to UltraDDR, they are protected. 

Typosquatting and the Ruleset Engine. 

The Ruleset Engine allows administrators to block DNS queries based on a wide variety of data elements in the query, the response, the domain, and the IP address.

Block New Domains 

The Decision Engine blocks all domains that are less than 30 days old. This provides protection against completely new domains that are registered in preparation for a specific spear phishing attack campaign. However, administrators can extend this to 90 days or more using a rule. 
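The two controls described so far, a customer-managed list and a domain-age rule, as an added example that is not UltraDDR's rule engine: it parses a few constructed query-log lines, checks the queried name (and its registrable parent) against a small typosquatting list, and then applies a "block domains younger than N days" rule with the threshold raised from the default 30 days to 90. The log format, the registration dates, the list contents and the allowlist are all constructed; a real deployment would get domain creation dates from a registration data feed.

```python
"""Evaluate DNS queries against a blocklist and a domain-age rule.

Added example, not UltraDDR code. Combines a Lists Engine style match with
a Ruleset Engine style "younger than N days" rule. All data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Reference "today" for the age rule (constructed; the article's update date).
TODAY = date(2024, 3, 19)

# Constructed list, as if imported into a "Typosquatting Domains" list.
TYPOSQUAT_LIST = {"account-vercara.com", "accountvercara.com", "auth-vercara.com"}

# Constructed registration dates (in practice from a registration data feed).
CREATED = {
    "vercara.com": date(2022, 6, 1),
    "login-vercara.com": date(2024, 3, 10),   # 9 days old
    "portal-vercara.com": date(2024, 1, 15),  # 64 days old
    "example.com": date(1995, 8, 14),
}

ALLOW = {"vercara.com"}  # the organization's own domains are never blocked

# Constructed log format: timestamp, client, queried name, query type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)

SAMPLE_LOG = [  # constructed
    "2024-03-19T10:00:01Z client=10.0.0.5 qname=vercara.com qtype=A",
    "2024-03-19T10:00:02Z client=10.0.0.5 qname=mail.account-vercara.com qtype=A",
    "2024-03-19T10:00:03Z client=10.0.0.7 qname=login-vercara.com qtype=A",
    "2024-03-19T10:00:04Z client=10.0.0.7 qname=portal-vercara.com qtype=AAAA",
    "2024-03-19T10:00:05Z client=10.0.0.9 qname=example.com qtype=A",
    "not a log line",
]


@dataclass
class Decision:
    qname: str
    action: str  # "allow" or "block"
    reason: str


def registrable(qname: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    Assumption: multi-label public suffixes such as co.uk are not handled."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def evaluate(qname: str, today: date = TODAY, max_age_days: int = 90) -> Decision:
    name = qname.lower().rstrip(".")
    dom = registrable(name)
    if dom in ALLOW:
        return Decision(name, "allow", "allowlist")
    # List match: the exact name or its registrable parent is on the list,
    # so subdomains of a listed domain are blocked too.
    if name in TYPOSQUAT_LIST or dom in TYPOSQUAT_LIST:
        return Decision(name, "block", "list:typosquatting")
    # Age rule: block when the registration is younger than max_age_days.
    created = CREATED.get(dom)
    if created is not None and (today - created).days < max_age_days:
        return Decision(name, "block", f"rule:age<{max_age_days}d")
    return Decision(name, "allow", "no match")


def process_log(lines, today: date = TODAY, max_age_days: int = 90) -> list[Decision]:
    """Parse log lines and return one Decision per well-formed line."""
    decisions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it (and count it, in a real pipeline)
        decisions.append(evaluate(m["qname"], today, max_age_days))
    return decisions


def actions(decisions: list[Decision]) -> dict[str, str]:
    """Collapse decisions to {qname: action} for easy inspection."""
    return {d.qname: d.action for d in decisions}


if __name__ == "__main__":
    for d in process_log(SAMPLE_LOG):
        print(f"{d.action:5} {d.qname:28} {d.reason}")
```

The interesting case is portal-vercara.com: at 64 days old it passes the default 30-day rule but is caught once the threshold is extended to 90 days, which is exactly the trade-off the extension makes (more coverage of pre-registered campaign domains against more false positives on legitimately new domains).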

Other Rules 

You can set up additional rules to identify and block harmful domains, including those used for typosquatting. Note that these rules are not designed exclusively for typosquatting and may catch other types of malicious activity as well. For more information, see some of our recommended rules.

The final word on Typosquatting protection. 

UltraDDR's detection engines offer comprehensive protection against the growing threat of typosquatting and the attacks it enables. In addition to the default settings, administrators can customize the protection to suit their specific security needs, including generating and importing their own typosquatting domain list, enabling the phishing category, and blocking domains that are less than 90 days old.

But remember, your cybersecurity is only as robust as your rules. That’s why we encourage you to explore UltraDDR and Protective DNS. UltraDDR is designed not just to counter typosquatting but to detect a plethora of malicious activities. To learn more about UltraDDR and how it can help protect your organization, visit our product page.  

Last Updated: March 19, 2024
