Posted on February 20, 2020 by Greg Spicer
Every website domain has hundreds, if not thousands, of permutations. Most of these permutated domains are completely harmless, involving a simple typographical variation on the original domain name. However, every now and again a fraudster will create a domain based on one of these permutations with bad intentions, hoping to compromise the security of the original domain. It’s important to understand and take reasonable steps to mitigate this risk, so you can better protect your vital business domains.
A permutation is defined as a change of one or more characters in a domain name. For example, our website is braintrace.com, and a permutation of our domain would be briantrace.com. It might be difficult to see, but the ‘i’ and ‘a’ are reversed. More examples of permutations would be domains consisting of homoglyph characters (braintracè.com), hyphenation (br-aintrace.com), additional characters (braintraces.com), and many more. Harmless as they may seem, these permutated domains sometimes end up serving as a trap for the unwary, as bad actors play off their close visual similarity and use a permutated domain as a cat’s paw in an attempt to infiltrate your network.
The Threat Explained
Here’s how we’ve seen this technique used. After registering a permutated domain, fraudsters build a website that mimics their target company’s website. Their goal is to trick visitors into thinking they have reached the target’s site, so that they mistakenly upload or share confidential information. We have also seen bad actors use these lookalike domains to run highly effective phishing campaigns, which can be either internally or externally bound. These campaigns often prove effective because the incoming emails go undetected by traditional anti-spoofing tools: they are sent from an actual registered domain, so the sender address genuinely matches it.
Another internal threat we have seen is when these domains are used to trick employees into compromising login credentials. Your employee thinks he or she is signing into a familiar employee-used website, or sub-domain, but actually enters his or her credentials into an imposter website, which has been made to look similar or identical.
Of course, the problematic use of permutated domains is not limited to fraudsters. We have also seen competitors buy their competition’s permutated domains to redirect website traffic when people mistype the domain. This is a dirty tactic that can be equally harmful to your business and brand.
Braintrace is committed to safeguarding our clients from this potential source of vulnerability. When fraudsters or competitors deploy a permutated domain in an attempt to compromise one of our clients, we find it and stop it from happening. We call this our Domain Protection Service, which relies on a mix of technology and analytical investigation. Frankly, the only way to defend against this kind of threat is by knowing when a permutated website has been created or changed. Our technology gathers and monitors all permutations of a client’s domain and alerts us whenever there has been a change in an existing permutated domain or when a new permutated domain gets created. Once we receive an alert, one of our analysts investigates to see if the change is associated with any malicious or suspicious activity.
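To make the monitoring idea concrete, here is an added sketch (not Braintrace's tooling, and not code from the original post) that builds a watchlist from the four permutation kinds named above and compares two observation snapshots to flag new or changed lookalikes. The homoglyph table, function names, and snapshot data are constructed for illustration.

```python
# Added example: build a lookalike watchlist, then diff two observation snapshots.
import string

# Small constructed homoglyph table; real monitoring uses a far larger one.
HOMOGLYPHS = {"a": "àá", "e": "èé", "i": "ìí", "o": "òó", "c": "ç"}

def permutations(domain):
    """Return lookalike candidates for `domain` (transposition, hyphenation,
    homoglyph substitution, single-character addition)."""
    name, _, tld = domain.partition(".")
    out = set()
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:  # swap adjacent characters: briantrace
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        out.add(name[:i + 1] + "-" + name[i + 1:])  # br-aintrace
    for i, ch in enumerate(name):
        for glyph in HOMOGLYPHS.get(ch, ""):  # braintracè
            out.add(name[:i] + glyph + name[i + 1:])
    for ch in string.ascii_lowercase:  # braintraces
        out.add(name + ch)
    return {f"{candidate}.{tld}" for candidate in out}

def diff_snapshots(previous, current, watchlist):
    """Compare {domain: record state} snapshots for watched domains and
    return ("new" | "changed", domain) alerts in sorted domain order."""
    alerts = []
    for domain in sorted(watchlist):
        before, after = previous.get(domain), current.get(domain)
        if after is None:
            continue  # not registered or not resolving in the latest snapshot
        if before is None:
            alerts.append(("new", domain))
        elif before != after:
            alerts.append(("changed", domain))
    return alerts

WATCH = permutations("braintrace.com")
# Constructed observations, not real DNS data: domain -> (A records, has MX).
YESTERDAY = {"braintraces.com": (("192.0.2.10",), False)}
TODAY = {
    "braintraces.com": (("192.0.2.10",), True),    # MX record appeared
    "briantrace.com": (("198.51.100.7",), False),  # newly observed
}

if __name__ == "__main__":
    for kind, domain in diff_snapshots(YESTERDAY, TODAY, WATCH):
        print(kind, domain)
```

Homoglyph candidates are registered in their punycode (`xn--`) form, so encode them before feeding them to whatever resolver or registration lookup produces the snapshots.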
Please reach out if you would like to learn more about how Braintrace can help keep your network secure.
You can see pricing plans for our Domain Protection Service here: https://braintrace.com/domain-protection-services/
Greg Spicer is the Chief Revenue Officer for Brainspace and can be reached by email at firstname.lastname@example.org.