Guidance on Impersonated Registered Domain Names

Type

Article

Topics
  • Cybersecurity
  • Cybersecurity Resources

A registered domain name is the gateway to an organization’s presence on the Internet, shepherding visitors to its website, where they expect to find all there is to know about the company. Domains also serve as a platform for business communication. A domain carries a company’s unique identity: its branding, company profile, service offerings, contact information, and anything else exclusive to it. Consumers, investors, and employees alike depend on registered domains to provide a smooth and reliable interface.

However, legitimate organizations are not the only parties using the Domain Name System (DNS). Threat actors commonly register domain names intended to impersonate legitimate companies or individuals because it is a cost-effective way to scam unwitting consumers into giving up personal data and/or money. The brand and reputation built by the business hang in the balance. It is therefore natural for an organization to feel vulnerable when a notification arrives with the details of a newly registered domain that is eerily similar to its own. But when is a look-alike domain a threat to an organization? And if a threat is identified, what can be done to mitigate the issue or prevent future incidents?

What to Look for in a Threatening Domain 

When receiving a domain registration alert, it is important not to jump to conclusions. First, examine the registered domain and ask two critical questions: 

What Word(s) Triggered the Alert? 

Examine the registered domain. If the alert was triggered by a word associated with the organization that is common across industries and/or is not proprietary (such as “wealth”, “street”, or “hill”), the domain should not immediately be categorized as a threat. Numerous other organizations use common words in their domains, so some similarities are coincidental rather than malicious. Further examination is needed.

If the alert was triggered by proprietary terms (i.e., terms fabricated, trademarked, or copyrighted for an organization’s marketing), there is more cause for concern.

Is the Domain Easily Confused with the Existing Organization’s?

If the answer is yes, the domain’s intent is more likely malicious. These domains often look nearly identical, with only small disparities that our brains overlook and silently correct. Be on the lookout for the following ploys:

Legitimate Domain: acaglobal.com

Ploy                         Example
Top-Level Domain (TLD) Swap  acaglobal.net
Subdomain                    aca.global.com
Typo Squatting               acaglopal.com
Hyphenation                  aca-global.com
Repetition                   acaaglobal.com
Replacement                  acag1obal.com
Omission                     acagobal.com
Transposition                acagloabl.com
Insertion                    acaxglobal.com
Homoglyph                    acaɠlobal.com
Vowel-Swap                   acaglobel.com
Addition                     acagloball.com


In addition, threat actors may swap keywords in a domain for synonyms, or add or drop plausible words, to fool Internet users looking for a site. For example, for a fictitious financial institution named ABC Wealth Investment LLC with the domain ABCwealthinvestment.com, domain imitations may resemble the following:

  • ABCcapitalinvestment.com 

  • ABCwealthcapital.com 

  • ABCwealthmanagement.com 

  • ABCwealth.com 

  • ABCwealthinvestmentcapital.com  
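A short triage helper, added here as an example and not ACA Aponix’s tooling, that labels an alerted domain with the ploy from the table above it most resembles; keyword or synonym swaps like those just listed are more than one edit apart and come back as None, signalling that a human needs to look. The confusable-character map is a constructed sample.

```python
# Added example (not ACA Aponix's tooling): label an alerted domain with the ploy
# from the table above that it most resembles, so monitoring alerts can be triaged.
VOWELS = set("aeiou")
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "8": "b"}  # constructed sample map

def _parts(domain):
    """Lowercase a domain and split it into (labels, tld), e.g. (['aca', 'global'], 'com')."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return labels[:-1], labels[-1]

def classify(legit, candidate):
    """Return the ploy name the candidate matches against the legitimate domain, or None."""
    l_labels, l_tld = _parts(legit)
    c_labels, c_tld = _parts(candidate)
    l_name, c_name = "".join(l_labels), "".join(c_labels)
    if any(ord(ch) > 127 for ch in candidate):
        return "Homoglyph"            # non-ASCII letter standing in for an ASCII one
    if "-" in c_name and c_name.replace("-", "") == l_name:
        return "Hyphenation"
    if len(c_labels) > len(l_labels) and c_name == l_name:
        return "Subdomain"            # aca.global.com: same letters, split by a dot
    if c_name == l_name:
        return "TLD Swap" if c_tld != l_tld else "Legitimate"
    return _single_edit(l_name, c_name)

def _single_edit(l, c):
    """Classify names one edit apart; None when the difference is larger (e.g. a synonym swap)."""
    if len(c) == len(l) + 1:
        if c.startswith(l):
            return "Addition"         # character appended at the end
        i = next((k for k in range(len(l)) if l[k] != c[k]), len(l))  # first divergence
        if c[:i] + c[i + 1:] != l:
            return None
        neighbours = {c[i - 1] if i else None, c[i + 1]}
        return "Repetition" if c[i] in neighbours else "Insertion"
    if len(c) == len(l) - 1:
        i = next((k for k in range(len(c)) if l[k] != c[k]), len(c))
        return "Omission" if l[:i] + l[i + 1:] == c else None
    if len(c) == len(l):
        diff = [k for k in range(len(l)) if l[k] != c[k]]
        if len(diff) == 2 and diff[1] == diff[0] + 1 and l[diff[0]] == c[diff[1]] and l[diff[1]] == c[diff[0]]:
            return "Transposition"
        if len(diff) == 1:
            lc, cc = l[diff[0]], c[diff[0]]
            if CONFUSABLES.get(cc) == lc:
                return "Replacement"  # digit or symbol standing in for a letter
            if lc in VOWELS and cc in VOWELS:
                return "Vowel-Swap"
            return "Typo Squatting"   # any other single-letter slip
    return None
```

Running classify("acaglobal.com", d) over each example in the table returns that row’s ploy name.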

How to Mitigate a Substantiated Threat 

If the alarm bells are going off, the best options are to take control of or take down these domain registrations. The process can be challenging, but several options are available:

  1. Identify and contact the domain registrar. To identify a registrar, one can use the online registration data lookup tool ICANN|LOOKUP. Common registrars include (but are not limited to) Domain.com, GoDaddy, DreamHost, and Google Domains. Report the abuse directly on their websites. 

  2. Utilize third-party vendors who specialize in domain takedown services or other similar countermeasures. They can disrupt attempts to imitate the domain and compromise the business.  

  3. Work with legal counsel. They may be able to take legal action on an organization’s behalf, especially around the unauthorized use of copyrights and trademarks. Involving legal counsel may also help with engaging registrars and law enforcement, where appropriate. In addition, litigation could help identify the threat actor, which allows legal counsel to help issue a cease-and-desist letter. 

ACA Guidance 

Domain Look-Alike Prevention 

Although it is impossible to fully prevent malicious domain name registration, an organization can put measures in place to minimize the possibility. ACA Aponix® recommends:

  1. Registering multiple domains. The more look-alike domains a company registers and controls, the fewer remain to be leveraged against it. It is not possible to own every possible iteration, but owning the most obvious culprits can reduce the chances of successful deception by threat actors.

  2. Using DNS monitoring services. Companies such as ACA Aponix offer DNS monitoring services that scan the Internet for newly registered domains that are 80-90% matches to their clients’ domains. They regularly send email alerts detailing any findings. When an alert is received, consider the questions above to determine whether the domain appears threatening and whether further action is needed, or reach out to a trusted cybersecurity advisor.

  3. Focusing on what is right vs. what is wrong. There are countless potential iterations of any domain, so alerting after every single flag will get noisy. Moreover, it is easier to teach and have confidence in one “right thing” rather than thousands of “wrong things.” Periodically remind investors, employees, and/or consumers of: 

  • Verified third parties 

  • Legitimate domain name(s)  

  • The appearance of the official website(s) 

  • How correspondences from the organization will look 
