Attacks over typosquatted domains and how to detect them

Background: At the core of many successful attacks lies a simple idea: exploiting human perceptual weaknesses combined with psychological manipulation. One common way to do this is with impersonated URLs or typosquatted domains. By creating a sense of familiarity and trust through these similar-looking domains, attackers exploit the victim's past experience and expectations, making the fraudulent site appear legitimate.

Attack flow: When targeting individuals in government or business organizations, attackers often register domains that closely resemble legitimate ones. The difference between the legitimate domain and the newly registered one might be a minor variation in letters, a different top-level domain (TLD), or a slight change in meaning. For example, if the legitimate domain is police.am, the attacker might register a domain such as armenianpolice.com.

The attacker then configures the domain's MX (Mail Exchange) records so that email intended for the victim but addressed to the lookalike domain is delivered to the attacker's mail server. With this setup the attack infrastructure is ready, and the attacker can send malicious content to the victims from an address that looks trustworthy. Additionally, these typosquatted domains can be used as the Command and Control (C2) endpoint for malware on the victim's infrastructure: traffic to a plausibly named domain blends in with legitimate activity, helping the attacker evade detection and monitoring.

Detection: One recommendation is to develop an in-house script that generates the various permutations of your own domain names. The script should check whether each generated domain has DNS (host) and MX records. If both are present, the script should take a screenshot of the page, as the domain may be a phishing site or a replica of the legitimate one. Additionally, the script can automatically add these suspicious domains to the block list of your email protection gateway.
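The permutation and record-check steps described in the attack-flow and detection sections, carried out in working code. This is an added example, not the article's own script: the mutation set (character omission, repetition, transposition, adjacent-key substitution, hyphenation and TLD swap), the `ALT_TLDS` list, the `ADJACENT` key map and the `lookup` callable are assumptions chosen for illustration. The screenshot and gateway-update steps are left as hooks, since they depend on your own tooling.

```python
"""Generate lookalike domains and check which ones have DNS and MX records.

Added illustration, not the article's script. The mutation rules, the TLD list
and the lookup interface are assumptions made here for demonstration.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed TLD list; extend it with the TLDs your organisation is known by.
ALT_TLDS = ("com", "net", "org", "info", "co")

# Partial QWERTY adjacency map (constructed, not exhaustive).
ADJACENT = {
    "a": "qs", "e": "wr", "i": "uo", "o": "ip", "l": "kp",
    "c": "xv", "p": "ol", "m": "n", "n": "m",
}

LookupFn = Callable[[str, str], List[str]]  # (name, record type) -> records


def permutations(domain: str, alt_tlds: Iterable[str] = ALT_TLDS) -> Set[str]:
    """Return lookalike names for `domain` (e.g. 'police.am').

    Only the registrable label is mutated; the TLD is swapped separately.
    """
    label, _, tld = domain.lower().partition(".")
    mutated: Set[str] = set()
    for i in range(len(label)):
        mutated.add(label[:i] + label[i + 1:])             # omission: polce
        mutated.add(label[:i] + label[i] + label[i:])      # repetition: pollice
        for c in ADJACENT.get(label[i], ""):               # adjacent key: polixe
            mutated.add(label[:i] + c + label[i + 1:])
        if i + 1 < len(label):                             # transposition: polcie
            mutated.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if 0 < i < len(label):                             # hyphenation: po-lice
            mutated.add(label[:i] + "-" + label[i:])
    mutated.discard(label)
    mutated.discard("")
    names = {f"{m}.{tld}" for m in mutated}
    names |= {f"{label}.{t}" for t in alt_tlds if t != tld}  # TLD swap: police.com
    return names


def live_lookup(name: str, rtype: str) -> List[str]:
    """Real DNS lookup. Uses dnspython when installed (assumed optional);
    without it only A records can be resolved, via the socket module."""
    try:
        import dns.resolver  # type: ignore
    except ImportError:
        if rtype != "A":
            return []
        try:
            return [socket.gethostbyname(name)]
        except socket.gaierror:
            return []
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except Exception:  # NXDOMAIN, NoAnswer, timeouts: treat as "no record"
        return []


def classify(domain: str, lookup: LookupFn = live_lookup) -> Dict[str, Dict[str, List[str]]]:
    """Check every permutation for A and MX records.

    Returns {candidate: {"A": [...], "MX": [...]}} for every candidate that
    has at least one of the two record types.
    """
    hits: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(permutations(domain)):
        a, mx = lookup(name, "A"), lookup(name, "MX")
        if a or mx:
            hits[name] = {"A": a, "MX": mx}
    return hits


def high_priority(hits: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Candidates with both a host record and MX: the ones the article says to
    screenshot and push to the mail gateway block list."""
    return sorted(n for n, r in hits.items() if r["A"] and r["MX"])


if __name__ == "__main__":
    # Constructed answers so the demo runs offline; swap in live_lookup for real use.
    fake_zone = {
        ("polce.am", "A"): ["203.0.113.10"],
        ("polce.am", "MX"): ["10 mail.polce.am."],
        ("police.com", "A"): ["203.0.113.11"],
    }
    found = classify("police.am", lambda n, t: fake_zone.get((n, t), []))
    for name in high_priority(found):
        print("screenshot + gateway block list:", name, found[name])
```

Run it periodically (daily is typical) and diff the output against the previous run: a candidate that newly acquires an MX record is the signal the article describes, even before any phishing email has arrived.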

Conclusion: Detecting a typosquatted domain should be treated as an early warning that attackers are targeting your digital assets. Acting immediately to report and take down such domains is a crucial first step in preventing the attacks planned against you.