The problem is well known and attackers abuse it on a daily basis: fake websites. These fake websites look trustworthy and are usually designed to earn money illegally, directly or indirectly. They steal sensitive information like passwords or other credentials that can be traded for money on the dark web. Another popular approach is to trick people into executing fraudulent money transfers or revealing their credit card data.
The problems fake websites are causing for organizations
For many organizations, fake websites become a major concern when one of their brands, logos or business websites is copied and abused to gain the trust of the employees, customers or other people who are lured onto the site. The attacker can have several end goals, including breaking into the organization using stolen passwords or obtaining sensitive customer information.
Setting up such a fake website also requires registering an internet domain name, and typically a name resembling that of the target organization is chosen. This act is called cybersquatting or domain squatting.
For example, a legitimate website might be www.company.com and an attacker could register www.company.org (different extension, a TLD swap) if that domain name was still available. Most users won't notice the difference. There are many other look-alike domain names to choose from (like www.company-info.com or www.com-pany.com), so it is practically impossible for an organization to register all of them in order to prevent cybersquatting.
Although the organization is not to blame, a successful attack can cause significant damage. The internet is littered with cases and news articles about such attacks and their consequences.
How the law tries to protect organizations from cybersquatting
According to the United States federal law known as the Anticybersquatting Consumer Protection Act, cybersquatting (also known as domain squatting) is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter can, for instance, offer to sell the domain to the person or company who owns a trademark contained within the domain name at an inflated price.
Since 1999, the World Intellectual Property Organization (WIPO), one of the 15 specialized agencies of the United Nations (UN), has provided an arbitration system wherein a trademark holder can attempt to claim a squatted site. The number of claims has been rising ever since.
Anyone can register a domain name anonymously in 5 minutes for a price as low as 10-20 euros. It is a "first come, first served" world that can easily be abused by malicious players. Hackers register such look-alike domain names to actively stage an attack, not just to resell them at a higher price later.
So in many cases the law cannot help the victim, as the attacker cannot be identified, and it will then not help in recovering any damages either. That is why several organizations have taken steps to proactively monitor the registration of potential cybersquatting domains, combined with detecting fake websites, in order to avoid or minimize damage early on.
How an organization can quickly detect fake websites that abuse its name & logos
As already stated, registering all possible look-alike internet domain names (so-called "cybersquatting candidates") is not a straightforward strategy. There will always be other look-alike domains available, and registering and following up on them requires considerable time and money. Automating the detection and monitoring can offer a solution here.
Here is how it can work.
A. Enumerate candidate cybersquatting (look-alike) domain names
Based on a list of the organization's known primary domain names, look-alike names can be generated. Several enumeration techniques can be applied, such as adding and removing delimiters (dots and dashes), swapping the extension for another one (top-level domain swaps) or changing characters. These techniques generate a big list of domain names. The Sweepatic Platform, for instance, would generate 2,000+ cybersquatting candidates from company.com using various techniques.
B. Verify if candidate cybersquatting websites are online
The next step is to continuously or frequently verify whether these domain names are registered AND whether they are actually hosting a website. If a site is online, an automatically captured screenshot lets an analyst investigate it further and build an initial list of potential cybersquatting candidates. Nonetheless, new candidates will pop up regularly and continuously for an analyst to investigate. While such an approach has proven to work, its downside is that it also generates many false positives, which can lead to alert fatigue.
C. Further qualify cybersquatting websites for brand abuse indicators using AI
Additional checks should be added, like verifying whether the organization's name is used on the cybersquatting website. Additionally, Artificial Intelligence (AI) can help to dramatically reduce those false positives and turn them into highly relevant alerts by searching for logos. An effective and simple approach is to list all your brand logos that are used online and have AI verify whether a cybersquatting website is using a similar image. Only comparing an image file name, the raw image data or its size, however, is not enough, as this can easily be circumvented by recompressing the image in another format or changing the file name.
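A compact illustration of steps A and C above, added here as an example and not Sweepatic's own code: it enumerates look-alike candidates for a primary domain with the three technique families named in step A, and shows why a byte-level hash of a logo fails under recompression while a perceptual (average) hash survives it. The TLD list and the 4x4 grayscale "logo" are constructed for this example, and the average hash stands in for the page's AI image comparison; real tooling uses far larger TLD lists and more mutation rules, which is how counts in the thousands arise.

```python
import hashlib

# Assumptions for this example (constructed, not Sweepatic's own data):
# a short TLD list and a 4x4 grayscale "logo" given as pixel rows 0..255.
TLDS = ["com", "net", "org", "info", "co", "biz"]
LOGO = [[200, 200, 20, 20], [200, 200, 20, 20],
        [20, 20, 20, 20], [20, 20, 20, 20]]
# Simulated lossy recompression: every pixel shifts by -2..2.
RECOMPRESSED = [[p + (i * 4 + j) % 5 - 2 for j, p in enumerate(row)]
                for i, row in enumerate(LOGO)]

def candidates(domain):
    """Step A: enumerate look-alike names with the technique families named
    above: TLD swap, delimiter add/remove, single-character changes."""
    name, _, tld = domain.rpartition(".")
    out = {f"{name}.{t}" for t in TLDS if t != tld}          # TLD swaps
    out.add(f"{name.replace('-', '')}.{tld}")                 # drop dashes
    for i in range(1, len(name)):                             # insert a dash
        if "-" not in name[i - 1:i + 1]:
            out.add(f"{name[:i]}-{name[i:]}.{tld}")
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")            # omit a char
        out.add(f"{name[:i]}{name[i]}{name[i:]}.{tld}")       # repeat a char
        if i + 1 < len(name):                                 # swap neighbours
            out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    out.discard(domain)
    return {c for c in out if not c.startswith((".", "-"))}

def raw_hash(pixels):
    """Byte-level hash: changes on any recompression, so useless for step C."""
    return hashlib.sha256(bytes(p for row in pixels for p in row)).hexdigest()

def average_hash(pixels):
    """Perceptual hash: 1 bit per pixel, set when brighter than the mean.
    Survives recompression and small brightness noise (step C)."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return "".join("1" if p > mean else "0" for p in flat)

def hamming(a, b):
    """Bits that differ between two hashes; small distance = similar logo."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    print(len(candidates("company.com")), "candidates for company.com")
    print("raw hash equal:", raw_hash(LOGO) == raw_hash(RECOMPRESSED))
    print("perceptual distance:", hamming(average_hash(LOGO), average_hash(RECOMPRESSED)))
```

Step B (checking whether a candidate resolves and serves a website) is deliberately left out because it needs live DNS and HTTP access; in practice each candidate from `candidates()` is fed to that check and only live sites proceed to the logo comparison.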
Sweepatic fully automates the discovery and follow-up of cybersquatting candidates
Sweepatic fully automates cybersquatting detection and prioritized alerting based on the organization's primary domain names. We can automatically generate and verify several thousand potential cybersquatting domain names for any given primary domain. Our cybersquatting module is part of a much bigger proprietary discovery engine that detects all internet-facing assets an organization has across providers, geolocations and IP ranges.
On top of our powerful discovery engine we automatically inspect and report on security issues like vulnerabilities, misconfigurations in email/DNS/Web, weak encryption, expired and weak SSL certificates, exposed databases and file shares, exposed administrative access and much more.
Our customers leverage our Platform's discovery capability to continuously find IT assets they were unaware of. Additionally, they use our Platform to follow up on a prioritized list of the security issues discovered.