Keeping the Bad Actors Out: Attack Vectors and Mitigation
Authors: Brand SIG

Bad actors are always looking for a way to take advantage of the trust that has been built in a brand. We discussed how detrimental this can be in the first blog in this series. In the second blog of the series, we looked at best practices for domain management.

Here we discuss some further steps you can take to protect your brand and defend your organization against domain abuse.

1. Squatters, look-alike domains and other encroachments

If a scammer is unable to gain control of one of the target organization’s domain names, they may do the next best thing and attempt to register a variant that looks very similar.

Monitoring new domain registrations for "look-alike" names (or having a service do this for you) is a useful additional step for discovering domains that attempt to mimic your brand. Useful sources include:

  • ICANN's Centralized Zone Data Service (CZDS). CZDS is a good starting place: it provides zone files for the generic TLDs (Top Level Domains) that publish through it, so newly added names can be diffed day over day. It does not include the country code TLDs (ccTLDs), however. Depending on the threat landscape the brand faces, those additional zones can provide another level of insight, so ccTLD coverage usually has to come from another source.
  • TLS certificate issuance, for example by watching Certificate Transparency logs for newly issued certificates whose names resemble your brand
  • Paid services that provide data on newly registered or newly observed domain names
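To make the monitoring step concrete, here is an added example (not code from the original post or from M3AAWG) that generates the common look-alike variants of a brand's second-level label and screens a feed of newly observed domain names against them. The brand domain example.com, the homoglyph table and the feed entries are constructed for illustration; a production monitor would use a much larger confusables table, including Unicode homographs, and the Public Suffix List to handle multi-label suffixes such as co.uk.

```python
"""Look-alike domain screening: generate typosquat variants of a brand label
and match a feed of newly observed domain names against them.
Added example; brand name, rules and feed are constructed, not real data."""
import string

# Small ASCII homoglyph table. Real monitoring uses a much larger one that
# also covers Unicode confusables (IDN homographs), but the mechanics match.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "g": ["q"],
}


def lookalike_variants(label: str) -> set:
    """Return typo-style variants of a second-level label (no TLD)."""
    variants = set()
    n = len(label)
    for i in range(n):                      # omission:      example -> exmple
        variants.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                  # transposition: example -> exmaple
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                      # repetition:    example -> exaample
        variants.add(label[:i] + label[i] + label[i:])
    for i in range(n + 1):                  # insertion:     example -> examplle
        for c in string.ascii_lowercase:
            variants.add(label[:i] + c + label[i:])
    for i in range(1, n):                   # hyphenation:   example -> ex-ample
        variants.add(label[:i] + "-" + label[i:])
    for i, ch in enumerate(label):          # homoglyph:     example -> examp1e
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
    variants.discard(label)
    variants.discard("")
    return variants


def split_domain(fqdn: str) -> tuple:
    """Split 'label.tld' into (label, tld). Single-label TLDs only; co.uk-style
    suffixes would need the Public Suffix List."""
    label, _, tld = fqdn.lower().rstrip(".").partition(".")
    return label, tld


def find_lookalikes(brand_domain: str, feed: list) -> dict:
    """Map each feed entry that mimics brand_domain to the reason it matched."""
    brand_label, _ = split_domain(brand_domain)
    variants = lookalike_variants(brand_label)
    hits = {}
    for fqdn in feed:
        name = fqdn.lower().rstrip(".")
        if name == brand_domain.lower():
            continue                        # our own registration
        label, _ = split_domain(name)
        if label == brand_label:
            hits[name] = "exact label, different TLD"
        elif label in variants:
            hits[name] = "typo/homoglyph variant"
        elif brand_label in label:
            hits[name] = "brand embedded in longer label"
    return hits


# Constructed stand-in for one day of newly observed names (e.g. a CZDS zone
# diff or a vendor feed). Not real registrations.
SAMPLE_FEED = [
    "exmaple.com", "examp1e.net", "example-login.com", "secure-example.org",
    "exampel.com", "example.co", "unrelated-shop.com", "ex-ample.com",
    "exaample.com", "example.com",
]

if __name__ == "__main__":
    for name, why in sorted(find_lookalikes("example.com", SAMPLE_FEED).items()):
        print(f"{name:24} {why}")
```

Every hit still has to be triaged by a human, since a name such as secure-example.org may belong to a legitimate reseller; the point of the generator is to narrow a daily feed of tens of thousands of names down to the handful worth looking at.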

Once you identify look-alike domains, you next need to determine whether they are benign or malicious. The danger lies with the malicious domains that are used to perpetrate activities like distribution of malware, command and control of botnets, phishing, business email compromise or the sending of spam.

A domain that is registered in bad faith (for example, one that incorporates a trademark registered and owned by a third party) but is not being used for malicious activity is not considered truly malicious. These domains are referred to as "brand-offensive". Even when they are not used maliciously, such domains should be pursued and shut down to avoid damage to the brand.

The big question is how these domains should be mitigated. What should be done with brand-offensive domains? Should they be monitored, or purchased and parked? Should administrative proceedings be initiated? And how should domains be mitigated once they are found to be malicious?

Mitigation
Generally, there are two classifications to consider when it comes to domain mitigation:

Malicious Domains - these are domains for which you have proof of malicious activity like phishing or credential theft.

When requesting a domain take-down, you will need to provide detailed evidence of abuse. Common examples include screenshots of the offending content, the full URL of the phishing page, or a sample lure email (with its complete headers) that was sent from the domain.

If you determine that the domain is malicious or infringes on your brand, you can contact the registrar, which can be identified from the domain's WHOIS (or RDAP) record. In some cases, where the hosting provider is a separate entity from the registrar, contacting the host may get the hosted content removed faster. If the matter is strictly a trademark violation, it may be a matter for a UDRP proceeding or civil litigation. ICANN accredits registrars and can be contacted if a registrar is non-responsive. Most domain monitoring services include takedowns as part of their service. For more information on ICANN and recent developments around WHOIS, please see https://www.m3aawg.org/sites/default/files/icann-jan6-final.pdf

The result of a "takedown" action by the domain's registrar differs from registrar to registrar, but should at a minimum deny the malicious actor further use of the domain. Once a domain has been taken down, it should continue to be monitored for resumed activity. Alternatively, the targeted brand can choose to acquire the domain; some registrars will transfer it to the brand if the brand is willing to take on responsibility for it going forward. Holding the domain can be valuable for alerting potential victims that they have fallen for an attack (for example, by serving a warning page at the former phishing URL) and for gathering statistics on who is still being directed to it.

Keep in mind that ICANN-accredited registrars will normally only treat a domain as malicious if it was registered and is being used for phishing, malware distribution or botnet command and control. Compromised domains, where a legitimate registrant's website or DNS has been hijacked to host the abuse, are a different issue altogether: suspending them punishes the victim and takes down their legitimate services, so working with the registrant or hosting provider to remove the offending content is usually the better course of action.

Brand-offensive domains - these are domains that infringe a company's trademark but are not engaged in malicious activity.

The same takedown process used for malicious domains can be followed for brand-offensive domains; however, this should be seen as best effort, because the content may not violate the registrar's terms of service. Also, if the owner of the domain can be determined from the hosted content or the domain's WHOIS data, an informal appeal can be made directly to the owner.

If the above options are unsuccessful, a brand can consider filing a formal dispute under the Uniform Domain-Name Dispute-Resolution Policy (UDRP). These proceedings can be resource intensive, but if the panel finds in the brand's favour, the offending domain is transferred to the brand (or cancelled).

Monitoring vs. purchasing domains

For domains that are suspicious but for which there is not enough proof to warrant a takedown request, or where takedown requests have been unsuccessful, a brand has several options. You can attempt to purchase the domain, or monitor it for relevant changes in state, such as changes to the hosted content or to its DNS records (for example, the appearance of an MX record, which signals that the domain may be about to send mail). While there are pros and cons to both, best practice suggests purchasing a limited number of highly suspect or potentially useful domains, then monitoring the rest with a combination of technology and human review.

2. Spoofing (for email)
Spoofing is when an attacker sends an email to a customer or employee that appears to come from a legitimate domain but does not. The forged sender may be a look-alike domain (microsoftt.com, for example), or it may be the legitimate domain itself: an attacker does not need to control a domain in order to emit email carrying that domain in the From: header, which is why the authentication protocols described below matter.

Mitigation

  • Consider monitoring and detection of look-alike domains by leveraging open source tool sets or third-party vendors that perform monitoring on your behalf. Regularly monitoring for suspicious domain activity means you can act against potential abuse as soon as a look-alike domain goes live.
  • Once abuse is identified, a complaint can be submitted to the offending domain's registrar. This process is described in the "Squatters, look-alike domains and other encroachments" section above.

When it comes to protecting your domains from misuse in messaging, take full advantage of SPF, DKIM and DMARC as described in M3AAWG Trust in Email Begins with Authentication and M3AAWG Email Authentication Recommended Best Practices. You should protect all of your domains with these protocols, even if you don't normally send mail from them: a non-sending domain can publish an SPF record of "v=spf1 -all" (authorising no sender at all) and a DMARC policy of p=reject. You can also consider removing the MX records (which name the mail servers that accept mail for the domain) for domains from which you do not send email, or, more explicitly, publishing a "null MX" record (RFC 7505, an MX with preference 0 and the target ".") that announces the domain accepts no mail.
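The recommendations above for a domain that never sends mail can be checked mechanically. The following is an added example (not code from the original post or from M3AAWG) that lints a domain's SPF, DMARC and MX records against that posture, shown once against a weak configuration and once against the hardened one. The domain name parked-brand.example and both record sets are constructed; in practice the `records` dict would be filled from live TXT and MX lookups.

```python
"""Lint the DNS posture of a domain that must never send mail.
Added example: the records below are constructed, standing in for the
TXT/MX answers a live resolver would return for the domain."""


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k2=v2' DMARC tag list into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_nonsending_domain(domain: str, records: dict) -> list:
    """Return findings for a non-sending domain; an empty list means the
    posture matches the recommendation (SPF -all, DMARC reject, no real MX).

    `records` maps an owner name to {rrtype: [rdata, ...]}.
    """
    findings = []
    own = records.get(domain, {})

    # SPF: exactly one record, and for a non-sending domain it should
    # authorise nothing at all ("v=spf1 -all"). "~all" or any include/ip
    # mechanism leaves room for spoofed mail to pass or merely soft-fail.
    spf = [r for r in own.get("TXT", []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    elif spf[0].split()[1:] != ["-all"]:
        findings.append(f"{domain}: SPF should be 'v=spf1 -all', got {spf[0]!r}")

    # DMARC lives at _dmarc.<domain>; p=reject tells receivers to discard
    # unauthenticated mail, and rua= is how you learn who is spoofing you.
    dmarc_name = f"_dmarc.{domain}"
    dmarc = [r for r in records.get(dmarc_name, {}).get("TXT", [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"{dmarc_name}: expected exactly one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":
            findings.append(f"{dmarc_name}: policy should be p=reject, got p={tags.get('p', '<missing>')}")
        sp = tags.get("sp")                 # subdomain policy inherits p when absent
        if sp is not None and sp.lower() != "reject":
            findings.append(f"{dmarc_name}: subdomain policy should be sp=reject, got sp={sp}")
        if "rua" not in tags:
            findings.append(f"{dmarc_name}: no rua= address, so spoofing attempts go unreported")

    # MX: either absent, or the RFC 7505 null MX ("0 .") which states
    # explicitly that the domain accepts no mail. Anything else invites
    # replies to spoofed mail and suggests the domain is in active use.
    mx = own.get("MX", [])
    if mx and [m.strip() for m in mx] != ["0 ."]:
        findings.append(f"{domain}: MX points at real mail hosts {mx}; publish a null MX ('0 .') instead")
    return findings


# Constructed record sets for a brand-owned domain that never sends mail.
WEAK_RECORDS = {
    "parked-brand.example": {
        "TXT": ["v=spf1 include:_spf.mailer.example ~all"],
        "MX": ["10 mail.parked-brand.example."],
    },
    "_dmarc.parked-brand.example": {
        "TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@parked-brand.example"],
    },
}
HARDENED_RECORDS = {
    "parked-brand.example": {"TXT": ["v=spf1 -all"], "MX": ["0 ."]},
    "_dmarc.parked-brand.example": {
        "TXT": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@parked-brand.example"],
    },
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"[{label}]")
        for finding in lint_nonsending_domain("parked-brand.example", recs) or ["OK"]:
            print("  " + finding)
```

Run periodically over the whole portfolio, a check like this catches the common regression where a parked domain is later pointed at a marketing platform whose SPF include quietly authorises thousands of third-party senders.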

3. Account Take-Over (ATO)
All an attacker needs to gain control of an organization's entire domain name portfolio (and to lock authorized users out of it) is a username and password. Attackers only need to guess, phish or socially engineer a single point of contact to gain control of a domain registration account.

Email is the preferred, and often the only, method by which some registrars notify a registrant of account activity. If that mailbox already belongs to the attacker, your organization may be completely in the dark.

Attackers can also block delivery of email notifications to the targeted registrant by altering the DNS configuration of a domain they now control through the compromised account, so that notifications sent to contact addresses hosted in that domain (e.g., the registrant's administrative or technical contact addresses) never reach the organization.

Phishers use email addresses resembling those of domain name registrars or DNS providers in phishing scams to gain control over legitimate domain names. Often, the attacker's objective is to change the name servers for the domain in order to control name resolution for it. An attacker who controls the name servers can inflict many kinds of harm: redirect and read email sent to the compromised organization's domain; set up a real-time copy of the organization's website; capture usernames and passwords; and use the brand's domain as a source for spam or other criminal activities, causing harm to the organization's reputation and direct financial loss for its clients and providers.

Stealthier attacks via a domain registration account include using the account and its attached payment information to register wholly new domains, or "domain shadowing," where the attacker adds subdomains of an existing domain that resolve to infrastructure the attacker controls. In these attacks the brand may not immediately notice a problem, because the existing website and email are left untouched; the miscreant simply uses the brand's money or existing domain to create new domains and subdomains and points them elsewhere via DNS. This can lead to reputation problems and targeted phishing against the brand's own customers and staff, since the bad actors can create convincing subdomains like "login.yourcompany.com" or "email.yourcompany.com."

These attacks are very difficult to detect, since few registrars provide monitoring tools for new domains added to an account or for new subdomains added to the brand's domain. Where such tools exist, the brand should take advantage of them. Scheduling a regular spot-check of the domain management account to review recent changes can also catch these attacks. Another technique for spotting domain shadowing is to obtain a report of new hostnames under the brand's domain from a passive DNS provider and compare it against the hostnames you know you operate.

Mitigation

  • Monitor for anomalous behavior in the registrar account (e.g. unusual login activity, changes to contact details or name servers)
  • Consider monitoring and detection of look-alike domains by leveraging open source tool sets or third-party vendors that perform monitoring on your behalf. Once abuse is identified, a complaint can be submitted to the offending domain's registrar. See the process outlined in the "Squatters, look-alike domains and other encroachments" section above
  • Create and document your mitigation processes and share them with the relevant security departments
  • Schedule regular spot-checks of your domain management account to review any recent changes, and obtain a report of new hostnames under your domain from a passive DNS provider
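The passive DNS comparison described in the domain shadowing paragraph and in the last bullet above can be automated. Here is an added example (not code from the original post or from M3AAWG) that takes a passive DNS export, keeps only hostnames under the brand's domain that are absent from the brand's own inventory, and ranks them by how much they look like shadow domains: resolving outside the organisation's address space, pointing at a third party via CNAME, or carrying a credential-lure label such as "login". The domain yourcompany.com is the post's own placeholder; the passive DNS rows, the inventory and the address ranges (RFC 5737/3849 documentation space) are constructed.

```python
"""Spot domain shadowing from a passive DNS export: hostnames under the
brand's domain that the brand does not recognise. Added example; the
passive DNS rows, inventory and address ranges are constructed."""
import ipaddress

BRAND_DOMAIN = "yourcompany.com"            # the post's own placeholder name

# Address space the organisation actually operates (RFC 5737/3849 doc ranges
# here). Anything under the brand domain resolving elsewhere is suspect.
ORG_NETS = [ipaddress.ip_network("203.0.113.0/24"),
            ipaddress.ip_network("2001:db8::/32")]

# Hostnames the brand knows it runs (from its own DNS zone or CMDB).
KNOWN_HOSTS = {"yourcompany.com", "www.yourcompany.com", "mail.yourcompany.com"}

# Labels attackers favour because they look like the brand's own login/mail.
LURE_WORDS = ("login", "email", "webmail", "secure", "sso", "account", "verify")

# Constructed passive DNS export: (hostname, rrtype, rdata, first_seen).
SAMPLE_PDNS = [
    ("www.yourcompany.com",   "A",     "203.0.113.10",              "2023-01-05"),
    ("mail.yourcompany.com",  "A",     "203.0.113.25",              "2023-01-05"),
    ("dev.yourcompany.com",   "A",     "203.0.113.40",              "2023-03-10"),
    ("login.yourcompany.com", "A",     "198.51.100.77",             "2023-03-14"),
    ("email.yourcompany.com", "CNAME", "edge.attacker-cdn.example.", "2023-03-14"),
    ("www.otherbrand.com",    "A",     "198.51.100.5",              "2023-03-14"),
]


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (label-aligned)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def in_org_space(rdata: str, nets) -> bool:
    """True if rdata is an IP address inside one of the organisation's nets."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_shadow_hosts(pdns, domain=BRAND_DOMAIN, known=KNOWN_HOSTS,
                      nets=ORG_NETS, since="1970-01-01") -> list:
    """Return one alert per unrecognised hostname under `domain` first seen
    on or after `since` (ISO dates compare correctly as strings)."""
    alerts = []
    for host, rrtype, rdata, first_seen in pdns:
        host = host.lower().rstrip(".")
        if not is_under(host, domain) or host in known or first_seen < since:
            continue
        reasons = ["not in inventory"]
        if rrtype in ("A", "AAAA") and not in_org_space(rdata, nets):
            reasons.append("resolves outside org address space")
        if rrtype == "CNAME" and not is_under(rdata, domain):
            reasons.append("CNAME to third-party host")
        label = host[: -len(domain) - 1]      # part left of ".yourcompany.com"
        if any(word in label for word in LURE_WORDS):
            reasons.append("credential-lure style label")
        alerts.append({"host": host, "rrtype": rrtype, "rdata": rdata,
                       "first_seen": first_seen, "reasons": reasons})
    # Most reasons first, so the likely shadow domains rise to the top.
    return sorted(alerts, key=lambda a: -len(a["reasons"]))


if __name__ == "__main__":
    for a in find_shadow_hosts(SAMPLE_PDNS, since="2023-03-01"):
        print(f"{a['host']:26} {a['rrtype']:5} {a['rdata']:28} {', '.join(a['reasons'])}")
```

In the sample data dev.yourcompany.com surfaces only because it is missing from the inventory, which is the usual false-positive class (a team stood up a host without telling anyone) and is itself worth fixing; login and email score highest because they point off-network and imitate the brand's own services, which is exactly the shadowing pattern the post describes.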

4. Software vulnerability
Attackers scan domain registration and administration portals for web application vulnerabilities (e.g. SQL injection). A successful exploit of vulnerable application code can result in the disclosure of account credentials for many domain accounts at once, among other sensitive data.

Mitigation

  • Ensure your software is up to date and patched with the latest updates to limit exploitation of known vulnerabilities.
  • Introduce a responsible vulnerability disclosure program so that researchers who find vulnerabilities in your portals have a way to report them to you before attackers exploit them.

This three-part blog series on effective and secure domain management has introduced some of the most pressing issues around protecting a brand from domain abuse. It is important to keep these considerations top of mind and current in the organization.

Consider having a face-to-face meeting with the legal and technical individuals involved in the domain name process to ensure that all locally unique considerations have been surfaced and adequately discussed. See our blog series Part 1: Don't Let Your Company Become a Headline: Protecting Your Brand from Cyber Attacks and Part 2: Beyond Basic Domain Management: Securing Your Brand, and the more detailed best practices document, for more recommendations to stay ahead of abusive practices.

The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.