New Service Hunts Malicious Domain Names

Information security firm High-Tech Bridge has launched a new free service to help web site owners and businesses understand and locate domain name threats that could be targeted at them and their customers. Called Domain Security Radar, the new service automatically lists existing domains that could potentially be used by cybercriminals and typosquatters for financial fraud, phishing and general scams using the organization’s good name as the lure.

Cybersquatting involves the use of a branded name of an unassociated domain. The classic example is Jeremiah Tieman’s registration of jenniferlopez.net and jenniferlopez.org to attract Jennifer Lopez fans to unconnected sites that generated advertising revenue for Tieman. Jennifer Lopez had earlier registered her name as a trademark, making this particular example of cybersquatting clearly illegal.

In 2009 the WIPO Arbitration and Mediation Center ordered Tieman to hand the domain names to The Jennifer Lopez Foundation. But the potential for cybersquatting has increased dramatically with the expanded number of TLDs  available to cybersquatters.

Ilia Kolochenko, founder and CEO of High-Tech Bridge, explains another problem with cybersquatting: “If you have ‘knownbrand.co.uk’, crooks will create ‘knownbrand.fr’ or ‘knownbrand.info’ trying to steal your traffic and users, and redirect them to competing brands or just to spammy websites. In the worse case,” he added, “malware will be hosted on these domains to compromise the visitors.”

Hosted malware is a particular problem for typosquatting. This involves the registration of domains that visually look or phonetically sound like the target’s legitimate domain. They are invariably malicious, similarly seeking to attract the customers of the legitimate site. Consider a hypothetical file-synchronization service known as DROPCARTON.COM. A typosquatter could register a separate domain known as DROPCART0N.COM. In certain fonts these two names would be almost indistinguishable.

Both methodologies could be used as phishing sites. However, since they rely on making the target believe it is a known and valid brand rather than having to disguise an obviously dubious domain name, they can be especially effective.

The problem for most companies is that all of these practices will negatively affect their own hard won brand reputations, but doing something about it is difficult and time-consuming. High-Tech Bridge’s Domain Security Radar allows people to automatically find existing sites that could potentially be used for cybercrime, typosquatting or targeted phishing purposes. It doesn’t mean the listed domains actually are malicious – only that they could be. A link to Google’s Safe Browsing can give some indication of whether malware has recently been hosted on the listed sites.

The anti-phishing element of Domain Security Radar is different to most other services. Bad domain lists from companies like Spamhaus and Surbl can list all known phishing sites. High-Tech Bridge’s service lists only those potential sites that could piggy-back off your own domain name to specifically target your own staff or customers. 

“The concept of our phishing radar is totally different to any other solution,” Kolochenko told SecurityWeek. “We show phishing websites only for your brand (or the URL you enter). For example, if you own ‘brand1.com’, we will show you only those phishing websites that imitate the ‘brand1.com’ identity, not tons of garbage about ‘brand55.com’ or ‘brand99.com’ – as you don’t care about them.”