#InfosecurityEurope: New Study Takes a Deep Dive Into Lookalike Attacks

Infoblox, a domain name system (DNS) security provider, has discovered an increase in cyberattacks using malicious lookalike domains, email addresses, and other types of registered identifiers.

In a recent report on lookalike attacks, which the company will unveil at Infosecurity Europe, the Infoblox Threat Intelligence Group (TIG) found that since the beginning of 2022 alone, more than 1,600 domains combining corporate brand and MFA lookalike features have been used to target organizations ranging from large corporations and major banks to software companies, internet service providers and government agencies.

However high that number sounds, it is nothing compared to the surge in top-level domain (TLD) registrations, which makes it harder for security researchers to spot the bad guys, Gary Cox, Infoblox’s Technical Director for Western Europe, told Infosecurity.

“On average, 180,000 new domains are registered every day, which equates to roughly 2 per second. Of course, not all of them are lookalikes, much less malicious. But with that much volume, identifying malicious lookalike domains becomes a task of finding a needle in a haystack. No wonder we had to go through over 70 billion DNS records,” Cox said.

Needle in a Haystack

Nonetheless, Cox added that the surge in registered lookalikes is largely linked to crime rather than simply to the growth in TLD usage.

“It’s hard to get a [.]com right now, but if I want to go to [.]xyz, [.]top or [.]tk, which is controlled by Tokelau, a small island in the South Pacific and a territory of New Zealand, and is widely used for nefarious purposes, it’s very easy and cheap,” he said.

Cybersecurity researchers have long analyzed typosquatting, in which attackers exploit common typos by registering domains that closely resemble popular websites (e.g., a misspelling of ‘google.com’) to trick users. Lookalike domains now take other forms as well, such as using visually similar characters from different character sets (such as Cyrillic) as homoglyphs to create domain names that look identical to the canonical one (e.g. Latin “a” versus Cyrillic “а”).

The records show that combosquatting domains (a brand name combined with additional words) are 100 times more prevalent than typosquatting domains, and that 60% of malicious combosquatting domains have been active for more than 1,000 days.

A related technique called soundsquatting is also emerging. It first appeared in 2014 and exploits homophones to trick users who hear a domain rather than read it, for example when using a personal assistant.

Everyone Is a Target

Lookalike domains are “often associated with broad, untargeted attacks on consumers through email spam, advertisements, social media, and SMS messages. [They] are synonymous with phishing attacks, and security awareness training also includes learning how to inspect links for them,” Infoblox reports.

And it’s no surprise. The Anti-Phishing Working Group (APWG), of which Infoblox is a founding member, tracks lookalike tactics such as homographs, typosquats, combosquats and soundsquats, and reported that phishing reached a notable level in the third quarter of 2022.

However, they are not only a threat to individuals; they are also used to gain access to corporate networks. “There have been, and probably will be, larger targets, such as banking, pharmaceuticals, anything related to industrial systems, but the bottom line is that everyone is targeted,” Cox said.

Infoblox’s Vice President of Product Marketing, Anthony James, will be presenting on DNS Detection and Response (DDR) at Infosecurity Europe on Wednesday, June 21st.

In the report, Infoblox provided many examples of victims of lookalike attacks, ranging from small businesses to multinational corporations in all sectors, including cryptocurrency, humanitarian organizations, financial firms, well-known retail brands and government agencies; even Infoblox itself was extensively targeted, the report said.

Lookalike attacks are effective because the human brain takes shortcuts while reading, the same reason you can still read a word when its letters are slightly jumbled.

Punycode, Email Security, DNS Security

Security measures exist to protect users from lookalike attacks, including email filtering solutions, anti-phishing and anti-smishing tools, and Punycode, the encoding web browsers use to represent domains containing Unicode characters in American Standard Code for Information Interchange (ASCII), a smaller and more restricted character set.
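The Punycode conversion described here, together with the typosquatting, homoglyph and combosquatting forms discussed earlier, can be checked in a few lines of defensive triage code. The example below is added here and is not from the Infoblox report; the brand list, lure words and confusable table are small constructed subsets chosen for illustration, and it assumes a single-label public suffix such as .com or .xyz.

```python
import unicodedata

# Constructed brand list and lure-word set for this example (assumptions, not from the report).
BRANDS = ("example", "infoblox")
LURE_WORDS = {"mfa", "sso", "login", "secure", "verify"}
# Small constructed subset of Unicode confusables: Cyrillic letters that look like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u04cf": "l"}

def to_ascii(domain: str) -> str:
    """Unicode hostname -> Punycode wire form (the 'xn--' string a browser may show)."""
    return domain.lower().encode("idna").decode("ascii")
def to_unicode(domain: str) -> str:
    """Wire form (or already-Unicode) hostname -> the Unicode string the user sees."""
    return domain.lower().encode("idna").decode("idna")
def skeleton(label: str) -> str:
    """Fold known confusables to their Latin lookalikes so the spoof compares equal to the brand."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)
def scripts(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 to a brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> list:
    """Tag the registrable label with the lookalike techniques it shows (single-label suffix assumed)."""
    label = to_unicode(domain).split(".")[-2]
    folded = skeleton(label)
    tags = []
    if len(scripts(label)) > 1 or (folded != label and folded in BRANDS):
        tags.append("homoglyph")          # mixed scripts, or a confusable-only spelling of a brand
    for brand in BRANDS:
        if folded == brand:
            continue                       # the genuine name, nothing to flag
        if edit_distance(folded, brand) == 1:
            tags.append("typosquat")
        elif brand in folded:
            tags.append("combosquat")      # brand plus extra words, e.g. brand-mfa-login
            if LURE_WORDS & set(folded.replace(brand, "-").split("-")):
                tags.append("mfa-lure")
    return tags
```

Feed `classify()` the hostnames from newly observed DNS queries or certificate transparency logs; `to_ascii()` shows the `xn--` form that Punycode produces for a homoglyph domain, and `to_unicode()` reverses it so the label can be inspected as the user would see it.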

However, these tools are not silver bullets, and malicious lookalike domains still circumvent these guardrails.

According to Mozilla, owner of the Firefox browser, the first responsibility should fall on the shoulders of the registry.

“It is the responsibility of the registry to ensure that customers do not deceive each other. Browsers can impose some technical restrictions, but we want a level playing field for non-Latin scripts on the web. We are not in a position to do this job on behalf of the registries; only the registry is in a position to perform proper checks here, and on our part we do not treat non-Latin scripts as second-class citizens,” says Mozilla’s description of its Internationalized Domain Name (IDN) display algorithm.

“Browser providers and personal assistant vendors cannot be held responsible for failing to detect malicious lookalike domains,” Cox agreed.

That’s where DNS security comes in, he added. “I’m a strong believer in defense in depth, but you also need to analyze things before they’re defined as malware and given a fancy name. How it’s set up, the infrastructure it’s hosted on, the history: all of that can make something suspicious. Once you know who registered it, or what TLD it’s registered with, you can start investigating. All these attributes alone are not conclusive, but they help us begin to build our view of the level of suspicion.”

Findings for the Infoblox report on lookalike attacks were drawn from DNS event detections from January 2022 to March 2023.
