In the last five years, we’ve all become far too familiar with it – hackers spoofing a company’s domain and therefore tarnishing the brand, bad actors attempting to infect our computers with malware, and criminals sending millions of spam messages.
As if this isn’t enough, now there is a whole group of people working to outsmart companies AND their customers by using cousin domains to fool customers into believing that the cyber criminals are these companies!
What is a Cousin Domain?
Cousin domain: a registered domain name that is deceptively similar to a target name, which can be a domain name or the name of a known entity. The target name is familiar to many end-users, and therefore imparts a degree of trust. The deceptive similarity can trick the user by embedding the essential parts of the target name in a new string (e.g. ‘companysecurity.example’ to attack ‘company.example’), or it can use some variant of the target name, such as replacing 'i' with '1'. This latter form is sometimes known as a "homograph attack".)
For computer security people, the problems associated with cousin domains – also referred to as ‘look alike’ domains – are a difficult issue. There are several approaches to prevent these hackers and, while none are perfect, several provide tremendous value.
A Closer Look at Cousin Domains
To illustrate one possible approach, let’s look at whitehouse.gov and it’s similar domains. (Please note: whitehouse.gov was selected only as an illustration; they are not an Agari customer.)
- Whitehouse.gov is an official website for the U.S. President
- Whitehouse.net hosts a faux-hacked version of the .gov homepage
- Whitehouse.com is owned by “fabulous.com” – appears to be for sale
- Whitehouse.org is owned by “Satire On-line” – no website
An email from any one of these domains might be valid. However, it is likely that both the .org and the .com domains are (or have been) intended to be deceptively similar to the .gov domain, and the .net domain is actively similar for (apparently) satirical reasons. Certainly, to the average user, getting an email from [email protected] would appear to be valid – and potentially disarming.
Most security professionals can quickly tell the difference between a real and a forged email message from President Obama, but how can it be done programmatically?
How Cybercriminals use Cousin Domains
Let’s say, for the sake of this discussion, that we have a message from the .com domain. The admins of this forged domain have set up proper SPF records and are DKIM signing their message. In fact, they are doing everything they can to look legitimate. And let’s say that you run the whitehouse.gov brand security team. The bad guy starts by sending an email to your customers, requesting they sign a petition that requires a social security number and a home address (so they can ensure only one signature from each person is recorded). If your customers click, they will be phished.
This is where cousin domain checking comes into play. Real mail from the Whitehouse has certain characteristics. Cyber criminals often “borrow” these characteristics – logos, graphics, style sheets, specific colors, known mail sources, etc. – to make the forged mail look valid, without hosting the content themselves. So, in a message from whitehouse.com, we can see links that reference whitehouse.gov. Red Flag! Usually, because these false domains get shut down fairly quickly, we’ll find that the bad actors’ .com domains were recently created or changed. Another Red Flag! There are all kinds of similar characteristics of forged mail that can be identified, but there are some other challenges.
The Benefit of Full DMARC Automation
Assuming you can parse bad mail that isn’t from you and find those messages that are pretending to come from you, and that you know enough about your good mail to make the comparisons, the trick is to do this quickly enough to provide actionable intelligence that lets you shut down the bad domain before your customers start clicking on the (faux) President’s petition.
As it works out, when we put this in front of our team of data scientists and employed some big-data transformations, we found that imitators, like whitehouse.com, stand out against the noise of millions of other types of bad email and the data we glean can be made actionable.
Unless they want to end up in the headlines, companies must take the proper steps to prevent cyber criminals from spoofing consumers with cousin domains. Implementing DMARC standards as well as working with security companies who are well versed in industry trends and commonalities are two of the first steps companies can take.