Active Domain Monitoring

Monitoring new domain registrations is an essential aspect of cybersecurity as it can help in the early detection of potential phishing or malware attacks. This practice, however, comes with certain challenges, particularly when it involves non-US top-level domains (TLDs).

Many registrars for country-specific TLDs, for example .de for Germany or .uk for the United Kingdom, often operate independently and do not report new domain registrations to a central international database. Therefore, monitoring new domain registrations under these TLDs can be more complex compared to generic TLDs (.com, .net, .org), where the registration data is typically maintained by an accessible central body. That is why we offer two ways of domain monitoring:

  • Active Domain Monitoring: We download all available databases of registrations on a daily basis and make them available via an alert or a search query in Kaduu. The limitation here is that many new registrations under TLDs that are not reported centrally are missing.
  • Passive Domain Monitoring: We slip into the role of the attacker and create a fixed list of permutations of the original domain and monitor these permutations to see if they become reserved.

This page covers active domain monitoring.

What are we trying to detect with active domain monitoring?

Attackers will usually register a variation of the victim's domain name to conduct attacks. This technique is called typosquatting, also known as URL hijacking. It is a form of cybersquatting where an attacker registers domain names similar to a legitimate domain but with common typographical errors. The intent is to capture traffic from users who either mistype the URL of a legitimate site or fall for a phishing attack. Here are some examples.

How does active domain monitoring work in Kaduu?

In our active domain monitoring we generate thousands of typosquatted variations of a domain name and then query DNS servers for these domains; this is a viable method for detecting such activity. The variations are typically produced by algorithms that generate common typographical errors, including character omission, transposition, substitution, and addition, as well as wrong key errors.

This approach includes the following steps:

1. Domain Typo Generation: Generate a list of typosquatted domains based on your legitimate domains. There are several tools and services available that can automatically generate a comprehensive list of typo variants.

2. DNS Queries: The list of generated domains is then used to query DNS servers to see if any of these domains have associated Name Server (NS) records. An NS record in a DNS response would indicate that the domain has been registered and could potentially be used for malicious activities.

3. Monitoring and Alerting: The final step involves continuously monitoring these domains and setting up alerts if an NS record is discovered for one of these domains.

Once you have entered a domain in Kaduu, it will create 7000-8000 typosquatted variations of that domain name. Kaduu starts monitoring those domains by making an NS query (1) every day for each permutation. If an NS record exists, we also query the WHOIS data (2). Once the system finds typosquatted domains, you can proactively investigate them (3) or track changes (4).
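The three steps above and the daily NS-check flow, as an added Python example that is not Kaduu's own code: the generator covers the five typo classes named on this page, the NS lookup is injected as a callable (here a constructed in-memory fake so it runs offline; the domain names and NS hosts are made up), and the alert step diffs two daily runs. The WHOIS step is not included.

```python
from typing import Callable, Iterable

# Characters tried for substitution/addition, and a small QWERTY neighbour map for
# "wrong key" typos (constructed subset for illustration, not Kaduu's own tables).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
QWERTY_NEIGHBORS = {"a": "qwsz", "e": "wrsd", "i": "uojk", "o": "iplk", "u": "yihj",
                    "l": "kop", "m": "njk", "n": "bhjm", "s": "awedxz", "t": "ryfg"}

def typo_permutations(domain: str) -> set[str]:
    """Step 1: omission, transposition, substitution, addition and wrong-key variants of the label."""
    label, tld = domain.lower().rsplit(".", 1)
    out: set[str] = set()
    for i, ch in enumerate(label):
        if len(label) > 1:                      # omission (never emit an empty label)
            out.add(label[:i] + label[i + 1:])
        if i < len(label) - 1:                  # transposition of two adjacent characters
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for c in ALPHABET:                      # substitution, and addition before position i
            out.add(label[:i] + c + label[i + 1:])
            out.add(label[:i] + c + label[i:])
        for c in QWERTY_NEIGHBORS.get(ch, ""):  # wrong key: a neighbouring key hit instead of ch
            out.add(label[:i] + c + label[i + 1:])
    out.update(label + c for c in ALPHABET)     # addition at the end of the label
    out.discard(label)                          # drop variants identical to the original
    return {f"{lab}.{tld}" for lab in out}

Resolver = Callable[[str], list[str]]  # domain -> NS hostnames, [] when the name has none

def find_registered(candidates: Iterable[str], resolve_ns: Resolver) -> dict[str, list[str]]:
    """Step 2: keep only candidates that answer with NS records (the registration signal)."""
    hits: dict[str, list[str]] = {}
    for name in sorted(candidates):
        try:
            ns = resolve_ns(name)
        except Exception:   # NXDOMAIN, SERVFAIL, timeout: treat as "not registered today"
            ns = []
        if ns:
            hits[name] = ns
    return hits

def new_alerts(today: dict[str, list[str]], yesterday: dict[str, list[str]]) -> dict[str, list[str]]:
    """Step 3: alert only on domains whose NS records appeared since the previous daily run."""
    return {d: ns for d, ns in today.items() if d not in yesterday}

# Constructed sample "zone": two permutations pretend to answer with NS records, all others do not.
FAKE_ZONE = {"exmaple.com": ["ns1.parking.invalid."], "examp1e.com": ["ns1.hosting.invalid."]}

def fake_resolve_ns(domain: str) -> list[str]:
    return FAKE_ZONE.get(domain, [])

if __name__ == "__main__":
    hits = find_registered(typo_permutations("example.com"), fake_resolve_ns)
    print(new_alerts(hits, yesterday={"exmaple.com": FAKE_ZONE["exmaple.com"]}))
```

For a live run, pass a real resolver in place of the fake, for example a wrapper around dnspython's `dns.resolver.resolve(name, "NS")` that returns the NS targets as strings and lets its exceptions propagate to the `except` branch.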