Impersonation techniques are at the root of many cyberattacks. Phishing attacks and targeted spear-phishing against company executives are familiar forms of impersonation. Other types of impersonation include scam marketing and sales campaigns, and attempts to profit from unsuspecting users by fooling them in some way. All have the potential to damage an organization’s bottom line, brand reputation, and customer trust.
One of the most common impersonation techniques is domain name spoofing. Others include brand impersonation on social media and the distribution of fake mobile apps. It is trivial for malicious actors to register a domain name and set up a website whose URL resembles the one used by a legitimate organization. A common spoofing technique involves registering a domain name that differs by only one or two characters from the domain name the cybercriminals are planning to attack. Often the substitutions are chosen so that the resulting URLs look the same at a glance, for example by replacing the letter l with the number 1, or the letter o with a zero.
Threat Command monitors multiple sources to identify suspicious domain name activity that could indicate potential spoofing or other cyberattack planning. Monitoring occurs on the clear, deep, and dark web, using web crawling and deep web analytics. Domain name registration sites and website hosting providers are also monitored to look for spoofed domain name activity. Social media discussions, web forums, text and code-sharing sites, and image-sharing sites (using image analysis) are monitored as well.
The information obtained from the comprehensive searching needs to be analyzed to identify suspicious activity. Not all close matches to domain names represent a cybersecurity risk. For example, someone may have a last name that is close to an organization’s brand name and may register a similar domain name for a personal site.
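The lookalike-domain triage described above (character substitutions such as l/1 and o/0, and the fact that not every near match is a threat) can be reduced to a small scoring routine. The following is an added example, not Threat Command's own analytics or Rapid7 code: it collapses common look-alike characters, measures edit distance against a protected brand domain, and buckets each candidate into a level that an analyst would then review. The confusable table, the protected domain and the candidate list are all constructed for this example, and the thresholds are assumptions chosen for illustration.

```python
# Visually confusable substitutions seen in spoofed domains.
# Constructed table for this example; it is deliberately not exhaustive.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(label: str) -> str:
    """Collapse look-alike substitutions so 'examp1e' and 'example' compare equal."""
    s = label.lower()
    # Replace multi-character confusables ('rn' -> 'm') before single ones.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the second-level label: 'examp1ebank-login.com' -> 'examp1ebank-login'.
    Assumes a plain two-label domain; public-suffix handling is out of scope here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess(candidate: str, protected: str) -> dict:
    """Score one observed domain against the brand domain being protected.

    Levels (assumed thresholds): High when the labels are identical after
    homoglyph normalization; Medium when within two edits or when the brand
    label is embedded in a longer label (e.g. 'brand-secure'); Low otherwise.
    Medium and Low still need human review, since a near match may be a
    legitimately registered personal or unrelated site."""
    cand = registrable_label(candidate)
    prot = registrable_label(protected)
    raw = edit_distance(cand, prot)
    norm = edit_distance(normalize(cand), normalize(prot))
    if cand == prot:
        level = "Ignore"          # the protected domain itself
    elif norm == 0:
        level = "High"            # visually identical after normalization
    elif raw <= 2 or prot in cand:
        level = "Medium"
    else:
        level = "Low"
    return {"candidate": candidate, "raw_distance": raw,
            "normalized_distance": norm, "level": level}


def triage(candidates, protected: str):
    """Assess a batch of newly observed domains, highest concern first."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Ignore": 3}
    results = [assess(c, protected) for c in candidates]
    return sorted(results, key=lambda r: (order[r["level"]], r["candidate"]))


if __name__ == "__main__":
    # Constructed sample feed of newly registered domains.
    feed = [
        "examplebank.com",          # our own domain
        "examp1ebank.com",          # l -> 1
        "exarnplebank.com",         # m -> rn
        "examplebank-secure.com",   # brand embedded in a longer label
        "exampleband.com",          # single-character typo
        "johnsonbakery.com",        # unrelated near miss
    ]
    for r in triage(feed, "examplebank.com"):
        print(f'{r["level"]:<7} {r["candidate"]:<26} raw={r["raw_distance"]} norm={r["normalized_distance"]}')
```

The two distances are reported separately on purpose: a raw distance of 1 or 2 catches typosquats, while a normalized distance of 0 isolates the homoglyph cases that are the strongest signal of deliberate spoofing. The Medium bucket is where the personal-site false positives from the paragraph above land, so it is sized for analyst review rather than automatic takedown.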
Threat Command analyzes the information gathered on domains and categorizes each threat as High, Medium, or Low in the Threat Command dashboard. Our Services team uses this categorization, together with their extensive threat experience, to determine which domain name registrations or sites pose a genuine threat.
Once a domain name registration or website that is spoofing your organization is identified, it must be taken down as soon as possible. The sooner this is done, the lower the likelihood of an attack.
Rapid7 has a dedicated team of takedown experts who know how to format and submit valid takedown requests to domain registrars and hosting sites. Takedown request formatting and submission to popular domain name registrars and web hosting sites are built into Threat Command for rapid response by customers and our internal takedown team.