The author
Cyber intelligence and investigative analysis specialist with a deep orientation in cyber security, intelligence solutions, and investigation methodologies.
When It Comes To Website Takedowns, Speed Is Everything (well nearly ;))
Lookalike domains – meaning domains where threat actors host content designed to impersonate your business or brand – can be gravely harmful. “Look-alikes prey on users’ inattention to verifying legitimate websites, and sometimes rely on human mistakes, such as entering a typo in a URL, to capture victims,” as Dark Reading notes.
The good news, however, is that lookalike domains can take some time to roll out fully. Often, attackers will register a lookalike domain, but not populate it immediately with content. If you can find lookalike domains before they’re fully active and then monitor them, you can nip them in the bud the moment they’re populated with content and become phishing websites.
But that’s a big if. Finding lookalike domains as soon as they crop up can be challenging because it requires constant monitoring for the creation of new domains, then detecting whether there is malicious intent behind them.
With the right approach, though, it’s possible to address both of these challenges by discovering lookalike domains, monitoring them and taking them down quickly when they are populated – indeed, it’s what we do at Cyberint, a Check Point company, all day long. Here are details on our unique approach, and why these capabilities are so important for businesses committed to protecting their brands.
Detecting lookalike domains
Figuring out whether a domain is part of a typosquatting or phishing campaign can be challenging for several reasons:
- Scale: The most obvious challenge is the scale at which threat actors create lookalike domains. Domains are easy and cheap to register, and hundreds of new ones appear each day. Given this volume, you can’t expect to monitor for lookalike domains based solely on manual analysis.
- Changing content: The contents of malicious websites may change frequently (sometimes within hours rather than days). For example, a phishing website may impersonate one business one day and a different one the next. The content may also vary depending on the visitor’s geography, or the site may geo-block some regions entirely. As a result, scans that check for domain impersonations may detect the lookalike domain but miss content that impacts your business, simply because it wasn’t active when the scan took place.
- Collecting proof: To submit a successful website takedown request, you need to be able to prove that a domain is impersonating your business. Sometimes, it’s obvious that it is just by looking at the site, but in other cases – such as ones where threat actors constantly change the contents of a site – cybersecurity teams need to collect careful evidence to show that the site is indeed malicious.
If a legal takedown is needed, the process is much more complicated. “Legal takedowns are especially important in scenarios where domains don’t actually host malicious content but simply redirect to other domains that do. In that case, there is no content for a cybersecurity team to take down, but a legal team can initiate a UDRP dispute to deal with the attack. Lookalike domains with no offensive content cannot be removed by cybersecurity companies.”
These challenges mean that you can’t simply check for lookalike domains periodically and assume you’re safe. Nor can you rely on automated scanning tools alone to uncover lookalike domains quickly enough to take them down before threat actors begin carrying out active attacks.
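The scale challenge above is usually tackled by generating the lookalike permutations of a brand domain up front and then matching every newly registered domain against that set, so that candidates are flagged while they are still unpopulated. The script below is an added illustration of that matching step, not Cyberint’s or Check Point’s code; the brand domain, the homoglyph table and the “newly registered domains” feed are all constructed sample data.

```python
"""Added example (not Cyberint's or Check Point's code): generate typosquat
candidates for a brand domain and match them against a feed of newly
registered domains. The feed and the brand domain are constructed here."""

# Constructed sample of a newly-registered-domains feed (not a real feed).
NEW_DOMAIN_FEED = [
    "examp1e-bank.com",        # homoglyph: l -> 1
    "exampe-bank.com",         # omitted character
    "example-bank.co",         # TLD swap
    "example-bankk.com",       # repeated character
    "unrelated-site.org",      # benign, should not match
    "exmaple-bank.com",        # transposed characters
    "example-bank-login.com",  # brand name with an added keyword
]

# Characters commonly confused with one another in a URL (small, constructed set).
HOMOGLYPHS = {"l": "1i", "i": "1l", "o": "0", "e": "3", "a": "4", "s": "5"}
# TLDs to pair with each candidate name.
TLDS = ("com", "co", "net", "org", "io")


def candidates(brand_domain):
    """Return a set of lookalike domains derived from brand_domain by
    single-character omission, transposition, repetition and homoglyph
    substitution, plus hyphen removal, each across several TLDs."""
    name, _, tld = brand_domain.lower().rpartition(".")
    names = {name, name.replace("-", "")}
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])             # omission
        names.add(name[:i] + ch + name[i:])            # repetition
        for g in HOMOGLYPHS.get(ch, ""):
            names.add(name[:i] + g + name[i + 1:])     # homoglyph
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
    out = set()
    for n in names:
        for t in TLDS:
            if (n, t) != (name, tld):                  # never list the real domain
                out.add(f"{n}.{t}")
    return out


def match_feed(brand_domain, feed):
    """Return {domain: reason} for feed entries worth monitoring.
    'permutation' = generated lookalike; 'contains-brand' = the brand's
    registrable name embedded in a longer domain."""
    brand_domain = brand_domain.lower()
    name = brand_domain.rpartition(".")[0]
    lookalikes = candidates(brand_domain)
    hits = {}
    for d in feed:
        d = d.lower().strip(".")
        if d == brand_domain:
            continue
        if d in lookalikes:
            hits[d] = "permutation"
        elif name in d.rpartition(".")[0]:
            hits[d] = "contains-brand"
    return hits


if __name__ == "__main__":
    for domain, reason in sorted(match_feed("example-bank.com", NEW_DOMAIN_FEED).items()):
        print(f"{domain:28s} {reason}")
```

A match here only means “worth watching”: the flagged domains go onto a monitoring list, and the content checks described later decide whether anything has actually been populated. The candidate set grows quickly with the length of the brand name and the number of TLDs, which is why this lookup is done against a precomputed set rather than by comparing each new domain to the brand by hand.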
Our approach to website takedown
At Cyberint, where we’ve been finding and taking down malicious websites on behalf of clients for years, we employ a multi-pronged strategy that allows us to detect malicious sites as quickly as possible, then expedite the domain takedown process. That’s why we have a 98%+ success rate in phishing website takedowns.
Here are the core elements of our unique approach.
1. Combining automated and manual analysis
We use a mix of automated and manual processes to detect and assess lookalike domains. With automation, we can scan quickly and continuously for newly registered domains that could be part of typosquatting attacks. We can also detect other Web content (such as impersonated social media accounts) that abuses or misuses a company’s brand assets.
Once our scans have identified likely abuse, we perform the manual analysis necessary to collect evidence of illegal activity. This is critical because most registrars won’t respond quickly, if at all, to website takedown requests unless there is obvious and compelling evidence.
We also carefully document website content over time. This is critical because, as we mentioned, the content can change. In addition, strategies like geo-blocking can prevent reviewers in one part of the world from being able to view impersonated content. Thus, you need to have evidence to prove that a domain was impersonating a business, even if it’s not doing so at a particular moment.
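Documenting content over time, from more than one vantage point, is what turns a fleeting impersonation into evidence that survives geo-blocking and content swaps. The snippet below is an added example of that record-keeping, not Cyberint’s or Check Point’s code: every capture is a constructed sample, the domain is a placeholder, and the parked-page markers and brand terms are assumptions chosen for the illustration.

```python
"""Added example (not Cyberint's or Check Point's code): keep a timeline of
content snapshots for a suspect domain, taken from several vantage points,
and derive the evidence a takedown request needs. All snapshots below are
constructed; the domain name is a placeholder."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    domain: str
    taken_at: str   # ISO-8601 UTC timestamp of the fetch
    vantage: str    # region the fetch was made from
    status: int     # HTTP status (0 = connection failed)
    body: str       # captured HTML (constructed here)

    @property
    def digest(self):
        """Content hash stored alongside the capture so it can be re-verified."""
        return hashlib.sha256(self.body.encode()).hexdigest()


PARKED_MARKERS = ("this domain is parked", "buy this domain")


def classify(snap, brand_terms):
    """State of one capture: unreachable / parked / impersonating / other."""
    if snap.status in (0, 403, 404, 503):
        return "unreachable"          # geo-blocking typically shows up here
    text = snap.body.lower()
    if any(m in text for m in PARKED_MARKERS):
        return "parked"
    if any(t.lower() in text for t in brand_terms):
        return "impersonating"
    return "other"


def build_timeline(snaps, brand_terms):
    """State-change events per (domain, vantage), in time order."""
    events, last = [], {}
    for s in sorted(snaps, key=lambda x: (x.taken_at, x.vantage)):
        state = classify(s, brand_terms)
        key = (s.domain, s.vantage)
        if last.get(key) != state:
            events.append({"domain": s.domain, "vantage": s.vantage,
                           "at": s.taken_at, "state": state, "digest": s.digest})
        last[key] = state
    return events


def vantage_disagreements(snaps, brand_terms):
    """Moments when different vantage points saw different states."""
    by_moment = {}
    for s in snaps:
        by_moment.setdefault((s.domain, s.taken_at), {})[s.vantage] = classify(s, brand_terms)
    return [(d, t, seen) for (d, t), seen in sorted(by_moment.items())
            if len(set(seen.values())) > 1]


def evidence(snaps, brand_terms):
    """Captures that show impersonation, i.e. what to attach to a takedown request."""
    return [s for s in sorted(snaps, key=lambda x: x.taken_at)
            if classify(s, brand_terms) == "impersonating"]


# Constructed captures for a placeholder lookalike domain.
SNAPSHOTS = [
    Snapshot("examp1e-bank.example", "2024-01-02T10:00:00Z", "eu", 200,
             "<html><body>This domain is parked.</body></html>"),
    Snapshot("examp1e-bank.example", "2024-01-05T10:00:00Z", "eu", 200,
             "<html><title>Example Bank - Sign in</title><form>...</form></html>"),
    Snapshot("examp1e-bank.example", "2024-01-05T10:00:00Z", "us", 403, ""),
    Snapshot("examp1e-bank.example", "2024-01-06T10:00:00Z", "eu", 200,
             "<html><title>Welcome to Other Corp</title></html>"),
]
BRAND_TERMS = ("Example Bank",)

if __name__ == "__main__":
    for e in build_timeline(SNAPSHOTS, BRAND_TERMS):
        print(e["at"], e["vantage"], e["state"], e["digest"][:12])
    for d, t, seen in vantage_disagreements(SNAPSHOTS, BRAND_TERMS):
        print("vantage disagreement:", d, t, seen)
```

In the constructed data the domain starts parked, briefly serves a brand login page that only the EU vantage can see while the US vantage is blocked, and then switches to unrelated content. The impersonating capture, with its timestamp, vantage and content hash, is what remains usable as proof even after the site has moved on, which is exactly the situation the paragraph above describes.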
Another critical piece of website analysis is the ability to affirm, based on context, that a lookalike domain is indeed controlled by third parties. Sometimes, someone within a large enterprise creates a site that uses the company’s brand or messaging without the knowledge of the central IT department. This activity isn’t usually malicious, and takedown requests based on it are not likely to succeed because the domain is not controlled by an unauthorized person. In some cases, taking down a genuine domain would be actively damaging. In contrast, when a party not linked to the company registers a new domain and then uses it to host content that emulates a brand, it’s more likely to be malicious. Being able to tell the difference early on is crucial for ensuring you don’t waste time chasing domains that aren’t actually malicious.
2. Understanding threat actor activity
Because Cyberint, now a Check Point company, is a comprehensive threat intelligence solution in addition to a brand protection solution, we have extensive insight into threat actors’ behavior and goals. This is crucial when assessing impersonated domains because it allows us to determine, for example, which threat actor group is likely to be behind a newly registered domain, whether that group already operates a network of phishing websites, and whether the IP address assigned to the domain is linked to a known criminal group. Based on that information, we can make rapid assessments about how a newly registered domain is likely to be used.
The better you can anticipate threat actor activity, the faster you can home in on impersonated websites and complete the takedown process before the bad guys even get a chance to bring people to the phishing page. (Note: takedowns can only occur once the lookalike domain has been populated.)
3. A consolidated approach
As a comprehensive brand protection and external risk management solution, Cyberint, now a Check Point company, delivers all of the capabilities businesses need to identify and take down phishing and impersonation quickly through a unified collection of tools. Protecting against this risk would be more challenging with a set of disparate “point” solutions, because you’d have to use one tool to scan for lookalike domains, another to assess them and another to report them.
But with Cyberint, you can proactively get ahead of risks and plan a reaction strategy. For instance, analysis of the Deep and Dark Webs might reveal phishing kits that target your business’s brand. At the same time, forensic canvas can investigate the IP address connected to a website to show that it’s linked to a group with many other phishing sites. With this, you can often find more malicious sites and also preempt their next activity. It would be more challenging to generate these insights without a solution that correlates different types of brand protection information and threat intelligence for you.
Ensuring rapid takedown
Detecting malicious domains is only half the battle. You also need to ensure that registrars take those domains down quickly, before damage occurs.
Indeed, “when it comes to your online presence, seemingly minor oversights can bring about catastrophic damage to brands and business reputations,” Forbes notes. “Managing your brand’s reputation online can be complex and fast-moving.”
Cyberint, now a Check Point company, helps clients meet this challenge by automatically assessing whether a domain is likely to be malicious. If it is, and once it is populated with content, we allow clients to initiate a takedown request with just the push of a button.
But we don’t stop there. We also leverage our deep connections with registrars to ensure a speedy takedown. We have long-standing relationships with providers across the globe and an in-house takedown team composed of experts who speak the dozens of languages that the providers operate in.
Because of these relationships and expertise, we boast an excellent domain takedown track record. We average 800+ domains taken down every month, with a success rate exceeding 98 percent. Our average MTTR is less than 24 hours – much better than the standard timeline of days or weeks.
By the way, we keep clients continuously updated during the often complex takedown process. Check Point provides a dashboard where you can monitor lookalike domains and their status from the moment of an initial takedown request through its completion.
Achieving Fast Website Takedowns
There’s little value in detecting lookalike domains quickly if you can’t take them down just as fast when they are populated with malicious content.
That’s why Cyberint, now a Check Point company, does it all – rapid detection, evidence collection and takedown – through a unified solution. Speak to one of our experts to learn more about how we can protect your brand.