Cybersquatting: The Basics Part 1 – Strategies and Attack Types

DNS is no longer just a name resolution system to make our lives easier in the day-to-day use of applications. It now plays an important role in the various techniques used by attackers. We know about the “Protocol abuse” attacks, which consist of using the DNS protocol in a hijacked manner. In addition, attacks exist that target the DNS to alter or render the DNS service inoperative.

In this blog, we will look at other techniques on the DNS that malicious actors tend to use to threaten information system integrity.

Cybersquatting Uncovered

Large international companies, large groups, large brands, and even smaller ones all use domain names that are often the same as their trade name:

• Facebook.com
• Google.com
• Tesla.com
• Loreal.com
• Malakoffhumanis.com
• Credit-agricole.fr
• Etc.

This trend tends to make companies more visible on the Internet, promote their reputation but also reassure their customers and consumers.

The other side of the coin is the commercial value of a domain name that is very similar to your company or brand name (lorealparis.com or loreal.com). This name can become the target of malicious actors to launch attacks, deceive your users by referring them to false sites, and damage your reputation. Your domain names can also be targeted by “domainers”. These are not necessarily malicious actors, but they base their business on the purchase and resale of domain names.

For example:

• On OVH you reserve for your company: sstx.com
• The attacker (squatter) reserves: sstx.fr, sstx.ru, and sstx.cn

The term attacker should be qualified here. Indeed, the reservation can be made to buy and resell with the possibility of making a lot of profit. It can also be a mistake or lack of information about the existence of other extensions.

a. Strategies of the cybersquatter

Cybersquatting simply means reserving a domain as close as possible to your target’s name.
To achieve their goals, cybersquatters use several strategies:

• Buying domain names galore and betting on the fact that one day someone will buy them back. Of course, before buying a domain name, they use name-generation algorithms. These algorithms can use several databases or be based on the most used words in social networks (top 1000# of Twitter for example). This approach is certainly good, but it does present financial risks if no entity or person comes forward to buy a domain or domains. The domainer business has become less profitable today and more financially risky even though record sales (transactions) have taken place in the past:
  1. LasVegas.com – 90 million dollars
  2. CarInsurance.com – 49.7 million dollars
  3. VacationRentals.com – 35 million dollars
  4. PrivateJet.com – 30.18 million dollars
  5. Internet.com – 18 million dollars
  6. 360.com – 17 million dollars
  7. Insure.com – 16 million dollars
  8. Bankaholic.com – 15 million dollars
  9. Sex.com – 13 million dollars
• Another approach is to monitor the domains already registered and hope that the owner gives up, forgets, or does not renew in time. Expired domain names represent real opportunities to acquire a coveted domain name. In this strategy, the “cybersquatter” or “domainer” is subject to the vigilance of his potential victims. If they are as proactive as he is, he risks having a monitoring system that works very well but provides no attractive domain to reserve. Platforms exist which/ specialize in this area to provide their clients with useful information to enable them to quickly position themselves to buy expired domain names.
• There is the term “scammer”, which can be found in the field of cybersquatting. These are people who come to claim ownership of a domain name irregularly. Cybersquatters who adopt this technique can be very persuasive and even threatening at times. Their objective is to cast doubt on the legitimacy of your domain name.

b. A very dangerous variant: typosquatting

Typosquatting is a variant of cybersquatting. It consists of registering a modified or misspelled domain name with a registrar in order to redirect users to a fraudulent website. It is therefore a method used by malicious people to deceive users’ vigilance.

For example, it is possible to redirect users to a fake website of their favorite bank, or to a website containing malware to infect them or to steal personal and confidential information.

The examples below show the extent of the damage and the disconcerting ease of carrying out this type of attack.

Palo Alto UNIT42 publishes the following statistics on the most targeted areas over the year 2020.

These large groups are often subject to massive typosquatting campaigns to deceive their users.

c. The most well-known attack: Phishing

Phishing is a form of social engineering attack. It is a scam in which the attacker tries to pretend to be someone else (your financial manager, a strategic partner, your bank, your neighborhood association, etc.) to deceive your vigilance.

Among the techniques used, we often find the sending of an e-mail containing a link to a fraudulent site with the objective of :

• Compromising your position
• Stealing your bank account details
• Stealing your access identifiers (login/password) from your mailbox, your Facebook account, Instagram
• Etc.

This image shows a typical case of phishing. The link to be clicked does not lead to your Netflix account but instead to (https://dev-netflixi-panthonsite.io/1/rappel.html)

For a well-targeted attack, the domain name is of course best chosen

In a well-developed APT (Advanced Persistent Threat) attack, for example, phishing occurs fairly early in the kill chain.

In this scenario, the attacker seeks to steal credit card codes. However, the attack will only be successful if users make a mistake and click on the fraudulent link in the email or open the attachment.

In such cases, e-mails are written with care, without any spelling, grammatical or syntactical errors. The domain names are also well chosen to be able to deceive the vigilance of the most reckless. If everything goes smoothly, the attacker will have started with the DNS until he succeeds in his attack by stealing confidential data via the DNS without being detected.

So we’ve seen in this blog some of the strategies and attack types often used. Look out for the sequel coming soon, where we’ll explain the tools and techniques used to protect against cybersquatting.