
CSI (Cyber Security Intelligence) is CYBEROO’s Threat Intelligence service, based on Open Source Intelligence. Its goal is to detect, collect and analyze sensitive information and data found in the Deep and Dark Web to protect enterprise systems.

To do this, CSI consists of several modules aimed at ensuring accurate, rapid and proactive service. One of these modules, the Domain Checker, aims to identify and neutralize malicious domains.


Domain Checker: monitoring malicious domains

A malicious domain is typically a domain name that closely resembles the legitimate domain of a particular company or entity. Behind it, however, pharming, phishing, identity spoofing and other scams at the user’s expense can be hidden.

Phishing, in particular, can cause significant damage, as cybercriminals often use malicious domains to mimic trusted login pages and steal valuable credentials from unsuspecting users. Using the domain to send emails on someone else’s behalf to a chosen victim is another serious threat posed by these domains. This attack exploits a company’s image in order to target third-party companies. The “cloned” company is therefore often not even aware of the attack, which typically targets its customers or suppliers.

CSI’s Domain Checker makes it possible to monitor and collect information on all potentially malicious domains registered online.


How do you recognize a malicious domain, and what techniques are used to create domains that resemble legitimate ones?

The techniques for creating malicious domains are many and varied, although they all rest on the same idea: deceiving the user in an “invisible” way. Let’s take the domain “InternationalBank.com” as a starting example.

  • Homoglyph: the replacement of some characters with ones that look like them, such as the letter “O” and the digit zero (“0”), or the uppercase “i” (I) and the lowercase “L” (l), which look identical in a sans serif font (such as Calibri). E.g. “InternationaIBank.com”, where the lowercase “l” has been replaced with an uppercase “I”.
  • Hyphenation: the insertion of a “-” between two words, or two parts of a word, within the domain. E.g. “International-Bank.com”.
  • Omission: the removal of an inconspicuous character from the domain. E.g. “InternatonalBank.com”, with the letter “i” removed.
  • Transposition: swapping the positions of characters without changing the characters themselves. E.g. “IntrenationalBank.com”.
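The four techniques above are exactly what a monitoring job has to recognise when it compares a newly observed registration against a protected domain. The following classifier is an added example and not CYBEROO’s code: `classify_lookalike`, `scan_feed`, the confusable-character table and the sample feed are all constructed for illustration, and it assumes the attacker keeps the same top-level domain and applies a single edit.

```python
"""Added example (not CYBEROO's code): classify an observed domain name against
a protected, legitimate domain using the four techniques described above."""
from typing import List, Optional, Tuple

# Constructed table of visually confusable character pairs. Domain names are
# case-insensitive, so everything is lowercased first: the uppercase-I-for-
# lowercase-l trick from the text therefore shows up here as the pair ("i", "l").
CONFUSABLE_PAIRS = {
    frozenset(p) for p in [
        ("o", "0"), ("i", "l"), ("l", "1"), ("i", "1"),
        ("e", "3"), ("a", "4"), ("s", "5"), ("g", "9"), ("u", "v"),
    ]
}


def is_confusable(a: str, b: str) -> bool:
    """True if the two (lowercase) characters look alike in common fonts."""
    return frozenset((a, b)) in CONFUSABLE_PAIRS


def classify_lookalike(candidate: str, legit: str) -> Optional[str]:
    """Return the technique that turns `legit` into `candidate`, or None.

    Assumption: the TLD is unchanged and only one edit was applied, which is
    enough to recognise the four categories on this page.
    """
    c = candidate.lower().rstrip(".")
    l = legit.lower().rstrip(".")
    if c == l:
        return None  # the protected domain itself, not a lookalike

    # Hyphenation: extra "-" characters, everything else identical.
    if "-" in c and c.replace("-", "") == l:
        return "hyphenation"

    if len(c) == len(l):
        diffs = [i for i, (x, y) in enumerate(zip(c, l)) if x != y]
        # Homoglyph: exactly one position differs and the pair is confusable.
        if len(diffs) == 1 and is_confusable(c[diffs[0]], l[diffs[0]]):
            return "homoglyph"
        # Transposition: two adjacent positions swapped.
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i, j = diffs
            if c[i] == l[j] and c[j] == l[i]:
                return "transposition"

    # Omission: the candidate is the legitimate name with one character removed.
    if len(c) == len(l) - 1:
        for i in range(len(l)):
            if l[:i] + l[i + 1:] == c:
                return "omission"

    return None


def scan_feed(observed: List[str], protected: str) -> List[Tuple[str, str]]:
    """Run the classifier over a feed of newly observed domains and keep hits."""
    hits = []
    for name in observed:
        technique = classify_lookalike(name, protected)
        if technique is not None:
            hits.append((name, technique))
    return hits


# Constructed sample feed: the four examples from the text plus two benign names.
SAMPLE_FEED = [
    "InternationaIBank.com",   # uppercase I in place of lowercase l
    "International-Bank.com",
    "InternatonalBank.com",
    "IntrenationalBank.com",
    "InternationalBank.com",   # the protected domain itself
    "example.org",
]

if __name__ == "__main__":
    for name, technique in scan_feed(SAMPLE_FEED, "InternationalBank.com"):
        print(f"{name:28s} {technique}")
```

A one-character substitution that is not in the confusable table (a plain typo) deliberately returns `None`, because it does not fall into any of the four categories; a production watchlist would widen the table and also cover TLD swaps.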


Threat Intelligence: the analysis steps to recognize a malicious domain

Analysis is carried out in terms of domain properties that may indicate the likelihood that it was registered with malicious intent. Let’s look at the main steps.

  1. Whois query, to identify domain characteristics
  2. Check DNS records
  3. Check the reputation of the IP address
  4. Do a behavioral analysis
  5. Check user feedback
  6. Analyze the site’s source code and external links
  7. Check SSL certificates
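The seven steps each yield a fact about the domain; what the analyst then needs is a consistent way to combine those facts into a decision. The following triage function is an added example and not CYBEROO’s scoring: the `DomainProfile` fields, the point weights, the thresholds and the two sample profiles are constructed assumptions, and the profile is assumed to have been filled in already by the whois, DNS, reputation, behavioural, feedback, source-code and certificate checks.

```python
"""Added example (not CYBEROO's code): turn the properties collected in the
seven analysis steps into a triage verdict. Weights and thresholds are
constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class DomainProfile:
    """Facts gathered about one domain; each field maps to one analysis step."""
    domain: str
    registered_on: Optional[date]        # 1. whois creation date
    registrar_privacy: bool              # 1. whois contact hidden behind a proxy
    a_records: List[str]                 # 2. DNS: where the site is hosted
    mx_records: List[str]                # 2. DNS: can the domain send/receive mail?
    ip_on_blocklist: bool                # 3. IP reputation lookup result
    login_form_seen: bool                # 4. behavioural analysis: page asks for credentials
    user_reports: int                    # 5. user/community feedback
    links_to_legit_brand: bool           # 6. source code loads assets/links of the real brand
    cert_issued_on: Optional[date]       # 7. SSL certificate "not before" date
    lookalike_of: Optional[str] = None   # protected domain it resembles, if any


def assess(profile: DomainProfile, today: date) -> Tuple[int, str, List[str]]:
    """Score the profile and return (score, verdict, reasons)."""
    score = 0
    reasons: List[str] = []

    def add(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(f"+{points} {why}")

    if profile.lookalike_of:
        add(40, f"resembles protected domain {profile.lookalike_of}")
    if profile.registered_on and (today - profile.registered_on).days < 30:
        add(15, "registered less than 30 days ago")
    if profile.registrar_privacy:
        add(5, "registrant hidden behind a privacy proxy")
    if profile.mx_records:
        add(10, "mail-enabled: can be used to send mail in the brand's name")
    if profile.ip_on_blocklist:
        add(20, "hosting IP listed on a reputation blocklist")
    if profile.login_form_seen:
        add(15, "serves a credential-collecting login form")
    if profile.user_reports > 0:
        add(10, f"{profile.user_reports} user report(s)")
    if profile.links_to_legit_brand:
        add(10, "page embeds assets or links of the real brand")
    if profile.cert_issued_on and (today - profile.cert_issued_on).days < 7:
        add(5, "certificate issued less than 7 days ago")

    if score >= 60:
        verdict = "escalate"   # hand to the SOC for takedown
    elif score >= 30:
        verdict = "review"     # an analyst takes a closer look
    else:
        verdict = "monitor"    # keep watching, no action yet
    return score, verdict, reasons


# Constructed sample data (reference date and two profiles; IPs are documentation ranges).
TODAY = date(2024, 6, 1)
SUSPECT = DomainProfile(
    domain="internationaibank.com", registered_on=date(2024, 5, 28),
    registrar_privacy=True, a_records=["203.0.113.7"],
    mx_records=["mail.internationaibank.com"], ip_on_blocklist=False,
    login_form_seen=True, user_reports=0, links_to_legit_brand=True,
    cert_issued_on=date(2024, 5, 29), lookalike_of="internationalbank.com",
)
BENIGN = DomainProfile(
    domain="example.org", registered_on=date(2010, 1, 1), registrar_privacy=False,
    a_records=["198.51.100.4"], mx_records=[], ip_on_blocklist=False,
    login_form_seen=False, user_reports=0, links_to_legit_brand=False,
    cert_issued_on=date(2024, 1, 10),
)

if __name__ == "__main__":
    for p in (SUSPECT, BENIGN):
        score, verdict, reasons = assess(p, TODAY)
        print(f"{p.domain}: {score} -> {verdict}")
        for r in reasons:
            print("   ", r)
```

The reasons list is returned alongside the verdict on purpose: when the domain is escalated for takedown, the registrar or hosting provider is asked for action on the basis of those concrete findings, not the bare score.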


To combat the major cyber threats that can be hidden behind a domain, CYBEROO has developed an internal portal that alerts our Security Operations Centers (SOCs) as soon as a potentially malicious domain is identified. Our SOC, operating 24 hours a day, can manage the shutdown of these domains very quickly through the portal.

In addition, as a CERT (Computer Emergency Response Team), we have the ability to take direct action against these threats. This combination of proactive identification and quick response allows us to neutralize malicious domains before they can cause significant damage.

CYBEROO is proud to offer these advanced security capabilities to all customers. With the CSI solution, we ensure that businesses’ critical infrastructures remain safe from ever-evolving cyber threats. We promise to continue to innovate and protect your digital world, today and in the future.