You are here

Defend Yourself Against Domain Squatting

July 9, 2018
Jason Straight, Senior Vice President, Cyber Risk Solutions and Kevin Noble, VP of Managed Detection Response Services
Domain Squatting

UnitedLex has been tracking the continuing threat arising from fraudulent emails targeting senior company executives that exploit the domain name registration system.  Law enforcement agencies have repeatedly warned businesses to take measures to defend themselves against this mode of attack.  Most often, the attacker is seeking to impersonate a senior executive, often a CEO or CFO) in order to induce a subordinate within the executives business to wire or otherwise transfer funds to the attacker or an accomplice.  UnitedLex has observed these attacks in businesses of all sizes and in a variety of industry sectors.  The amount of money sought varies but is most often between $50,000 and $150,000 per victim.  The Internet Crime Complaint Center (IC3) estimates that well over 2,000 companies have been victimized by this type of attack and that attackers have absconded with more than $200million.

In some cases, the attacker compromises the executive’s email account directly and uses it to send fraudulent messages.  In other cases UnitedLex has observed, the attacker will register a domain that is a small variation of the target’s legitimate domain.  In some cases, the only difference between a legitimate email and the forged is a single letter in the source domain address.   For example, an attacker targeting "ACME Corp.", whose legitimate email domain is "” might register "” and use that domain to send emails meant to impersonate Acme executives.  Often the attackers will conduct reconnaissance on the target company’s website, on LinkedIn or other publicly available sources to gather the intelligence needed to select the right corporate personnel to target in their scam.

Although less common, this attack vector can also be used to attempt to defraud vendors, customers and other third parties related to the victimized company.  In such a scenario, the attacker will again impersonate an executive at the target company and attempt to induce the third party to transfer funds to the attacker or to reveal sensitive information that may be used in a subsequent attack against the third party.

UnitedLex has developed a solution to address this threat and help companies reduce their exposure to this type of attack.  In short, UnitedLex has developed and made available a tool that will search publicly available domain registration information to identify instances where an attacker has registered a domain for the purpose of launching a targeted attack.  If the company identifies domains that it suspects have been registered with fraudulent intent, UnitedLex can guide the company through the process to have the domain suspended by the registrar or, in some cases, transferred to the target company.  At a minimum, the company can block emails coming from the fraudulent domain to reduce the risk of successful fraud.

Share your thoughts or comments below.