Dealing with cybersquatting, typosquatting and phishing

It’s no secret that phishing remains one of the most effective attack vectors.

For example, a colleague receives an email with a malicious link that looks like a link to your corporate portal and opens it. If your Vulnerability and Patch Management programs are not good enough (see “WannaCry about Vulnerability Management”) and the software on his desktop has critical, exploitable vulnerabilities in the web browser, PDF reader, Microsoft Office, etc., you will probably end up with a compromised host in your network.

This is also a pain for your customers. If someone sends messages on behalf of your organization, this can easily lead to fraud and damage to your public image. It is also even harder to detect: you will know about it only if customers tell you, and if the attack was not massive, the probability of that is not very high.

High-Tech Bridge Trademark Abuse Radar summary

What can we do about this?

  • We should definitely raise awareness among co-workers and clients. They should know that such attacks may occur and carefully check the domain before any click, especially if the message seems suspicious.
  • On the other hand, we can also act proactively: find which domains are similar enough to the company brand to be used for phishing or other types of fraud, then work with the owners or registrars of such domains directly.

However, tracking down potentially malicious domains is not an easy task. Where do we get a list of all registered domains? What does “similar enough” really mean? Fortunately, there are services that greatly facilitate this task.

Today I would like to tell you about a new free service by High-Tech Bridge – Trademark Abuse Radar. BTW, I already wrote earlier about their cool free service and API for SSL/TLS server testing; you can check that out too 😉

Everything is simple. Just enter the domain name you are interested in and in a few minutes you will receive a full report. No authorization for analysis is required, because the report is built on external and open data.

High-Tech Bridge Trademark Abuse Radar input

I chose Citibank (citibank.com) as one of the most famous banking brands in the world. Let’s see what Trademark Abuse Radar will find.

High-Tech Bridge Trademark Abuse Radar summary

Cybersquatting – domains that can be similar to the domains of an organization’s projects. Some of them really could be domains registered by your own organisation. 🙂 The rest are registered by third parties for resale or other purposes, including fraud.

High-Tech Bridge Trademark Abuse Radar cybersquatting

A common situation for companies that have referral programs: dozens of “informational” sites with referral links or automatic redirection to the organisation’s main sites. There may also be coincidences without any evil intent. All these cases should be carefully analyzed and classified.

High-Tech Bridge Trademark Abuse Radar cybersquatting

For each domain, Trademark Abuse Radar provides a “Check for Malware” link that checks the site for malware using Google’s Safe Browsing diagnostic:

https://www.google.com/transparencyreport/safebrowsing/diagnostic/#url=samplesite.com

Typosquatting (URL hijacking) domains are designed to catch users who mistype an address in the address bar and land on the wrong website. The probability of any single such event is quite low, but for popular sites the number of mistypes and resulting visits will still be significant.

High-Tech Bridge Trademark Abuse Radar typosquatting

You need to track these domains and understand why they were registered: an accidental coincidence, dirty SEO by competitors, or a fraud attempt.

High-Tech Bridge Trademark Abuse Radar typosquatting
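
One way to make “similar enough” concrete for the cybersquatting and typosquatting categories above is to score domains you have already observed (mail logs, proxy logs, new-registration feeds) against the brand label. This is an added example, not code from the post or from High-Tech Bridge; the mapping of rules to categories, the threshold of 2 and the `.example` sample names are assumptions.

```python
# Added example (not from the original post): triage observed domains against a brand.
OFFICIAL = "citibank.com"   # brand domain used in the post
BRAND = "citibank"

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]

def brand_label(domain: str) -> str:
    """Second-to-last DNS label. Assumption: single-label TLDs; real code
    should use the Public Suffix List to handle suffixes like co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]

def classify(domain: str, max_dist: int = 2):
    """Return (category, distance); category is None when nothing matches."""
    host = domain.lower().rstrip(".")
    dist = osa_distance(brand_label(host), BRAND)
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official", dist
    if BRAND in brand_label(host):     # same name on another TLD, or brand + keyword
        return "cybersquatting", dist
    if dist <= max_dist:               # plausible mistype of the brand label
        return "typosquatting", dist
    return None, dist

# Constructed sample input; the .example names are made up, citibknet.com is from the post.
OBSERVED = ["www.citibank.com", "citibank.example", "citibank-login.example",
            "citbank.example", "ctiibank.example", "www.citibknet.com", "weather.example"]

def triage(domains=OBSERVED):
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for name, (cat, dist) in triage().items():
        print(f"{name:26} {cat or '-':15} distance={dist}")
```

Note that citibknet.com, which the post examines in the phishing section, sits at distance 3 from the brand label and is not flagged at this threshold; name similarity alone does not cover that category, which is why the content of the site has to be checked as well.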

Identifying cases of phishing is the most difficult part. Here, not only is the domain of the site similar to the domain of your organization, but the site itself looks fraudulent.

High-Tech Bridge Trademark Abuse Radar phishing

For example, for Citibank this strange site is www.citibknet.com

You can click on the eye icon to see a screenshot of the website.

High-Tech Bridge Trademark Abuse Radar phishing screenshot

I cannot say whether this is a legal site or not, but it looks suspicious to me.

And Google thinks the same:

phishing warning

Attempts to open the site were blocked:

Account suspended

Perhaps they are blocking all users from Russia (see “Not for Russians”) and VPN users, and maybe it can be used in some tricky targeted attacks. If you work at Citi, please pay attention.

At the end there is a beautiful picture with a map and other domains in the neighborhood that were checked recently:

High-Tech Bridge Trademark Abuse Radar recently testing

All results can be exported to PDF:

High-Tech Bridge Trademark Abuse Radar report

In conclusion, it’s a very interesting and useful service, which can help greatly in the fight against fraudsters. And it’s even better that you can use it for free!
