Registering a new domain name takes just a few minutes, and the minimum requirement is only an email address. As such, cybersquatting, the practice of purchasing domain names in an attempt to resell them at a higher price, becomes easier and easier.
All that threat actors have to do is register several domain names that somehow contain the name of a well-known brand or trademark. They could then consider selling these domains for a profit or use them in nefarious ways such as phishing campaigns and scams.
But with thousands of newly registered domains every day, how can organizations prevent cybersquatting?
Domain intelligence in the form of a list of newly registered domains might be an option. This information gives organizations a holistic view of recent domain registration and expiration events, including potentially malicious ones, in the WHOIS database.
Detecting Cybersquatting Domains as They Come with a List of Newly Registered Domains
As with other cybercrime, early detection is of utmost importance when it comes to cybersquatting. When you nip threats in the bud, you prevent cybersquatters from using domains maliciously. And so, a newly registered domains database is valuable, as it gives organizations an updated data feed of all domains as these appear in the Domain Name System (DNS).
The cybersecurity team of AmTrust Financial, whose official domain name is amtrustfinancial[.]com, for instance, might be concerned if it notices the following domain names appearing in the newly registered domains (NRD) database on 16 June 2020:
- amtructfinancial[.]com
- amtrustfinancialservices[.]com
- amtrustfinancle[.]com
Getting the Bigger Picture with a WHOIS Data Download
The three domain names are likely mimicking the official and legitimate domain name amtrustfinancial[.]com, which belongs to AmTrust Financial, a small business insurance service provider headquartered in New York. A WHOIS data download can let its security team get the bigger picture, as such an information source contains complete historical WHOIS data.
More specifically, a WHOIS Database Download contains the following data points for millions of domain names and billions of WHOIS records:
- Registration date
- Expiration date
- Renewal date
- Registrar name
- Registrant name
- Registrant phone number
- Registrant address
- Registrant email address
- IP changes
- Ownership history
The database is highly customizable since you can filter data based on certain conditions. When you search for the three suspicious domains listed above, for instance, you will find that all of them have the following WHOIS details:
- Registrar name: Alibaba Cloud Computing (Beijing) Co., Ltd.
- Registrant name: Not available from the registry
- Registrant address: Anhui, China
On the other hand, the legitimate AmTrust Financial domain name has the following details:
- Registrar name: CSC Corporate Domains, Inc.
- Registrant name: AmTrust Financial Services, Inc.
- Registrant address: 800 Superior Ave, Cleveland, Ohio, U.S.
Aside from seeing who owns the potential cybersquatting domains, the security team can also generate statistics on the number of domains that use the word “financial” or “insurance.” With that information, they can get a glimpse of market trends in terms of domain name usage.
Digging Deeper into the Cybersquatting Domains
Since the newly registered domains amtructfinancial[.]com, amtrustfinancialservices[.]com, and amtrustfinancle[.]com and the official AmTrust Financial domain name do not share the same WHOIS information, they are likely to be cybersquatting domains.
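Added example (not code from the article or from any WHOIS vendor tool): a Python sketch of the triage described above, which scans a constructed NRD feed for domains that contain or closely resemble the AmTrust brand token and then compares each hit's WHOIS registrar, registrant and address against the official domain's record. The feed, the WHOIS dictionary and the 0.85 similarity threshold are constructed assumptions; the WHOIS values mirror the details quoted in the article.

```python
import difflib

BRAND = "amtrustfinancial"            # brand token taken from the article
OFFICIAL_DOMAIN = "amtrustfinancial.com"
WHOIS_FIELDS = ("registrar", "registrant", "address")

# Constructed sample of one day's newly registered domains (NRD) feed;
# the three AmTrust lookalikes are the ones named in the article, the rest is filler.
NRD_FEED = [
    "amtructfinancial.com", "example-bakery.com", "amtrustfinancialservices.com",
    "amt.com", "amtrustfinancle.com",
]

# Constructed WHOIS records; values follow the details quoted in the article.
SQUATTER = {"registrar": "Alibaba Cloud Computing (Beijing) Co., Ltd.",
            "registrant": "Not available from the registry", "address": "Anhui, China"}
WHOIS = {
    OFFICIAL_DOMAIN: {"registrar": "CSC Corporate Domains, Inc.",
                      "registrant": "AmTrust Financial Services, Inc.",
                      "address": "800 Superior Ave, Cleveland, Ohio, U.S."},
    "amtructfinancial.com": SQUATTER,
    "amtrustfinancialservices.com": SQUATTER,
    "amtrustfinancle.com": SQUATTER,
}

def second_level_label(domain):
    """Return the label left of the first dot, lower-cased (e.g. 'amtrustfinancle')."""
    return domain.lower().split(".")[0]

def looks_like_brand(domain, brand=BRAND, threshold=0.85):
    """True if the label contains the brand or is a close misspelling of it.
    The similarity threshold is an assumption and should be tuned per brand."""
    label = second_level_label(domain)
    if brand in label:
        return True
    return difflib.SequenceMatcher(None, label, brand).ratio() >= threshold

def whois_mismatch(domain, official=OFFICIAL_DOMAIN, whois=WHOIS):
    """List the WHOIS fields on which `domain` differs from the official domain.
    A missing record counts as a mismatch on every field."""
    reference, record = whois.get(official, {}), whois.get(domain, {})
    return [f for f in WHOIS_FIELDS if record.get(f) != reference.get(f)]

def triage_feed(feed, brand=BRAND):
    """Map each brand-lookalike domain in the feed to its mismatching WHOIS fields.
    An empty list means the lookalike shares the official WHOIS details."""
    return {d: whois_mismatch(d) for d in feed if looks_like_brand(d, brand)}

if __name__ == "__main__":
    for domain, fields in triage_feed(NRD_FEED).items():
        print(f"{domain}: differs from official WHOIS on {fields or 'nothing'}")
```

A lookalike that returns an empty field list shares the brand owner's own registrar and registrant and is a defensive registration rather than a squat; everything else is a candidate for a takedown or UDRP review.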
Why were they registered in the first place? A glimpse at the websites would give us some answers. All three domains display the same parked page, shown in the screenshot below, so they could be used to gain advertising revenue.
While earning advertising revenue from a parked domain is not illegal, banking on the name of another entity is not ethical. In this case, the person who registered the three cybersquatting domains might be relying on the name and reputation of AmTrust Financial.
Unfortunately, this possibly dangerous scenario is not exclusive to AmTrust. Thousands of companies and trademark owners can detect cybersquatting early with the help of a list of newly registered domains.