Introduction
What do InfobIox(.)com and lnfoblox(.)com have in common? Both are meant to pass for Infoblox(.)com. In the first, the lowercase l has been replaced with an uppercase I; in the second, the i has been replaced with a lowercase l. In many fonts the two pairs are nearly indistinguishable. These are lookalike domains (LADs), and they are used in a wide range of cyber attacks: by swapping a single character, an attacker diverts a user who believes they are going to the correct site. Are the domains above always malicious? No, but in a world where attacks are frequent and arrive over many vectors, security teams should cover this base along with the others.
Lookalike domains come in many shapes and sizes. As in the example above, they may substitute a letter or digit with a similar-looking character (I for l, 0 for o, rn for m). They may keep the brand name but change the top level domain, or place the brand as a subdomain of an unrelated domain (for example infoblox(.)badactor(.)org). They may also use Internationalized Domain Name (IDN) characters, such as Cyrillic letters that render identically to their Latin counterparts; in DNS such names are carried in Punycode form with an xn-- prefix, so the name a user sees in the address bar and the name actually registered are not the same string. This can be both overwhelming and concerning. However, there is some hope. BloxOne Threat Defense gives security teams a way to monitor and protect against domains that target their brand or other sensitive domains, which strengthens their security posture against attacks that leverage LADs.
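The three categories above can be generated and recognised with a small amount of code. The following is an added illustration, not Infoblox code and not the method BloxOne Threat Defense uses: it builds character-substitution, TLD-change and IDN (Punycode) variants of a watched domain, and flags a candidate as a lookalike by folding confusable characters into a canonical "skeleton" before comparing. The substitution tables and the sample domains are constructed for the example and are deliberately small; the assumption that the public suffix is a single label (such as .com) is a simplification a real implementation would replace with the Public Suffix List.

```python
"""Added example: generate and recognise lookalike domains (not Infoblox code)."""

# ASCII characters commonly swapped for a letter in the brand name.
ASCII_CONFUSABLES = {
    "l": ["I", "1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "m": ["rn"],
}

# Cyrillic letters that render like Latin ones; on the wire they travel as Punycode.
UNICODE_CONFUSABLES = {
    "a": "\u0430",  # Cyrillic small a
    "e": "\u0435",  # Cyrillic small ie
    "o": "\u043e",  # Cyrillic small o
    "p": "\u0440",  # Cyrillic small er
    "c": "\u0441",  # Cyrillic small es
}

# Canonical fold: every confusable maps to one fixed ASCII letter (i, l, 1, | -> l).
FOLD_MULTI = (("rn", "m"), ("vv", "w"))
FOLD_CHAR = {"1": "l", "i": "l", "|": "l", "0": "o"}
FOLD_CHAR.update({cyr: latin for latin, cyr in UNICODE_CONFUSABLES.items()})


def to_unicode(domain):
    """Normalise to Unicode: xn-- labels are decoded, Unicode labels pass through."""
    return domain.encode("idna").decode("idna")


def registrable(domain):
    """Second-level label; assumes a single-label public suffix (simplification)."""
    return domain.lower().rstrip(".").split(".")[-2]


def skeleton(domain):
    """Fold the registrable label so visually similar names compare equal."""
    name = registrable(to_unicode(domain))
    for multi, single in FOLD_MULTI:
        name = name.replace(multi, single)
    return "".join(FOLD_CHAR.get(ch, ch) for ch in name)


def ascii_variants(domain):
    """Single-position ASCII substitutions, e.g. infoblox.com -> lnfoblox.com."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    for idx, ch in enumerate(name):
        for alt in ASCII_CONFUSABLES.get(ch, []):
            out.add(f"{name[:idx]}{alt}{name[idx + 1:]}.{tld}")
    return sorted(out)


def tld_variants(domain, tlds=("net", "org", "co", "io")):
    """Same brand under a different top level domain."""
    name, _ = domain.rsplit(".", 1)
    return [f"{name}.{tld}" for tld in tlds]


def idn_variants(domain):
    """Single-character Cyrillic substitutions, returned in the xn-- form seen in DNS."""
    name, tld = domain.rsplit(".", 1)
    out = []
    for idx, ch in enumerate(name):
        cyr = UNICODE_CONFUSABLES.get(ch)
        if cyr:
            unicode_name = f"{name[:idx]}{cyr}{name[idx + 1:]}.{tld}"
            out.append(unicode_name.encode("idna").decode("ascii"))
    return out


def is_lookalike(candidate, watched):
    """True if candidate is a different site whose folded name matches the watched
    domain, or which carries the watched brand as a subdomain label."""
    cand = to_unicode(candidate).lower().rstrip(".")
    watch = to_unicode(watched).lower().rstrip(".")
    cand_labels, watch_labels = cand.split("."), watch.split(".")
    if cand_labels[-2:] == watch_labels[-2:]:
        return False  # the watched domain itself, or a genuine subdomain of it
    if skeleton(cand) == skeleton(watch):
        return True  # character swap, homoglyph, or different TLD
    return watch_labels[-2] in cand_labels[:-2]  # brand used as a subdomain label


if __name__ == "__main__":
    watched = "infoblox.com"  # constructed sample input
    for variant in ascii_variants(watched) + tld_variants(watched) + idn_variants(watched):
        print(f"{variant:32} lookalike={is_lookalike(variant, watched)}")
    print("infoblox.badactor.org", is_lookalike("infoblox.badactor.org", watched))
```

The fold maps i, l, 1 and | to a single letter rather than translating in both directions, since a two-way mapping would turn infoblox and lnfoblox into different skeletons. Decoding happens before folding, so a Punycode name such as xn--infblox-...com is compared by what the user would see, not by its ASCII encoding.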
Prerequisites
- Access to a BloxOne Account via the Infoblox Cloud Services Portal (CSP)
- A CSP Tenant with a BloxOne Threat Defense Advanced license
Getting Started
Log into the Infoblox CSP at csp.infoblox.com. Once logged into your account, highlight Reports in the left navigation panel and click on Lookalike Domains in the list that is revealed.
On the Activity page you will find a list of indicators once you have added domains to your watched domains list. To add a domain to the watch list, click the Watched Domains tab near the top of the Infoblox CSP.
On the Watched Domains tab you can add new domains to your watch list, import a CSV file of domains, and edit or delete an existing watched domain. To add a domain, click the Create button.
Input the name of the domain you’d like to watch in the Domain-of-interest text box, and if desired input a description. Then, click Save & Close to confirm the addition of the domain to the watched domains list. Please note that you can only add up to 10 domains to the watched domains list.
By navigating back to the Activity page you can view lookalike domains that look like your watched domains.
If desired, you can add one or more domains to a custom list that can be used with a security policy. To do this, tick the checkbox next to each domain you want to add, then click the Add to custom list button. Because a lookalike is not necessarily malicious, review an indicator before adding it to a list that a blocking policy enforces.
If a specific domain in the list interests you, click the icon to the left of the lookalike domain to go directly to that domain's Dossier page.
Summary
Thanks to BloxOne Threat Defense, security teams have a way to watch for, and protect against, potentially malicious lookalike domains. With this tool in a network security professional's kit, damaging attacks that leverage lookalike domains can be prevented, the integrity of the brand can remain intact, the security posture is strengthened, and the network security professional is able to get ahead of yet another form of threat.