Doppelganger sites pose growing threat

Such sites function as passive data grabbers or as launch pads for active attacks such as man-in-the-middle exploits, say observers, one of whom notes that these threats are rising in Asia-Pacific.

Doppelganger domains are making their presence felt in Asia-Pacific, and as they proliferate they fuel "typosquatting" attacks that pose data security threats to companies, security insiders said.

Jonathan Andresen, director of product marketing for Asia-Pacific at Blue Coat Systems, stated that a doppelganger domain name is spelt the same as the original site's but is missing the full stop or hyphen between the subdomain name, the qualified domain and the extension. For instance, a Web site such as sgexample.com is the doppelganger of sg.example.com, he explained.

This enables "typosquatting", where e-mails meant for the original domain are diverted to the doppelganger domain, he noted in his e-mail. After the cybercrooks have extracted users' information, these e-mails are then redirected on to the original destination to "cover their tracks".

These fake sites can also be used for Web-based attacks, Andresen pointed out.

Elaborating, he said the fraudulent site would masquerade as a real Web site to either conduct an "active or passive attack". Active ones include man-in-the-middle attacks while passive ones are those that use the site to harvest user information until they can no longer mirror the functionality provided by the real site.

These attacks will allow cybercriminals to steal users' personal information and corporate intellectual property (IP), Andresen warned. Active attacks, in particular, can be used as part of an advanced persistent threat on a corporation to steal or modify intellectual property and critical systems, he added.

Threats rising in Asia-Pacific
Additionally, such cyber threats and pilfering of data using doppelganger sites have been happening in Asia-Pacific and the frequency is expected to increase, noted Jason Pearce, director of sales engineering for Asia-Pacific at M86 Security.

Both industry watchers' comments come in the wake of a September report by IT security services vendor Godai Group, which found that about 30 percent of the top 500 companies in the U.S. are vulnerable to security threats from doppelganger domains. In six months, the researchers intercepted 120,000 wrongly sent messages and grabbed 20 gigabytes (GB) of data containing user names, passwords and details of corporate networks, it stated.

Sophos' Mark Stockley also chimed in with a blog post following the release of Godai's findings, saying that it's "striking" that the researchers managed to capture so much information by focusing on just one common mistake.

"A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organizations and typos," Stockley noted.

Pearce added that many of the Fortune 500 companies have a large presence in Asia-Pacific and localized domains to cater to the needs of their customers and staff based here, he explained in an e-mail. This makes them attractive targets for cybercriminals, he said.

The M86 executive also pointed out that depending on the information captured using doppelganger Web sites, the data could be stored for future exploits. As such, information grabbing is more a reconnaissance exercise for further attacks, he said.

Security tips to ward off doppelganger sites

1. Use a collaborative cloud service
This is the most successful defense tool that can correlate evidence of a Web page's malicious activity and automatically identify and block the network or host responsible, regardless of how the payload is encrypted, Andresen advised.

Organizations can also tap the wider end-user community to discover new Web threats and malicious sites, and proactively prevent access to these sites, he added.

2. Purchase "doppelganger domains"
Companies are urged to beat the cybercriminals at their own game by buying over possible doppelganger domain names that resemble their own corporate Web sites, Andresen noted.

"Controlling doppelganger and typosquatting domains reduces the threat of information loss and possible harm to their customers, partners, and employees who are directed to malicious Web sites through common typographical and spelling mistakes," the Blue Coat executive said.

3. Monitor for typosquatting abuse
M86's Pearce added that organizations should continuously monitor newly registered domain names to stop cybersquatters from targeting their brands. Early detection will allow organizations to take action before significant damage is done, he explained.

4. Modify DNS and e-mail server configuration
Organizations can also modify their internal DNS (domain name system) to disallow access to doppelganger domains or set their e-mail servers to prevent any outbound e-mails from reaching doppelganger domains, Pearce pointed out.

5. Educate employees and customers
User education is key too, the M86 executive stressed, for employees and customers alike.

"If both audiences are made aware that these type of attacks exist and involve sophisticated social engineering techniques, they will be less susceptible to them," Pearce said.
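The definition above (drop one dot or hyphen between labels, so sg.example.com becomes sgexample.com) and tips 2 to 4 (buy the domains, watch new registrations, block them in DNS and mail) all need the same thing: the list of doppelganger candidates for an organization's real hostnames. The following script is an added example, not code from Blue Coat, M86, Godai or the article; the hostnames are constructed, and the small set of multi-label public suffixes is an assumption that a real deployment would replace with the full Public Suffix List. It enumerates candidates, reduces them to the registrable domains an attacker would actually have to buy (dropping any that collapse back into a domain the organization already owns), classifies outbound recipients against that list, and emits BIND response-policy-zone and Postfix access-table entries for tip 4.

```python
"""Doppelganger-domain helper (added example, not the vendors' code)."""

# Assumption: subset of multi-label public suffixes common in the region.
# Production code should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com.sg", "com.au", "co.jp", "co.kr", "com.hk", "co.in", "co.uk"}

# Constructed sample of an organization's real hostnames.
SAMPLE_HOSTNAMES = [
    "sg.example.com",
    "mail.sg.example.com",
    "example.com.sg",
    "www.acme-corp.com",
]


def _labels(hostname):
    return hostname.lower().rstrip(".").split(".")


def registrable(hostname):
    """Registrable domain: last two labels, or three when the last two are
    a known public suffix (sg.example.com.sg -> example.com.sg)."""
    labels = _labels(hostname)
    n = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])


def doppelgangers(hostname):
    """Every variant of hostname that drops exactly one dot or hyphen.
    The dot in front of the TLD is never dropped: 'examplecom' is not a
    registrable name, whereas sgexample.com is."""
    labels = _labels(hostname)
    out = set()
    # Drop one dot: merge label i into label i+1, never touching the TLD.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged))
    # Drop one hyphen inside any non-TLD label (my-corp -> mycorp).
    for i, lab in enumerate(labels[:-1]):
        for j, ch in enumerate(lab):
            if ch == "-":
                variant = labels[:i] + [lab[:j] + lab[j + 1:]] + labels[i + 1:]
                out.add(".".join(variant))
    return out


def watchlist(hostnames):
    """Registrable doppelganger domains worth buying or monitoring.
    Candidates whose registrable part the organization already owns
    (mailsg.example.com -> example.com) cannot be taken by an attacker
    and are dropped."""
    owned = {registrable(h) for h in hostnames}
    candidates = set()
    for h in hostnames:
        for d in doppelgangers(h):
            r = registrable(d)
            if r not in owned:
                candidates.add(r)
    return sorted(candidates)


WATCH = watchlist(SAMPLE_HOSTNAMES)


def mail_recipient_verdict(address, watch):
    """Tip 4, mail side: reject outbound mail whose recipient domain (or any
    subdomain of it) is on the doppelganger list."""
    domain = address.rsplit("@", 1)[-1].lower()
    return "REJECT" if registrable(domain) in watch else "OK"


def rpz_records(watch):
    """Tip 4, DNS side: BIND response-policy-zone records. 'CNAME .' is the
    RPZ action that answers NXDOMAIN for the name and everything under it."""
    lines = []
    for d in watch:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


def postfix_access(watch):
    """Postfix access(5) table for check_recipient_access. Both the bare
    domain and the '.domain' form are emitted, so subdomains match whether
    or not parent_domain_matches_subdomains covers smtpd_access_maps."""
    lines = []
    for d in watch:
        lines.append(f"{d} REJECT suspected doppelganger domain")
        lines.append(f".{d} REJECT suspected doppelganger domain")
    return lines


if __name__ == "__main__":
    print("Watchlist:", WATCH)
    for addr in ("alice@hr.sgexample.com", "bob@sg.example.com"):
        print(addr, "->", mail_recipient_verdict(addr, WATCH))
    print("\n".join(rpz_records(WATCH)))
    print("\n".join(postfix_access(WATCH)))
```

For the constructed sample the watchlist is acmecorp.com, examplecom.sg, sgexample.com and wwwacme-corp.com; the hyphen-dropped mycorp-style variant of www.acme-corp.com is caught, but mailsg.example.com is discarded because its registrable domain is the organization's own. The same list feeds tip 2 (register what is cheap to take) and tip 3 (compare it against new-registration feeds), while the RPZ and Postfix output covers tip 4. Note that Godai's 120,000 intercepted messages came from the dot case alone, so even this narrow generator covers the mistake that produced the bulk of that leak.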