Organizations allocate substantial resources to draw partners, customers and employees to product information, services and commerce on their websites. Customers quickly navigate to these websites within secure domains to find everything they need in one central location.
However, despite the best safeguards, an organization’s domain can suddenly become insecure. A stealthy type of cyber crime called brand typo squatting is attacking organizations, infiltrating them through the fraudulent manipulation of Domain Name System (DNS) naming conventions.
Unauthorized use of a trademark.
Assuming the online identity of another entity to acquire that organization’s brand equity.
Malicious use of a brand, diminishing its perceived quality.
Registration of a “typo domain” that is lexically similar to a brand with the intention of launching one of the three attacks listed above.
Brand Sentry enables an organization to monitor its brands in real time for unauthorized or uncharacteristic usage. This actionable intelligence empowers an organization to quickly identify illegal, infringing or threatening incidents against its brands in order to stop them and prevent future breaches. The Brand Sentry solution monitors the global Internet and triggers an alert when an organization’s brands or lookalikes are first detected in the DNS.
Many of these newly-created and fully qualified domain names (FQDNs) are used in phishing attacks against users, customers, and partners. They are also used for brand counterfeiting, brand abuse, identity theft, and intellectual property abuse.
Brand Sentry begins with subscribers defining brands as text strings (and optionally specifying known good hosts or subdomains to be whitelisted). Next, subscribers specify one or more "match engine modules" -- each offering a different class of matching (literal, homoglyph, or phonetic) and a different type of matching (substring, regular expression, etc.). Finally, the brands and match engine modules are loaded into the Match Engine.
Brand Sentry then monitors Farsight Security's Newly Observed Hostnames feed and compares each new FQDN (known as a candidate) against each brand. If one or more of the match engine modules returns a match, the candidate is considered anomalous and an alert, with data surrounding the specific event, is returned to the organization in real time. The organization uses this information to alert and take action against the threat.
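The matching flow described above (whitelist check, then literal, homoglyph and phonetic modules run over each candidate FQDN), as an added Python example; it is not Farsight's implementation. The brand `acmepay`, the candidate hostnames, the confusables table and the phonetic key are constructed assumptions.

```python
import re

# Constructed confusables subset (assumption); production matchers use the
# full Unicode confusables data.
CONFUSABLES = str.maketrans("0135\u0430\u0435\u043e\u0440\u0441", "olesaeopc")

def decode(fqdn):
    """Lowercase an FQDN and decode punycode (xn--) labels to Unicode."""
    def label(l):
        try:
            return l.encode("ascii").decode("idna") if l.startswith("xn--") else l
        except UnicodeError:
            return l  # leave undecodable labels unchanged
    return ".".join(label(l) for l in fqdn.lower().rstrip(".").split("."))

def phonetic_key(word):
    """Simplified phonetic key, a stand-in for Soundex or Metaphone."""
    w = re.sub(r"[^a-z]", "", word)
    for src, dst in (("ph", "f"), ("ck", "k"), ("c", "k"), ("q", "k"), ("z", "s"), ("y", "i")):
        w = w.replace(src, dst)
    w = w[:1] + re.sub(r"[aeiou]", "", w[1:])  # keep first letter, drop later vowels
    return re.sub(r"(.)\1+", r"\1", w)  # collapse doubled letters

def match(candidate, brand, allowlist=()):
    """Return the first module that flags candidate, or None if nothing fires."""
    name = decode(candidate)
    # Known-good hosts are checked before folding, so a lookalike never passes.
    if any(name == h or name.endswith("." + h) for h in allowlist):
        return None
    if brand in name:
        return "literal"
    folded = name.translate(CONFUSABLES)
    if brand in folded:
        return "homoglyph"
    if phonetic_key(brand) in {phonetic_key(t) for t in re.split(r"[.-]", folded)}:
        return "phonetic"
    return None

# Constructed candidates standing in for a newly observed hostname feed.
CANDIDATES = [
    "www.acmepay.com", "secure.acmepay.example-cdn.net", "acm3pay.org",
    "acmep\u0430y.com".encode("idna").decode("ascii"),  # Cyrillic U+0430 as punycode
    "akmepay-login.net", "weather.example.org",
]

def scan(brand="acmepay", allowlist=("acmepay.com",)):
    """Map each flagged candidate to the module that fired."""
    hits = {c: match(c, brand, allowlist) for c in CANDIDATES}
    return {c: m for c, m in hits.items() if m}
```

The phonetic key is intentionally loose, so in practice its alerts need more triage than literal or homoglyph hits.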
Farsight observes millions of domains each day. Using the historical DNSDB database as the baseline for comparison, Farsight detects that more than 100,000 of these each day are newly configured domains.
Leveraging more than 2 TB of daily real-time Passive DNS data, Farsight discovers when these domains are first used. Other discovery methods, such as TLD Zone File Access and WHOIS, can’t identify newly-configured domains until 17 hours after registration.