Is Your Safe from an ‘Evil Twin?’

By Charles DeBarber, Cybersecurity Advisor

An organization’s domain offers adversaries avenues to attack and exploit, which besmirch the reputation of an organization irrevocably. One of the most common exploitation tactics uses “doppelgangers.” To help you protect the good name of your organization, we will discuss what doppelgangers are, the domain registration process, the use of malicious tactics, and mitigation of doppelgangers.

What is a doppelganger?

A doppelganger is a malicious variation of your organization’s legitimate domain name. The word ‘doppelganger’ comes from German folk tales and is the name of an evil twin.1

In this example, let us assume there is a fictional organization called Amerilegion with an amerilegion.org for both their webpage and mail domain.

Legitimate Domain

• amerilegion.org

Possible Doppelgangers

• ameri1egion.org
• amerilegion.com
• am3rilegion.org
• amerilegian.org
• amerilegion.or

The adversary will create domains that look close to the original or take advantage of ‘typosquatting’ by registering common misspelling and typo variations of the domain.

What is not a doppelganger?

Closely named domains, or even domain names parodying another organization, are not doppelgangers in themselves. Only domains intended for malicious use are doppelgangers. Examples of domain use that are not doppelgangers:

• Domains that are closely named or squatting on /brand names
• Domains that exist to parody or be critical of an organization. People can register a domain close to Amerilegion’s or using their brand name to mock or criticize the organization. They can even use it to drive traffic to a rival organization.

1 https://en.wikipedia.org/wiki/Doppelgänger

Who handles and adjudicates domain rights?

Domain rights are managed, assigned, and sometimes revoked by one of the five regional internet address registries (RIR). These consist of ARIN (American Registry for Internet Numbers) for North America, LACNIC (Latin America and Caribbean Network Information Centre) for South America, RIPE NCC (Réseaux IP Européens) for Europe, APNIC (Asia Pacific Network Information Centre) for Asia/Australia/Oceania, and AFRINIC (African Network Information Centre) for Africa.

In North America, ARIN manages the Internet Corporation for Assigned Names and Numbers (ICANN), which manages domain names. To learn more about ICANN and look up domains, consult ICANN’s WHOIS database.

What do adversaries use doppelganger domains for?

Doppelganger domains have multiple malicious uses. These are primarily phishing, drive-by malware, or stealing logins/passwords. A fictional example of each is demonstrated below.

Example - Phishing

In this example, the adversary uses a doppelganger domain (ameri1egion.org) posing as Amerilegion’s CFO Mr. Scott McDonald to get the target, Ms. Molly Walker, to wire funds to an offshore account owned by the adversary.


By doing information reconnaissance, the adversary obtained a copy/paste of Mr. McDonald’s signature block with Amerilegion’s company logo to make it look even more realistic. Sophisticated phishing attempts often use a company letterhead to ‘hoodwink’ the target.

Example – Drive-By Malware

Step One: A user intends to go to the website amerilegion.org, but accidentally misspells the domain and instead goes to amerilegian.org.

Step Two: The browser goes for milliseconds to doppelganger amerilegian.org and malware is injected using cross-site scripting (XSS) or another exploitation mechanism. It then immediately forwards to the legitimate site amerilegion.org. This action makes the target of the malware installation less likely to notice anything malicious happened.

Example – Stealing Logins/Passwords

Amerilegion has a webmail portal for employees at subdomain webmail.amerilegion.org. The adversary, in this case, set up a doppelganger domain with a webmail subdomain named webmail.amerilegion.com, counting on some employees of Amerilegion typing the wrong domain extension (e.g., ‘.com’ instead of ‘.org’).

In this case, the adversary cloned the Amerilegion webmail page and is quietly collecting logins/passwords employees put on the cloned Amerilegion page. These are then harvested for a possible attack later when the adversary will use the logins and passwords on the company’s accounting portal or the company’s SharePoint accounts. The adversary will use some variation of these three strategies.2

How do I detect doppelgangers?

Sadly, you will often detect doppelgangers when they reach out to you or another organization. There are so many variations of most domains (aka ‘enumerations’) that it is challenging to detect them all; however, there are some early warning signs and methods of detection:

1. There are free Linux tools, such as DNSTwist and URLCrazy, that will look at hundreds of enumerations of a domain and report which ones are registered. These can potentially identify malicious doppelgangers.

2. Commercial off the shelf (COTS) solutions include PhishEye, BitBucket, and SourceGraph. These services will alert you to new domain registrations containing your brand name and variations of it.

Recommendations if alerted to a possible doppelganger:

• Assess the site using a free sandbox tool, such as urlscan.io, and see if they set up a cloned version of your page. Also, this action allows you to see if it is a legitimate organization with a close name.
• Instruct the email team to put in a rule to drop any emails from that domain and submit them to a separate phishing email inbox. These emails suggest malicious intent and must be combated.
• Blacklist all web traffic to suspected doppelganger domains.
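One way to express the mail rule above as a check on sender domains, shown as an added example that is not part of the original article. The digit table, the distance threshold of 2, the action names and the sample senders are assumptions constructed for illustration; a "lookalike" result is a candidate for review, since a closely named domain can belong to a legitimate organization.

```python
LEGIT = "amerilegion.org"               # the article's fictional domain
DIGITS = str.maketrans("310", "elo")    # undo numeral-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(sender, legit=LEGIT, max_dist=2):
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return "internal"
    name = legit.rpartition(".")[0]
    for label in domain.split("."):
        norm = label.translate(DIGITS)
        # Catches wrong TLDs, digit swaps, typos and glued-on subdomains.
        if name in norm or edit_distance(norm, name) <= max_dist:
            return "lookalike"
    return "external"

# Constructed sample senders, not taken from real mail.
SENDERS = [
    "molly.walker@amerilegion.org",
    "scott.mcdonald@ameri1egion.org",
    "it-help@webmail.amerilegion.com",
    "billing@amerilegian.org",
    "sales@vendor.example",
]

def route(senders=SENDERS):
    """Map each sender to a mail action (action names are hypothetical)."""
    actions = {"internal": "deliver", "lookalike": "quarantine",
               "external": "tag-external"}
    return {s: actions[classify(s)] for s in senders}

if __name__ == "__main__":
    for sender, action in route().items():
        print(f"{action:13} {sender}")
```
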

I found a malicious doppelganger on my site. How do I get rid of it?

It is essential to know your options for handling the doppelganger. The Uniform Domain-Name Dispute-Resolution Policy (UDRP) is a process established by ICANN for the resolution of disputes regarding the registration of internet domain names.3

The UDRP process can seize the domain if all three of the following rules are met.

1. The domain name is identical or confusingly like a trademark or service mark in which the complainant has rights.4

2. The registrant does not have any rights or legitimate interests in the domain name.5

3. The domain name has been registered, and the domain name is being used in ‘bad faith.’6

2 Anecdotally, I can attest to seeing these strategies more commonly used against vendors of an organization versus the organization itself.

3 Domain Name Dispute Resolution Policies https://www.icann.org/resources/pages/dndr-2012-02-25-en

4 Harvard Cyber Law UDRP https://cyber.harvard.edu/udrp/opinion/ttext.html

5 Harvard Cyber Law https://cyber.harvard.edu/udrp/opinion/itext.html

Evidence must be provided to prove ‘bad faith,’ such as screenshots of cloned pages or malicious emails. This process can be expensive: hiring a UDRP provider to handle a complaint can cost $1,500+, not counting further civil litigation if the UDRP denies the request. Sometimes focusing on hardening your network and working with your vendors/customers is a more economical tactic.

Prevention is better than the cure

As a general cybersecurity strategy: prevention is preferable to the incident itself. So, how can you harden yourself against doppelgangers?

1. Determine and register the most common variations of your domain.
   • In our example, we can register the 10 most common misspellings of Amerilegion, all of the top-level domain variations of it (e.g., .net, .com, .edu), replace the letters e, o, and l with the numerals 3, 0, and 1, and register those variations. Set every one of those domains to forward the user onto the legitimate website.
   • Register some of your most common subdomains. Let us use Amerilegion’s webmail subdomain webmail.amerilegion.org as an example. An adversary might register webmailamerilegion.org without the ‘.’ counting on users to forget it occasionally. This tactic can forward them on to drive-by malware or a cloned page to harvest logins/passwords. It is recommended, at the very least, that administrators blacklist these variations on their network to prevent their users from accessing them.

2. Detection is always helpful. Set up monitoring of your trademark with a platform for monitoring domain registrations. However, these have varying costs.

3. Harden your network against variations.
   • Blacklist variations of your domain on your firewall
   • Quarantine emails from domains with a rule on your mail server to drop the email and BCC a copy to an account for collecting phishing emails
   • Have all emails from domains outside of your organization tagged with EXTERNAL in the subject. This step can impede the adversary’s ability to ‘blend in.’
   • Discuss phishing in your cybersecurity and information assurance training with employees
      o Show a few examples of doppelgangers and insist they not trust such domains
      o Ensure they know who to report suspect emails and phone calls to

6 Harvard Cyber Law https://cyber.harvard.edu/udrp/opinion/btext.html


4. Organizations with Security Information & Event Management (SIEM) platforms can set alerts for GET requests on ports 80/443 to suspected doppelganger URLs. Keep a list of suspected doppelgangers/domain squats for managing infrastructures.

5. Some adversaries are patient and will purchase the doppelganger domain and wait. If you detect these suspected doppelgangers, use a free third-party tool that alerts you to a webpage changing. People often use these for shopping sites. This tool alerts you if the page changes, indicating they have the item in stock. The alert prompts you to look within the sandbox tool to see if they set up a clone page and that a campaign against you has begun. You can then work with your organization on your UDRP options and alert your vendors/customers to the issue if that is determined necessary.
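The watchlist from step 1 and the SIEM alert from step 4 can be sketched together; this is an added example, not part of the original article. The TLD list, the single misspelling, the log format and the log lines are constructed assumptions, and the watchlist is meant for blocklisting or defensive registration of your own domain's variations.

```python
from itertools import product
from urllib.parse import urlsplit

LEGIT = "amerilegion.org"                # the article's fictional domain
TLDS = ["org", "com", "net", "edu"]      # original TLD plus the article's examples
SWAPS = {"e": "3", "o": "0", "l": "1"}   # substitutions named in step 1
MISSPELLINGS = ["amerilegian"]           # supply your own top misspellings
SUBDOMAINS = ["webmail"]                 # subdomains to cover without the dot

def variations(domain=LEGIT):
    """Build the watchlist of look-alike domains, excluding the real one."""
    name = domain.rpartition(".")[0]
    # Each swappable letter is either kept or replaced by its numeral.
    choices = [(c, SWAPS[c]) if c in SWAPS else (c,) for c in name]
    names = {"".join(p) for p in product(*choices)}
    names |= set(MISSPELLINGS)
    names |= {sub + name for sub in SUBDOMAINS}   # e.g. webmailamerilegion
    watch = {f"{n}.{t}" for n in names for t in TLDS}
    watch.discard(domain)
    return watch

# Constructed proxy log lines: timestamp, client IP, method, URL.
LOG = """\
2024-05-01T09:14:02Z 10.0.4.17 GET https://amerilegion.org/index.html
2024-05-01T09:14:09Z 10.0.4.22 GET http://amerilegian.org/
2024-05-01T09:15:41Z 10.0.4.31 GET https://webmail.amerilegion.com/login
2024-05-01T09:16:03Z 10.0.4.17 GET https://webmail.amerilegion.org/login
2024-05-01T09:17:55Z 10.0.4.40 GET http://ameri1egion.org:80/invoice
"""

def alerts(log=LOG, watch=None):
    """Return (client, host) for every GET to a watched domain or its subdomains."""
    watch = watch or variations()
    hits = []
    for line in log.splitlines():
        _ts, client, method, url = line.split()
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        # Test the host and each parent domain against the watchlist.
        suffixes = (".".join(labels[i:]) for i in range(len(labels)))
        if method == "GET" and any(s in watch for s in suffixes):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    print(len(variations()), "watched domains")
    for client, host in alerts():
        print("ALERT", client, host)
```
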

Conclusion

Having a domain and web portal gives organizations legitimacy and grants them control of how they interact with their customers, vendors, colleagues, and the public. Sadly, they can be used as a tool against their organization for exploitation and harassment. Protecting your domain from malicious ‘evil twins,’ therefore, protects your organization, employees, vendors, customers, and reputation.
