Investigating Brand Infringement with HYAS Insight

HYAS Insight is a key tool for SOC and fraud teams for use cases like incident response and fraud investigation. Something that we have noticed is that some customers focused on threat intelligence use cases are also using HYAS Insight to counter brand infringement and typosquatting. I wanted to share what I found when I went around asking customers and HYAS folks about how they employed HYAS Insight to investigate typosquatting. 

For those of you not familiar with it, typosquatting involves using a permutation of a brand’s domain for illicit purposes. That could be any number of things:

• Trying to subsequently sell the typo domain back to the brand owner
• Monetizing the domain through advertising revenues from direct navigation misspellings of the intended domain
• Redirecting the typo-traffic to a competitor
• Redirecting typo-traffic back to the brand itself, but through an affiliate link that earns commissions from the brand owner's affiliate program.
• A phishing attack by mimicking the brand's site, while intercepting passwords which the visitor unsuspectingly provides

Examples of potential typosquatting domains

HYAS Insight provides enterprises with the capability to monitor and protect their brands. By quickly identifying illegal, infringing or threatening incidents against your brands, you can stop and prevent future infringement. Many of these newly-created and fully qualified domain names (FQDNs) are used in phishing attacks against users, customers, and partners. They can also be used for brand counterfeiting, brand abuse, identity theft, and intellectual property abuse.

Using HYAS Insight to counter typosquatting is a fairly straightforward process.

1. Identify all of the relevant brand names that you want to protect
2. Locate a tool to create permutations of that name.  Over 20 typosquatting tool options are available at https://github.com/topics/typosquatting
3. Use your tool to create a watchlist containing permutations of your brand name(s)
4. Enter your watchlist into the HYAS Insight Alert function that will automatically create an alert for each item on your list. The alert will provide a variety of information including the domain registrar of the offending domain. 
5. When a rule is triggered, consider taking action such as submitting the phishing or malware-related site to Google Safe Browsing and similar services. Requesting a domain take down directly to the domain registrar is another option, however the results depend on the willingness of the registrar to help.

Adversaries often have multiple typosquatting sites pointing to a common IP address. If you locate one actor abusing a brand and can identify that actor’s IP or email address, you can create an infrastructure alert in HYAS Insight to proactively notify you of other infringing infrastructure using that IP or email address. 

While there are more elaborate (and expensive) tools to perform this sort of brand protection work, HYAS Insight provides an effective way to mine the DNS WHOIS information available in HYAS Insight to identify and counter typosquatting. To learn more about HYAS Insight, click on Get a Demo (we love giving demos!).