Time and time again, we see how the cybercriminal ecosystem often mirrors what happens in the business world. This can be a criminal group emulating corporate job advertisements in order to recruit accomplices, or a forum operator using modern website design and user experience features to attract customers.
One day while using our Shadow Search™ investigation tool, I stumbled upon a network of typosquat domains. A typosquat changes one or two characters in a domain so that it still looks like the original at first glance; a classic example is swapping an “m” for “rn”. We see squats all the time, but what caught my eye was that these weren’t imitating legitimate businesses: they were imitating criminal dark web sites, specifically hidden services on the Tor network.
Anyone browsing Tor will have seen images similar to these (Figure 1), where site owners list the legitimate .onion addresses for a service to protect customers from scammers. We’ve seen these on marketplaces such as Dream Market, Wall Street, and even AlphaBay before it was taken down. The threat from typosquat domains is significantly higher for these services because a .onion address is derived from the service’s key rather than chosen by its operator, so it appears as a long string of seemingly random characters that no user can be expected to memorize or verify by eye; they’re called “hidden services” for a reason.
Figure 1: Dark Web marketplaces displaying mirror domains for their sites
Here is an example of what I’m talking about: a legitimate domain for the Tochka/Point Marketplace is “tochka3evlj3sxdv[.]onion” and the typosquat is “tochka3evevasc32[.]onion”.
Again, security people at corporations in every vertical know this issue exists for their businesses and it can lead to a loss in revenue, customer trust, and decline in brand reputation. Taking it to the extreme, what if one person or entity created an entire network of exact replica websites of all the companies operating in your vertical? That’s exactly what we found for dark web hidden services like AlphaBay, Hidden Answers, Valhalla, Grams, Hansa Market, and several others.
Figure 2: Splash page discovered on several dark web typosquat domains
When I first came across this splash page in late November 2018, I really didn’t think much about it. One scam site on Tor is hardly surprising. But when I kept seeing it in relation to several popular marketplaces and forums, it got me interested. A network of typosquats operating for four years, with 800 domains, all owned by the same person or entity? Can we prove that? A quick search for a unique string from the note on the splash page brought back something similar to the following:
Figure 3: Using Shadow Search to identify over 200,000 dark web pages containing strings from the scam note
Wow – 216,079??
That seems like a lot, which got me even more interested. Working with our data science colleagues in the Photon Research Team, we aggregated and deduplicated all of these results and found that over 350 unique .onion domains were being used to spoof “legitimate” dark web domains.
That is a big drop from the original 216,000, for two reasons. First, a large proportion of the sites on the dark web act as mirrors of the legitimate version of a service (examples are in Figure 1). The second reason is more technical and comes down to the way Digital Shadows’ Searchlight platform collects data: it records pages, not domains. Using our Tochka example from earlier, tochka3evevasc32[.]onion, tochka3evevasc32[.]onion/forum/ and tochka3evevasc32[.]onion/forum/section_1/ were all collected and counted separately within the initial 216,000, even though visiting any of them returns the same splash page pictured in Figure 2. Extrapolate that across Digital Shadows’ entire dark web collection and the 216,000 figure makes sense.
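The two steps above (collapsing collected pages down to unique .onion hosts, then spotting which of those hosts imitate a known-good address, including the “rn” for “m” trick mentioned earlier) can be scripted. The following is an added example written for this post, not ReliaQuest or Digital Shadows code; the only real addresses in it are the two Tochka ones quoted above, and every other URL, the KNOWN_GOOD list, the CONFUSABLES table and the prefix threshold are constructed assumptions.

```python
"""Collapse collected dark web URLs to unique .onion hosts and flag likely
typosquats of known-good addresses.

Added illustration for this post; it is not ReliaQuest or Digital Shadows
code, and every URL below is constructed (only the two Tochka addresses
come from the post)."""
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed sample of "collected pages": several paths under the squat
# host, the legitimate Tochka host, and a hypothetical pair that differ
# only by 'rn' versus 'm'.
SAMPLE_URLS = [
    "http://tochka3evevasc32.onion/",
    "http://tochka3evevasc32.onion/forum/",
    "http://tochka3evevasc32.onion/forum/section_1/",
    "http://tochka3evlj3sxdv.onion/",
    "http://tochka3evlj3sxdv.onion/market/listings",
    "http://exarnplemarket3x.onion/",        # hypothetical squat ('rn')
    "http://examplemarket3x.onion/login",    # hypothetical legitimate host
]

# Addresses an analyst has vetted. Tochka is from the post; the other is
# hypothetical.
KNOWN_GOOD: Set[str] = {"tochka3evlj3sxdv.onion", "examplemarket3x.onion"}

# Digraphs that read as one letter at a glance. Onion names are base32
# (a-z, 2-7), so these are the ones that can actually occur.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def onion_host(url: str) -> Optional[str]:
    """Lowercase host of an .onion URL, or None for anything else."""
    host = (urlsplit(url).hostname or "").lower()
    return host if host.endswith(".onion") else None


def unique_hosts(urls: Iterable[str]) -> Set[str]:
    """Every page under a host counts once: the 216k -> 350 step."""
    return {h for h in (onion_host(u) for u in urls) if h}


def canonical(host: str) -> str:
    """Fold confusable digraphs so 'exarnple' compares equal to 'example'."""
    label = host[: -len(".onion")] if host.endswith(".onion") else host
    for digraph, letter in CONFUSABLES:
        label = label.replace(digraph, letter)
    return label


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of characters."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def flag_typosquats(hosts: Iterable[str], known_good: Set[str],
                    min_prefix: int = 6) -> Dict[str, str]:
    """Map each suspect host to the vetted address it imitates.

    An onion address is derived from the service key, not chosen, so an
    unknown host that shares a long leading run with a vetted one (a
    brand-like prefix such as 'tochka3ev') and then diverges matches the
    pattern in the post. Confusable folding catches the 'rn' for 'm' case.
    """
    flagged: Dict[str, str] = {}
    for host in sorted(hosts):
        if host in known_good:
            continue
        for good in sorted(known_good):
            if canonical(host) == canonical(good) or \
               common_prefix_len(host, good) >= min_prefix:
                flagged[host] = good
                break
    return flagged


if __name__ == "__main__":
    hosts = unique_hosts(SAMPLE_URLS)
    print(f"{len(SAMPLE_URLS)} pages -> {len(hosts)} unique .onion hosts")
    for squat, target in flag_typosquats(hosts, KNOWN_GOOD).items():
        print(f"{squat} looks like a squat of {target}")
```

Run as-is, the seven constructed pages collapse to four hosts, and two of those are flagged: the Tochka squat through its shared “tochka3ev” prefix, and the hypothetical “exarnple” host through confusable folding. The prefix heuristic works here precisely because genuine onion addresses are pseudorandom: two unrelated services almost never share a six-character leading run, so a stranger that does is imitating the brand on purpose.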
With the dark web being so volatile (sites go up and down all the time) and certain sections being gated or requiring access permissions, complete visibility is hard to achieve, especially for everyday users. Several directory sites for hidden services exist; they attempt to collect the addresses of these services but can include non-legitimate links (like typosquats). We detected several of these directories listing sites with the title “Thank you guys!”, indicating those sites were hosting the Figure 2 splash page. Searching across several of these directories put the number closer to 500. Given that, the 800 domains the fraudster claimed to operate is plausible.
Figure 4: Shadow Search results of the unique string between November 2018 and March 2019
Some of these sites had even been reported as scams previously, though it’s not clear how widely known this was among users of these services. We detected posts on lesser-known and obscure forums containing scam claims for a few of the domains now hosting the splash page (Figure 5).
Figure 5: Users questioning the legitimacy of one of the domains controlled by the scammer
Scammers are scamming. So, what?
This may not seem like a very big revelation: a scammer creating typosquat domains to conduct fraud against users of the legitimate domain. However, it makes a good case study of what happens when typosquatting gets out of hand and is taken to the extreme. The scammer claimed to have made off with a lot of money: 200 BTC, which is around $760,000 at the time of writing. That’s nothing to scoff at. If what the fraudster says is true, it shows how profitable brand impersonation and domain squatting can be.
Scammers can monetize their typosquat domains in a variety of ways, including advertising through web traffic driven to the site, harvesting credentials to sell or reuse in other fraud attacks, or directly from purchases made on these sites with no actual product being delivered. Additionally, we’ve observed some of the sites using their own Bitcoin wallets to accept donations for providing the service – a common practice for dark web sites. Though we cannot confirm that the scammer operating this typosquat network was able to get the amount of Bitcoin that they claim, they mention using a self-made payment processor on the sites, indicating that some form of purchasing was occurring.
Of course, clear web domains sit within a governance framework, including the policies of the Internet Corporation for Assigned Names and Numbers (ICANN) and the domain registries, which adds visibility into who owns a site and what they can and cannot do with it (from an impersonation perspective) and provides avenues for reporting and taking down fraudulent sites. No such registry exists for .onion addresses. Even with that framework, in 2018 alone Digital Shadows raised over 45,000 typosquat alerts to our clients, which we also help them remediate through managed takedowns.
Threat actors are going to continue trying to bank off of the prestige and public knowledge of well-known brands to conduct their fraudulent activities, like hosting typosquat domain websites. This is why online brand security is so important for companies operating in the digital age. When it comes to brand security, companies can do the following:
This squatting network shows that brand impersonation that goes unchecked, undetected, and unmitigated can directly lead to loss of customer trust and revenue.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.