The ThreatConnect® Domain-Spinning Workbench Spaces app provides four algorithms for identifying potential domain squats related to an input domain name. The list of domain names it provides can be used to take preventative measures against potential squats or to take action against actual squats. Users can import selected domain names and registrant email addresses into ThreatConnect as Indicators. The methods for identifying squats include open-source algorithms and algorithms developed by the ThreatConnect Research Team.
Domain Squat Identification Algorithms
The Domain-Spinning Workbench app provides four algorithms for identifying domain squats:
- Bitsquatting: The Bitsquatting algorithm finds domains that would receive traffic if a bit flip occurs in an Internet device when a given domain is requested. For more information about bitsquatting, see http://dinaburg.org/bitsquatting.html.
- DNSTwist: The DNSTwist algorithm finds domain names that look similar to a given domain name or that are possible variants of it produced when a user makes a typo while entering the domain name (“typosquatting”). For more information about the DNSTwist algorithm, see https://github.com/elceef/dnstwist.
- URLCrazy: The URLCrazy algorithm detects many different variations of a domain, including basic bitsquatting, typosquatting, and common misspellings. For more information about the URLCrazy algorithm, see https://www.morningstarsecurity.com/research/urlcrazy.
- XNTwist: The XNTwist algorithm detects internationalized domain names that may be squatting on a domain name. For more information about the XNTwist algorithm, refer to https://about.xntwist.hightower.space/.
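As an added illustration of the bitsquatting idea described above (this is not code from the app, from the ThreatConnect documentation, or from the dinaburg.org page), the following Python script enumerates the single-bit-flip variants of a domain that are still valid hostnames, and checks whether an observed domain is exactly one bit away from a given original. It mutates only the part before the top-level domain and drops flips that produce invalid hostname characters; the function names are ours.

```python
import string

# Characters allowed in a DNS label (letters, digits, hyphen). Uppercase is
# excluded because hostnames are case-insensitive, so a flip that only
# changes case does not yield a distinct domain.
VALID_LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def _labels_are_valid(head):
    """Reject empty labels and labels that begin or end with a hyphen."""
    return all(lbl and lbl[0] != "-" and lbl[-1] != "-" for lbl in head.split("."))


def bitsquat_candidates(domain):
    """Return the distinct domains obtained by flipping exactly one bit in
    exactly one character of the part before the top-level domain.

    The TLD is left unchanged, and candidates that are not valid hostnames
    (or that equal the original) are discarded.
    """
    domain = domain.strip().lower()
    if "." not in domain:
        raise ValueError("expected a fully qualified name such as example.com")
    head, tld = domain.rsplit(".", 1)

    found = []
    seen = set()
    for i, ch in enumerate(head):
        if ch == ".":
            continue  # keep label separators where they are
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in VALID_LABEL_CHARS:
                continue
            new_head = head[:i] + flipped + head[i + 1:]
            if not _labels_are_valid(new_head):
                continue
            candidate = new_head + "." + tld
            if candidate != domain and candidate not in seen:
                seen.add(candidate)
                found.append(candidate)
    return found


def is_single_bit_flip(original, observed):
    """True when `observed` differs from `original` in exactly one character
    and that character differs by exactly one bit (the bitsquat signature)."""
    original = original.strip().lower()
    observed = observed.strip().lower()
    if len(original) != len(observed):
        return False
    diffs = [(a, b) for a, b in zip(original, observed) if a != b]
    if len(diffs) != 1:
        return False
    a, b = diffs[0]
    xor = ord(a) ^ ord(b)
    return xor != 0 and (xor & (xor - 1)) == 0  # exactly one bit set


if __name__ == "__main__":
    # Constructed example input: the same domain used later in this guide.
    for squat in bitsquat_candidates("google.com"):
        print(squat)
```

Running the script lists candidates such as foogle.com and gnogle.com; is_single_bit_flip() is the check to apply when a newly registered domain turns up in logs and you want to know whether it is one bit away from a name you protect.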
WHOIS Lookup Options
The Domain-Spinning Workbench app provides two options for retrieving WHOIS data:
- DomainTools WHOIS Lookup: This option is the best choice for users who have a subscription to the DomainTools service.
- ThreatConnect WHOIS Lookup: This option is the best choice for users who do not have a subscription to the DomainTools service.
Prerequisites
- It is recommended that all of the Playbook URLs be saved by an Organization Administrator as text variables in the user’s Organization for easier entry into the app configuration and subsequent modification. For more information on creating variables, see the “Variables” section of the ThreatConnect Organization Administration Guide.
- It is recommended that users set their Log Out Interval to 2 hours (or more) so that their logins do not time out during the spin. To change the Log Out Interval, select MY PROFILE from the dropdown menu under the Settings icon on the top navigation bar. The My Profile screen will appear with the Overview tab selected. Use the Log Out Interval drop-down menu to select a new amount of time.
Adding and Configuring the App
NOTE: Multiple instances of the app can be added to the Spaces screen, each with its own configuration settings (e.g., one that uses the Bitsquatting Playbook and DomainTools WHOIS Lookup, another that uses the DNS Twist Playbook and TC WHOIS Lookup, etc.). Switching between instances is then an alternative to changing the configuration settings of a single instance in order to toggle between Domain Spinning Playbooks or types of WHOIS Lookup Playbooks.
- Follow the steps in the “Adding a New Space” section of Spaces to create a Space and add the TCS - Domain Spinning v1.0 app to the Space. The final screen in this process will look like Figure 1.
- Click the pencil icon to configure the app. The Configure App screen will appear (Figure 2).
- Owner: Enter the name of the Organization that will own any Indicators and other objects imported from the Domain-Spinning Workbench app, or use the $ button to select an owner from the list of variables that appears.
- Tag to Apply to Objects Created During Import: Enter a Tag to apply to all objects imported from the app. A default Tag is provided. It may be modified if desired.
- Types of DNS Records to Look Up: This field lists default DNS Lookup record types that the app will access. Add or remove any record types as desired.
- Maximum Time of Results to Cache (in Days): The information generated by the app is stored in ThreatConnect’s Data Store. This field indicates the maximum amount of time the data is cached in the Data Store before it is refreshed upon another run of the app. The default amount of time is 14 days.
- Domain Spinning Playbook URL: Enter the URL for the Domain Spinning Playbook, or, if it has been entered as a variable (see the “Prerequisites” section above), use the $ button to select it from the list of variables that appears. The following Playbooks are valid choices: Bitsquatting, DNS Twist, URLCrazy, and XNTwist. Each Playbook uses a different algorithm to identify domains.
- DNS Lookup Playbook URL: Enter the URL for the DNS Lookup Playbook, or, if it has been entered as a variable (see the “Prerequisites” section above), use the $ button to select it from the list of variables that appears.
- WHOIS Lookup Playbook URL: Enter the URL for the WHOIS Lookup Playbook, or, if it has been entered as a variable (see the “Prerequisites” section above), use the $ button to select it from the list of variables that appears. The following Playbooks are valid choices: DomainTools WHOIS Lookup (requires a key; available only to users who have purchased a subscription to DomainTools) and ThreatConnect WHOIS Lookup (available to all ThreatConnect users; note that this service does not return registrant email addresses).
- Import Playbook URL: Enter the URL for the Import Playbook (Domain Squat Import), or, if it has been entered as a variable (see the “Prerequisites” section above), use the $ button to select it from the list of variables that appears.
- Click the SAVE button.
Using the App
- From the Spin screen (Figure 3), enter a domain name and then click the Spin button. This example uses “google.com”.
NOTE: Clicking on the down arrow to the left of the Spin button will display a list of previously searched domains, if any.
NOTE: The Spin button will be grayed out and unclickable until a period and the first letter of a top-level domain (e.g., .com, .edu) are added to the entry. To get results that make sense, enter the entire top-level domain (e.g., “google.com” rather than just “google.c”) before clicking the Spin button.
- The domain-spinning process will begin. If the domain has been spun within the Maximum Time of Results to Cache (Figure 2), then the spinning process will be short (i.e., a few seconds to several minutes), as the app will be searching only for new results since the last cache. If the domain has not been spun within the Maximum Time of Results to Cache, the process will probably take a long time (i.e., 15 minutes to 2 hours or more). Once the spin is initiated, the screen will indicate that it is collecting data for spun domains (Figure 4).
NOTE: If at any point the spin is interrupted (e.g., the user’s login times out, the user closes out of ThreatConnect), a subsequent re-spin will take less time, because the results of the interrupted first spin will have been cached.
- After the spin is underway, the screen will change to a countdown indicating the total number of domains in the spin and how many of those domains have not yet had their data collected (Figure 5).
NOTE: The countdown does not always move in real time. It is best used as a general measure of progress rather than an exact indicator of how many domains remain in the spinning process.
- When the spinning process finishes, a screen with the results will be displayed (Figure 6).
- The box on the left-hand side of the screen in Figure 6 provides Whois Data and DNS Data for the spun domain. Both sections may be collapsed by clicking on the minus sign to their left. The text to the right of the header for each section shows when the data in that section was last cached. To refresh the data, click on the circular arrows icon to the right of the cache information.
- Domain Squats, the box on the right-hand side of the screen in Figure 6, provides all of the potential domain squats identified by the Domain-Spinning Workbench app. The number of squats found is shown in parentheses next to the Domain Squats label. A detailed explanation of these results is provided in the next section.
- Click on the Back button above the Domain Squats box to go back to the main spin page (Figure 3).
Domain Squats Results
The results of the Domain-Spinning Workbench, as shown in Figure 6, are provided on the right-hand side of the screen. Each result consists of several components, as shown in Figure 7.
- Squat domain name: The domain name of the potential squat. The name appears twice, once in a box and once in light-gray text. If the domain has Unicode characters in it, the light-gray text will display the Unicode characters, while the text in the box will display an IDNA-encoded (punycode) domain name.
- Registrant email address: The email address under which the domain name is registered with Whois.
- Whois Data: Whois information for the potential squat. Click the plus sign (Figure 6) to expand this section. The “cached at” text on the right-hand side of this element shows when the data in this section was last cached. To refresh the data, click on the circular arrows icon to the right of the cache information.
- DNS Data: DNS information for the potential squat. Click the plus sign (Figure 6) to expand this section. The “cached at” text on the right-hand side of this element shows when the data in this section was last cached. To refresh the data, click on the circular arrows icon to the right of the cache information.
- Label: The dropdown box at the top right corner provides three options (Suspicious, Potential, Malicious) for classifying the danger level of the squat. Domains that have a registrant email address (i.e., the domain name is registered) have Suspicious as their default label. Domains that do not have a registrant email address (i.e., the domain name is not registered; “Domain Not Registered” appears in place of the registrant email address) have Potential as their default label. Users can change the label for each item to reflect their assessment of the danger level of the squat. Thus, changing a squat’s label to Malicious indicates that the user has determined that the domain is malicious.
NOTE: The label applies to both the squat domain name and the registrant email address.
- Trash (delete) icon: Deletes the domain from the results set. Note that clicking the trash icon will immediately delete the domain. No confirmation window will appear.
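As an added illustration of the two forms in which a squat domain name is displayed (the IDNA-encoded punycode form in the box and the Unicode form in light-gray text), the following Python snippet converts between them with the standard library’s idna codec and reports which Unicode scripts occur in each label, so that a reviewer can see at a glance when a label mixes, for example, Latin and Cyrillic letters. This is not code from the app; the function names are ours, and the sample domains at the bottom are constructed.

```python
import unicodedata


def to_punycode(domain):
    """Unicode domain -> ASCII-compatible (xn--) form, as shown in the box."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """ASCII (xn--) form -> Unicode, as shown in the light-gray text.
    A name that already contains non-ASCII characters is returned unchanged."""
    if not domain.isascii():
        return domain
    return domain.encode("ascii").decode("idna")


def scripts_in_label(label):
    """Set of script names (first word of each letter's Unicode character
    name) for one label, e.g. {'LATIN'} or {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(domain):
    """True when any label of the domain (in its Unicode form) mixes scripts."""
    labels = to_unicode(domain).split(".")
    return any(len(scripts_in_label(lbl)) > 1 for lbl in labels)


def describe(domain):
    """Both display forms plus the non-ASCII characters and a mixed-script flag."""
    uni = to_unicode(domain)
    return {
        "punycode": to_punycode(uni),
        "unicode": uni,
        "mixed_script": is_mixed_script(uni),
        "non_ascii": [(ch, unicodedata.name(ch)) for ch in uni if not ch.isascii()],
    }


if __name__ == "__main__":
    # Constructed samples: a legitimate German IDN, the same name in its
    # punycode form, and a look-alike of the domain used in this guide with
    # both Latin 'o' characters replaced by Cyrillic U+043E.
    for sample in ("münchen.com", "xn--mnchen-3ya.com", "g\u043e\u043egle.com"):
        print(describe(sample))
```

The mixed-script flag is a coarse heuristic: a single-script label built entirely from another alphabet’s look-alike letters will not trip it, so it complements rather than replaces looking at the punycode form and the Whois Data for the squat.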
Importing Domain Squats Results into ThreatConnect
Follow these steps to import and save squat domain names and registrant email addresses as Indicators in ThreatConnect:
- Use the checkbox to the left of each item to select it, or click the Select All button at the top of the Domain Squats section to select everything. Use the Select None button to deselect all selected items.
NOTE: The Select All button selects all items in the search, not just the ones on the current page.
NOTE: If a squat domain name is selected, but the registrant email address associated with it is not, the registrant email address will not be imported. However, if a registrant email address is selected, but the squat domain name associated with it is not selected, the squat domain name will still be imported.
- To view all selected items, click the Show Selected button. The Domain Squat Results pane will display only items that were selected (Figure 8). Click the Show All button to go back to displaying all of the squat results.
- Click the Import button to import all selected items. A window will appear with selected items asking for confirmation to import the queried domain name as an Incident and the selected squat domain names and registrant email addresses as Indicators in ThreatConnect (Figure 9).
- Click the Import button to create the Incident and import the Indicators. When the import process is complete, the Details screen for the new Incident will be displayed (Figure 10). The Indicators will all be associated with the Incident, and the Incident will be tagged with the text entered in the Tag to apply to objects created during import field in Figure 2 (Domain Spinning Workbench in this example). The squat domain names will be imported as Hosts, and the registrant email addresses will be imported as Email Addresses.
- Figure 11 shows the Associations card for the Incident in Table view (see Associations for more information), demonstrating that the six selected Indicators have been associated with the Incident.
- Figure 12 shows the Details screen for one of the imported Indicators. Note that it is associated with the Incident created by the Domain-Spinning Workbench app, as well as with the other Indicators brought into ThreatConnect during the import process for that Incident. Also, in addition to the Tag specified in the Tag to apply to objects created during import field in Figure 2 (Domain Spinning Workbench in this example), another Tag for the label is created (Domain Spinning: Suspicious in this example).
NOTE: Every new import from the Domain-Spinning Workbench app creates a new Incident, where each Incident is imported under the name Domain Squats for <domainname.com> (e.g., Domain Squats for google.com). If an Incident with the same name already exists (e.g., if an import for Domain-Spinning Workbench results for a particular domain has already occurred), then a new Incident will be created with the same name. The Incidents will not be associated with each other. If association is desired, it must be accomplished manually. If an imported Indicator already exists in ThreatConnect, the existing Indicator will be updated with the information brought in from the Domain-Spinning Workbench app. A new Indicator will not be created.
NOTE: The Whois Data and DNS data found by the Domain-Spinning Workbench app will not be imported into ThreatConnect. That data must be viewed from inside the app by expanding the respective sections for a particular squat domain name, as shown in Figure 7. However, Whois and DNS data for an Indicator may be viewed via the Whois and DNS tabs, respectively, on the Details screen for the Indicator. See The Details Screen for more information.