background image with numbers
Blog DomainTools 101

DomainTools 101: Go Phish: How the English Language Helps Threat Actors

There is no getting around it. Even though it is a language built on rigid rules, there are so many exceptions, words that are close in meaning, sound and usage, it is common to make grammatical errors. Not so surprisingly, threat actors deploying phishing campaigns often use these grammatical imperfections to their advantage.

A typical method for threat actors is to create domains with a unique spelling of a particular brand by using letters that make the same sound without being the original spelling. In this blog post, we will dive into an example with Krispy Kreme Doughnut Corporation. Phonetically, many would expect for this brand to be spelled “Crispy Crème Doughnut”, and fellow doughnut enthusiasts may assume emails from this domain are filled with free doughnuts or coupons. Meanwhile, threat actors use this subtle play on the English language to attack your network, steal your information, or make it appear they are someone they are not.

Another common practice in phishing is to replace the letter m in an “r” and “n”, which without a closer look is very effective. With the help of DomainTools’ Iris, I located a domain that leverages this rule: krispykrerne[.]com.

At DomainTools we talk about being able to get ahead of the threat actors by being able learn more about the registrant of a domain, and what else they have also registered. We do this by pivoting out on the infrastructure and details of their domain. In the example of krispykrerne[.]com, I was able to find the threat actor by utilizing the Krispy Kreme’s Google analytics code and pivoting out to find what other domains use that same code; I found 6 domains using the same code. This is normally an indication that a threat actor scraped code from the website and used that code to build a replica website.

In Iris we can learn that the email address of the registrant for this domain is cents@dr[.]com which is tied to 170 other phishing/typo domains. Most all of them have common typos in the name, or are meant to disguise the real domain. For instance they used rinqcentral[.]com where they used the q to look like a g, or ohiovallleyhospital[.]org with an extra l, and coldvvellbanker[.]com with the two v’s to look like a w.

In this example, I was able to discover 169 additional domains that appear malicious and should be proactively blocked from my network. Additionally, I would plug in the domain names I discovered and ensure no other machines on my network had visited any of those sites.

In conclusion, your customers are important, and they value your brand, and rely upon your brand to deliver the services and good represented by your brand. That is why it is important to not only protect your brand, but your customers. Phishing is not only an attack on your brand equity, but your bottom line. Hopefully this example provided you with a few tips to approach your own security strategy.