medium advisory

Monitor Web Traffic For Brand Abuse

This analytic identifies web requests to domains that closely resemble a monitored brand's domain, a pattern that indicates potential brand abuse in support of phishing or malware distribution.

This analytic identifies web requests to domains that closely resemble a monitored brand’s domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the “ESCU - DNSTwist Domain Names” search. The goal is to detect phishing attempts or other malicious activities targeting your brand. Successful attacks could deceive users, steal credentials, or distribute malware, leading to reputational and financial damage. This technique is crucial for defenders to identify and mitigate potential brand impersonation attacks before they result in significant harm.

Attack Chain

  1. The attacker registers a domain name that is a close permutation of the target brand’s domain (e.g., using DNSTwist or similar tools).
  2. The attacker sets up a web server on the newly registered domain, mimicking the target brand’s website.
  3. The attacker sends phishing emails or distributes malicious links that direct users to the fake website.
  4. Unsuspecting users click on the links and are redirected to the malicious domain.
  5. The user’s web browser makes a request to the attacker’s server.
  6. The attacker’s server logs the request, capturing the user’s IP address and other identifying information.
  7. The attacker may attempt to steal credentials, distribute malware, or conduct other malicious activities.
  8. If successful, the attacker gains access to the user’s account or device, leading to potential data breaches or financial losses.

Impact

Successful brand abuse can lead to significant reputational and financial damage. Attackers can deceive users into divulging sensitive information, such as usernames, passwords, and credit card details. Malware distribution can result in system compromise, data loss, and ransomware infections. The number of victims depends on the scale and effectiveness of the phishing campaign. Targeted sectors can vary widely depending on the brand being impersonated.

Recommendation

  • Ingest web traffic data from web proxies or network traffic analysis tools into Splunk as described in the “how_to_implement” section.
  • Run the “ESCU - DNSTwist Domain Names” search regularly to generate domain permutations as a baseline, as indicated in the analytic description.
  • Deploy the Sigma rule Detect Web Traffic To DNSTwist Domains to detect web requests to domains that closely resemble your monitored brand’s domain.
  • Investigate and remediate any identified instances of potential brand abuse, prioritizing alerts based on the finding section’s score.
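The analytic described above, and steps 2 and 3 of the recommendation, reduce to one matching operation: take the hostname out of each proxied request, collapse it to its registered domain, and look it up in the set of brand-domain permutations that the "ESCU - DNSTwist Domain Names" search produces. The Python below is an added example written for this page; it is not the advisory's Splunk or Sigma content and not DNSTwist itself. The brand domain `examplebank.com`, the proxy log lines and the log format are constructed, and `permutations()` is a simplified re-implementation of a few DNSTwist fuzzing strategies (omission, transposition, repetition, homoglyph, hyphenation, TLD swap) standing in for the real permutation baseline.

```python
import re

# Constructed sample input: the monitored brand domain (hypothetical).
BRAND_DOMAIN = "examplebank.com"

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
# Line 2 and 3 use a capital I in place of l; line 5 is a hyphenated variant.
# cdn.examplebank.com is a legitimate subdomain and must not alert.
SAMPLE_PROXY_LOGS = """\
2024-05-01T09:12:01Z 10.0.0.15 GET http://examplebank.com/login 200
2024-05-01T09:12:44Z 10.0.0.22 GET https://exampIebank.com/login 200
2024-05-01T09:13:10Z 10.0.0.22 POST https://exampIebank.com/auth 302
2024-05-01T09:14:02Z 10.0.0.31 GET https://cdn.examplebank.com/app.js 200
2024-05-01T09:15:37Z 10.0.0.40 GET http://example-bank.com/ 200
2024-05-01T09:16:00Z 10.0.0.51 GET https://news.example.org/ 200
"""

# Single-character look-alikes used by the homoglyph strategy (a small subset).
HOMOGLYPHS = {"a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"], "s": ["5"]}
TLDS = ["com", "net", "org", "co"]

URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def permutations(domain):
    """Return a set of look-alike domains for `domain`.

    Simplified stand-in for the DNSTwist-generated baseline: each strategy
    changes the second-level label by one edit, plus a TLD swap.
    """
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i in range(len(label)):                      # omission: drop one char
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                  # transposition: swap neighbours
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    for i in range(len(label)):                      # repetition: double one char
        out.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    for i, ch in enumerate(label):                   # homoglyph: one look-alike char
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    for i in range(1, len(label)):                   # hyphenation: split the label
        out.add(f"{label[:i]}-{label[i:]}.{tld}")
    for t in TLDS:                                   # TLD swap
        out.add(f"{label}.{t}")
    out.discard(domain.lower())                      # the brand itself is not a hit
    return out


def registered_domain(host):
    """Collapse a hostname to its last two labels.

    Simplification: production code would consult a public-suffix list so that
    hosts under multi-label suffixes (e.g. co.uk) are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy_line(line):
    """Split one constructed proxy log line into fields and extract the URL host."""
    ts, src, method, url, status = line.split()
    m = URL_HOST_RE.match(url)
    return {
        "ts": ts, "src": src, "method": method, "url": url,
        "status": int(status), "host": m.group(1) if m else "",
    }


def find_brand_abuse(log_text, brand_domain):
    """Return the events whose registered domain is a permutation of the brand.

    This is the join the advisory describes: web traffic on one side, the
    DNSTwist permutation baseline on the other.
    """
    lookalikes = permutations(brand_domain)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_proxy_line(line)
        rd = registered_domain(event["host"])
        if rd in lookalikes:
            hits.append({**event, "matched_permutation": rd})
    return hits


if __name__ == "__main__":
    for hit in find_brand_abuse(SAMPLE_PROXY_LOGS, BRAND_DOMAIN):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]} (matches {hit["matched_permutation"]})')
```

Running the block flags the two requests to `exampiebank.com` and the one to `example-bank.com`, and leaves the brand's own domain, its `cdn.` subdomain and the unrelated `example.org` request alone. Grouping hits by client IP, as the second and third lines show for `10.0.0.22`, is a natural way to prioritise which users to follow up with first.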

Detection coverage (2)

Detect Web Traffic To DNSTwist Domains

medium

Detects web requests to domains that are permutations of the legitimate brand domain, potentially indicating phishing or brand abuse.

Type: sigma | Tactics: credential_access | Techniques: T1566 | Sources: network_connection, windows

Detect Web Traffic To DNSTwist Domains - Proxy Logs

medium

Detects web requests to domains that are permutations of the legitimate brand domain, potentially indicating phishing or brand abuse. This version leverages proxy logs.

Type: sigma | Tactics: credential_access | Techniques: T1566 | Sources: proxy
