Typosquatting is a form of cybersquatting (registering a domain that resembles an existing one) in which an attacker registers a domain that is a common misspelling of a legitimate domain and uses it for potentially malicious ends. It has affected targets from Google to the televangelist Jerry Falwell, and US law (the Anticybersquatting Consumer Protection Act) provides remedies against it. Even so, it remains extremely common, and it is particularly effective in the hands of advanced adversaries, who use typosquatted domains to make the malicious URL in a spearphishing message look legitimate enough that an unwitting user will click it.
Detecting typosquatting in real time is hard because there are as many ways to typosquat a domain as there are to mistype it. A common approach is for an intrusion detection system to generate the plausible typo variants of each domain it wants to protect, store them in a database, and look up every observed domain against that table. Given the number of variants a single domain can produce (single-character edits of one short label already yield hundreds), this is a daunting amount of storage across many protected domains, and the generated set goes stale quickly as the organization's domains of interest change.
We will talk about using sketching data structures in Metron to detect typosquatted domains scalably and adaptably: a sketch such as a Bloom filter holds the variant set in a fixed, small amount of memory, with no false negatives and a tunable false-positive rate. We will also discuss how to keep the set of typosquatted domains current with the domains actually seen on an organization's network.
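The following is an added example, not code from Apache Metron or from this talk, illustrating the whole pipeline the two paragraphs above describe: generating single-edit typo variants of a set of protected domains, loading them into a Bloom filter instead of a database table, and checking the domains queried in constructed DNS log lines against that filter. The log format (`<timestamp> <client> query <qname>`), the choice of deriving the protected set from the most-queried domains in the log, and the confirmation step on Bloom hits are assumptions made for the example; Metron's own sketching functions and refresh strategy are not reproduced here.

```python
"""Typosquat detection with a Bloom filter over generated typo variants.

Added example, not Apache Metron code. Domain list, log lines and the
refresh strategy (protect the most-queried domains) are constructed.
"""
import hashlib
import math
from collections import Counter

# Characters a typo can introduce into a DNS label.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def typo_variants(domain):
    """All edit-distance-1 typos of the registrable label (deletion,
    adjacent transposition, substitution, insertion). The TLD is kept as-is.
    Assumes 'label.tld' form, i.e. at least one dot in the domain."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                       # deletion
        if i + 1 < len(label):                                    # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in ALPHABET:                                        # substitution
            out.add(label[:i] + c + label[i + 1:])
    for i in range(len(label) + 1):                               # insertion
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])
    out.discard(label)  # a substitution with the same character is not a typo
    # Drop strings that are not valid DNS labels (empty, leading/trailing '-').
    return {v + "." + tld for v in out
            if v and not v.startswith("-") and not v.endswith("-")}


class BloomFilter:
    """Fixed-size bit array: no false negatives, tunable false-positive rate."""

    def __init__(self, expected_items, fp_rate=0.001):
        # Standard sizing: m bits and k hash functions for n items at rate p.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing derived from one SHA-256 digest.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_filter(protected, fp_rate=0.001):
    """Generate every variant of every protected domain and sketch the set.
    Returns the filter and the number of variants it was built from."""
    variants = set().union(*(typo_variants(d) for d in protected))
    bf = BloomFilter(max(1, len(variants)), fp_rate)
    for v in variants:
        bf.add(v)
    return bf, len(variants)


# Constructed sample log, "<timestamp> <client> query <qname>"; not real traffic.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01Z 10.0.0.11 query example.com
2024-03-01T09:00:02Z 10.0.0.12 query example.com
2024-03-01T09:00:03Z 10.0.0.13 query bank.example
2024-03-01T09:00:04Z 10.0.0.14 query exmaple.com
2024-03-01T09:00:05Z 10.0.0.15 query bank.example
2024-03-01T09:00:06Z 10.0.0.16 query unrelated.org
2024-03-01T09:00:07Z 10.0.0.17 query exampel.com
2024-03-01T09:00:08Z 10.0.0.18 query bnak.example
"""


def queried_domains(log_text):
    """Last whitespace-separated field of each line, normalised."""
    return [line.split()[-1].lower().rstrip(".")
            for line in log_text.splitlines() if line.strip()]


def top_domains(log_text, n):
    """Assumed refresh strategy: protect what the network actually queries
    most, and rebuild the filter from this list on a schedule."""
    return [d for d, _ in Counter(queried_domains(log_text)).most_common(n)]


def flag_typosquats(log_text, protected, bloom):
    """Candidates: queried names that are not protected domains themselves
    but are in the filter. Bloom hits can be false positives; see confirm()."""
    allow = set(protected)
    return [q for q in queried_domains(log_text) if q not in allow and q in bloom]


def confirm(candidate, protected):
    """Exact check, run only on the (few) Bloom hits, to drop false positives."""
    return any(candidate in typo_variants(p) for p in protected)


if __name__ == "__main__":
    protected = top_domains(SAMPLE_DNS_LOG, 2)
    bf, n_variants = build_filter(protected)
    print(f"protecting {protected}: {n_variants} variants in {len(bf.bits)} bytes")
    for hit in flag_typosquats(SAMPLE_DNS_LOG, protected, bf):
        print(hit, "confirmed" if confirm(hit, protected) else "false positive")
```

The filter stores roughly a kilobyte and a half per protected domain at a 0.1% false-positive rate, regardless of how many observed domains are checked against it, and lookups never miss a generated variant. The price is that a hit is only a candidate: `confirm()` regenerates the variants of the protected domains to make the answer exact, which is cheap because it runs only on hits rather than on every query.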