Domain Database Search

What is the threat?

When cyber criminals conduct attacks like phishing or business email compromise (BEC) against employees, they usually spoof (replicate with variation) the domain of the target organization. The idea is to build trust and lure the employees into providing credentials or downloading malware. As the original domain is already taken, the hacker reserves domains with slight variations of the original domain name. As an example, the original domain “industryservices.com” could be turned into “indusrtyservices.com” (letter swap), “industryserv1ces.com” (letter replacement), “industry–services.com” (additional characters), “industry.services” (different TLD), etc.

How can Kaduu assist in mitigating this threat?

We monitor all new domain registrations (ccTLDs, gTLDs, uTLD, sTLD). In doing so, we also record the typical typosquatting techniques mentioned above. A newly registered domain that has some similarity to the client's domain will create an alert in Kaduu. Additionally, we monitor all SSL certificate logs, since many phishing websites are secured with SSL certificates to spoof the legitimate client's name. By monitoring the certificate transparency logs that are available online, you can detect whether your organization's name gets spoofed on SSL certificates, even in the subdomain part of the domain.

You can now search Kaduu's database for similar domain names via the dashboard or the API and set up alerts. With the various built-in tools (screenshot creation, port scan, geolocation, etc.) you can investigate the findings in Kaduu.

How up to date is the data?

The database is updated daily using domain registration feeds. Not all domain types are processed in real time in these feeds, as there is no obligation for domain providers to report TLD registrations to a central authority. Country-code top-level domains (ccTLDs) in particular are only recorded with a delay (sometimes up to 2 weeks), so it can happen that such domains do not appear in the alerting in real time.

You find the domain database search in expert mode:

Domains / Database Search

What are the search operators?

Available main search operators:

createdAt
    Creation date & time.

registrationDate
    Registration date.

name
    Domain name (default field).

tld
    Top-level domain name (domain zone): com, org, net, de, etc.

All search operators:

microsoft
    Search for domain names similar to microsoft with a Levenshtein distance of 2. This is the equivalent of the microsoft~2 query and is its shorter version.

name:microsoft
    Search for domain names exactly matching microsoft in any domain zone. This is the equivalent of the name:microsoft~0 query.

microsoft.com
    Is the equivalent of the name:microsoft AND tld:com query, which searches for the exact microsoft.com domain in our index.

micro OR soft
    Search for the domains micro or soft in any domain zone. The OR keyword is case-sensitive. This is the equivalent of the micro soft search query.

name:micro~1 AND tld:com
    Search for domains matching micro with a Levenshtein distance of 1 (up to 1 typo) in the .com domain zone.

name:micro AND NOT tld:com
    Search for domains matching micro in any domain zone except .com.

microsoft~2
    Search for the microsoft domain with a Levenshtein distance of 2 (up to 2 typos) in any domain zone. Please note that a distance of 2 is the maximum allowed.

*microsoft*
    Search for domains containing microsoft. The following domains will match: update-microsoft.com, buy-microsoft-windows.com, microsoft-update.com, etc.

software*update
    Search for domains containing software at the beginning and update at the end, in any domain zone. The following domains will match: softwareupdate.com, software-super-update.com.

registrationDate:2020-03-05
    Search for domains registered on 5 March 2020.

createdAt:[2019-01-01 TO 2020-01-01]
    Search for domains registered from 1 January 2019 to 1 January 2020.

registrationDate:[* TO 2020-01-01]
    Search for domains registered until 1 January 2020.

name:superbank AND (tld:net OR tld:org) AND registrationDate:[* TO 2020-08-08]
    Search for domains in the net or org domain zones that are equal to superbank and that were registered before 8 August 2020.

Example search results

Domain is "kaduu.ch": Creates only 1 result
Similar domains to "kaduu": Creates +5000 results
Domain contains "kaduu": Creates +40 results
Domain is similar to "kaduu.ch": Creates only 7 results
Domain contains "kad" and "uu" in this order: Creates 202 results
Domain contains "kad" and "uu" and must be .com: Creates 87 results

Kaduu also allows you to search for multiple words in the main domain. If both words are mandatory, the search would be *word1*word2*. But you can also search for *word2*word1*. Please note that the order of the words matters!

*best*service*
*service*best*
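To make the name-matching operators from the table above and the ordered multi-word wildcards concrete, here is an added example (not Kaduu's own code) that evaluates a subset of the query syntax against a small constructed index: bare terms and ~N use Levenshtein distance (capped at the documented maximum of 2, which also covers the letter-swap, replacement and extra-character variants from the threat description), * is a wildcard, and clauses are joined with AND / NOT. OR, grouping and date ranges are left out; the DOMAINS list and all function names are assumptions.

```python
import re

# Constructed sample index of registered domains; not real Kaduu data.
DOMAINS = ["microsoft.com", "micros0ft.com", "mircosoft.com", "microsoft-update.net",
           "update-microsoft.com", "mikro.com", "micro.org", "softwareupdate.com",
           "software-super-update.com", "best-service.de", "service-best.de"]

MAX_DISTANCE = 2  # documented maximum for the ~N operator


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) used by the ~N operator."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_matches(pattern, name, default_distance):
    """'*' patterns are wildcards in order; otherwise 'term' or 'term~N' is fuzzy."""
    if "*" in pattern:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, name) is not None
    term, tilde, dist = pattern.partition("~")
    limit = min(int(dist) if tilde else default_distance, MAX_DISTANCE)
    return levenshtein(term, name) <= limit


def clause_matches(clause, name, tld):
    negate = clause.startswith("NOT ")
    clause = clause[4:] if negate else clause
    if clause.startswith("name:"):          # name:x is exact unless ~N is given
        ok = name_matches(clause[5:], name, 0)
    elif clause.startswith("tld:"):
        ok = tld == clause[4:]
    elif "." in clause and "*" not in clause:  # bare 'microsoft.com' == name:microsoft AND tld:com
        qname, qtld = clause.split(".", 1)
        ok = name == qname and tld == qtld
    else:                                   # bare term: similar names, distance 2
        ok = name_matches(clause, name, 2)
    return ok != negate


def search(query, domains=DOMAINS):
    """Return the domains matching all AND-joined clauses of the query."""
    clauses = [c.strip() for c in query.split(" AND ")]
    hits = []
    for domain in domains:
        name, _, tld = domain.partition(".")
        if all(clause_matches(c, name, tld) for c in clauses):
            hits.append(domain)
    return hits
```

Note that a plain letter swap such as mircosoft costs two edits in this distance, so it is only found at the maximum ~2.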

Domain Alerts

How can you analyze the results?

You can select one or multiple search results and then analyze the different data sources like ports, WHOIS etc.

The analysis can take several minutes for a few domains. If you select more than 10 domains at once, you might get a timeout. The results can then be exported or reviewed on the dashboard. Here is an example of how the analysis can be reviewed on the dashboard by clicking on the corresponding domain name:

If you create an export, you will have the same information in the format you selected under the navigation item "my exports":

Here is an example of a Word file export:

Special Search: Typo-squatted domains

Typosquatting is a kind of attack that targets users who mistype an address into their web browser instead of using a search engine. Typically, users are tricked into visiting rogue websites whose URLs are common misspellings of legitimate websites. Users may then be tricked into entering sensitive data on these spoofed websites.

You can search for spoofed variants of a domain by clicking on the domain in the search results and then selecting "get new data" in the "typos" menu. Please note that this search takes a while, since we are doing a live query.