Dfend can monitor the internet and watch for registration of domains which look similar to yours.
Phishing attacks often make use of domain names which look similar enough to fool victims. For example, an attacker might host a fake login page at www.exampl3.com. If a victim isn’t paying too much attention, they’ll think they’re on example.com and enter their username and password. This gives the attacker access to their account, all because the attacker registered a domain which used a 3 instead of an e. Another common tactic is to send emails from these similar-looking domains to phish victims' credentials, or to fool them into sending money to an account or downloading a virus.
Adding a domain
- To add a domain, click the “Domains” link in the navigation bar.
- Towards the bottom of the page, there is a text box labelled “Domain to monitor:”.
- In the text box, type your domain name, e.g. example.com
What domains should I monitor?
For example’s sake, let’s say you’re a New Zealand charity called Kiwi Lovers.
You should start by monitoring a domain you own, e.g. "kiwilovers.nz". Dfend will then monitor for variations of "kiwilovers" on the ".nz" top-level domain (TLD), and monitor other TLDs for "kiwilovers" specifically. E.g.
Dfend will monitor variations of your domain name:
And variations on the TLD:
Now that you’ve added a domain, Dfend will schedule the first scan. This is usually done within an hour. You can also add any other domains that you want to monitor.
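As an added illustration (not Dfend's own code), the matching rule described above can be sketched in Python: variations of the name are flagged on the monitored TLD, while other TLDs are flagged only for the exact name. The substitution table, the edit-distance threshold of 1 and the sample feed are assumptions constructed for this example.

```python
# Added example, not Dfend's implementation. The substitution table,
# distance threshold and sample feed are assumptions made for illustration.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def split_domain(domain):
    """'kiwilovers.co.nz' -> ('kiwilovers', 'co.nz'). Expects a registrable domain, no host part."""
    label, _, tld = domain.lower().strip(".").partition(".")
    return label, tld

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(monitored, candidate, max_distance=1):
    """Return why candidate resembles monitored, or None if it does not."""
    m_label, m_tld = split_domain(monitored)
    c_label, c_tld = split_domain(candidate)
    if (c_label, c_tld) == (m_label, m_tld):
        return None                      # the monitored domain itself
    if c_label == m_label:
        return "tld-variation"           # same name on another TLD
    if c_tld != m_tld:
        return None                      # other TLDs: exact name only
    if c_label.translate(HOMOGLYPHS) == m_label.translate(HOMOGLYPHS):
        return "lookalike-character"     # e.g. a 3 used instead of an e
    if edit_distance(c_label, m_label) <= max_distance:
        return "name-variation"          # one character added, dropped or changed
    return None

def scan(monitored, feed):
    """Map each flagged domain in a feed of new registrations to its reason."""
    hits = {}
    for domain in feed:
        reason = classify(monitored, domain)
        if reason:
            hits[domain] = reason
    return hits

# Constructed sample of newly registered domains.
FEED = ["kiwilovers.com", "kiwil0vers.nz", "kiwi-lovers.nz",
        "kiwil0vers.com", "birdwatchers.nz", "kiwilovers.nz"]

if __name__ == "__main__":
    for domain, reason in scan("kiwilovers.nz", FEED).items():
        print(f"{domain}: {reason}")
```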
What notifications will I get?
Dfend currently monitors and alerts for changes to records like NS, MX and CNAME, as these are the most reliable indicators of a domain being potentially malicious.
A records are unpredictable (e.g. because of load balancing), so alerting on them causes false positives. We monitor A record changes but don't alert on them; the records are still viewable in the Dfend dashboard.
Dfend also monitors for registration of domain names similar to yours.
The Domains page lists all the domains Dfend is monitoring for you, and their status. Clicking on a domain name will show you details on similar domains. Towards the bottom of the page you can find details on your own domain.
We analyze similar domains for two important aspects: whether the domain can send and receive emails, and whether it has a website. Based on these we determine a risk rating from low to high.
Clicking on the details button will show you the DNS records for each domain, and when they last changed.
DNS for your domain
The first section of the detailed results shows the Domain Name System (DNS) records for your own domain. We’ll keep an eye on these and alert you when they change. That way you’ll find out about potential domain hijacking attacks.
What can I do about similar domains?
Sometimes similar domains belong to other legitimate businesses. Other times, a domain “squatter” has pre-emptively bought the domain in the hope of later making a profit from someone who wants it. These pose less of a risk to you.
When it’s unclear who owns it or why, the first step is to remain vigilant. As part of your organization’s security awareness training you can highlight these similar domains to your staff.
If a domain is presenting a clear and present threat to your organization, you should initiate your incident response plan. This may include notifying your staff and customers about the domain in question.
You can also try the following steps to have the offending domains shut down:
- Report a phishing page to Google’s Safe Browsing team
- Find out which registrar sold the domain, and contact their abuse or support team
- Find out which web or email provider is hosting the domain, and contact their abuse or support team
- Contact your nation’s cyber security department (often called a “CERT”)
- Report phishing to the Anti-Phishing Working Group organization
Once you’ve started monitoring your domains, you can sit back and relax. Dfend will notify you if something changes. In the meantime, these other articles might be helpful:
- Learn how to manage and respond to Alerts
- See how to monitor your cloud services
- Need to update your account, notification preferences, or see your audit log? Visit the Settings page.
- Upgrade your Dfend account to monitor more technologies and domains, and unlock Slack notifications.
- Read our blog post explaining more about Domain Monitoring