One of the ways phishing attacks catch victims is through the use of domain names that look very similar to those of legitimate sites. On Nov. 3, DomainTools announced new PhishEye capabilities that help spot potential phishing domains.
“PhishEye is our attempt to make a difference in the fight against the very nefarious and unfortunately very effective attack vector that is phishing,” DomainTools CEO Tim Chen told eWEEK. Chen has led the 15-year-old, privately held technology vendor since 2009.
Chen noted that since the company’s inception, DomainTools has been very good at collecting information about domain names. What DomainTools has done with PhishEye is create a purpose-built tool, using the company’s domain expertise, to take specific aim against the issue of phishing.
DomainTools’ platform does new domain detection as well as data collection on the domain name system. Chen explained that with PhishEye, his company is able to detect new domain registrations rapidly. The new domain detection comes by way of multiple domain discovery tools that DomainTools has in place. Chen noted that DomainTools is aware of at least 311 million domain names that are active today.
The new domain name discoveries are cross-referenced with other DomainTools capabilities, looking for malicious domains. Among the outliers that PhishEye looks for are typographical errors in a known brand name that might be used by attackers in a phishing attack.
Chen said that PhishEye allows organizations to enter a brand name into an online tool, and it will show all the versions of that brand name that are used online. Those domain versions may include legitimate users of the given brand, as well as typo domains. Users can then choose to continue to monitor a given name for activity. DomainTools discovers thousands of new domains per day and can alert users when new activity for a specified brand occurs, he said.
“PhishEye allows security teams to be made aware of new domain names that appear to be abusing a brand, enabling the security teams to take action,” Chen said.
While many phishing attacks do in fact make use of typographical errors in known brand names, other phishing attacks make use of brand name as part of a subdomain prefix or a longer host name. Security firm FireEye issued a report in June detailing its phishing discovery efforts, where it found 240 phishing domains taking aim at Apple.
Chen noted that in its initial release, PhishEye is not looking at domain prefixes and subdomains, though that is on the product’s roadmap. Future updates to PhishEye will look for potential phishing lures beyond just the core domain name, he said.
“What we’re doing now is we’re alerting security teams to potentially malicious sites,” Chen said. “In the initial release product, we also include our domain risk score.”
With the domain risk score, DomainTools evaluates new domains across multiple criteria for potential hazards and then assigns a risk score.
Looking forward, Chen noted that work will be ongoing at improving PhishEye. “There is an enormous roadmap on ways we can make PhishEye more effective,” he said. “Every company is a target for phishing.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
