1. Field
Embodiments of the present invention generally relate to the field of computer networks. In particular, various embodiments relate to methods and systems for securing email communications, particularly, outbound email communications.
2. Description of the Related Art
Communication and information sharing over the Internet is a growing trend and has become indispensable in current business and social interactions. Today, most companies have websites through which they offer information regarding the company and their products and/or services. Companies also use their websites and domains for other purposes including shareholder communications, sales of products/services, advertising and email communications. Since the advent of Internet, the popularity of electronic mail or “email” has grown to a point where it is now widely used for both personal and business communications.
As the Internet and email continue to be utilized by an ever increasing number of users, so does fraudulent and criminal activity via the Internet including increased usage of email for retrieval of confidential/meaningful information from genuine users. Phishing, spoofing, and malware are becoming more prevalent and are a growing concern that can take different forms. Cybersquatting and doppelganger domains are also increasingly becoming popular tools to trick users into believing that they are interacting with genuine companies or individuals associated with genuine companies. Cybersquatting is the act of registering a popular Internet address or a domain name, usually a company name, with intent of selling it to its rightful owner. According to the Anti-Cybersquatting Consumer Protection Act, cybersquatting relates to registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else.
Commercial domain names, more particularly, second-level domain names of well-known companies, can be obtained from one of several registries. However, such registries do not attempt to determine whether the applicant is the rightful owner of the domain name. Consequently, a number of enterprising individuals and companies apply for and reserve domain names, either new or expired, that they think someone else will want, either now or in the future. Cyber squatters also reserve common English words, reasoning that sooner or later someone will want to use one for their websites including registering domain names that are mistyped spellings of popular web sites. Cyber squatters also regularly monitor recently expired domain names, hoping to sell back the domain name to a registrant who inadvertently allowed the domain name to expire.
Another growing concern is the use of doppelganger domains. A doppelganger domain, also commonly referred to as domain typo-squatting, is commonly used to spread malware to users who accidentally misspell a legitimate domain in their web browser. Doppelganger domains also include domain names spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/sub-domain and domain, for example, to be used for malicious purposes.
Doppelganger domains facilitate information gathering relating to trade secrets, usernames and passwords and other sensitive information.
Typically, two types of email-based attacks can be done by an attacker using a doppelganger domain—namely, a passive email attack and an active email attack. In a passive email attack, the attacker purchases the doppelganger domain and configures a mail server to receive all emails addressed to that domain regardless of the user/id it was sent to. For large organizations, a high-volume of emails are communicated everyday and a small percentage of such emails are typically sent to an incorrect destination as a result of a user error (a typo by the email's sender). For instance, instead of sending an email to xyz@microsoft.com, a user may accidently send an email to xyz@microsft.com. If the domain name microsft.com is registered and a corresponding mail service is configured appropriately, information associated with such misdirected email messages can be used by an attacker. Attackers typically exploit these types of user errors to collect emails from both internal and external users, thereby gaining access to potentially sensitive corporate or user information. Passive attacks generally rely on end users making a predetermined typographical error.
Active email attacks, on the other hand, are more common. An attacker creates a domain name that looks similar to a legitimate email domain of a well-known company and impersonates a person belonging to that particular organization in an attempt to obtain sensitive information from a target. These attacks are even more common with domain names that have sub-domain names prefixed or post-fixed. For instance, a company that has a domain name abc.com for its parent organization can have another domain name us.abc.com for its US office. In such cases, an attacker may create a domain name, such as usabc.com, and may initiate communications with users of the legitimate domain name in an attempt to obtain sensitive information.
Existing network and mail security solutions do not effectively prevent doppelganger domain name attacks and engage most efforts in manually monitoring and tracking such doppelganger domain names. In order to make Internet browsing and email communications more secure, there exists a need for systems and methods that can protect against doppelganger domain name attacks.