TuesdayTool 16: DNSTwist For Brand Intelligence

Oloyede Olajumoke Elizabeth
3 min read · Apr 9, 2024


Introduction

Brand impersonation is a continuous battle for every organization: a battle to detect, early, and promptly take down the websites or social media accounts that impersonate the organization and indirectly damage its reputation. It can take the form of impersonated domains or subdomains, impersonated key staff members, or even impersonated social media handles. This can lead to loss of customer trust, reputation damage, and/or loss of revenue.

One way to detect impersonation is to deploy brand monitoring tools, which, of course, come at a cost. Small to medium enterprises usually grumble about the cost of cybersecurity compared to the organization’s total profit in a financial year. This makes it challenging to fully deploy a brand monitoring tool, which is part of the threat intelligence toolkit.

Interestingly, threat actors take advantage of opportunities such as sales, new products, and new business campaigns. Most times, they change only the top-level domain (TLD), for example from google[.]com to google[.]uk, leaving the rest of the URL composition unchanged. Other times they change the URL composition itself, as in g00gle[.]com. Such small changes make it easy for the impersonating domain to slip past current and potential customers unnoticed.

Business Impact

Given the push for online presence, the following could happen, or may already have happened, if brand impersonation (whether of a domain, subdomain, or social media account) is not properly managed:

  1. Loss of customers
  2. Loss of revenue
  3. Business reputation damage
  4. Loss of customer’s trust

I once wrote about brand intelligence sometime in 2022, read here.

Is it possible to detect phishing domains without paying for proprietary tools?

YES! I come bearing good news. The open-source intelligence tool that you can use is called DNSTWIST.

dnstwist home page

What is DNSTWIST?

DNSTwist is an open-source Python tool that detects phishing, typosquatting, and attack domains based on a domain you input. A company’s domain management and brand safety administrators will find this tool to be of great use in discovering sites that are trying to harm others by pretending to be your brand.

DNSTwist Features

  1. Generate permutation: it compares the original domain to the different possible permutations of it.
  2. Generate permutation link details: it provides details for each permuted domain, such as IP address, location, name servers, and mail servers.
  3. Generate scanned links overview: it displays the total number of possible permutations and the number of found and registered links.
  4. Export: you can export results in CSV or JSON.

How to use DNSTwist

To use DNSTwist as a phishing domain scanner, follow these steps:

  1. Go to the DNSTwist website.
  2. Enter the domain name you want to scan in the input box.
  3. Click the ‘Twist it/Scan!’ button.
  4. The tool will generate a list of possible phishing domains related to the input domain.
  5. Review the generated list and investigate any suspicious domains further.
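The idea behind steps 4 and 5, reduced to the two changes described earlier (a swapped TLD and swapped look-alike characters), as an added Python sketch that is not dnstwist's own code and covers far fewer permutation types than the tool. The TLD list, the character map, the `lookup` resolver interface and the sample DNS data are all constructed assumptions.

```python
from itertools import product

# Constructed inputs (assumptions): a short TLD list and look-alike character map.
TLDS = ["com", "net", "org", "uk", "co"]
LOOKALIKES = {"o": "0", "l": "1", "e": "3"}


def permutations(domain):
    """Return {candidate: technique} for a registrable domain such as example.com."""
    label, _, tld = domain.lower().partition(".")
    found = {}
    for other in TLDS:
        if other != tld:
            found[f"{label}.{other}"] = "tld-swap"
    # Each position either keeps its character or takes its look-alike.
    choices = [(c, LOOKALIKES[c]) if c in LOOKALIKES else (c,) for c in label]
    for combo in product(*choices):
        variant = "".join(combo)
        if variant != label:
            found[f"{variant}.{tld}"] = "homoglyph"
    return found


def triage(domain, lookup):
    """Keep only permutations that resolve, mail-capable ones first.

    `lookup(name)` is a hypothetical resolver returning a dict with "a" and
    "mx" lists, or None when the name has no records.
    """
    hits = []
    for name, technique in permutations(domain).items():
        records = lookup(name)
        if records:
            hits.append({"domain": name, "technique": technique,
                         "a": records.get("a", []), "mx": records.get("mx", [])})
    # A look-alike with MX records can exchange mail, so review it first.
    return sorted(hits, key=lambda h: (not h["mx"], h["domain"]))


# Constructed DNS observations (documentation IP ranges), standing in for live lookups.
SAMPLE_DNS = {
    "examp1e.com": {"a": ["192.0.2.10"], "mx": []},
    "example.co": {"a": ["198.51.100.7"], "mx": ["mail.example.co"]},
}

if __name__ == "__main__":
    for hit in triage("example.com", SAMPLE_DNS.get):
        print(hit)
```

Run against your own brand domain, the output is a short review queue: every entry still needs the manual investigation described in step 5 before it is treated as impersonation.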

Conclusion

In summary, using online brand protection tools to detect brand, domain, and social media impersonation, and monitoring the dark web for potential threats, can assist in preventing future attacks. DNSTwist is a starting point, and manual investigation is often required to confirm whether a domain is being used for phishing.

Till I come your way again next week Tuesday, #BeCyberSmart

Cyberliza writes TuesdayTool


Written by Oloyede Olajumoke Elizabeth

I am a Cyber Threat Intelligence Analyst, Cybersecurity Trainer and Cybersecurity Researcher. Skilled in Threat Hunting, Threat Intelligence and Digital Forensics.
