Online brand impersonation attacks threaten businesses large and small, but do brands really need to open their wallets to protect themselves? The answer might be more complicated than you’d think.
Free or open-source software does exist that can help organizations look for and investigate deceptive websites spoofing their brand. On the other hand, few free tools exist that allow one to take action against online brand impersonation attacks.
The goal of this article is to share some examples of free tools that can contribute to an online brand protection practice and also clarify some of their pros and cons. Did we miss a tool you think we should include? Hit us up on LinkedIn.
To start, let’s make it absolutely clear that this is not a screed against free or open-source tools. The Allure Security team will make use of some of these free tools from time-to-time to augment other methods and technology.
“Free and open-source tools can provide some helpful data for people investigating potential online brand impersonation attacks, but each tool has its own set of blinders on. And some of those blinders are very large. The tools are a mere sliver of a brand protection program. Yes, the data is helpful, but it’s not immediately actionable. Anyone using the tools still has a lot of work to do to determine whether any of the tools’ output might be actionable.”
Allure Security CEO Josh Shaul on the scope and effectiveness of free online brand protection tools
On top of figuring out which results you can do something about, there’s of course additional work in actually doing something about them!
Free and open source software offers a number of benefits: no cost, passionate user communities, and more. The thing is, in some cases, you get what you pay for. Or, you get out what you put in.
Free and open source software can have a steeper learning curve than commercial software that’s designed to be easy to use. Many free tools also don’t have dedicated support. In addition, because many free and open-source software tools are side passion projects for their developers, they’re not always receiving updates to keep them current.
While free tools can be effective within their scope, there is only so much you will be able to detect. Combining multiple tools can help. However, each tool takes time to learn and operate and context switching resulting from jumping from tool-to-tool may result in a time sink for busy employees. Below is a sampling of tools that can be used as part of an online brand protection program.
Urlscan.io allows users to input a URL and view information about the webpage located there. Urlscan.io examines the website’s content, structure, and behavior in a controlled environment to identify potential risks. It then provides detailed reports on the site’s HTTP transactions, cookies, headers, and other related data.
Where Urlscan.io falls short is that it requires you have the URL on-hand in order to scan it, meaning it is useful for the analysis of a potentially malicious website but cannot detect impersonations by itself.
There are free and paid versions of DNSLytics available. In the free version, DNSLytics allows the user to investigate a website’s DNS records, IP address, and domain provider, as well as, perform various analyses related to the website’s DNS records and IP reputation
Similarly to URLscan.io, DNSLytics requires that you have found the suspicious website already in order to scan it.
DNSTwist allows users to generate hypothetical domain names that are similar to their brand’s website, subsequently checking to see if said domain names are registered. This leads to the detection of phishing websites that use text strings related to a brand’s name in URLs. By guessing the domain name and verifying its use online, the user can then visit the potential phishing site and determine if it is malicious.
This method is only able to detect impersonations on the URLs that it generates. While there’s value there, Allure Security research finds that 71% of brand impersonations use domains that are NOT permutations of a brand’s name. So, relying on domain permutations alone will miss a majority of online brand impersonations.
Advia Credit Union’s PhishFinder was developed by an information security officer at the credit union, och0Sec. PhishFinder allows users to monitor new domain registrations (via WhoisDS.com), matches the domains with a watchlist uploaded by the user, and then assigns a risk score based on open source intelligence parameters selected by the user. The risk score is used to determine how malicious a newly registered domain is likely to be and whether it is a phishing website.
PhishFinder relies on crawling through a WHOIS dataset of 100,000 new domains daily, checking for similarities with the uploaded text file of domain names you’d like to watch. The PhishFinder tool will email a list of high-risk domains to the user and log unresolved high-risk domains in another text file.
Similar to the limitations that occur in how you deploy/use Dnstwist, Phishfinder is limited by its scope because it only detects impersonations that use the same domain name(s) uploaded to the watchlist text file.
Canarytokens are small blocks of javascript that inform the website owner if a page’s code has been copied and published to another domain. The tokens can be relatively easy to spot if you know what you’re looking for – meaning a sophisticated adversary re-creating a website from scratch is able to remove them.
Canarytokens can alert you to someone wholesale copying pages, if not the entirety, of your website. However, fraudsters do not completely clone websites as often as they once did. It’s worth considering implementing Canarytokens on your website, but know that the visibility provided by the tokens is limited.
We’ve delved into the pros and cons of various free online brand protection tools. While these tools offer valuable insights and may be a good addition to your brand protection strategy, it’s clear they have limitations. For instance, reactive tools like Urlscan.io and DNSLytics require prior knowledge of a suspicious URL, and even more proactive tools like Dnstwist have their constraints in scope and technical demands.
The takeaway? Free tools can be a starting point, but for comprehensive and less labor-intensive brand protection, considering a more robust, integrated solution may be the way forward.
If you’re looking for a solution that goes beyond the capabilities of free tools, offering wider coverage and better ease of use, Allure Security’s online brand protection-as-a-service might be just what you need. Our platform is designed to save time and extend protection far beyond what free tools can achieve, proactively identifying and addressing online brand impersonation attacks without the need for constant manual work.
*** This is a Security Bloggers Network syndicated blog from Allure Security authored by Mitch W. Read the original post at: https://alluresecurity.com/2024/01/12/5-free-online-brand-protection-software-tools-pros-and-cons/