Typo squatting


The overlooked threat created by users. Just a little project based on my own

Published in: Technology
  • Background: As enterprise cyber defenders continue to work towards attacking problems on a large scale, they continue to overlook the "insignificant" incidents which occur across the enterprise thousands of times a month: users unintentionally putting the enterprise at risk while surfing the Internet.
    Squatting: Has been around as long as registrars have sold domains. Started by misguided entrepreneurs trying to make money by selling names to the people who already owned the name (e.g. "Madonna").
    Variant: Typosquatting is more malicious, as the approach is to trick users into visiting a site by misleading them and misrepresenting a BRAND.
    Registrations Per Day: The transactions are reminiscent of the stock market; on a typical day there are over 100K new domain adds.
    Current Bad Registrars: A little about what we saw while researching this topic; not biased, just a quick and dirty set of statistics.
    Potential: What is the risk to YOU / YOUR enterprise? You know your users.
  • http://www.markmonitor.com/download/bji/BrandjackingIndex-Spring2009.pdf
    http://aliasencore.com/services/cpa-domain-recovery
  • http://www.dailychanges.com/new-domains/
    The industry understands that registrars are in this to make money and to stay in business. We need to find, or work towards from an enterprise cyber security perspective, ways to get registrars CLEAN. There are currently no 100% fixes, but strategically push for "OFF LIMIT" registrars or blocks.
  • .COM domains were selected based on the current open source tools available for analysis of the typosquatting threat. iSCSP is interested in gaining input to perform, or assist in performing, a large-scale project on the level of threat this has become to users. Financial services were selected to present insight into an area which has been in the media for "being hacked" over the last few months. Finance: because institutions perform business globally, they have a global presence and a global touch.
    http://zahra.fr/guy/english/index.htm (image used: guy@zahra.fr)
  • Each of the following domains was input into a web tool which generated a list of possible typos and misprints, indicating whether any domain names using these typos are currently in use. Tool: http://veralab.com/dnsdomainsearch/
    Examples of how the domains are changed include the following:
    - Common extensions, such as xyzbank-online vs. xyzbank
    - Similarly sounding character combinations, such as mispace vs. myspace
    - Missing characters, such as gmai vs. gmail
    - Missing double characters, such as leson vs. lesson
    - Extra double characters, such as yahhoo vs. yahoo
    - Wrong character sequences (transpositions), such as IMB vs. IBM
    - Wrong key pressed (adjacent key), such as fesex vs. fedex
  • Based on the data pull, the following were the TOP registrars hosting typosquatted sites. The next few slides will look into other examples from some of the sites analyzed, and others that came to light during the investigation.
  • http://spgscott.wordpress.com/2011/03/08/microsoft-update-kb2505438-typo-link-to-a-typosquatting-malware-site/
  • After studying the site, the gwebtools site was used to get some more information on it: http://whois.gwebtools.com/sleftrade.com
  • http://www.cisco.com/en/US/prod/collateral/vpndevc/Cisco_Global_Threat_Report_4Q10.pdf
    http://www.zdnet.com/blog/security/20000-sites-hit-with-drive-by-attack-code/3476?tag=mantle_skin;content
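The typo classes listed in the note above, implemented as an added example in Python. This is not the veralab tool used in the deck; the QWERTY neighbour table, the sound-alike pairs and the prefix/suffix list are assumptions chosen for illustration, and only the .com label is varied, as in the deck's analysis.

```python
"""Generate typo-variant candidates for a brand domain label.

Added example, not the veralab tool from the slides. It reproduces the
typo classes named in the deck: common extensions, similar-sounding
substitutions, missing characters, missing/extra doubled characters,
transposed characters and adjacent-key hits. The keyboard map, the
sound-alike pairs and the extension list below are assumptions.
"""
from itertools import chain

# Assumed QWERTY layout; neighbours are same-row and the two keys above/below.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
NEIGHBOURS = {}
for row in QWERTY_ROWS:
    for i, ch in enumerate(row):
        NEIGHBOURS[ch] = set(row[max(0, i - 1):i] + row[i + 1:i + 2])
for upper, lower in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
    for i, ch in enumerate(lower):
        for j in (i, i + 1):
            if j < len(upper):
                NEIGHBOURS[ch].add(upper[j])
                NEIGHBOURS[upper[j]].add(ch)

# Assumed sound-alike substitutions (source, replacement).
SOUND_ALIKE = [("y", "i"), ("i", "y"), ("ph", "f"), ("f", "ph"),
               ("ck", "k"), ("k", "c"), ("s", "z"), ("z", "s")]
# Assumed "common extension" affixes, as in xyzbank-online vs. xyzbank.
SUFFIXES = ["-online", "online", "-login", "-secure"]
PREFIXES = ["secure-", "my", "www"]


def missing_chars(label):
    # gmai vs. gmail: drop one character
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def missing_double(label):
    # leson vs. lesson: collapse a doubled character
    return {label[:i] + label[i + 1:]
            for i in range(len(label) - 1) if label[i] == label[i + 1]}


def extra_double(label):
    # yahhoo vs. yahoo: repeat a character
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transposed(label):
    # imb vs. ibm: swap two adjacent characters
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def wrong_key(label):
    # fesex vs. fedex: replace a character with a keyboard neighbour
    return {label[:i] + n + label[i + 1:]
            for i, ch in enumerate(label) for n in NEIGHBOURS.get(ch, ())}


def sound_alike(label):
    # mispace vs. myspace: substitute each occurrence of a sound-alike pair
    out = set()
    for src, dst in SOUND_ALIKE:
        pos = label.find(src)
        while pos != -1:
            out.add(label[:pos] + dst + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    return out


def extensions(label):
    # xyzbank-online vs. xyzbank: prepend/append a common affix
    return {label + s for s in SUFFIXES} | {p + label for p in PREFIXES}


def typo_variants(domain, tld="com"):
    """Return the set of candidate typo domains for the first label of `domain`."""
    label = domain.lower().split(".")[0]
    generators = (missing_chars, missing_double, extra_double, transposed,
                  wrong_key, sound_alike, extensions)
    variants = set(chain.from_iterable(g(label) for g in generators))
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants if v}


if __name__ == "__main__":
    for candidate in sorted(typo_variants("fedex.com")):
        print(candidate)
```

The output is the candidate list a tool like the one in the deck would then resolve and WHOIS to see which variants are registered and by whom; the candidate set grows quickly with label length, so production tooling usually also varies the TLD and filters by what actually resolves.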

    1. Typo squatting
       The Threat Network Defense Teams Overlook
       Joey Hernandez CISM
       jhernandez@iSCSP.org
    2. Overview
       Background
       Squatting
       Registrations Per Day
       Variant
       Current Bad Registrars
       Potential
    3. Squatting
       Domain squatting is the term coined for when a domain is registered and held for a period of time.
       Most often NOTHING is done with those domains.
       Most often there is an underlying FINANCIAL gain expected from selling those domains to those intent on utilizing the site.
       Recent case: Galliano.fr
       http://www.reuters.com/article/2011/03/02/us-dior-galliano-cybersquatting-idUSTRE7216UR20110302
    4. TypoSquatting
       Similar to squatting
       Targets BRAND NAME domains
       Relies on typographical errors made when users type URLs directly
       Often involved with illegal activity
       Also used for FINANCIAL gain
       According to the BrandjackingIndex, the risk of brand misuse worldwide is highest in the US, Germany and the UK.
       59%+ of all websites using brand names for illegal purposes originate from these three countries.
       Organization focused on defeating these efforts: Alias Encore
    5. TLD Statistics: New Registered Domains Per Day
       April 02, 2011, 24-hour period
       The nameservers presented are those which gained NEW domains.
       This indicates a registrar or service provider which is making sales via domain registrations.
       Difficult, but not impossible, to vet malicious actors.
    6. Simple Analysis
       Ten of the top 50 Financial Services
       Banking Services
       Banks and Institutions
       Representing multiple regions of the world
       TLD: .COM
       Ease of use for available open source tools
    7. Domain To Possible Typo-Variants
    8. Top Registrars
    9. Example: Chse.com
       Notice pop-up
       Additional re-directs
    10. Example: Micrososft.com
       Fake update
       Redirected users to a typosquatting site hosting malware
    11. Example: Sleftrade.com
       Google search finds SelfTrade.com and presents results
       Mistyped URL
       A Robtex data pull indicates:
       Sleftrade.com is a domain controlled by two name servers at dsredirection.com.
       Both are on the same IP network. The primary name server is ns1.dsredirection.com.
       Incoming mail for sleftrade.com is handled by one mail server at fakemx.net. sleftrade.com has one IP number (
       219+ domains share the same IP
       The majority of them are also "typos"
       Blacklist listings from organizations were presented for this site and its servers, for multiple reasons.
    12. Risk
       Condition: users continue to manually type URLs
       The possibility of suffering "harm" is HIGH
       Consequences: Cisco Global Threat Report 4Q10
       The rate of web malware encounters peaked in October 2010, at 250 average encounters per enterprise for the month
       Web malware grew by 139 percent in 2010 compared to 2009
       Uncertainty:
       Malware continues to evolve
       Economic hardship brings out "the best"
       Users: "They still fall for phishing email"
       Cyber espionage
       Mobile devices: "Those keys are too small"
    13. Defensive Measures
       Utilize browser add-ons with URL correction
       Host-based security applications
       Whitelist domains: "It's worth the political fight"
       Educate users on understanding the THREAT potential
       Your thoughts: TYPOSQUAT@iSCSP.ORG
    14. (no text on this slide)
    15. Information
       Links
       http://www.alexa.com/topsites/countries;1/GB
       http://veralab.com/dnsdomainsearch/
       http://whois.gwebtools.com/tumblrr.com
       About Joey Hernandez
       Joey Hernandez works as an international consultant in cyber security and risk management. He has a broad background in information security, with past projects in vulnerability assessments, cyber exercises, CERT CND analysis, operational threat research, and tactics development.
       Hernandez holds an MBA in Computer Resource and Information Management, and is a CISSP, CISM and CE|H.
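The "whitelist domains" and "URL correction" measures on the Defensive Measures slide, turned into a detection that a network defense team can run over proxy logs, as an added example in Python (not tooling from the deck). It flags hostnames whose registrable label is within a small Damerau-Levenshtein distance of a protected brand but is not the brand itself and is not on the allowlist. The brand list, the allowlist and the log lines are constructed for illustration; the three flagged hosts reuse the example domains from slides 9 to 11.

```python
"""Flag near-brand hostnames in a proxy log.

Added example, not part of the original deck. Each URL in a constructed
Squid-style log is reduced to its hostname; the registrable label is
compared with a list of protected brand labels using optimal string
alignment (Damerau-Levenshtein) distance, and anything close-but-different
that is not allowlisted is reported. Brand list, allowlist and sample log
lines are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed protected brand labels and the hostnames users may legitimately reach.
PROTECTED = {"chase", "microsoft", "selftrade", "fedex"}
ALLOWLIST = {"chase.com", "microsoft.com", "selftrade.com", "fedex.com",
             "update.microsoft.com"}

# Constructed sample log (timestamp, client, method, url, status).
SAMPLE_LOG = """\
1301702400.101 10.1.2.3 GET http://www.chase.com/ 200
1301702401.204 10.1.2.3 GET http://chse.com/login 302
1301702402.330 10.1.2.7 GET http://micrososft.com/update.exe 200
1301702403.117 10.1.2.9 GET http://update.microsoft.com/ 200
1301702404.512 10.1.2.9 GET http://sleftrade.com/ 200
1301702405.900 10.1.2.4 GET http://example.org/ 200
"""

LOG_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+(\S+)\s+\d+$")


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(host):
    # Assumption: single-label public suffix such as .com; use the Public
    # Suffix List in production so that e.g. .co.uk is handled correctly.
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def nearest_brand(host):
    """Return (brand, distance) for the protected label closest to the host's label."""
    label = registrable_label(host)
    best = None
    for brand in PROTECTED:
        dist = damerau_levenshtein(label, brand)
        if best is None or dist < best[1]:
            best = (brand, dist)
    return best


def is_suspicious(host):
    """True when the host is near, but not equal to, a brand and is not allowlisted."""
    host = host.lower()
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return False
    brand, dist = nearest_brand(host)
    limit = 1 if len(brand) < 6 else 2  # short brands: only one edit allowed
    return 0 < dist <= limit


def scan_log(text):
    """Return (client, host, nearest brand) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        host = urlsplit(url).hostname or ""
        if host and is_suspicious(host):
            hits.append((client, host, nearest_brand(host)[0]))
    return hits


if __name__ == "__main__":
    for client, host, brand in scan_log(SAMPLE_LOG):
        print(f"{client} requested {host} (looks like {brand})")
```

The distance limit is deliberately tied to brand length so that a four- or five-letter brand does not match half the Internet; the check says nothing about a brand label used under a different TLD or a homoglyph variant, which need their own rules.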