1. Detecting and Preventing Spear
Phishing Attacks Using DNS
Mike Saunders - @hardwaterhacker
mike@hardwatersecurity.com

2. About Mike
Pen tester with a defender background (purple team!)
17 years in IT
9 years security

3. The Problem: Typosquatting
What is it?
Intentionally misspelled domain names intended to
imitate legitimate domain names
Why is it bad?

4. The Problem
Why is it bad?
Often difficult to easily spot
Users may be duped into visiting a malicious site

5. Motivations
Financial
Advertising revenue on parked domains
Drive traffic to a competitor’s site
Malware delivery
Harvest email from misspelled domains
Phishing attacks

6. Types of Typosquatting
Repeated
characters
www.google.com www.gooogle.com
Omitted character www.amazon.com www.amzon.com
Charater swap www.defcon.org www.decfon.org
Character insertion www.derbycon.com www.derbycin.com
Missing dots www.microsoft.com wwwmicrosoft.com
Singular/plural www.apple.com www.apples.com
Vowel swapping www.fedex.com www.fadax.com

7. Types of Typosquatting
Homophones www.route.com www.root.com
Homoglyphs www.derbycon.com www.derbyc0n.com
Wrong TLD www.whitehouse.gov www.whitehouse.com
Misspelling www.arcticcat.com www.articat.com
Different country
code
www.evilcorp.com www.evilcorp.cm
Bit flipping www.facebook.com www.fccebook.com

8. Real-World Examples

9. Real-World Examples

10. Real-World Examples

11. Real-World Examples

12. Real-World Examples
Anthem BCBS
wellpoint.com targeted using we11point.com
Premera BCBS
premera.com targeted using prennera.com

13. More Real-World Examples
carefirst.com targeted with ‘l’ and ‘1’ for ‘i’.

14. More Real-World Examples

15. Available Tools
UrlCrazy
Andrew Horton - @urbanadventur3r
http://www.morningstarsecurity.com/research/urlcrazy
dnstwist
Marcin Ulikowski - @elceef
https://github.com/elceef/dnstwist

16. A Better Way
crazyparser
https://github.com/hardwaterhacker/crazyparser
Detect changes between iterations
Uses both urlcrazy and dnstwist output

17. Demo Time
Configuration files
Command line options
Output

18. Preventative Measures
Block in web proxy
Blackhole DNS
Increase monitoring
Proxy logs
email containing links to these domains
Client DNS queries

19. + and -
Will find some variations, like we11point.com
prennera.com not originally detected - dnstwist supported - 9/16
careflrst.com detected, caref1st.com wasn’t originally. dnstwist
support added 9/16

20. + and -
Will not detect things like service-paypal.com
Does not protect external users / customers
Unless you pursue domain seizure under WIPO UDRP
or US Anticybersquatting Consumer Protection Act
https://www.icann.org/en/system/files/files/guidance-
domain-seizures-07mar12-en.pdf

21. Questions?
https://github.com/hardwaterhacker/crazyparser
@hardwaterhacker
mike@hardwatersecurity.com
http://hardwatersec.blogspot.com