  1. Detecting and Preventing Spear Phishing Attacks Using DNS. Mike Saunders - @hardwaterhacker
  2. About Mike: pen tester with a defender background (purple team!); 17 years in IT, 9 years in security.
  3. The Problem: Typosquatting. What is it? Intentionally misspelled domain names intended to imitate legitimate domain names. Why is it bad?
  4. The Problem. Why is it bad? Often difficult to spot; users may be duped into visiting a malicious site.
  5. Motivations: financial (advertising revenue on parked domains, driving traffic to a competitor's site), malware delivery, harvesting email from misspelled domains, phishing attacks.
  6. Types of Typosquatting: repeated characters, omitted character, character swap, character insertion, missing dots, singular/plural, vowel swapping.
  7. Types of Typosquatting (continued): homophones, homoglyphs, wrong TLD, misspelling, different country code, bit flipping.
  8. Real-World Examples
  9. Real-World Examples
  10. Real-World Examples
  11. Real-World Examples
  12. Real-World Examples: Anthem BCBS targeted using [domain shown on slide]; Premera BCBS targeted using [domain shown on slide].
  13. More Real-World Examples: [domain shown on slide] targeted with 'l' and '1' for 'i'.
  14. More Real-World Examples
  15. Available Tools: UrlCrazy (Andrew Horton - @urbanadventur3r); dnstwist (Marcin Ulikowski - @elceef).
  16. A Better Way: crazyparser. Detects changes between iterations; uses both urlcrazy and dnstwist output.
  17. Demo Time: configuration files, command line options, output.
  18. Preventative Measures: block in web proxy; blackhole DNS; increase monitoring of proxy logs, email containing links to these domains, and client DNS queries.
  19. + and -: Will find some variations, like [example shown on slide]: not originally detected, dnstwist supported; 9/16 detected, wasn't originally; dnstwist support added 9/16.
  20. + and -: Will not detect things like [examples shown on slide]. Does not protect external users / customers unless you pursue domain seizure under WIPO UDRP or the US Anticybersquatting Consumer Protection Act (domain-seizures-07mar12-en.pdf).
  21. Questions? @hardwaterhacker
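As an added example, not code from the talk or from urlcrazy, dnstwist or crazyparser: this generates candidate typosquats for a domain you own using the categories from slides 6 and 7, then diffs two monitoring iterations the way slide 16 describes crazyparser doing, so only newly registered look-alikes are reported. The homoglyph table and alternate-TLD list are assumed small subsets, and the two "iterations" are constructed sample data.

```python
import string

VOWELS = "aeiou"
ALT_TLDS = ("com", "net", "org", "co")                    # assumed; tune for your brand
HOMOGLYPHS = {"i": "l1", "l": "1i", "o": "0", "e": "3", "a": "4", "s": "5"}  # assumed subset
VALID = set(string.ascii_lowercase + string.digits + "-")  # chars allowed in a label

def candidates(domain: str) -> set[str]:
    """Typosquat variants of a label.tld domain, one generator per slide 6-7 category."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, c in enumerate(label):
        rest = label[i + 1:]
        out.add(f"{label[:i]}{rest}.{tld}")                         # omitted character
        out.add(f"{label[:i]}{c}{c}{rest}.{tld}")                   # repeated character
        if rest:                                                    # character swap
            out.add(f"{label[:i]}{rest[0]}{c}{rest[1:]}.{tld}")
        for g in HOMOGLYPHS.get(c, ""):                             # homoglyphs
            out.add(f"{label[:i]}{g}{rest}.{tld}")
        if c in VOWELS:                                             # vowel swapping
            for v in VOWELS.replace(c, ""):
                out.add(f"{label[:i]}{v}{rest}.{tld}")
        for bit in range(7):                                        # bit flipping
            flipped = chr(ord(c) ^ (1 << bit))
            if flipped in VALID:
                out.add(f"{label[:i]}{flipped}{rest}.{tld}")
    out.add(f"www{label}.{tld}")                                    # missing dot
    for t in ALT_TLDS:                                              # wrong TLD
        out.add(f"{label}.{t}")
    out.discard(domain.lower())
    return out

def changes(previous: set[str], current: set[str]) -> tuple[set[str], set[str]]:
    """Compare two monitoring iterations: (newly resolving, no longer resolving)."""
    return current - previous, previous - current

if __name__ == "__main__":
    # Constructed sample: which candidates resolved in DNS on two successive runs.
    run1 = {"bnak.com", "b4nk.com"}
    run2 = {"bnak.com", "b4nk.com", "wwwbank.com"}
    new, gone = changes(run1, run2)
    print(len(candidates("bank.com")), "candidates to check for bank.com")
    print("new:", sorted(new), "gone:", sorted(gone))
```

In practice each candidate set would be resolved (or fed to urlcrazy/dnstwist) on a schedule and only the "new" set forwarded to the proxy blocklist and DNS blackhole from slide 18.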