
Ferris Bueller’s Guide to Abuse Domain Permutations


Internet scammers move pretty fast. If you don’t stop and look around once in a while, you could miss it. Just as Ferris Bueller always had another trick up his sleeve to dupe Principal Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domain permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or conduct corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans.

The question isn’t what are we going to do about it. The question is what aren’t we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real-time, the blue team doesn’t have to trust domain permutations any further than they can throw them.

In this talk, we will demonstrate red team and blue team techniques. For Buellers, demonstrations include ways to leverage domain permutations in adversary simulations. For Rooneys, we will detail how to better prepare, identify, contain, and eradicate threats that utilize domain permutations. If you’re not leveraging our recommended technical controls to defeat attackers, you risk fishing for your wallet in a yard full of rage-fueled Rottweilers.

(This was originally presented on March 3, 2019 at BSides San Francisco.)



  1. Twist & Shout: Ferris Bueller’s Guide to Abuse Domain Permutations. Rob Ragan & Kelly Albrink, BSidesSF 2019
  2. What is this talk about? • Types of abuse with domain permutations • Why domain abuse happens • Monitoring & defense techniques
  3. Which companies are most often targeted? • And what percentage of their domain permutations do they own?
  5. TLD Abuse
  7. Types of Abuse Domain Permutations • Typo squatting • Homoglyphs • Bit squatting • Top Level Domain (TLD) variations • Subdomain permutations
  8. Typosquatting • Definition: registering a version of the targeted domain that is likely to be mistyped • AKA URL hijacking • Example: facebpok.com
  10. Homoglyphs • Definition: characters that appear the same as or similar to other characters • Example: http://facẹboọk.com/login.html
  11. Machine attack • Not likely to be mistyped • Not meant to target human error • Memory or storage failure
  12. Machine attack • Not likely to be mistyped • Not meant to target human error • Memory or storage failure • Intercept sensitive traffic: free SSL certificates make it easier for an attacker to receive sensitive data intended for the original domain • https://github.com/bishopfox/cervus
  15. https://kushaldas.in/posts/tracking-my-phone-s-silent-connections.html
  16. TLD variations • Definition: registering a domain with the same domain name as a targeted site, but with a different top level domain (TLD) • Examples: amazon.it, amazon.us, goo.gl, quickencustomersupport.us, www.amazon.co.jp.amazono-jp.ga
  17. Subdomain permutations • Definition: appending a target company name as a subdomain to an attack domain • Examples: *.ealthcare.com, facebook.verification.info, secure.runescape.com-try.top
  18. Transition slide
  19. Phishing • Facebook homoglyph • http://facẹboọk.com/login.html
  20. Malware • Old way: fake Adobe Acrobat • New way: malicious Chrome extensions
  21. Fraud • wallets-trezor.org emulates trezor.io to try to steal cryptocurrency wallet seeds
  22. TLD Abuse
  23. iCloud account example
  24. Funny examples • “You typed the address wrong idiots.”
  25. Monitoring & Defenses
  26. Part 1: Monitoring
  27. Generating comprehensive lists of possible domains • dnstwist by Marcin Ulikowski (elceef) • Takes a domain name as a seed and generates permutations
  29. Perceptual analysis • If there is an open service on a web port: • Screenshot • Fuzzy hashing • Compare to target/original
  30. Splunk • Enterprise Security Content Update (ESCU)
  31. Part 2: Defenses
  32. Sinkholing domains • Goal: redirect users from blacklisted domains to a warning page/log server • Via internal DNS servers • Response Policy Zones (RPZ) rules • Script changes to the /etc/hosts file of users • Jason Fossen released a Windows sinkhole DNS PowerShell script as part of the SANS SEC505 class (Update-HostsFile.ps1 and Sinkhole-DNS.ps1)
  33. Response Policy Zones (RPZ) • Override global DNS to provide alternate responses to queries • Goal: protect users by blocking all domain permutations from being reached • Block known malicious domains • Prevent users from visiting malicious content • Sinkhole domains • https://github.com/Homas/ioc2rpz
  35. Upcoming browser protections: Chrome warnings for lookalike URLs • Based on domain permutations of sites with a high PageRank • Prompt the user to confirm • Goal: deter attacks by interpreting likely malicious domain requests and prompting the user to confirm • https://chromium.googlesource.com/chromium/src/+/master/docs/security/url_display_guidelines/url_display_guidelines.md
  36. Upcoming browser protections: Chrome warnings for lookalike URLs • Approximately 100 per minute • Tag for further review • Goal: find content to attack sensitive information • https://chromium.googlesource.com/chromium/src/+/master/docs/security/url_display_guidelines/url_display_guidelines.md
  37. Part 3: Fighting Back
  38. Fighting back 1 • Scammers are lazy and will often link to images hosted on your own servers • Replace stolen images with warnings
  39. Fighting back 2: Call in the lawyers • ICANN arbitration via the Uniform Domain Name Dispute Resolution Policy (UDRP): fee of $1,300 for the first domain name; if the complaint filer wins, the domain is transferred to them; typical time frame 50-60 days • Anticybersquatting Consumer Protection Act (ACPA): penalties of $100,000 per domain
  40. The big picture
  41. Questions?
  42. Thank you.
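The monitoring and sinkholing steps from slides 27, 32 and 33 (generate permutations of a domain you defend, then feed the watch list into RPZ) worked through as an added Python example. This is not the presenters' code and not dnstwist itself; it is a small dnstwist-style generator covering the five permutation types from slide 7. The keyboard-adjacency table, the homoglyph table, the TLD list and the lure words are constructed subsets, the sinkhole address 10.0.0.5 is a placeholder, and `resolve` is a hypothetical helper standing in for the "does this candidate currently have a service?" check the talk describes.

```python
"""Added example (not the presenters' code, not dnstwist): build a watch list of
lookalike candidates for a defended domain and emit BIND-style RPZ records so the
permutations answer NXDOMAIN or sinkhole to a warning host.
All character tables, TLDs and lure words are constructed subsets."""
import socket
from typing import Iterable, Optional

# QWERTY neighbours used for fat-finger typos (constructed subset)
QWERTY_ADJ = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# ASCII letter -> visually similar code points (constructed subset):
# U+0430 Cyrillic a, U+1EA1 a with dot below, U+0435 Cyrillic ie, U+1EB9 e with
# dot below, U+043E Cyrillic o, U+1ECD o with dot below, U+0456 Cyrillic i,
# U+0441 Cyrillic es, U+0440 Cyrillic er
HOMOGLYPHS = {
    "a": "\u0430\u1ea1", "e": "\u0435\u1eb9", "o": "\u043e\u1ecd",
    "i": "\u0456", "c": "\u0441", "p": "\u0440",
}
TLDS = ("com", "net", "org", "co", "info", "top", "us")   # constructed subset
LURE_WORDS = ("verification", "secure", "login")          # constructed subset
VALID_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def typosquats(label: str) -> set:
    """Omission, repetition, adjacent-key replacement and transposition of one character."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                 # omission
        out.add(label[:i] + ch + ch + label[i + 1:])       # repetition
        for adj in QWERTY_ADJ.get(ch, ""):                 # fat-finger replacement
            out.add(label[:i] + adj + label[i + 1:])
        if i + 1 < len(label) and label[i] != label[i + 1]:  # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return {o for o in out if o}


def bitsquats(label: str) -> set:
    """Single-bit flips that still yield a valid DNS label (memory-error lookalikes)."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in VALID_LABEL_CHARS and flipped != ch:
                cand = label[:i] + flipped + label[i + 1:]
                if cand[0] != "-" and cand[-1] != "-":
                    out.add(cand)
    return out


def homoglyphs(label: str) -> set:
    """Replace one character at a time with a visually similar code point."""
    return {label[:i] + g + label[i + 1:]
            for i, ch in enumerate(label) for g in HOMOGLYPHS.get(ch, "")}


def tld_variations(label: str, tld: str) -> set:
    return {f"{label}.{t}" for t in TLDS if t != tld}


def subdomain_permutations(label: str, tld: str) -> set:
    """The defended name as a subdomain of an attacker-controlled domain."""
    out = set()
    for word in LURE_WORDS:
        for t in TLDS:
            out.add(f"{label}.{word}.{t}")          # e.g. facebook.verification.info
            out.add(f"{label}.{tld}-{word}.{t}")    # e.g. facebook.com-login.top
    return out


def generate(domain: str) -> dict:
    """All candidate categories for one seed domain, keyed by permutation type."""
    label, _, tld = domain.lower().partition(".")
    return {
        "typo": {f"{c}.{tld}" for c in typosquats(label)},
        "bitsquat": {f"{c}.{tld}" for c in bitsquats(label)},
        "homoglyph": {f"{c}.{tld}" for c in homoglyphs(label)},
        "tld": tld_variations(label, tld),
        "subdomain": subdomain_permutations(label, tld),
    }


def to_ascii(domain: str) -> Optional[str]:
    """Punycode (IDNA) form as it appears in DNS; None if the name cannot be encoded."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def resolve(domain: str) -> list:
    """Hypothetical monitoring helper: addresses a candidate resolves to ([] if none).
    Performs a network lookup; not exercised offline."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(to_ascii(domain), None)})
    except (socket.gaierror, TypeError):
        return []


def rpz_records(domains: Iterable, sinkhole_ip: Optional[str] = None) -> list:
    """RPZ zone lines: 'CNAME .' answers NXDOMAIN; an A record sinkholes to a warning host.
    A wildcard line covers every subdomain of the candidate as well."""
    records = []
    for d in sorted(domains):
        owner = to_ascii(d)
        if owner is None:
            continue
        rdata = f"A {sinkhole_ip}" if sinkhole_ip else "CNAME ."
        records.append(f"{owner} {rdata}")
        records.append(f"*.{owner} {rdata}")
    return records


if __name__ == "__main__":
    cands = generate("facebook.com")
    for kind, items in cands.items():
        print(f"{kind}: {len(items)} candidates, e.g. {sorted(items)[:3]}")
    watch_list = set().union(*cands.values())
    print("\n".join(rpz_records(watch_list, sinkhole_ip="10.0.0.5")[:4]))  # 10.0.0.5 is a placeholder
```

The generator is deliberately exhaustive rather than clever: the value for a defender is in resolving every candidate on a schedule and alerting on the ones that newly gain an A, MX or web service, which is the continuous monitoring the abstract describes. Non-ASCII homoglyph candidates are converted to their punycode form before being written into the zone, since that is the owner name a resolver will actually see in queries.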
