Typo squatting
Overview
• Background
• Squatting
• Registrations Per Day
• Variant
• Current Bad Registrars
• Potential
Squatting
• Domain squatting is the practice of registering a domain and then holding it for a period of time
– Most often NOTHING is done with those domains
– Most often an underlying FINANCIAL gain is expected: the domains are held to be sold to the party that actually intends to use the name
• Recent case: Galliano.fr
– http://www.reuters.com/article/2011/03/02/us-dior-galliano-cybersquatting-idUSTRE7216UR20110302
TypoSquatting
• A similar form of squatting
– Targets BRAND NAME domains
– Relies on typographical errors made when users type a URL directly into the address bar
– Often involved with illegal activity
– Also used for FINANCIAL gain
• According to the Brandjacking Index, the risk of brand misuse worldwide is highest in the US, Germany and the UK
– 59%+ of all websites using brand names for illegal purposes originate from these three countries
• Organization focused on defeating these efforts
– Alias Encore
TLD Statistics: New Registered Domains Per Day

Rank  Name Server            New     In
1     DOMAINCONTROL.COM      44,354  20,370
2     BLANK-NAMESERVER.COM    6,578       0
3     RENEWYOURNAME.NET       3,769     133
4     1AND1.COM               2,613     555
5     DSREDIRECTION.COM       2,552   6,514
6     WORLDNIC.COM            2,492     709
7     NAME-SERVICES.COM       2,396  11,739
8     VALUE-DOMAIN.COM        1,923     251
9     HOSTGATOR.COM           1,846   2,062
10    REGISTRAR-SERVERS.COM   1,734     492
11    HICHINA.COM             1,655     413
12    XINNETDNS.COM           1,650     628
13    OVH.NET                 1,624     199
14    REGISTER.COM            1,580     721
15    NAME.COM                1,562     868
16    BLUEHOST.COM            1,550     774
17    DUGOOHOO.COM            1,234      24
18    ABOVE.COM               1,078     220
19    DREAMHOST.COM             954     670
20    YAHOO.COM                 944     159

• April 02, 2011, 24-hour period
– The name servers listed are those which gained NEW domains in that period
– Indicates a registrar or service provider which is making sales via domain registrations
– Difficult, but not impossible, to vet malicious actors
Simple Analysis
• Ten of the top 50 Financial Services
– Banking Services
– Banks and Institutions
• Representing multiple regions of the World
– TLD: .COM
• Chosen for ease of use with available open source tools
Domain To Possible Typo-Variants
Financial Institution | URL | Location | Current Typosquatted URLs
Chase Bank chase.com Global 52
HDFC Bank Ltd hdfcbank.com Global, India 49
ICICI Bank icicibank.com Global, India 45
HSBC hsbcgroup.com Global, France 9
Wonga.com wonga.com Global, United Kingdom 35
TD Bank Financial Group td.com Global, Canada 16
CareCredit carecredit.com Global, United States 52
Union Bank of Switzerland ubs.com Global, Switzerland 33
Hang Seng Bank hangseng.com Global, China 33
DBS Bank Ltd dbs.com Global, Asia 40
Total 364
Top Registrars
[Pie chart: Typosquatter Sites By Registrar. Registrars shown: Dynadot.com, Above.com, Barginregister.com, Basicfusion.com, Nameking.com, Hebeidomains.com, Tirupatidomains.in, Tucows.com, Godaddy.com, Moniker.com, Enom.com, Fabulous.com. Individual shares range from 2% to 21%; the four largest shares (21%, 19%, 17% and 15%) together account for roughly 72% of the typosquatted domains found.]
Example: Chse.com
[Screenshots: the additional redirects the visitor passes through, and the pop-up served at the end of the chain]
Example: Micrososft.com
• Fake Update
• Redirected users to a typosquatting site hosting malware
Example: Sleftrade.com
• Google Search
– Finds SelfTrade.com
– Presents results
• Mistyped URL
• A Robtex data dump indicates:
– Sleftrade.com is a domain controlled by two name servers at dsredirection.com (the same dsredirection.com that appears at rank 5 in the registrations-per-day table above); both are on the same IP network, and the primary name server is ns1.dsredirection.com
– Incoming mail for sleftrade.com is handled by one mail server at fakemx.net
– sleftrade.com has one IP address (208.73.210.29)
• 219+ domains share the same IP
– The majority of them are also "typos"
• Blacklists from several organizations list this site and its servers, for multiple reasons
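As an added example (editor-supplied, not a tool from the deck or its author), the script below generates the typo categories behind the three cases shown (omission for chse.com, transposition for sleftrade.com, insertion for micrososft.com, plus character duplication and keyboard-neighbour substitution) and then pivots a constructed set of passive-DNS style records on shared IP address, the way the Robtex data for sleftrade.com was used on this slide, to count how many names on one host are typos of a watched brand list. It serves both the "Domain To Possible Typo-Variants" table above and this walk-through. The QWERTY neighbour table, the sample records, and the IP and name-server values in them are all constructed for the example; the generator mutates only the label left of the last dot, so it would need adapting for suffixes like .co.uk.

```python
# Added example (editor-supplied, not code from the deck): generate typo variants of a
# brand domain, then pivot constructed passive-DNS records on shared IP address to see
# which hosts cluster typo domains, as the Sleftrade.com walk-through does by hand.
import string
from collections import defaultdict

# Partial QWERTY neighbour table for "fat finger" substitutions (constructed approximation).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def split_domain(domain):
    """'chase.com' -> ('chase', 'com'). Only the label left of the last dot is mutated,
    so multi-label suffixes such as .co.uk need separate handling."""
    label, sep, tld = domain.strip().lower().rpartition(".")
    if not sep or not label or not tld:
        raise ValueError(f"expected <label>.<tld>, got {domain!r}")
    return label, tld


def omission(label):       # drop one character: chase -> chse
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def transposition(label):  # swap two adjacent characters: selftrade -> sleftrade
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}

def duplication(label):    # double one character: microsoft -> microssoft
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def insertion(label):      # insert any letter anywhere: microsoft -> micrososft
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in string.ascii_lowercase}

def fat_finger(label):     # replace a character with a keyboard neighbour: chase -> chsse
    return {label[:i] + n + label[i + 1:]
            for i, ch in enumerate(label) for n in QWERTY_NEIGHBOURS.get(ch, "")}

GENERATORS = {
    "omission": omission, "transposition": transposition, "duplication": duplication,
    "insertion": insertion, "fat_finger": fat_finger,
}


def typo_variants(domain):
    """Map category -> set of candidate typo domains (the original is never included)."""
    label, tld = split_domain(domain)
    return {name: {f"{v}.{tld}" for v in gen(label) if v != label}
            for name, gen in GENERATORS.items()}


def classify(original, candidate):
    """Categories under which `candidate` is a typo of `original` ([] if it is not one)."""
    return sorted(name for name, s in typo_variants(original).items() if candidate in s)


# Constructed records (domain, A record, primary NS) standing in for a Robtex/whois dump.
# The IPs are RFC 5737 documentation addresses and the name servers are invented.
SAMPLE_RECORDS = [
    ("selftrade.com",        "192.0.2.10",   "ns1.example-bank.net"),
    ("sleftrade.com",        "198.51.100.5", "ns1.parking.example"),
    ("slftrade.com",         "198.51.100.5", "ns1.parking.example"),
    ("chse.com",             "198.51.100.5", "ns1.parking.example"),
    ("chasee.com",           "198.51.100.5", "ns1.parking.example"),
    ("weather-news.example", "198.51.100.5", "ns1.parking.example"),
    ("chase.com",            "192.0.2.20",   "ns1.example-bank.net"),
]


def shared_ip_clusters(records, brands, min_domains=3):
    """Group records by IP; for each IP hosting >= min_domains names, report how many of
    them are typo variants of any watched brand. Returns {ip: (total, typo_count, typos)}."""
    by_ip = defaultdict(list)
    for domain, ip, _ns in records:
        by_ip[ip].append(domain)
    variants = set().union(*(set().union(*typo_variants(b).values()) for b in brands))
    report = {}
    for ip, domains in by_ip.items():
        if len(domains) < min_domains:
            continue
        typos = sorted(d for d in domains if d in variants)
        report[ip] = (len(domains), len(typos), typos)
    return report


if __name__ == "__main__":
    for brand in ("chase.com", "selftrade.com", "microsoft.com"):
        print(brand, {k: len(v) for k, v in typo_variants(brand).items()})
    watched = ["chase.com", "selftrade.com"]
    for ip, (total, n_typos, typos) in shared_ip_clusters(SAMPLE_RECORDS, watched).items():
        print(f"{ip}: {total} domains, {n_typos} typo variants of watched brands: {typos}")
```

In practice the candidate list from `typo_variants` is what gets fed to a resolver or WHOIS lookup to produce the "Current Typosquatted URLs" counts; the `insertion` category is deliberately broad (any letter at any position) and is the one to prune first when the list gets unwieldy, while `shared_ip_clusters` is the pivot that turns one confirmed typo domain into the 219+ co-hosted names the slide describes.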
Risk
• Condition: Users continue to manually type URLs
• The possibility of suffering "harm" is HIGH
• Consequences: Cisco Global Threat Report 4Q10
– The rate of web malware encounters peaked in October 2010, at 250 average encounters per enterprise for the month
– Web malware grew by 139 percent in 2010 compared to 2009
• Uncertainty:
– Malware continues to evolve
– Economic hardship brings out "The Best"
– Users: "They still fall for phishing email"
– Cyber espionage
– Mobile devices: "Those keys are too small"
Defensive Measures
• Utilize browser add-ons with URL correction
• Host-based security applications
• Whitelist domains: "It's worth the political fight"
• Educate users on the THREAT potential
• Your Thoughts: [email protected]
Any Questions
Information Links
• http://www.alexa.com/topsites/countries;1/GB
• http://veralab.com/dnsdomainsearch/
• http://whois.gwebtools.com/tumblrr.com
About Joey Hernandez, MBA, CISM, CISSP
Joey Hernandez works as an International Consultant in Cyber Security and Risk Management. He has a broad background in Information Security with past projects in Vulnerability Assessments, Cyber Exercises, CERT CND Analysis, Operational Threat Research, and Tactics Development.
He is a former US Air Force Officer with a background in Military Intelligence and Cyber Operations.
Hernandez holds an MBA in Computer Resource and Information Management, and is a CISSP, CISM and C|EH.
http://twitter.com/#!/Joey_Hernandez
http://www.linkedin.com/in/joeyhernandez