Page 1: Typo squatting

Typo squatting

The Threat Network Defense Teams Overlook

Joey Hernandez [email protected]

Page 2: Typo squatting

Overview

• Background
• Squatting
• Registrations Per Day
• Variant
• Current Bad Registrars
• Potential

Page 3: Typo squatting

Squatting

• Domain squatting is the term coined for registering a domain and holding it for a period of time.
  – Most often NOTHING is done with those domains
  – Most often there is underlying FINANCIAL gain expected by selling those domains to those intent on utilizing the site

• Recent case: Galliano.fr
  – http://www.reuters.com/article/2011/03/02/us-dior-galliano-cybersquatting-idUSTRE7216UR20110302

Page 4: Typo squatting

TypoSquatting

• A similar form of squatting
  – Targets BRAND NAME domains
  – Relies on typographical errors users make when typing URLs directly
  – Often involved with illegal activity
  – Also used for FINANCIAL gain

• According to the Brandjacking Index, the risk of brand misuse worldwide is highest in the US, Germany and the UK.
  – 59%+ of all websites using brand names for illegal purposes originate from these three countries.

• Organization focused on defeating these efforts
  – Alias Encore

Page 5: Typo squatting

TLD Statistics
New Registered Domains Per Day

Rank  Name Server             New     In
1     DOMAINCONTROL.COM       44,354  20,370
2     BLANK-NAMESERVER.COM    6,578   0
3     RENEWYOURNAME.NET       3,769   133
4     1AND1.COM               2,613   555
5     DSREDIRECTION.COM       2,552   6,514
6     WORLDNIC.COM            2,492   709
7     NAME-SERVICES.COM       2,396   11,739
8     VALUE-DOMAIN.COM        1,923   251
9     HOSTGATOR.COM           1,846   2,062
10    REGISTRAR-SERVERS.COM   1,734   492
11    HICHINA.COM             1,655   413
12    XINNETDNS.COM           1,650   628
13    OVH.NET                 1,624   199
14    REGISTER.COM            1,580   721
15    NAME.COM                1,562   868
16    BLUEHOST.COM            1,550   774
17    DUGOOHOO.COM            1,234   24
18    ABOVE.COM               1,078   220
19    DREAMHOST.COM           954     670
20    YAHOO.COM               944     159

• April 02, 2011, 24 hour period
  – The name servers presented are those which gained NEW domains
  – Indicates a registrar or service provider which is making sales via domain registrations.
  – Difficult, but not impossible, to vet malicious actors

Page 6: Typo squatting

Simple Analysis

• Ten of the top 50 Financial Services
  – Banking Services
  – Banks and Institutions

• Representing multiple regions of the World
  – TLD: .COM

• Ease of use for available open source tools

Page 7: Typo squatting

Domain To Possible Typo-Variants

Financial Institution       URL             Location                 Current Typosquatted URLs
Chase Bank                  chase.com       Global                   52
HDFC Bank Ltd               hdfcbank.com    Global, India            49
ICICI Bank                  icicibank.com   Global, India            45
HSBC                        hsbcgroup.com   Global, France           9
Wonga.com                   wonga.com       Global, United Kingdom   35
TD Bank Financial Group     td.com          Global, Canada           16
CareCredit                  carecredit.com  Global, United States    52
Union Bank of Switzerland   ubs.com         Global, Switzerland      33
Hang Seng Bank              hangseng.com    Global, China            33
DBS Bank Ltd                dbs.com         Global, Asia             40
Total                                                                364
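The table above counts the typo variants of each brand that are already registered. As an added example (not the deck's own tooling), the Python below enumerates the one-keystroke variants of a brand label that a defender would check against WHOIS or DNS, or register pre-emptively; the QWERTY neighbour map is a constructed, partial assumption, and the four typo classes are the ones the deck's own examples exhibit.

```python
import string

# Constructed (partial) QWERTY neighbour map used for the substitution class.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def typo_variants(domain):
    """Map each one-keystroke typo of the brand label to its typo class.
    Only the second-level label is mutated; the TLD stays as typed (the deck's
    analysis is .COM only). Precedence: omission, transposition, insertion, substitution."""
    label, _, tld = domain.lower().partition(".")
    variants = {}

    def add(candidate, kind):
        # Drop the original spelling and labels with a leading/trailing hyphen.
        if candidate and candidate != label and candidate.strip("-") == candidate:
            variants.setdefault(f"{candidate}.{tld}", kind)

    for i in range(len(label)):                      # chase -> chse
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):                  # selftrade -> sleftrade
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(len(label) + 1):                  # microsoft -> micrososft
        for ch in string.ascii_lowercase:
            add(label[:i] + ch + label[i:], "insertion")
    for i, ch in enumerate(label):                   # chase -> cjase (adjacent key)
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            add(label[:i] + near + label[i + 1:], "substitution")
    return variants


def variant_counts(domain):
    """Number of candidate registrations per class, i.e. the monitoring load."""
    counts = {}
    for kind in typo_variants(domain).values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for brand in ("chase.com", "selftrade.com", "microsoft.com"):
        print(brand, variant_counts(brand))
```

The output dictionary is the candidate list to feed into a registration check; the three slide examples (chse.com, sleftrade.com, micrososft.com) all fall out of it.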

Page 8: Typo squatting

Top Registrars

[Pie chart: Typosquatter Sites By Registrar. Legend: Dynadot.com, Above.com, Barginregister.com, Basicfusion.com, Nameking.com, Hebeidomains.com, Tirupatidomains.in, Tucows.com, Godaddy.com, Moniker.com, Enom.com, Fabulous.com. Slice labels shown: 21%, 19%, 17%, 15%, 5%, 4%, 4%, 3%, 3%, 3%, 3%, 2%; the transcript does not pair the slice values with the registrar names.]

Page 9: Typo squatting

Example: Chse.com

Additional Re-directs

Notice Pop-Up

Page 10: Typo squatting

Example: Micrososft.com

• Fake Update
• Redirected Users To Typosquatting Site Hosting Malware

Page 11: Typo squatting

Example: Sleftrade.com

• Google Search
  – Finds SelfTrade.com
  – Presents results

• Mistyped URL

• A Robtex data dump indicates:
  – Sleftrade.com is a domain controlled by two name servers at dsredirection.com.
  – Both are on the same IP network. The primary name server is ns1.dsredirection.com.
  – Incoming mail for sleftrade.com is handled by one mail server at fakemx.net. sleftrade.com has one IP number (208.73.210.29).

• 219+ Domains share the same IP
  – Also the majority are “Typos”

• Blacklistings by several organizations were presented for this site and its servers, for multiple reasons.
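The shared-IP pivot on this slide, as an added example that is not from the deck: group resolution records by A record and flag addresses where most co-hosted names are one edit (including an adjacent transposition) away from a brand label. Only the IP and name server quoted on the slide come from the page; the other records, the example-hosting names and the use of optimal string alignment distance are my assumptions.

```python
from collections import defaultdict

# Constructed sample records: (domain, A record, primary name server). The IP and
# name server are quoted on the slide; the neighbouring domains are made up.
RECORDS = [
    ("sleftrade.com", "208.73.210.29", "ns1.dsredirection.com"),
    ("chsae.com", "208.73.210.29", "ns1.dsredirection.com"),
    ("hsbcgoup.com", "208.73.210.29", "ns1.dsredirection.com"),
    ("wonag.com", "208.73.210.29", "ns1.dsredirection.com"),
    ("garden-tools-example.com", "208.73.210.29", "ns1.dsredirection.com"),
    ("selftrade.com", "203.0.113.10", "ns1.example-hosting.net"),
    ("example-news.com", "203.0.113.10", "ns1.example-hosting.net"),
]

# Brand labels to compare against (second-level labels from the deck's table).
BRANDS = ["selftrade", "chase", "hsbcgroup", "wonga", "ubs"]


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_like_typo(domain, brands=BRANDS, max_dist=1):
    """True if the label is a near miss (not an exact match) of a brand."""
    label = domain.lower().split(".")[0]
    return any(label != b and osa_distance(label, b) <= max_dist for b in brands)


def typo_clusters(records, brands=BRANDS):
    """Group domains by A record; report IPs where typo-like names are the
    majority, together with the name servers serving them."""
    by_ip = defaultdict(list)
    for domain, ip, ns in records:
        by_ip[ip].append((domain, ns))
    flagged = {}
    for ip, hosted in by_ip.items():
        typos = sorted(dom for dom, _ in hosted if looks_like_typo(dom, brands))
        if len(typos) * 2 > len(hosted):  # strict majority, as on the slide
            flagged[ip] = {"total": len(hosted), "typo_domains": typos,
                           "nameservers": sorted({ns for _, ns in hosted})}
    return flagged
```

Run against real passive-DNS or reverse-IP data the same function yields the "N domains share the IP, majority are typos" observation from the slide, plus the name servers to add to a blocklist review.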

Page 12: Typo squatting

Risk

• Condition: Users continue to manually type URLs
• The possibility of suffering “harm” is HIGH
• Consequences: Cisco Global Threat Report 4Q10
  – The rate of web malware encounters peaked in October 2010, at 250 average encounters per enterprise for the month
  – Web malware grew by 139 percent in 2010 compared to 2009
• Uncertainty:
  – Malware continues to evolve
  – Economic Hardship brings out “The Best”
  – Users: “They Still Fall For Phishing Email”
  – Cyber Espionage
  – Mobile Devices “Those keys are too Small”

Page 13: Typo squatting

Defensive Measures

• Utilize browser add-ons with URL correction
• Host Based Security Applications
• Whitelist Domains “It’s worth the political fight”
• Educate users on the THREAT potential

• Your Thoughts: [email protected]

Page 14: Typo squatting

Any Questions

Page 15: Typo squatting

Information Links

• http://www.alexa.com/topsites/countries;1/GB
• http://veralab.com/dnsdomainsearch/
• http://whois.gwebtools.com/tumblrr.com

About Joey Hernandez MBA CISM CISSP

Joey Hernandez works as an International Consultant in Cyber Security and Risk Management. He has a broad background in Information Security with past projects in Vulnerability Assessments, Cyber Exercises, CERT CND Analysis, Operational Threat Research, and Tactics Development.

He is a former US Air Force Officer with a background in Military Intelligence and Cyber Operations.

Hernandez holds an MBA in Computer Resource and Information Management, and is a CISSP, CISM and C|EH.

http://twitter.com/#!/Joey_Hernandez
http://www.linkedin.com/in/joeyhernandez
