Typo squatting

Posted on 09-Jun-2015

DESCRIPTION

The overlooked threat created by users. Just a little project based on my own

TRANSCRIPT

1. Typo squatting
The Threat Network Defense Teams Overlook
Joey Hernandez, CISM
jhernandez@iSCSP.org

2. Overview
Background
Squatting
Registrations Per Day
Variants
Current Bad Registrars
Potential
3. Squatting
Domain squatting is the term for registering a domain and simply holding it for a period of time rather than using it.
Most often NOTHING is done with those domains
Most often the underlying motive is FINANCIAL gain: selling the domain to the party that actually intends to use it
Recent case: Galliano.fr
http://www.reuters.com/article/2011/03/02/us-dior-galliano-cybersquatting-idUSTRE7216UR20110302
4. TypoSquatting
A form of squatting
Targets BRAND NAME domains
Relies on typographical errors users make when typing URLs directly into the address bar
Often associated with illegal activity
Also used for FINANCIAL gain
According to the BrandjackingIndex, the risk of brand misuse worldwide is highest in the US, Germany and the UK.
59%+ of all websites using brand names for illegal purposes originate from these three countries.
Organization focused on defeating these efforts: Alias Encore
5. TLD Statistics
New Registered Domains Per Day
April 02, 2011, 24-hour period
The nameservers shown are those which gained NEW domains
Each indicates a registrar or service provider that is making sales via domain registrations
Difficult, but not impossible, to vet malicious actors
6. Simple Analysis
Ten of the top 50 financial services companies
Banking services
Banks and institutions
Representing multiple regions of the world
TLD: .COM only
Chosen for ease of use with the available open source tools
7. Domain To Possible Typo-Variants
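Slide 7 maps a brand domain to its possible typo variants. The deck does not include the tool it used, so the following is an added example (not the author's code) of the enumeration: one-keystroke omissions, adjacent transpositions, repeated characters, adjacent-key substitutions and single-character insertions of the second-level label, with the TLD kept fixed to match the deck's .COM-only scope. The US QWERTY key map is an assumption; the three example domains from slides 9 to 11 are used as a self-check.

```python
"""Typo-variant generator for a brand domain (added example, not from the deck)."""
import string

# US QWERTY layout; the assumption here is that typos come from neighbouring keys.
_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _adjacent_keys():
    """Map each key to the keys physically next to it (rows offset by half a key)."""
    adj = {}
    for r, row in enumerate(_ROWS):
        for c, key in enumerate(row):
            near = set()
            if c > 0:
                near.add(row[c - 1])
            if c + 1 < len(row):
                near.add(row[c + 1])
            if r > 0:                      # row above sits half a key to the left
                above = _ROWS[r - 1]
                near.update(above[i] for i in (c, c + 1) if i < len(above))
            if r + 1 < len(_ROWS):         # row below sits half a key to the right
                below = _ROWS[r + 1]
                near.update(below[i] for i in (c - 1, c) if 0 <= i < len(below))
            adj[key] = near
    return adj


ADJACENT = _adjacent_keys()


def typo_variants(domain):
    """Return {variant_domain: typo_class} for one-keystroke typos of the
    second-level label.  The TLD is kept unchanged.  Classes are tried in
    order and the first class that produces a candidate wins."""
    label, tld = domain.lower().split(".", 1)
    n = len(label)
    found = {}

    def add(candidate, kind):
        if candidate and candidate != label:
            found.setdefault(candidate + "." + tld, kind)

    for i in range(n):                                   # chase -> chse
        add(label[:i] + label[i + 1:], "omission")
    for i in range(n - 1):                               # selftrade -> sleftrade
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(n):                                   # google -> gooogle
        add(label[:i] + label[i] + label[i:], "repetition")
    for i in range(n):                                   # chase -> xhase
        for key in ADJACENT.get(label[i], ()):
            add(label[:i] + key + label[i + 1:], "substitution")
    for i in range(n + 1):                               # microsoft -> micrososft
        for key in string.ascii_lowercase:
            add(label[:i] + key + label[i:], "insertion")
    return found


def explain(brand, observed):
    """Name the typo class that turns brand into observed, or None if none does."""
    return typo_variants(brand).get(observed.lower())


if __name__ == "__main__":
    for brand, seen in (("chase.com", "chse.com"),
                        ("microsoft.com", "micrososft.com"),
                        ("selftrade.com", "sleftrade.com")):
        print(f"{seen:16} <- {brand:14} {explain(brand, seen)}")
    print(len(typo_variants("chase.com")), "candidates for chase.com")
```

Feeding each candidate to a WHOIS or DNS lookup (the deck's slide 8 registrar counts come from exactly that step) shows which variants are already registered and by whom; the remaining ones are what a brand owner would register defensively.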
8. Top Registrars
9. Example: Chse.com
Notice the pop-up
Additional redirects
10. Example: Micrososft.com
Fake update
Redirected users to a typosquatting site hosting malware
11. Example: Sleftrade.com
A Google search finds SelfTrade.com and presents results
A mistyped URL instead lands on Sleftrade.com
A Robtex data dump indicates:
Sleftrade.com is a domain controlled by two name servers at dsredirection.com.
Both are on the same IP network. The primary name server is ns1.dsredirection.com.
Incoming mail for sleftrade.com is handled by one mail server at fakemx.net. sleftrade.com has one IP address (208.73.210.29).
219+ domains share the same IP
The majority of them are also typos
Blacklists from several organizations list this site and its servers, for multiple reasons
12. Risk
Condition: users continue to manually type URLs
The possibility of suffering harm is HIGH
Consequences: Cisco Global Threat Report 4Q10
The rate of web malware encounters peaked in October 2010, at an average of 250 encounters per enterprise for the month
Web malware grew by 139 percent in 2010 compared to 2009
Uncertainty:
Malware continues to evolve
Economic hardship brings out the best in people
Users: they still fall for phishing email
Cyber espionage
Mobile devices: those keys are too small
13. Defensive Measures
Utilize browser add-ons with URL correction
Host-based security applications
Whitelist domains: it is worth the political fight
Educate users on the THREAT potential
Your thoughts: TYPOSQUAT@iSCSP.ORG
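The URL-correction and whitelisting measures above amount to one check: is the host a user asked for an allowed brand domain, or one keystroke away from it? The following is an added example (not the author's code) of that check run over proxy log lines. It uses optimal-string-alignment distance, under which every typo class in the deck (omission, insertion, substitution, adjacent swap) costs exactly one edit, so a near-miss of an allowed brand is blocked while an unrelated domain is merely queued for review. The whitelist and the log lines are constructed for the example; the registered-domain helper assumes a two-label suffix and would need a public-suffix list for .co.uk-style domains.

```python
"""Whitelist-plus-near-miss check over proxy logs (added example, not from the deck)."""
import re

# Brands the organisation allows users to reach; an assumed whitelist, not from the deck.
ALLOWED = {"chase.com", "microsoft.com", "selftrade.com"}

# Constructed proxy log lines (timestamp, client, requested host); not real traffic.
SAMPLE_LOG = """\
2011-04-02T10:00:01 10.1.2.3 www.chase.com
2011-04-02T10:00:05 10.1.2.3 chse.com
2011-04-02T10:01:12 10.1.2.9 micrososft.com
2011-04-02T10:02:40 10.1.2.7 sleftrade.com
2011-04-02T10:03:02 10.1.2.7 selftrade.com
2011-04-02T10:04:19 10.1.2.4 example.org
"""


def osa_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1, so each of the deck's typo classes
    is exactly one edit away from the brand."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent swap
    return d[len(a)][len(b)]


def registered_domain(host):
    """Collapse 'www.chase.com' to 'chase.com' (last two labels; an assumption
    that ignores multi-label public suffixes such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host, allowed=ALLOWED, max_edits=1):
    """Return ('allow', brand) for a whitelisted domain, ('block', brand) for a
    domain whose label is within max_edits of a whitelisted brand label, or
    ('review', None) for anything else."""
    domain = registered_domain(host)
    if domain in allowed:
        return "allow", domain
    label = domain.split(".")[0]
    for brand in sorted(allowed):
        if osa_distance(label, brand.split(".")[0]) <= max_edits:
            return "block", brand
    return "review", None


def scan_log(text):
    """Apply classify_host to every 'timestamp client host' line; return
    a list of (host, verdict, brand) tuples in log order."""
    results = []
    for line in text.splitlines():
        m = re.match(r"\S+ \S+ (\S+)$", line)
        if m:
            host = m.group(1)
            verdict, brand = classify_host(host)
            results.append((host, verdict, brand))
    return results


if __name__ == "__main__":
    for host, verdict, brand in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {host:16} {brand or ''}")
```

With a strict whitelist the "review" bucket is simply blocked as well; the value of the distance check is that a near-miss of a protected brand is treated as a typosquat and logged as such, which is the signal a detection team can alert on rather than burying it among ordinary policy denials.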
14. (slide has no text)
15. Information
Links
http://www.alexa.com/topsites/countries;1/GB
http://veralab.com/dnsdomainsearch/
http://whois.gwebtools.com/tumblrr.com
About Joey Hernandez
Joey Hernandez works as an International Consultant in Cyber Security and Risk Management. He has a broad background in Information Security with past projects in Vulnerability Assessments, Cyber Exercises, CERT CND Analysis, Operational Threat Research, and Tactics Development.
Hernandez holds an MBA in Computer Resource and Information Management, and is a CISSP, CISM and C|EH.