Post on 09-Jun-2015
Description: The overlooked threat created by users. Just a little project based on my own
1. Typo squatting
The Threat Network Defense Teams Overlook
Joey Hernandez CISM
Registrations Per Day
Current Bad Registrars
Domain squatting is the term coined for registering a domain and holding it for a period of time.
Most often NOTHING is done with those domains
Most often there is underlying FINANCIAL gain expected by selling those domains to those intent on utilizing the site
Recent case: Galliano.fr
Targets BRAND NAME domains
Relies on typographical errors made by direct input URLs
Often involved with illegal activity
Also used for FINANCIAL gain
According to BrandjackingIndex, the risk of brand misuse worldwide is the highest in US, Germany and UK.
59%+ of all websites using brand names for illegal purposes originate from these three countries.
Organization Focused on defeating these efforts
5. TLD Statistics
New Registered Domains Per Day
April 02, 2011 24 Hour Period
The nameservers presented are those which gained NEW domains
Indicates a registrar or service provider which is making sales via domain registrations.
Difficult, but not impossible, to vet malicious actors
6. Simple Analysis
Ten of the top 50 Financial Services
Banks and Institutions
Representing multiple regions of the World
Ease of use for available open source tools
7. Domain To Possible Typo-Variants
8. Top Registrars
9. Example: Chse.com
10. Example: Micrososft.com
Redirected Users To Typosquatting Site Hosting Malware
11. Example: Sleftrade.com
A Robtex data dump indicates:
Sleftrade.com is a domain controlled by two name servers at dsredirection.com.
Both are on the same IP network. The primary name server is ns1.dsredirection.com.
Incoming mail for sleftrade.com is handled by one mail server at fakemx.net. sleftrade.com has one IP number (18.104.22.168).
219+ domains share the same IP
The majority of them are also typos
Blacklists from several organizations list this site and its servers, for multiple reasons.
Condition: users continue to manually type URLs
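The following is an added example, not code from the slides: it generates the single-keystroke typo variants from slide 7 (omission, transposition, repetition, insertion) for a brand domain and intersects them with a registration feed, so a defence team can watch for the chse.com, micrososft.com and sleftrade.com style registrations shown above. The feed contents are constructed sample data; real tools such as dnstwist add keyboard-adjacency and homoglyph rules on top of these.

```python
import string

LETTERS = string.ascii_lowercase


def typo_variants(domain):
    """Return the set of one-keystroke typo variants of a domain's first label.

    Models the mistakes a user makes when typing a URL by hand: dropping a
    character, swapping two neighbours, doubling a character, or hitting a
    stray letter. The rest of the name (TLD) is kept unchanged.
    """
    label, _, tld = domain.lower().partition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # omission: chase -> chse
        out.add(label[:i] + label[i] * 2 + label[i + 1:])  # repetition: chase -> chasse
        if i + 1 < len(label):                             # transposition: selftrade -> sleftrade
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in LETTERS:                                  # insertion: microsoft -> micrososft
            out.add(label[:i] + c + label[i:])
    for c in LETTERS:                                      # insertion at the very end
        out.add(label + c)
    out.discard(label)  # the genuine name is not a typo
    out.discard("")     # a one-letter label with its letter omitted
    return {f"{v}.{tld}" for v in out}


def flag_registered_typos(brand_domain, observed_registrations):
    """Intersect the typo candidates with names seen in a new-registration feed.

    Returns the hits sorted, ready for review, blocklisting or a takedown request.
    """
    candidates = typo_variants(brand_domain)
    return sorted(d.lower() for d in observed_registrations if d.lower() in candidates)


# Constructed sample of one day's new registrations (hypothetical names, not real data).
SAMPLE_FEED = ["chse.com", "chasebank-login.com", "chasse.com", "example.org", "cahse.com"]

if __name__ == "__main__":
    print(len(typo_variants("chase.com")), "candidates to watch for chase.com")
    for hit in flag_registered_typos("chase.com", SAMPLE_FEED):
        print("typo registration seen:", hit)
```

Note that chasebank-login.com is not reported: look-alike names with extra words are a phishing pattern, not a typing error, and need a different (keyword) rule.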
The possibility of suffering harm is HIGH
Consequences: Cisco Global Threat Report 4Q10
The rate of web malware encounters peaked in October 2010, at 250 average encounters per enterprise for the month
Web malware grew by 139 percent in 2010 compared to 2009
Malware continues to evolve
Economic Hardship brings out The Best
Users: They Still Fall For Phishing Email
Mobile Devices: those keys are too small
13. Defensive Measures
Utilize browser add-ons with URL correction
Host Based Security Applications
Whitelist Domains: it's worth the political fight
Educate users on understanding of the THREAT potential
Your Thoughts: TYPOSQUAT@iSCSP.ORG
15. Information
About Joey Hernandez
Joey Hernandez works as an International Consultant in Cyber Security and Risk Management. He has a broad background in Information Security with past projects in Vulnerability Assessments, Cyber Exercise, CERT CND Analysis, Operational Threat Research, and Tactics Development.
Hernandez holds an MBA in Computer Resource And Information Management, as well as being a CISSP, CISM, and C|EH.