Typo squatting involves registering misspelled brand name domains for financial gain, often to host malware or phishing sites. Analysis found that 10 top financial institutions were targets of typo domain registrations using common TLDs like .com. Examples showed typo domains redirecting to sites with malware or fake updates. Defensive measures recommended include browser plugins to correct URLs, host-based security, whitelisting domains, and educating users.
3. Squatting
Domain squatting is the term coined for a domain that is registered and held for a period of time.
Most often NOTHING is done with those domains.
Most often there is an underlying FINANCIAL gain expected by selling those domains to those intent on utilizing the site.
Recent case: Galliano.fr
http://www.reuters.com/article/2011/03/02/us-dior-galliano-cybersquatting-idUSTRE7216UR20110302
4. TypoSquatting
Similar to squatting, but targets BRAND NAME domains.
Relies on typographical errors made when URLs are typed in directly.
Often involved with illegal activity.
Also used for FINANCIAL gain.
According to the BrandjackingIndex, the risk of brand misuse worldwide is highest in the US, Germany and the UK: 59%+ of all websites using brand names for illegal purposes originate from these three countries.
Organization focused on defeating these efforts: Alias Encore
5. TLD Statistics
New registered domains per day, April 02, 2011 (24 hour period).
The nameservers presented are those which gained NEW domains; this indicates a registrar or service provider which is making sales via domain registrations.
Difficult, but not impossible, to vet malicious actors.
6. Simple Analysis
Ten of the top 50 Financial Services / Banking Services banks and institutions, representing multiple regions of the world.
TLD: .COM
Ease of use for available open source tools.
11. Example: Sleftrade.com
A Google search for the mistyped URL finds SelfTrade.com and presents its results.
A Robtex data dump indicates Sleftrade.com is a domain controlled by two name servers at dsredirection.com. Both are on the same IP network. The primary name server is ns1.dsredirection.com. Incoming mail for sleftrade.com is handled by one mail server at fakemx.net. sleftrade.com has one IP number (208.73.210.29).
219+ domains share the same IP, and the majority are also "typos".
Blacklists presented by organizations list this site and its servers for multiple reasons.
12. Risk
Condition: Users continue to manually type URLs. The possibility of suffering "harm" is HIGH.
Consequences (Cisco Global Threat Report 4Q10): The rate of web malware encounters peaked in October 2010, at 250 average encounters per enterprise for the month. Web malware grew by 139 percent in 2010 compared to 2009.
Uncertainty: Malware continues to evolve. Economic hardship brings out "The Best". Users: "They still fall for phishing email". Cyber espionage. Mobile devices: "Those keys are too small".
13. Defensive Measures
Utilize browser add-ons with URL correction.
Host based security applications.
Whitelist domains: "It's worth the political fight".
Educate users on understanding of the THREAT potential.
Your thoughts: TYPOSQUAT@iSCSP.ORG
15. Information Links
http://www.alexa.com/topsites/countries;1/GB
http://veralab.com/dnsdomainsearch/
http://whois.gwebtools.com/tumblrr.com
About Joey Hernandez, MBA CISM CISSP
Joey Hernandez works as an International Consultant in Cyber Security and Risk Management. He has a broad background in Information Security with past projects in Vulnerability Assessments, Cyber Exercise, CERT CND Analysis, Operational Threat Research, and Tactics Development. He is a former US Air Force Officer with a background in Military Intelligence and Cyber Operations. Hernandez holds an MBA in Computer Resource and Information Management, as well as being a CISSP, CISM and CE|H.
http://twitter.com/#!/Joey_Hernandez
http://www.linkedin.com/in/joeyhernandez
Editor's notes
Background: As enterprise cyber defenders continue to work towards attacking problems on a large scale, they continue to overlook the insignificant incidents which occur across the enterprise thousands of times a month: USERS unintentionally putting the enterprise at risk while surfing the internet.
Squatting: Has been around as long as registrars have sold domains. Started by misguided entrepreneurs trying to make money by selling names to the people who held the name ("Madonna").
Variant: Typosquatting is more malicious, as the approach is to trick users into visiting a site by misleading and misrepresenting A BRAND.
Registrations Per Day: The transactions are reminiscent of the stock market; on a typical day there are over 100K new domain adds.
Current Bad Registrars: A little about what we saw while researching this topic; not biased, just a quick and dirty set of statistics.
Potential: What is the risk to YOU/YOUR enterprise? You know your users.
http://www.dailychanges.com/new-domains/
The industry understands registrars are in this to make money, to stay in business. We need to find, from an Enterprise Cyber Security perspective, ways to get registrars CLEAN. Currently there are no 100% fixes, but strategically push for "OFF LIMIT" registrars or blocks.
.COM domains were selected based on the current open source tools available for analysis of the typosquatting threat. iSCSP is interested in gaining input to perform, or assist in performing, a large scale project on the level of threat this has become to users.
Financial services were selected to present insight into an area which has been in the media for "being hacked" over the last few months. Finance: because institutions do business globally, they have a global presence and global touch.
http://zahra.fr/guy/english/index.htm Image used: guy@zahra.fr
Each of the following domains was input into a web tool which generated a list of possible typos and misprints, indicating whether any domain names using these typos are currently in use. Tool: http://veralab.com/dnsdomainsearch/
Examples of how the DOMAINS are changed include the following:
Common extensions, such as xyzbank-online vs. xyzbank
Similarly sounding character combinations, such as mispace vs. myspace
Missing characters, such as gmai vs. gmail
Missing double characters, such as leson vs. lesson
Extra double characters, such as yahhoo vs. yahoo
Wrong character sequences, such as IMB vs. IBM
Wrong key pressed, such as fesex vs. fedex
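As an added example (not the veralab tool and not the author's code), the following Python generator enumerates the typo classes listed above for a brand label, so a defender can build a watchlist of candidates to monitor or pre-register for a domain they own. The keyboard row layout, the sound-alike table and the extension suffixes are assumptions chosen to reproduce the slide's examples.

```python
from itertools import chain

# Assumed: only left/right neighbours on a US QWERTY row count as a "wrong key".
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
NEIGHBOURS = {}
for row in KEY_ROWS:
    for i, ch in enumerate(row):
        NEIGHBOURS[ch] = row[max(0, i - 1):i] + row[i + 1:i + 2]

# Assumed small table for the "similar sounding" class (mispace vs myspace).
SOUND_ALIKE = {"y": "i", "i": "y", "ph": "f", "f": "ph", "c": "k", "k": "c"}
# Assumed common add-ons of the xyzbank-online vs xyzbank kind.
EXTENSIONS = ("-online", "online", "-login", "-secure")


def typo_variants(label, tld="com"):
    """Return {category: sorted candidate domains} for one brand label."""
    label = label.lower()
    cats = {
        # gmai vs gmail: drop one character
        "missing_char": {label[:i] + label[i + 1:] for i in range(len(label))},
        # leson vs lesson: collapse a doubled character
        "missing_double": {label[:i] + label[i + 1:] for i in range(1, len(label))
                           if label[i] == label[i - 1]},
        # yahhoo vs yahoo: repeat one character
        "extra_double": {label[:i + 1] + label[i:] for i in range(len(label))},
        # imb vs ibm: swap two adjacent characters
        "transposition": {label[:i] + label[i + 1] + label[i] + label[i + 2:]
                          for i in range(len(label) - 1)},
        # fesex vs fedex: hit a neighbouring key
        "wrong_key": {label[:i] + n + label[i + 1:]
                      for i, ch in enumerate(label) for n in NEIGHBOURS.get(ch, "")},
        "extension": {label + ext for ext in EXTENSIONS},
        "sound_alike": {label.replace(k, v, 1) for k, v in SOUND_ALIKE.items() if k in label},
    }
    # Drop the genuine label and empty strings, then attach the TLD.
    return {c: sorted(f"{v}.{tld}" for v in vs if v and v != label) for c, vs in cats.items()}


def all_variants(label, tld="com"):
    """Flat, de-duplicated watchlist across every category."""
    return sorted(set(chain.from_iterable(typo_variants(label, tld).values())))


if __name__ == "__main__":
    for cat, doms in typo_variants("selftrade").items():
        print(cat, len(doms), doms[:3])
```

The resulting list is the input a defender would resolve and compare against their own nameservers, as the Robtex lookup on the Sleftrade.com slide does by hand.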
Based on the data pull, the following were the TOP registrars hosting typosquatted sites.
The next few slides look into other examples from some of the sites analyzed, and others that came to light during the investigation.