Typo Squatting Domains
On September 9th of 2017 Equifax, the U.S. credit reporting major, was in the news. To anyone following the industry this was no surprise: it had just announced a major breach affecting almost half of America's population, and the way it handled the disclosure was itself the subject of intense media and political debate.
The news on this particular day, however, was only loosely related to the breach itself, and the reason I am using it as an example has nothing to do with the breach.
It was pointed out in the media that Equifax's employees had, in the company's Twitter replies to customers, repeatedly pointed to an unauthorised website as the place to visit for more information on the breach and its effect on them. (Equifax's own breach site was equifaxsecurity2017.com; the tweets linked to securityequifax2017.com, the same two words in the other order.)
The good news is that the tweets were promptly taken down, and the site in question had been set up by a security researcher precisely to demonstrate how weak Equifax's security controls were.
The segment on the breach by the Last Week Tonight show is also worth watching for a picture of the state Equifax was in at the time.
Coming back from that trip down memory lane to the main purpose of this article: I was fascinated that an organisation of that size could make such an error, but did not pursue the question until recently, when a typo-ridden email brought my focus back to the issue.
It turns out this practice is as old as the internet, and its use for malicious purposes followed quickly. An email from 'PaypaI' (note the capital I) about a failed transaction, or an email claiming to be from Outlook about a blocked account, are typical examples.
This process is known as Typosquatting.
Wikipedia puts typosquatting as follows “Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).”
Simply put it is an evil twin posing as a legitimate website.
In this article we will look at the ways in which a legitimate domain name is modified to produce a lookalike, and at how to tackle the issue from an organisational point of view.
But before we get into the nitty-gritty, I would like to highlight why you, as part of your organisation's security team, should care.
The first point that comes to mind is that it puts the legitimacy of your organisation's brand at risk; in a situation like Equifax's it also raises questions about your organisation's ability to deal with its customers, which is a cornerstone of any modern business.
The second risk is more internal. How many times as an analyst have you dealt with a case where an unsuspecting employee forwarded confidential information to a sender posing as someone from the organisation? "It looked like the company domain at first glance", they all say, making you question the effectiveness of all that mandatory security training.
The third concern is monetary: someone who registers a domain such as facebooks.biz automatically receives traffic meant for the real site, with minimal to no technical skill required.
It is also illegal in some jurisdictions, since domain names are often treated as part of a trademark and using a lookalike may trigger infringement clauses.
Some of the ways in which lookalike domains are generated are given below.
- Bitsquatting: registers a domain that differs from the target by a single flipped bit (i.e., 'www.fccebook.com', where the 'a' has one bit flipped), anticipating memory or transmission errors on the client that corrupt the name before it is resolved
- Homoglyph: replaces a letter (or several) in the domain name with characters that look alike ('rn' for 'm', '0' for 'o', or a capital 'I' for 'l' as in 'PaypaI') to make the fake domain look as similar as possible to the original (correct) one
- Repetition: repeats a character in the domain, i.e., 'www.faceboook.com'
- Transposition: swapping adjacent letters, i.e., 'www.faecbook.com'
- Replacement: replacing letters/characters in the domain, typically with a neighbouring key, i.e., 'www.fasebook.com'
- Omission: purposefully leaving out a character or letter from the domain, i.e., 'www.facebok.com'
- Insertion: inserting an extra letter into the domain, i.e., 'www.facebiook.com'
- Missing dot: removing the dot from the domain name identifier, i.e., 'www.facebookcom.com'
- Singularization or Pluralization: adding or removing the plural identifier (s) at the end of the domain, i.e., 'www.facebooks.com'
- Vowel swap: replaces a vowel within the domain name, i.e., 'www.fecebook.com'
- Wrong TLD: replaces the top-level domain suffix, i.e., 'www.facebook.co'
- Soundsquatting: takes advantage of words that sound alike (homophones, similar pronunciation and context)
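The following is an added example, not code from the article, from dnstwist or from URLCrazy: a small generator that applies the string-edit techniques above to a name of the form label.tld (for example facebook.com; multi-part suffixes such as co.uk are not handled). The keyboard-adjacency map, the homoglyph table and the TLD list are illustrative choices of my own, and soundsquatting is left out because it needs a pronunciation dictionary rather than string edits.

```python
"""Typosquat candidate generator (added example; see lead-in for assumptions)."""
from __future__ import annotations

# Keys physically adjacent on a QWERTY keyboard (used by replacement/insertion).
QWERTY = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# ASCII look-alikes. A capital "I" for "l" (as in "PaypaI") only works in
# display text, since DNS is case-insensitive; "1" and "i" are registrable.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"],
              "e": ["3"], "s": ["5"], "a": ["4"]}
VOWELS = "aeiou"
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")
# Illustrative TLD list; extend it with whatever your registrar reports.
TLDS = ["com", "net", "org", "co", "cm", "biz", "info"]


def _valid_label(label: str) -> bool:
    """Syntactically registrable label: allowed chars, no leading/trailing '-'."""
    return bool(label) and set(label) <= ALLOWED and label[0] != "-" and label[-1] != "-"


def generate(domain: str) -> dict[str, set[str]]:
    """Map each technique name to the set of candidate domains it produces."""
    name, _, tld = domain.lower().rpartition(".")
    if not name or not tld:
        raise ValueError("expected label.tld, e.g. facebook.com")
    n = len(name)
    labels: dict[str, set[str]] = {}
    labels["repetition"] = {name[:i] + name[i] + name[i:] for i in range(n)}
    labels["transposition"] = {
        name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(n - 1)
    }
    labels["replacement"] = {
        name[:i] + k + name[i + 1:] for i in range(n) for k in QWERTY.get(name[i], "")
    }
    labels["omission"] = {name[:i] + name[i + 1:] for i in range(n)}
    labels["insertion"] = {  # a neighbouring key slipped in before or after a letter
        name[:j] + k + name[j:]
        for i in range(n) for k in QWERTY.get(name[i], "") for j in (i, i + 1)
    }
    labels["missing-dot"] = {name + tld, "www" + name}
    labels["pluralization"] = {name[:-1] if name.endswith("s") else name + "s"}
    labels["vowel-swap"] = {
        name[:i] + v + name[i + 1:]
        for i in range(n) if name[i] in VOWELS for v in VOWELS if v != name[i]
    }
    # Flip each of the 8 bits of every byte; non-hostname results are dropped below.
    labels["bitsquatting"] = {
        name[:i] + chr(ord(name[i]) ^ (1 << b)) + name[i + 1:]
        for i in range(n) for b in range(8)
    }
    glyph: set[str] = set()
    for ch, subs in HOMOGLYPHS.items():
        for s in subs:
            glyph.add(name.replace(ch, s))  # every occurrence, e.g. "faceb00k"
            glyph |= {name[:i] + s + name[i + 1:] for i in range(n) if name[i] == ch}
    labels["homoglyph"] = glyph

    result = {
        tech: {f"{lbl}.{tld}" for lbl in cands if lbl != name and _valid_label(lbl)}
        for tech, cands in labels.items()
    }
    result["wrong-tld"] = {f"{name}.{t}" for t in TLDS if t != tld}
    return result


def all_candidates(domain: str) -> list[str]:
    """Flat, de-duplicated list of every candidate except the original."""
    seen: set[str] = set()
    for cands in generate(domain).values():
        seen |= cands
    seen.discard(domain.lower())
    return sorted(seen)


if __name__ == "__main__":
    for tech, cands in generate("facebook.com").items():
        print(f"{tech:14s} {len(cands):4d}  e.g. {', '.join(sorted(cands)[:3])}")
    print(len(all_candidates("facebook.com")), "candidates in total")
```

The bitsquatting branch is the one worth studying: it flips every bit of every byte and keeps only results that are still valid hostname labels, which is exactly why 'fccebook' (the 'a' with bit 1 flipped) appears while most flips are discarded. Feed the output of all_candidates() to a resolver or WHOIS lookup to find out which of them are actually registered.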
Now that we have looked at how fake domain names are generated, we will look at how the issue can be addressed. A number of offline and online tools help an organisation get a picture of how many active domains exist that could be posing as you or as part of your online footprint.
There are a number of commercial products that make brand protection part of their security offering. If you prefer an open source approach, I have you covered.
There are two kinds of option: online and offline.
Online: the Domain Security Radar online tool, now ImmuniWeb Trademark Monitor (www.htbridge.com/radar/), gives you a list of domains that match your domain name and categorises them into types such as:
- Potential Cyber Squatting
- Potential Typo Squatting
Alternatively, dnstwister.report gives you a list of registered domains that resemble the domain name you provide.
Offline options include tools like URLCrazy or dnstwist (by Marcin Ulikowski), which generate a list of possible domains using the above-mentioned methods as permutation models and can then check which of them resolve.
Once you have a list of possible domain names, thin out the herd: rule out inactive domains (no DNS records) and domains your organisation already owns as false positives, then deal with the rest according to your organisation's standard procedure. That might range from outright blocking the domains at the proxy, to monitoring traffic between those domains and your organisation, to asking the registrar to take down a domain that clearly infringes your organisation's trademark.
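The triage step described above, as an added example that is not part of the article or of any of the tools it mentions. The DNS lookup is injected as a callable so the example runs offline against constructed records; in production you would pass a function that really queries A/MX/NS records (for instance a thin wrapper around dnspython's resolver). The candidate list, the "owned" set and the answers in FAKE_DNS are all constructed for the sample run, and the risk-to-action policy is an assumed one that you would replace with your organisation's own procedure.

```python
"""Typosquat candidate triage (added example; see lead-in for assumptions)."""
from __future__ import annotations
from typing import Callable

Resolver = Callable[[str, str], list[str]]  # (domain, rrtype) -> answers
RR_TYPES = ("A", "MX", "NS")

# Constructed answers for the sample run; these are not real observations.
FAKE_DNS: dict[tuple[str, str], list[str]] = {
    ("facebok.com", "A"): ["203.0.113.10"],
    ("facebok.com", "MX"): ["10 mail.facebok.com"],
    ("facebooks.com", "A"): ["198.51.100.7"],
    ("faceb00k.com", "NS"): ["ns1.parking.example"],
}


def fake_resolver(domain: str, rrtype: str) -> list[str]:
    """Stand-in for a real DNS query; returns the constructed answers above."""
    return FAKE_DNS.get((domain, rrtype), [])


# Assumed policy mapping what a live lookalike can do to what we do about it.
ACTION_BY_RISK = {
    "mail": "block at proxy and mail gateway; request registrar takedown",
    "web": "block at proxy; monitor traffic to and from the domain",
    "parked": "monitor; re-check periodically for new records",
}


def triage(candidates, owned, resolver: Resolver = fake_resolver) -> dict:
    """Sort candidates into owned / inactive / active buckets.

    owned:    already registered by the organisation (false positive)
    inactive: no A, MX or NS record, so nobody is using it yet
    active:   resolves; an MX record is the worst case because the domain can
              receive replies to spoofed mail, an A record means a live host,
              NS only usually means the domain is parked
    """
    owned = {d.lower() for d in owned}
    report: dict = {"owned": [], "inactive": [], "active": []}
    for domain in sorted({d.lower() for d in candidates}):
        if domain in owned:
            report["owned"].append(domain)
            continue
        records = {rr: resolver(domain, rr) for rr in RR_TYPES}
        if not any(records.values()):
            report["inactive"].append(domain)
            continue
        risk = "mail" if records["MX"] else "web" if records["A"] else "parked"
        report["active"].append({"domain": domain, "risk": risk, "records": records})
    return report


def recommended_actions(report: dict) -> dict[str, str]:
    """Domain -> action string for every active lookalike."""
    return {e["domain"]: ACTION_BY_RISK[e["risk"]] for e in report["active"]}


if __name__ == "__main__":
    # Constructed candidate list, e.g. a slice of dnstwist output for facebook.com.
    candidates = ["facebok.com", "facebooks.com", "faceb00k.com",
                  "faecbook.com", "facebook.co"]
    owned = {"facebook.co"}  # assumed to be a defensive registration of our own
    rep = triage(candidates, owned)
    for bucket in ("owned", "inactive"):
        print(bucket, rep[bucket])
    for domain, action in recommended_actions(rep).items():
        print(f"{domain:16s} {action}")
```

Ranking by MX first is deliberate: a lookalike that can receive mail is the one that turns a typo into a business email compromise, whereas a parked domain with only NS records is a watch-list item until somebody points it somewhere.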
To sum up: we have seen how typosquatting poses a risk to your organisation, not just financially and legally but in terms of brand value; how such domains are generated and used; how to identify them; and finally how to deal with them.
So the next time you are faced with an email claiming to be from PayPal in which, as in the earlier example, the letter 'l' has been replaced with a capital 'I', you can be confident that you have a plan in place to deal with it.
Some useful links:
Lenny Zeltser's blog is something I always enjoy reading: https://zeltser.com/domain-name-variations-in-phishing/ You might find some interesting details there.
This paper on typosquatting from Carnegie Mellon University: https://conferences.sigcomm.org/imc/2017/papers/imc17-final215.pdf Read it for a better understanding of the issue and of how typosquatting looks from the point of view of both sender and recipient.
This paper on commonly used techniques for generating similar-looking or similar-sounding domains and how to deal with them: https://arxiv.org/pdf/1603.02767.pdf
And finally this playbook from Demisto on approaching typosquatting as an incident response matter within an organisation: https://www.demisto.com/cybertypo-squatting-playbook
Beyond these, a web search on the topic will turn up plenty more.