Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Is there an epidemic of typo squatting? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Is there an epidemic of typo squatting?

One of our readers, Jim, wrote in earlier today to say he has noticed an increase in "working" typo squatting over the last 2 months or so.  That is, he's seen users accidently surfing to them or being redirected there by some sort of malicious javascript trickery.  His question for us (and the rest of you) is, is this a local phenomenon or are the bad guys making more use of this tactic?  I'm not currently setup to monitor this type of activity, so I figured I'd ask our loyal readers.  Do you monitor your proxy and DNS logs for this type of activity and have you seen an increase?  Leave a comment below or our contact form to let us know.  Below are just a few examples of the domains he has seen.

Bogus domains include:

  • audilble.com
  • boatrader.com
  • charleesschwab.com
  • chsse.com
  • cnnmonet.com
  • dilymail.co.uk
  • loanadminstration.com
  • myunh.com
  • nydailnews.com
  • nydailynew.com
  • nyeater.com
  • nylottory.org

 

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Jim

400 Posts
ISC Handler
It's associated with this: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1761012
Anonymous
Posts
I still maintain that the registrars should be held accountable for the types of domains they register. Registrars shouldn't be allowed to register typosquatting domains any more than they should be allowed to register malware domains.
Anonymous
Posts
What was boatrader.com supposed to typosquat? To me this sounds like the perfect domain for a reptile pet shop.. ;-)
@joeblow: Registrars are supposed to be completely ignorant of what domains they register for which person. That's part of the net neutrality. As I said above - your typosquatting domain is my pet shop homepage...
Visi

40 Posts Posts
@Visi oops, okay, perhaps that one wasn't a typo squat, I assumed it was for boattrader.com, but that particular one could be legit, but most of the others (and many more we've received) are clearly malicious in intent.
Jim

400 Posts Posts
ISC Handler
Intent can be hard to determine in the absence of actions - see The Minority Report (the book is much better than the movie). I'll freely grant that nydailynew.com or nylottory.com are pretty obvious typosquats, but where does one draw the line, and who judges in advance of malicious action? What's the appeal process for people who get wrongly shut down? What reparations can they expect for loss of business while their domain is shut down, and who pays them? I agree this is a problem, but creating a solution is not a trivial exercise.
Anonymous
Posts
Even without the net neutrality concerns, this is a very difficult issue to police. Assuming that typo-squatted domains are malicious, as an individual/organization you can use a proxy/white-listing service to protect yourself from yourself (fat fingering domain names, etc.). However, as we all know too well even legitimate (whitelisted) websites can be malicious if compromised. Again, the best defense is using a system that is fully patched and secure as possible.
da1212

69 Posts Posts
Forgot to answer the original questions:
Yes, we monitor this through our proxy and no, we have not seen an increase of events related typo-squatted domain names.
da1212

69 Posts Posts
With McAfee we also see in the last two month a lot of detections of JS/Redirector.ar where the name of the detected file is a typo squatting of a regulare web page. The detection can be reproduced by visiting the web page with the typo squatting. Unfortunatelly VirusTotal.com doesn't detect the site as infected. Before the JS/Redirector.ar detections the JS/Blacole-Redirect variants were very popular tha last year.
Anonymous
Posts

Sign Up for Free or Log In to start participating in the conversation!