My next class:
LINUX Incident Response and Threat Hunting | Online | Japan Standard Time | Oct 21st - Oct 26th 2024

Is there an epidemic of typo squatting?

Published: 2013-05-07. Last Updated: 2013-05-07 02:05:31 UTC
by Jim Clausing (Version: 1)
8 comment(s)

One of our readers, Jim, wrote in earlier today to say he has noticed an increase in "working" typo squatting over the last 2 months or so. That is, he's seen users accidentally surfing to such domains or being redirected there by some sort of malicious JavaScript trickery. His question for us (and the rest of you) is: is this a local phenomenon, or are the bad guys making more use of this tactic? I'm not currently set up to monitor this type of activity, so I figured I'd ask our loyal readers. Do you monitor your proxy and DNS logs for this type of activity, and have you seen an increase? Leave a comment below or use our contact form to let us know. Below are just a few examples of the domains he has seen.

Bogus domains include:

  • audilble.com
  • boatrader.com
  • charleesschwab.com
  • chsse.com
  • cnnmonet.com
  • dilymail.co.uk
  • loanadminstration.com
  • myunh.com
  • nydailnews.com
  • nydailynew.com
  • nyeater.com
  • nylottory.org
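One way to answer the "do you monitor your proxy and DNS logs" question above is a lookalike check against a watchlist of the domains you care about. The Python below is an added example, not code from the diary or its readers: it parses constructed BIND-style query log lines, compares each queried name to an assumed watchlist of legitimate domains (the presumed targets of the lookalikes listed above) using Damerau-Levenshtein distance, and flags names that are one fat-finger error away while leaving exact matches and more distant names such as chess.com alone.

```python
import re

# Constructed watchlist of legitimate domains to protect; assumed targets of the
# diary's lookalikes, not a list from the page.
WATCHLIST = ["audible.com", "boattrader.com", "chase.com", "cnnmoney.com",
             "dailymail.co.uk", "nydailynews.com", "nylottery.org"]

# Constructed BIND-style query log lines, not real traffic.
SAMPLE_LOG = """\
07-May-2013 09:01:11.100 client 10.1.2.3#51000: query: www.chase.com IN A + (10.1.2.1)
07-May-2013 09:01:15.210 client 10.1.2.3#51001: query: www.chsse.com IN A + (10.1.2.1)
07-May-2013 09:02:40.004 client 10.1.2.7#51002: query: nydailnews.com IN A + (10.1.2.1)
07-May-2013 09:03:02.330 client 10.1.2.9#51003: query: dilymail.co.uk IN A + (10.1.2.1)
07-May-2013 09:03:59.870 client 10.1.2.9#51004: query: www.chess.com IN A + (10.1.2.1)
"""
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def dl_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: insertion, deletion,
    substitution and adjacent transposition each cost 1, i.e. one fat-finger error."""
    la, lb = len(a), len(b)
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(lb + 1)] for i in range(la + 1)]
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[la][lb]

def normalize(qname):
    """Lowercase, drop the trailing dot and a leading 'www.' label."""
    name = qname.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name

def find_lookalikes(lines, watchlist, max_dist=1):
    """Return (client, queried_domain, protected_domain, distance) for each query within
    max_dist of a protected domain; max_dist=1 skips chess.com (distance 2 from chase.com)."""
    protected = {normalize(w) for w in watchlist}
    hits = []
    for m in filter(None, map(QUERY_RE.search, lines)):
        qname = normalize(m.group("qname"))
        if qname in protected:
            continue  # exact hit on a legitimate domain, nothing to flag
        for target in sorted(protected):
            dist = dl_distance(qname, target)
            if dist <= max_dist:
                hits.append((m.group("client"), qname, target, dist))
    return hits
```

Feeding real query logs through `find_lookalikes` gives the per-client hit list needed to see whether the frequency of these lookups is actually rising over time.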


---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: typo squatting

Comments

It's associated with this: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1761012
I still maintain that the registrars should be held accountable for the types of domains they register. Registrars shouldn't be allowed to register typosquatting domains any more than they should be allowed to register malware domains.
What was boatrader.com supposed to typosquat? To me this sounds like the perfect domain for a reptile pet shop.. ;-)
@joeblow: Registrars are supposed to be completely ignorant of what domains they register for which person. That's part of the net neutrality. As I said above - your typosquatting domain is my pet shop homepage...
@Visi oops, okay, perhaps that one wasn't a typo squat, I assumed it was for boattrader.com, but that particular one could be legit, but most of the others (and many more we've received) are clearly malicious in intent.
Intent can be hard to determine in the absence of actions - see The Minority Report (the book is much better than the movie). I'll freely grant that nydailynew.com or nylottory.com are pretty obvious typosquats, but where does one draw the line, and who judges in advance of malicious action? What's the appeal process for people who get wrongly shut down? What reparations can they expect for loss of business while their domain is shut down, and who pays them? I agree this is a problem, but creating a solution is not a trivial exercise.
Even without the net neutrality concerns, this is a very difficult issue to police. Assuming that typo-squatted domains are malicious, as an individual/organization you can use a proxy/white-listing service to protect yourself from yourself (fat fingering domain names, etc.). However, as we all know too well, even legitimate (whitelisted) websites can be malicious if compromised. Again, the best defense is using a system that is fully patched and as secure as possible.
Forgot to answer the original questions:
Yes, we monitor this through our proxy and no, we have not seen an increase in events related to typo-squatted domain names.
With McAfee we also see in the last two months a lot of detections of JS/Redirector.ar where the name of the detected file is a typo squatting of a regular web page. The detection can be reproduced by visiting the web page with the typo squatting. Unfortunately VirusTotal.com doesn't detect the site as infected. Before the JS/Redirector.ar detections, the JS/Blacole-Redirect variants were very popular the last year.
