At S4xJapan, we presented a small internal research project on DNS squatting. The topic has been refreshed in my mind because of a recent Cylance report on Japanese critical infrastructure being breached by watering hole attacks (see their SPEAR team report on the topic here).

I really got interested in DNS squatting after this talk by Artem Dinaburg at DEF CON 19. It is a really good presentation, and it shows how a person can unintentionally visit the wrong website because of bit-flip errors, with no human mistake required.

Of course, most squatting occurs because of typos. Yours truly is famous for typo’ing a lot while slamming website domains into my browser search bar.

There is a nice tool, called dnstwist, which provides a quick and automatic way of searching for common typing mistakes: bit squats, typos with transpositions, as well as more malicious squats like homoglyphs, which are commonly used in phishing attacks.

For the S4 talk, we looked at 11 major ICS vendors’ domains. Of these, there were over 400 squat domains, and over 20 of the squat domains were hosting malicious content.

The way that a lot of domain squatting works is via rental. The owner of the domain rents out ‘redirect time’, and advertisers or malware networks rent that redirect time to capture visitors. Occasionally these redirects point the end user to competitor products, but they frequently lead to malware downloads or ‘your computer is infected’ social engineering scams (often requiring that you call ‘Microsoft Technical Support’, where the person on the other end directs you to install a remote access trojan on your PC).

An interesting future research project might be renting some time on these domains to see what sorts of visitors we get: client OS, vulnerable browsers, and IP address ranges would all be pretty interesting.

We obtained several dozen malware samples from the websites. All of the samples were adware/spyware that hijacked the end user’s web browser to overlay additional advertising.

Interestingly, one of the malware samples targeted OS X (the sample is served based on the user-agent string of the visitor). This sample had a 0/55 detection rate on VirusTotal in late October. Today it is recognized by at least some of the AV vendors, although the number is still less than half.

Unfortunately, it is very difficult to deal with a squat after the fact: the hefty legal obstacles to recovering a domain similar to a company trademark mean that most vendors give up. During our initial research, we contacted a number of affected vendors, and all reported that the legal hurdles would mean no action (even when the squat was actively hosting malware). So, our best advice at the moment is to be proactive.

Scouring your own web sites for typo links would be one good thing to do. A few vendors can be found with ‘link typos’ on their own pages, which point to potential squat domains. These link typos make a great target for the attacks, since it is a lot more likely that a victim will visit the link. Finding and fixing such typos can help a lot.

Another proactive measure would be to simply register domains similar to your own. For only a few hundred or a few thousand dollars per year, this would mitigate an easy attack vector. Some vendors are doing this already, probably more for ‘people can’t type our name correctly’ reasons than for ‘attacks might use this to hack our clients’, so really there are two business cases for registering the domains.
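To make the two proactive steps above concrete, here is an added example (not dnstwist’s code, nor anything from the S4 research) that enumerates the bit-squat, transposition and omission variants of a domain, then scans a page’s links for any that point at one of those variants, so you can find typo links on your own site and know which variants to consider registering. The domain and the HTML snippet are constructed for the example, and it assumes a second-level domain with a single-label TLD such as `example.com`.

```python
import re
import string

# Characters that may appear in a DNS label (lower-case only: hostnames are
# case-insensitive, so flipping to an upper-case letter is the same label).
ALLOWED = set(string.ascii_lowercase + string.digits + "-")

def bitsquats(label: str) -> set[str]:
    """Labels exactly one bit-flip away from `label` that are still valid labels."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALLOWED and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def transpositions(label: str) -> set[str]:
    """Adjacent-character swaps, e.g. 'example' -> 'exmaple'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}

def omissions(label: str) -> set[str]:
    """Single dropped characters, e.g. 'example' -> 'exmple'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def squat_candidates(domain: str) -> set[str]:
    """All candidate squat domains for a 'label.tld' domain (assumed format)."""
    label, tld = domain.lower().rsplit(".", 1)
    variants = bitsquats(label) | transpositions(label) | omissions(label)
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants}

# Captures the host part of absolute http(s) links in href attributes.
HREF_RE = re.compile(r'href=["\']https?://([^/"\':]+)', re.IGNORECASE)

def find_typo_links(html: str, domain: str) -> list[str]:
    """Return the squat-candidate hosts that `html` links to, sorted."""
    candidates = squat_candidates(domain)
    hits = set()
    for host in HREF_RE.findall(html):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        if host in candidates:
            hits.add(host)
    return sorted(hits)

# Constructed sample page: one correct link, two typo links to squat variants.
SAMPLE_HTML = """<a href="https://example.com/">Home</a>
<a href="http://www.exmaple.com/download">Download</a>
<a href="https://exampel.com:443/docs">Docs</a>"""

if __name__ == "__main__":
    print(find_typo_links(SAMPLE_HTML, "example.com"))  # ['exampel.com', 'exmaple.com']
```

Running this against your own HTML (for instance, the output of a site crawl) lists the exact hosts to fix; the full `squat_candidates` set is also the list to check against WHOIS and consider registering.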

Image by Lance Goyke