Way back at S4xJapan, 2015, Labs did a small research project on DNS domain squatting. We never thought that it would amount to much in terms of press, but did think that it would be a useful talk to spur vendors into action before it was too late. Already we have discovered some very popular ICS vendors where these squat domains are hosting malware; as Dale says, it is only a matter of time before someone gets smart (and nasty), and clones a legitimate vendor website onto a squat domain. The evildoer could host malicious software updates, bad security advice, and possibly even harvest end user credentials.
We revamped the talk slightly for S4xEurope, focusing on a few European vendors who were victims of domain squatting behavior. We are happy to publish the slides to the talk, which covers not only domain squatting but some old topics of DNS tunneling and zone transfer issues that we’ve seen with some frequency.
We would also like to point out that EnergySec published a paper on one of these issues — DNS tunneling — some time ago. It is worth reading if you are in the energy sector, as it is a not-uncommon mistake to see on such networks.
In Japan, we hit upon the idea of scouring websites for potentially malicious links. For example, if you are an ICS vendor, perhaps you should look through your support forums for links to homoglyphs of your domain name — it could be evildoers trying to trick your users into downloading some malicious software or firmware. While our tool is nowhere near perfect, we did write a basic version of such a webcrawler under the unimaginative name TypoScraper. You can snag a copy from our GitHub ‘scripts’ repository, and do with it as you will.
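To make the forum-scanning idea concrete, here is an added example of the core check such a crawler needs: pull every link out of a page, reduce each hostname to its registrable domain, and flag hosts that are homoglyphs or typosquats of your own domain. This is illustrative code written for this post, not TypoScraper itself, and it assumes a hypothetical vendor domain `examplevendor.com`, a constructed forum page, a naive "last two labels" notion of registrable domain (no public-suffix list), and a small, deliberately incomplete table of look-alike characters.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

LEGIT_DOMAIN = "examplevendor.com"  # assumed vendor domain (hypothetical)

# Look-alike folding used to build a "skeleton" of a name. Both tables are
# small illustrative samples, not a complete confusables list.
CYRILLIC_LOOKALIKES = str.maketrans("асеіорху", "aceiopxy")  # Cyrillic -> Latin
ASCII_LOOKALIKES = str.maketrans("01|5348", "ollseab")       # digits/punctuation -> letters
MULTI_CHAR_LOOKALIKES = (("rn", "m"), ("vv", "w"))           # pairs that render like one letter


class LinkExtractor(HTMLParser):
    """Collect href/src values from the tags that can point a user off-site."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "img", "script", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.hrefs.append(value)


def hostname_of(url):
    """Return the lower-cased hostname of a URL, with punycode labels decoded."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels back to Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid IDNA; compare as-is
    return host.lower()


def registrable(host):
    """Naive registrable domain: last two labels (assumption; no PSL here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def skeleton(name):
    """Fold visually confusable characters so look-alikes compare equal."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))  # drop accents
    name = name.translate(CYRILLIC_LOOKALIKES)
    for pair, single in MULTI_CHAR_LOOKALIKES:
        name = name.replace(pair, single)
    return name.translate(ASCII_LOOKALIKES)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(host, legit=LEGIT_DOMAIN):
    """Label a hostname relative to the vendor's own domain."""
    reg = registrable(host)
    if reg == legit:
        return "legitimate"
    if skeleton(reg) == skeleton(legit):
        return "homoglyph"  # same name once look-alike characters are folded
    sld, legit_sld = reg.split(".")[0], legit.split(".")[0]
    if osa_distance(skeleton(sld), legit_sld) <= 1 or legit_sld in sld:
        return "typosquat"  # one typo away, TLD swap, or brand embedded in a longer name
    return "unrelated"


def find_lookalike_links(html, base_url):
    """Return (host, kind, href) for every link on the page that is a look-alike."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        host = hostname_of(urljoin(base_url, href))  # resolve relative links
        if host is None:
            continue  # mailto:, javascript:, anchors
        kind = classify(host)
        if kind in ("homoglyph", "typosquat"):
            findings.append((host, kind, href))
    return findings


# Constructed sample forum page; every host here is hypothetical.
SAMPLE_FORUM_HTML = """
<p>Official download: <a href="/downloads/firmware-2.1.bin">here</a></p>
<p>Mirror: <a href="http://examp1evendor.com/firmware-2.1.bin">faster mirror</a></p>
<p>Try <a href="http://exаmplevendor.com/update.exe">this one</a> (Cyrillic a)</p>
<p>Docs: <a href="https://examplevendor.co/manual.pdf">manual</a></p>
<p>Contact: <a href="mailto:support@examplevendor.com">support</a></p>
<script src="https://cdn.unrelatedhost.net/lib.js"></script>
"""

if __name__ == "__main__":
    for host, kind, href in find_lookalike_links(SAMPLE_FORUM_HTML, "https://support.examplevendor.com/thread/123"):
        print(f"{kind:10} {host:28} {href}")
```

Run it as-is and the relative link, the mailto: link and the unrelated CDN are ignored, while the digit-for-letter host, the Cyrillic host and the TLD swap are reported. In a real crawl you would feed it each forum page you fetch, replace `registrable` with a public-suffix-list lookup, and extend the folding tables; the skeleton-plus-edit-distance approach is a heuristic and will both miss some look-alikes and over-flag short names.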
Image by jenniferboyer