2018-03-07What to do when a Data Breach happened
Cybersquatting and typosquatting both pose serious risks to your organization and may affect your organization's reputation, income, intellectual property, trade secrets, and security. Cybersquatting is generally defined as registering a domain using a trademark in bad faith, usually with the intent to make a profit from either ad revenue, the intent of selling the domain to the trademark owner, or possibly more malicious intent. Typosquatting is a form of cybersquatting where someone has registered a domain that they know will be a common typo. Typosquatting is always done with malicious intent and usually for Phishing. Why did we do this? This is definitely not a new subject. So in considering this and the fact that there has been so much discussion on it from so many various sources throughout the years, our team at Kromtech Security decided to see just how many organizations are taking this old threat seriously. What we found came as a real surprise to us, it is still not taken seriously by the majority. How was the research conducted? We employed custom scripts along with DNSTwist, a readily available Python script for the purpose of generating permutations of popular domain names, to gather our results. For the data we used lists of popular domains, sites, and social networks from Moz500, Fortune 1000 (2012), Quantcast Top 50 (US), and Majestic Million (Top 10k). Then we filtered and visualized the results. These similar domains (here using facebook.com as an example) were tested using our scripts along with DNSTwist and fuzzers (generators) for the following variations: Addition (facebookx.com) Bitsquatting (faccebook.com) Homoglyph (facebookᏂ.com, fäcebook.com) Insertion (faceboook.com) Omission (facebok.com) Repetition (faceboook.com) Replacement (facebool.com) Subdomain (face.book.com) Transposition (fcaebook.com) Vowel-swap (feicbook.com) Various (facebookcom.com) We found similar domains in all these variations throughout our research using each of the data lists. Figure 1. This figure shows the percentage of each variation of the similar domains found using the Moz500 list. It was interesting to see which variations were the largest slices of the pie. While all variations need to be considered, these variations should receive the primary focus when your organization is registering similar domains. Figure 2. Total quantity of scanned domains. As you can see, we scanned a lot of domains. Next, we filtered the results to classify the percentage of these similar domains that were legitimate domains, the percentage that were registered but down, the percentage that were mostly parked domains, domains for sale, or domains full of advertisements (which we labeled in total as Other), and the percentage of “potentially malicious” domains. Figure 3. This figure shows the percentage of each classification using the Moz500 list. Focusing on the “Potentially Malicious” section, we'd like to note that this section consists of registered domains where we could not find a link to the original domain and the registered domain contained at least one phishing hit from VirusTotal. While this does not guarantee that it is malicious, we consider it a fairly good indicator that it may be. Now 3.6% looks small in the chart above, but please remember that this is just one list, it is a very large quantity when combined with the total volume of domains that we scanned using all of the data lists and variations. We were amazed to find this, we were also very surprised to find the gray are labeled “Other” to be so large, after all, this is not a new topic, there should not be this many. So we dug deeper, we wanted to find out next just how many similar domains to existing domains that were still available for anyone to register and use to host ads, phishing sites, or anything that someone can think of to profit off an existing trademark. We found quite a number of these similar domains still available. Figure 4. Quantity of generated similar domains per original domain So given such a large number of generated similar domain names, we wondered how many domain owners, if any, were actually taking this old threat seriously. We did find that some are, but they are definitely in the minority. Figure 5. This chart shows similar domains registered by the original domain owner (top 30) All we did here was test to see if the similar domain registered by the original domain owner redirected to the original domain, we did not test to see if it was to protect against typosquatting or for Black Hat SEO. You can see from this chart that the drop just in the top 30 is quite significant, especially considering that we scanned hundreds of thousands of similar domain names. What did we learn? We found ourselves completely shocked. So many organizations are not taking this old threat seriously. There have been countless research papers and articles on this very subject spanning years. It has been made very clear that this type of activity exists. It's been repeatedly demonstrated how someone can use this type of attack to steal logins and passwords through typosquatted redirects, trick users into sending sensitive documents via phishing, profit off the good name of an existing trademark, steal customers, perform social engineering, and compromise systems. So why is this still not taken seriously by so many? Is it ignorance or apathy? We don't have the answer to this, but we do hope that this research shows the extent of the still existing threat and sheds even more light on the risk organizations are taking by ignoring it. What can you do about it? Register your trademark, if not already done. You can do this with the United States Patent and Trademark Office. This a critical piece when pursuing cybersquatters and typosquatters in order to prove that you are the legitimate holder of the trademark. Record the proper domain ownership in the domain registration, this is the only record for your ownership of your domain. The domain should be registered using the company name or senior management rather than employees or contractors. Ensure there are at least two names on the registration so that both will be notified of any changes. Pay attention to expiration, if your domain expires, you may find that it ends up purchased by someone else, leaving you with a fight or cost to get it back. Purchase variations of your domain name. Check your domain name against a service such as https://dnstwister.report. The report will show you which domains have already been registered and which you can register yourself (those that contain “None resolved” in the IP column). Then go register the domains you choose (see Figure 1 for which domains should receive primary focus) and set up redirects from those domains to your domain. How to help protect your employees from falling prey to phishing via typosquatting: Use anti-spoofing technology. Update your DNS to include DNSSEC, SPF, and DKIM. Secure your e-mail gateways, add detection software that can identify mismatched From headers and envelope sender addresses, identify and highlight trusted domains, and add a subject tag to any external message received that clearly shows it came from an outside source. Encrypt sensitive materials sent internally or to vendors using S/MIME, PGP, or OpenPGP. Use digital certificates and PKI where-ever possible for access control. Block external sites via router or firewall, allowing access to only what is needed for your employees to perform their job. Add reputation-based content filtering so your employees can easily recognize less reputable links, and employ regular monitoring of the logs to update your rules as needed. Train your employees. The best prevention is a solid education. Ensure that all employees know what to look for to make certain that they will not fall prey to such attacks. Protect your domain(s) from existing squatters: In the US, you can file a lawsuit against a cybersquatter under the Anticybersquatting Consumer Protection Act (ACPA), found at 15 U.S.C. § 1125(d). The ACPA allows you to file in federal court to obtain a court order forcing the squatter to transfer the domain name to you. You may even be able to get additional damages awarded (up to $100,000). In order to prevail, you must present proof that the squatter had a bad faith intent to profit from your business, that your registered trademark was distinctive at the at the time the squatter registered it, and that it is either identical or similar enough to be confusing. Use the international arbitration system created by the Internet Corporation of Assigned Names and Numbers (ICANN) titled Uniform Domain-Name Dispute-Resolution Policy. If you can show through proper arbitration that the domain name is identical or similar enough to be confusing to your registered trademark or service mark, that the current domain owner does not have any rights or legitimate interests in that domain name, and that it is being used in bad faith, the domain name will be canceled or transferred to you. However, ICANN does not have a process to provide additional remedies, such as damages awarded. How can Kromtech Security help? First, we hope our research here helps the most and awakens those who have been sleeping through this threat. Beyond that, we do provide consulting for specific companies and you can also download our tools to help secure your organization: https://github.com/kromtech/key-inspector https://github.com/kromtech/s3-inspector Interesting Cases: Facebook.com, Whatsapp.com, Office.com, Googleusercontent.com, Teamviewer.com Figure 6. This chart compares facebook.com, whatsapp.com, teamviewer.com, office.com, and googleusercontent.com. As you can see, Facebook.com is highly targeted, with a fair amount of typosquatted and potentially malicious domains. Teamviewer.com appears to be the most proactive of this group. Figure 7. Comparing facebook.com to whatsapp.com we can see that both are being highly targeted with potentially malicious similar domains. Figure 8. This chart shows that Microsoft Office 365 does not take cybersquatting or typosquatting that seriously. We expected a lot more from Microsoft, especially with a flagship product. Figure 9. googleusercontent.com is Google’s cloud service. We expected a little more of a proactive approach from Google. Figure 10. This chart shows that teamviewer.com, which provides remote desktop access, has taken typosquatting somewhat seriously. Figure 11. An example of a parked domain Other reference cases RedBull wins: http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-0021 Credit Karma wins: http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-0029 http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-0031 http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-0035 Charter Communications loses: http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0040 O2 Worldwide Limited loses: http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0658 Donald Trump wins: http://www.wipo.int/amc/en/domains/search/text.jsp?case=d2010-2220 Tom Cruise wins: http://www.wipo.int/amc/en/domains/decisions/html/2006/d2006-0560.html Bruce Springsteen loses: https://www.theregister.co.uk/2001/02/09/bruce_springsteen_loses_cybersquatting_dispute/ Kevin Spacey loses: https://www.theregister.co.uk/2001/11/26/kevin_spacey_loses_pivotal_cybersquatting/ WIPO UDRP Domain Name Decisions (gTLD) for all years: http://www.wipo.int/amc/en/domains/decisionsx/index-gtld.html Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center. Do you have security tips or suggestions? Contact: firstname.lastname@example.org
Subscribe for the latest security news and discoveries
Thank you for subscribing to our Newsletter. To finish the subscription process, please visit your email.