Typosquatting: Awareness and Hunting

Published: 2017-05-20
Last Updated: 2017-05-20 06:01:52 UTC
by Xavier Mertens (Version: 1)

Typosquatting has been used for years to lure victims: you receive an email or visit a URL with a domain name that looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting letters to make a domain look like the official one. The problem is that the human brain automatically corrects what you see, so you believe you are visiting the right site. The oldest example of typosquatting I remember seeing was “mircosoft.com”. Be honest: the first time, you read "microsoft.com", right? This domain was registered in 1997 but has since been taken back by Microsoft. The longer your domain name, the more letter combinations are available to generate fake domains. Sometimes rogue domains are difficult to detect because of the font used to display them: an “l” looks like a “1”, or a “0” looks like an “O”.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was a classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials; the link pointed to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let’s put the malware aside and focus on the domain name that was used: dhll.com (with a double “L”).

A quick check reveals that this domain is, fortunately, owned by DHL (not “DHL Express” but “Deutsche Post DHL”, the group that owns the courier company):

Domain Name: dhll.com
Registry Domain ID: 123181256_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2016-09-23T04:00:10-0700
Creation Date: 2004-06-22T00:00:00-0700
Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Deutsche Post AG
Registrant Organization: Deutsche Post AG
Registrant Street: Charles-de-Gaulle-Strasse 20
Registrant City: Bonn
Registrant State/Province: -
Registrant Postal Code: 53113
Registrant Country: DE
Registrant Phone: +49.22818296701
Registrant Phone Ext:
Registrant Fax: +49.22818296798
Registrant Fax Ext:
Registrant Email: domains@deutschepost.de
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Deutsche Post AG
Admin Street: Charles-de-Gaulle-Strasse 20
Admin City: Bon
Admin State/Province: -
Admin Postal Code: 53113
Admin Country: DE
Admin Phone: +49.22818296701
Admin Phone Ext:
Admin Fax: +49.22818296798
Admin Fax Ext:
Admin Email: admincontact.domain@deutschepost.de
Registry Tech ID:
Tech Name: Technical Administrator
Tech Organization: DHL
Tech Street: 8701 East Hartford Drive
Tech City: Scottsdale
Tech State/Province: AZ
Tech Postal Code: 85255
Tech Country: US
Tech Phone: +1.4089616666
Tech Phone Ext:
Tech Fax: -
Tech Fax Ext:
Tech Email: netmaster@dhl.com
Name Server: ns4.dhl.com
Name Server: ns6.dhl.com
DNSSEC: unsigned

The "dhll.com" zone is also hosted on the DHL name servers. It is a good thing that DHL registered potentially malicious domains, but... if you do this, don’t just park the domain, go further and really use it! The fact that a domain has been registered by the official company does not prevent bad guys from abusing it to send spoofed emails.

First point: "dhll.com" and "www.dhll.com" do not resolve to an IP address. If you register such domains, create a website, point them to it and log who visits the “fake” page. You can display an awareness message or simply redirect to the official site. This will also prevent your customers from landing on a potentially malicious site and improve their experience with you.

The second point is related to MX records. No MX records are defined for the "dhll.com" domain. As with the web traffic, build a spam trap to collect all messages sent to *@dhll.com. By doing this, you will capture potentially interesting traffic and be able to detect whether the domain is used in a campaign (for example, you will catch all the “non-delivery receipts” in the spam trap).

Finally, add an SPF[2] record for the domain. This will reduce the amount of spam and phishing campaigns abusing it.

To conclude, registering domain names derived from your company's name is the first step, but don't just park them: use them for hunting and awareness!
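The three checks above (A record, MX record, SPF) turned into a small posture check, as an added example that is not code from the diary: given the A, MX and TXT records of a defensively registered domain, it reports which controls are still missing. The record sets below and the hostname spamtrap.example.net are constructed assumptions.

```python
# Constructed record sets (an assumption about the shape of resolver output; the only
# fact taken from the diary is that dhll.com had neither A nor MX records).
PARKED = {"A": [], "MX": [], "TXT": []}
HARDENED = {
    "A": ["192.0.2.10"],                    # awareness page or redirect to the real site
    "MX": [(10, "spamtrap.example.net.")],  # catch-all mailbox that feeds the hunting
    "TXT": ['"v=spf1 -all"'],               # no host is allowed to send mail as this domain
}


def parse_spf(txt_records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?' or '+'),
    '?' when the record has no 'all' term (RFC 7208 defaults to neutral),
    or None when the domain publishes no SPF record at all."""
    for txt in txt_records:
        terms = txt.strip('"').split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        for term in terms[1:]:
            term = term.lower()
            qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
            if mechanism == "all":
                return qualifier
        return "?"  # redirect= modifiers are not followed in this example
    return None


def assess(records):
    """List the controls a defensively registered domain is still missing."""
    findings = []
    if not records.get("A"):
        findings.append("no A record: host an awareness page and log who visits")
    if not records.get("MX"):
        findings.append("no MX record: route *@domain to a spam trap")
    qualifier = parse_spf(records.get("TXT", []))
    if qualifier is None:
        findings.append("no SPF record: publish 'v=spf1 -all'")
    elif qualifier != "-":
        findings.append(f"SPF ends with '{qualifier}all': use '-all' for a domain that sends no mail")
    return findings


if __name__ == "__main__":
    for label, records in ("parked", PARKED), ("hardened", HARDENED):
        print(label, assess(records) or ["all three controls in place"])
```

Feed it the results of real A, MX and TXT lookups (for instance from dnspython's resolver) to audit each of your defensive domains.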

A quick reminder about the tool dnstwist[3], which is helpful for generating lists of rogue domains (from an offensive as well as a defensive point of view). Here is an example based on dhl.com:

# docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip dhl.com
      _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.01}

Fetching content from: http://dhl.com ... 200 OK (396.3 Kbytes)
Processing 56 domain variants ................ 48 hits (85%)

Original*       dhl.com States NS:ns4.dhl.com MX:mx1.dhl.iphmx.com SSDEEP:100%
Bitsquatting    ehl.com NS:pdns03.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting    fhl.com      -
Bitsquatting    lhl.com      -
Bitsquatting    thl.com States NS:dns1.name-services.com MX:us-smtp-inbound-1.mimecast.com
Bitsquatting    dil.com States NS:ns1.sedoparking.com MX:localhost
Bitsquatting    djl.com Kong NS:ns1.monikerdns.net
Bitsquatting    dll.com States NS:ns43.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting    dxl.com States NS:ns59.worldnic.com SPYING-MX:dxl-com.mail.protection.outlook.com
Bitsquatting    dhm.com States NS:ns19.worldnic.com MX:dhm.com
Bitsquatting    dhn.com NS:pdns07.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting    dhh.com NS:dns1.iidns.com
Bitsquatting    dhd.com      NS:ns-west.cerf.net MX:dhd-com.mail.protection.outlook.com
Homoglyph       bhl.com States NS:ns79.worldnic.com SPYING-MX:bhl-com.mail.protection.outlook.com
Homoglyph       dhi.com States NS:ns10.dnsmadeeasy.com
Homoglyph       clhl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph       dlhl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph       dihl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph       dh1.com Islands NS:ns43.worldnic.com SPYING-MX:p.webcom.ctmail.com
Hyphenation     d-hl.com States 2400:cb00:2048:1::6818:7c86 NS:fiona.ns.cloudflare.com MX:mx1.emailowl.com
Hyphenation     dh-l.com States NS:ns1.sedoparking.com MX:localhost
Insertion       duhl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhul.com NS:ns1.dominioabsoluto.com
Insertion       djhl.com NS:f1g1ns1.dnspod.net
Insertion       dhjl.com     -
Insertion       dnhl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhnl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dbhl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhbl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dghl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhgl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dyhl.com     NS:dns17.hichina.com MX:mxbiz1.qq.com
Insertion       dhyl.com     -
Omission        dl.com NS:ns1.gridhost.com SPYING-MX:mail.b-io.co
Omission        dh.com States NS:a5-67.akam.net SPYING-MX:mx1.dhltd.iphmx.com
Omission        hl.com States NS:ns57.domaincontrol.com MX:mail0.hl.com
Repetition      ddhl.com Kong NS:ns11.domaincontrol.com SPYING-MX:ddhl-com.mail.protection.outlook.com
Repetition      dhll.com     -
Repetition      dhhl.com States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Replacement     rhl.com States NS:ns1.hungerhost.com MX:mx.spamexperts.com
Replacement     chl.com NS:nameserver.ttec.com MX:smtp2.mx.ttec.com
Replacement     xhl.com States NS:ns1.uniregistrymarket.link
Replacement     shl.com States NS:eu-sdns-01.shl.com SPYING-MX:mxa-0016ba01.gslb.pphosted.com
Replacement     dul.com NS:pdns01.domaincontrol.com MX:smtp.secureserver.net
Replacement     dnl.com      -
Replacement     dbl.com States NS:ns53.worldnic.com SPYING-MX:p.webcom.ctmail.com
Replacement     dgl.com NS:ns62.downtownhost.com MX:dgl.com
Replacement     dyl.com States NS:ns-1768.awsdns-29.co.uk MX:mail.dyl.com
Replacement     dhk.com States NS:ns1.dhk.com MX:dhk.com.us.emailservice.io
Replacement     dho.com States NS:ns1bqx.name.com
Replacement     dhp.com States NS:dhp.com MX:mailhub.dhp.com
Subdomain       d.hl.com     -
Subdomain       dh.l.com     -
Transposition   hdl.com States NS:ns1.systemdns.com MX:aspmx.l.google.com
Transposition   dlh.com NS:ns1.ascio.net SPYING-MX:mail.dlh.com
Various         wwwdhl.com States NS:ns.deutschepost.de
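The generation techniques listed in the introduction and labelled in the output above, implemented in Python as an added example (not the diary's code and not dnstwist's own); it works on an ASCII domain such as dhl.com. The homoglyph and keyboard-adjacency tables are small constructed subsets, and the resolver check at the end needs network access.

```python
import socket

# Constructed lookup tables (assumptions, not dnstwist's): a few letters that look
# alike in common fonts, and QWERTY neighbours for the keys that appear in "dhl".
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
              "d": ["cl"], "m": ["rn"], "w": ["vv"], "b": ["d"]}
ADJACENT = {"d": "sfcxer", "h": "gjbnyu", "l": "kop", "e": "wrsd"}


def generate_variants(domain):
    """Return {variant_fqdn: technique}; the first technique producing a name wins.
    Assumes a single-label suffix ('dhl.com'); 'co.uk' style suffixes need a public-suffix split."""
    name, tld = domain.lower().rsplit(".", 1)
    found = {}

    def add(technique, candidate):
        fqdn = f"{candidate}.{tld}"
        if candidate and candidate != name and fqdn not in found:
            found[fqdn] = technique

    for i, ch in enumerate(name):
        add("Omission", name[:i] + name[i + 1:])            # dhl -> dl
        add("Repetition", name[:i] + ch + name[i:])         # dhl -> dhll (the diary's case)
        if i + 1 < len(name) and ch != name[i + 1]:
            add("Transposition", name[:i] + name[i + 1] + ch + name[i + 2:])
        if i > 0:
            add("Hyphenation", name[:i] + "-" + name[i:])   # d-hl
            add("Subdomain", name[:i] + "." + name[i:])     # d.hl
        for alt in HOMOGLYPHS.get(ch, ()):
            add("Homoglyph", name[:i] + alt + name[i + 1:])  # dh1, clhl
        for bit in range(7):  # bitsquatting: one flipped bit in the ASCII code
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            if flipped.isascii() and flipped.isalnum():
                add("Bitsquatting", name[:i] + flipped + name[i + 1:])
        for key in ADJACENT.get(ch, ""):
            add("Replacement", name[:i] + key + name[i + 1:])
            add("Insertion", name[:i] + key + name[i:])
            add("Insertion", name[:i] + ch + key + name[i + 1:])
    add("Various", "www" + name)
    return found


def registered_variants(domain):
    """Resolve every variant (network needed); live names are the ones to register or watch for."""
    live = {}
    for fqdn, technique in generate_variants(domain).items():
        try:
            live[fqdn] = (technique, socket.gethostbyname(fqdn))
        except socket.gaierror:
            pass
    return live
```

The bit-flip loop reproduces the Bitsquatting rows of the dnstwist output (ehl, fhl, lhl, thl, dil, djl, dll, dxl, dhm, dhn, dhh, dhd) from the ASCII codes alone.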

[1] https://www.virustotal.com/en/file/f438ba968d6f086183f3ca86c3c1330b4c933d97134cb53996eb41e4eceecf53/analysis/
[2] https://support.google.com/a/answer/33786?hl=en
[3] https://github.com/elceef/dnstwist

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
