SANS ISC: InfoSec Handlers Diary Blog

.COM.COM Used For Malicious Typo Squatting

Published: 2015-08-10
Last Updated: 2015-08-10 18:47:01 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Today, our reader Jeff noted that domains ending in ".com.com" are being redirected to what looks like malicious content. Back in 2013, a blog post by Whitehat Security pointed out that the famous "com.com" domain name was sold by CNET to the known typo squatter dsparking.com [1]. Apparently, dsparking.com paid $1.5 million for this particular domain. Currently, the whois record is behind a privacy-protection service, and DNS for the domain is hosted in Amazon's cloud.

All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon.com.com is directed to the same IP as well, but right now it returns more of a "parked" page rather than the fake anti-malware page served for other hostnames).

The content you receive varies. For example, on my first hit from my Mac to facebook.com.com, I received the following page:

And of course the fake scan it runs claims that I have a virus :)

As a "solution", I was offered the well-known scam app "Mackeeper".

It is probably best to block DNS lookups for any .com.com domain. The IP address is likely going to change soon, but I don't think there is any valid content at any ".com.com" hostname.
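Blocking at the resolver is the fix; spotting which internal clients already stumbled onto these names is the detection side. The following is an added example, not code from the diary: it scans BIND-style query-log lines (constructed sample data, hypothetical client addresses) for any lookup of com.com itself or anything beneath it, normalising case and the trailing dot so "COM.COM." still matches while "telecom.com" does not. The suffix list is a parameter so the same check can be reused for other doubled-TLD squats.

```python
import re
from typing import Iterable, List, Tuple

# Constructed BIND query-log lines; addresses and timestamps are made up.
SAMPLE_LOG = """\
10-Aug-2015 18:40:01.101 client 192.0.2.10#53211: query: facebook.com.com IN A + (192.0.2.1)
10-Aug-2015 18:40:02.202 client 192.0.2.11#40122: query: www.amazon.com IN A + (192.0.2.1)
10-Aug-2015 18:40:03.303 client 192.0.2.12#51000: query: mail.google.com.com. IN MX + (192.0.2.1)
10-Aug-2015 18:40:04.404 client 192.0.2.13#49999: query: COM.COM IN A + (192.0.2.1)
10-Aug-2015 18:40:05.505 client 192.0.2.14#42000: query: telecom.com IN A + (192.0.2.1)
"""

# Matches the "client <ip>#<port>: query: <name> IN <type>" part of a BIND query log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def is_suspicious(qname: str, suffixes: Tuple[str, ...] = ("com.com",)) -> bool:
    """True if the name is one of the squatted apexes or a label beneath one.

    Requiring a leading '.' before the suffix keeps 'telecom.com' from matching.
    """
    name = normalize(qname)
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_suspicious_queries(
    lines: Iterable[str], suffixes: Tuple[str, ...] = ("com.com",)
) -> List[Tuple[str, str, str]]:
    """Return (client, qname, qtype) for each log line that queried a suspicious name."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:  # not a query line (e.g. startup messages); skip it
            continue
        if is_suspicious(m["qname"], suffixes):
            hits.append((m["client"], normalize(m["qname"]), m["qtype"]))
    return hits


if __name__ == "__main__":
    for client, qname, qtype in find_suspicious_queries(SAMPLE_LOG.splitlines()):
        print(f"{client} looked up {qname} ({qtype})")
```

Against the sample log this flags the three .com.com lookups (including the MX query, which matters given the mail concern the Whitehat article raises) and leaves the legitimate amazon.com and telecom.com queries alone.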

The Whitehat article also speaks to the danger of e-mail going to these systems. An MX record is configured, but the mail server didn't accept any connections from me (maybe it is overloaded?).

Amazon EC2 abuse was notified.

[1] https://blog.whitehatsec.com/why-com-com-should-scare-you/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
