.COM.COM Used For Malicious Typo Squatting

Today, our reader Jeff noted how domains ending in "" are being redirected to what looks like malicious content. Back in 2013, a blog post by Whitehat Security pointed out that the famous "" domain name had been sold by CNET to a known typo squatter [1]. Apparently, paid $1.5 million for this particular domain. Currently, the whois information is behind a privacy-protection service, and DNS for the domain is hosted in Amazon's cloud.

All hostnames appear to resolve to , which is also hosted by Amazon ( is also directed to the same IP, but right now it returns more of a "parked" page rather than the fake anti-malware page the other hostnames serve).

The content you receive varies. For example, on my first hit from my Mac to , I received the following page:

And of course the fake scan it runs claims that I have a virus :)

As a "solution", I was offered the well-known scam app "Mackeeper".

It is probably best to block DNS lookups for any of these domains. The IP address is likely going to change soon, but I don't think there is any valid content at any "" host name.

The Whitehat article also discusses the danger of e-mail going to these systems. An MX record is configured, but the mail server didn't accept any connections from me (maybe it is overloaded?).

Amazon's EC2 abuse contact has been notified.


Johannes B. Ullrich, Ph.D.



4507 Posts
ISC Handler
Aug 10th 2015
One way to mitigate this problem on a per-user basis might be to disable the "helpful" feature most browsers have built-in of automatically adding .com to any domain name entered by the user which doesn't resolve as typed. I don't know if any of the Big Four are clever enough to recognize an existing .com TLD (this is one of the first misfeatures I turn off in a new browser install), but if they aren't, they would become part of the problem here.

I understand why the browser makers do this, but it's about as good an idea as Site Finder was. (Remember Site Finder, back in 2003? It's how Network Solutions got themselves on my permanent shit-list.)

A second way, though useful only for someone running their own DNS server or caching resolver, would be to declare that it's authoritative for, and respond to any such internally-originating queries either with localhost or some convenient dead-end system -- or even a monitored honeypot, if you have one handy.

13 Posts
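The diary's advice to block lookups for these domains and the comment above about answering them locally with a dead-end address come down to the same check: does a queried name fall under the squatted zone on a label boundary? The following is an added example, not code from the diary or any commenter; the zone `com.com` is taken from the diary title, the query-log lines are constructed in BIND's query-log style, and the `upstream` callback stands in for whatever the real resolver would do.

```python
"""Sinkhole check for a typo-squat zone such as com.com (added example)."""
import re

# Zone(s) the resolver refuses to forward; com.com comes from the diary title.
SINKHOLE_ZONES = ("com.com",)
SINKHOLE_ANSWER = "127.0.0.1"  # dead-end answer, as the comment suggests


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'WWW.Example.COM.COM.' matches."""
    return name.strip().lower().rstrip(".")


def sinkhole_zone(name: str, zones=SINKHOLE_ZONES):
    """Return the sinkholed zone covering `name`, or None.

    Matching is on label boundaries: 'example.com' and 'notcom.com' are NOT
    covered by 'com.com', while 'com.com' itself and 'www.example.com.com' are.
    """
    host = normalize(name)
    for zone in zones:
        z = normalize(zone)
        if host == z or host.endswith("." + z):
            return z
    return None


def resolve(name: str, upstream):
    """Answer as a sinkholing resolver would: local dead end or the upstream result."""
    if sinkhole_zone(name):
        return SINKHOLE_ANSWER
    return upstream(name)


# BIND-style query-log line: "... query: <qname> IN <qtype> ..."
LOG_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def sinkholed_queries(log_lines):
    """Return (qname, qtype) for every logged query that hits a sinkholed zone."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and sinkhole_zone(m.group("qname")):
            hits.append((m.group("qname"), m.group("qtype")))
    return hits


# Constructed sample log (not from the diary): one benign .com, one typo, one MX probe.
SAMPLE_LOG = [
    "client 192.0.2.10#5353: query: www.example.com IN A + (192.0.2.1)",
    "client 192.0.2.11#5353: query: www.example.com.com IN A + (192.0.2.1)",
    "client 192.0.2.12#5353: query: com.com IN MX + (192.0.2.1)",
]
```

Running `sinkholed_queries(SAMPLE_LOG)` flags only the two `com.com` names, which is the same decision a local authoritative zone or an RPZ-style rule would make for those queries.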
Does anyone know how to disable this feature in Internet Explorer 10 and 11?
1 Posts
I too would be interested in an answer to anon's question, as well as how to control this behavior in Chrome, Safari, Opera, and (if possible, which I doubt) the mobile browsers.

I should note that this setting is deliberately hidden in Firefox, so you need to use about:config to change it. Look for the string "fixup", and change the boolean setting that enables this behavior to "false".

13 Posts
IIRC, Internet Explorer and Chrome (at least) no longer use the autocomplete method to try and expand the server name of a URL.

For IE, the option has been obsolete since IE7 ( ).
Ian B

6 Posts
