Cyber Squatting Playbook

Cyber/Typo-squatting Playbook


Introduction

The Internet is made mainly of names and numbers, in the form of URLs and IP addresses; when a user connects to a website, the DNS (Domain Name System) translates the human-friendly domain name into the website’s IP address. Businesses and social activities are strictly tied to these identifiers, and so are cyber criminals. While the early concern was phishing (URL hijacking, fake URLs, incorrect URL addresses, etc.) aimed at collecting credentials via email, nowadays there is also the problem of social websites, such as Facebook and Twitter, where criminals register the names of a company or of its executives, such as the CEO or directors. This introduces the problem of brand abuse, where so-called cybersquatting (also known as domain-name squatting) is extended to a company’s or a person’s identity.

Cybersquatting refers to the registration of internet names by criminals in order to profit from them. Cybersquatters register variants of popular trademarked names, a practice known as typosquatting or URL hijacking, which relies on mistakes such as typos made by users when typing a URL into a web browser in order to lead them to a fake website owned by the criminals. For example, when a user mistypes a domain name, such as compant.com instead of company.com, or is redirected to a domain name similar to the intended one, they end up at the typosquatting site instead of getting a “not found” message. Something similar happens when a phishing email shows a link that appears to be the intended one but is not; the more closely a URL resembles the actual domain, the more effective the attack. Cybersquatting is a primary vehicle for phishing attacks: the fake domain name is typically registered to display advertisements, deliver malware, capture email, or trade on a company’s brand reputation.

Today’s SOC/IRT, as a component of the security defence program, should run an effective domain risk evaluation, which can be considered a good way to extend the anti-phishing program. Since these threats are linked to Brand Protection and Intellectual Property Rights, the support of a legal consultant within the team is highly recommended so that legal action can be taken. An effective security program can include continuous domain name monitoring in order to purchase domain names, shut down fake websites, etc.

Cyber/Typo-squatting Hunting

Proactively check whether a cyber criminal has registered squatting domains based on your constituency’s domain name. There are mainly three ways to get this done:

  1. Manual check, querying whois and similar services; typically useful for a few domain names;
  2. Online tool, designed to check a batch of domain names;
  3. Offline tool, designed to check many domain names on a regular basis, with scripting capabilities.

Cyber/Typo-Squatting Playbook

ID

XXXXXX

Title

Hunting for cyber/typo-squatting registered domains

Date

03-02-2017

Owner

Demisto

Objective Statement

This playbook provides practical instructions for handling cyber/typo-squatting registered domains. The primary goal is to find malicious or illegal domain names and take them offline. This playbook will enable security analysts to detect malicious domain activities targeting the domain name to protect, by searching for domains registered in different TLDs, domains imitating the domain name or the business identity, and domains with typos in the body, owned by a third party. The goal is to prevent or stop malicious activities such as cybersquatting or typosquatting. Basically, the first reaction is to try to shut down the domain with the help of the ISP, the domain Registrar, the national CERT and even law enforcement, until the right channel is reached and the threat is mitigated.

Scope and Applicability

CERT/SOC incident analysts. This playbook should be run at least once a week.

Tools

Squatting detection relies mainly on DNS analysis tools; while you can develop your own, some are available for free. One is available online and is named “Malicious Domain Discovery Service”, at https://www.htbridge.com/radar/. A command line tool, URLCrazy (https://www.morningstarsecurity.com/research/urlcrazy), is included in the Kali Linux distribution. “MSR Strider URL Tracer” is a Windows tool developed by Microsoft (http://research.microsoft.com/URLTracer).

Methodologies, Procedures and Tools

The detection of a squatting threat, necessary to set the initial incident context, can come from a report by a user or by an entity gathering intelligence from the Internet, or it can be done by means of a domain name hunting service. Before jumping to the Investigation and Response steps, let’s have a look at how to hunt for cyber/typo-squatting domain names. Note that hunting for squatting domains can surface phishing domain names, so a link to the phishing playbook should be considered.

Hunting for squatting domains

The detection of potentially malicious domain names can be done by means of remote services or local tools.

  1. Remote tool => Query an online service to find cybersquatted, typosquatted and phishing websites that may spoof your domain, corporate brand or digital identity. One such tool is provided as a free service by HTBridge (Malicious Domain Discovery Service).
    1. Go to the Domain Security Radar page at https://www.htbridge.com/radar/
    2. Enter a domain name into the text box (for privacy reasons, you had better tick the check box “Do not use search results in statistics”) and press Enter.
    3. Wait for the Domain Security Analysis, then review the sections. At the time of this writing, there are three test results: Potential Cybersquatting, Potential Typosquatting and Phishing.
    4. You may get a list of discovered websites that could be used for cybersquatting and typosquatting against the tested domain name or brand.
    5. Get all the details (Domain, IP address, Domain Registrar, Created).
    6. Validate the findings (see Investigation Steps section).
  2. Local tool => Run the local tool “URLCrazy” to generate and test domain typos and variations, in order to detect typosquatting, URL hijacking, phishing and corporate espionage:
    1. Open a shell and type urlcrazy -h to check that the tool works properly.
    2. Enter a domain name, e.g. urlcrazy domain-name.tld, and press Enter.
    3. Wait for the URLCrazy Domain Report output. Several hostnames will be processed.
    4. You may get a list of discovered websites that could be used for cybersquatting and typosquatting against the tested domain name or brand.
    5. Get all the details (Typo, DNS-A, DNS-MX, Extn).
    6. Validate the findings (see Investigation Steps section).
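The generation step that URLCrazy performs can be reproduced in a few lines, which is useful when the hunt has to run on a schedule from a script. The following is an added example written for this playbook, not code from Demisto, HTBridge or URLCrazy: it produces the usual typo classes (character omission, transposition, adjacent-key replacement and insertion, doubled characters, ASCII homoglyphs, missing dot after www, inserted hyphen, alternative TLDs) for one domain and then resolves each candidate through caller-supplied A and MX lookup functions, flagging any registered candidate that has an MX record, since that is the case where misdirected email can be captured. The resolver answers in the demo are constructed samples so the script runs offline; for a live hunt, pass the stdlib-based A lookup provided (network required) and an MX lookup built with dnspython.

```python
"""Typosquat candidate generation and resolution check (added example, not URLCrazy code)."""
import socket

# Neighbouring keys on a US QWERTY layout, used for "fat finger" substitutions and insertions.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Look-alike replacements that are still valid in ASCII hostnames.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}

# TLDs under which the same label is also worth checking.
EXTRA_TLDS = ("com", "net", "org", "co", "info", "biz")


def split_domain(domain):
    """'company.com' -> ('company', 'com'); only the registrable label is mutated."""
    label, _, tld = domain.strip().lower().rpartition(".")
    if not label or not tld:
        raise ValueError("expected label.tld, got %r" % domain)
    return label, tld


def generate_typos(domain):
    """Return the set of candidate squatting names for one domain."""
    label, tld = split_domain(domain)
    variants = set()
    for i in range(len(label)):                      # omission: compny
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: comapny
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + nb + label[i + 1:])   # replacement: compant
            variants.add(label[:i] + nb + label[i:])       # insertion: comopany
        variants.add(label[:i] + ch + label[i:])           # doubled character: commpany
        if ch in HOMOGLYPHS:                               # homoglyph: c0mpany
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    variants.add("www" + label)                            # missing dot: wwwcompany
    for i in range(1, len(label)):                         # inserted hyphen: com-pany
        variants.add(label[:i] + "-" + label[i:])
    names = {v + "." + tld for v in variants if v and v != label}
    names |= {label + "." + t for t in EXTRA_TLDS if t != tld}
    return names


def hunt(domain, resolve_a, resolve_mx):
    """Resolve every candidate; registered ones come back with A, MX and an email-capture flag.
    resolve_a / resolve_mx are callables name -> list so the lookups can be swapped or stubbed."""
    findings = {}
    for name in sorted(generate_typos(domain)):
        a_records = resolve_a(name)
        if not a_records:
            continue
        mx_records = resolve_mx(name)
        findings[name] = {"a": a_records, "mx": mx_records, "email_risk": bool(mx_records)}
    return findings


def live_a(name):
    """Real A lookup with the standard library (needs network); MX lookups need dnspython."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample answers standing in for live DNS; these are not real records.
SAMPLE_A = {"compant.com": ["203.0.113.10"], "company.co": ["198.51.100.7"]}
SAMPLE_MX = {"company.co": ["10 mail.company.co."]}


def demo():
    """Hunt for squats of company.com against the constructed sample resolver."""
    return hunt("company.com",
                lambda n: SAMPLE_A.get(n, []),
                lambda n: SAMPLE_MX.get(n, []))


if __name__ == "__main__":
    for name, record in demo().items():
        print(name, record)
```

For a scheduled run, replace the two lambdas with real resolvers and feed each registered finding into the Investigation Steps below; a candidate with an MX record deserves the higher initial severity because it can already be receiving mistyped email.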

Engage

Let’s assume that the hunting team or a user has reported a potentially malicious domain name; run the following steps.

Set initial incident context

Note the details of the domain name under analysis (eg. domain name: demisto.org, IP: 72.52.4.119, domain registrar: GoDaddy.com, LLC, created: 10.02.2017).

Initial triage

Make sure that there is relevant information in the incident.

Assign and involve appropriate personnel

Invite the relevant users for investigation: expert security analysts and, if needed, legal experts.

Investigate the squatting domain

Check whois data

Type the potential squatting domain name into the Dbot tool, e.g.:

!whois query=demisto.org to find whether the domain is registered and has an:

  • A record (Address record; an A record maps a domain name to the IP address of the system hosting the domain).

!whoismx query=demisto.org to find whether it has an:

  • MX record (Mail eXchanger record; an MX record specifies a mail server responsible for accepting email messages on behalf of a recipient’s domain). A squatting domain with an MX record can capture email that users mistakenly address to it.

If there is no whois record, the domain is not registered and no further action is required (confirm with a DNS lookup, since a whois query can also fail for reasons unrelated to registration). If the domain exists, verify whether it is a squatting domain or a legitimate registration not intended for fraud. This requires some analysis by a security analyst. For instance, quite often the domain name under review turns out to be a parked domain that serves ads; also consider that domain name X being somewhat close to domain name Y does not necessarily mean that X is an intentional squat of Y. The next step is to classify the domain name as a false positive if your company owns it or if it is a legitimate domain owned by a non-malicious entity. For instance, suppose demisto.org is registered by a competitor: it could catch visitors of the demisto.com domain and take advantage of them, including receiving emails mistakenly sent to the mail exchange of demisto.org. This could lead to an incident requiring the shutdown of the domain in case of infringement. So, at the end of the analysis, if the reported domain name is indeed a squatting domain name, mark it as a threat and move to the next steps.

Is this a real squatting domain name?

CASE NO

Close the investigation as a false positive and reply to the reporting entity that it is not a threat.

  • DN owned by the constituency: it’s a legitimate domain, no action is required;
  • DN owned by a third party: it’s a legitimate domain, no action is required;

CASE YES

The DN, owned by a third party, is a squatting domain: action is required.

Assess severity

Based on the information collected, change the severity if needed.

Assign and involve appropriate personnel.

Invite the relevant people for investigation, including a legal expert if needed.

Assign the type of DN

  • it’s a malicious domain used for phishing or malware delivery;
    • run the phishing playbook;
  • it’s a trademark or copyright infringement (brand abuse);
  • it’s an advertisement domain (clickbait);

Response Section

Contact the domain name Registrar and Registrant

Send all details to the Registrar and the Registrant. Find out whether there is a reasonable explanation for the use of the DN, or whether the registration is intended only to sell the DN. Evaluate with the Registrar whether the malicious domain name can be removed and the registry updated accordingly. Depending on legal requirements or company procedure, you may need to involve the legal department, PR department, upper management and/or other personnel in case of trademark infringement or similar fraud.

In case of phishing, clickbait:

Notify IT to update PROXY filters

Give IT the domain name so that they can add a PROXY filter that blocks it and prevents future attacks.

Blackholing the squatting domain on DNS

Work with IT to black-hole the squatting domain on the internal resolvers. The page’s approach is to have the DNS resolve it to 127.0.0.1; note that this sends client traffic to the client’s own loopback interface, so where the resolver supports it, returning NXDOMAIN (for example through a response policy zone) is the cleaner option. Either way, block the domain and all of its subdomains, not just the bare name.
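As an added example for the two IT hand-offs above (not part of the original playbook and not Demisto code), the following script turns a list of confirmed squatting domains into the three artefacts IT typically needs: a BIND response policy zone that answers NXDOMAIN for each domain and its subdomains (the "CNAME ." action), the equivalent Unbound local-zone statements, and a Squid dstdomain ACL file. It validates each name first so that a typo in the list cannot poison the zone. The origin name rpz.example, the serial and the sample domain list are assumptions for the demo.

```python
"""Blocklist generation for confirmed squatting domains (added example, not Demisto code)."""
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(domains):
    """Lower-case, strip trailing dots and duplicates, and reject anything that is not a
    syntactically valid domain so a bad entry cannot break the zone file."""
    clean = set()
    for name in domains:
        name = name.strip().lower().rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
            raise ValueError("not a valid domain name: %r" % name)
        clean.add(name)
    return sorted(clean)


def rpz_zone(domains, origin="rpz.example", serial=2017020301):
    """BIND response policy zone: 'CNAME .' makes the resolver answer NXDOMAIN for the
    name itself and, via the wildcard record, for every subdomain."""
    lines = [
        "$TTL 300",
        "@ IN SOA %s. hostmaster.%s. %d 3600 600 86400 300" % (origin, origin, serial),
        "@ IN NS localhost.",
    ]
    for name in normalise(domains):
        lines.append("%s CNAME ." % name)
        lines.append("*.%s CNAME ." % name)
    return "\n".join(lines) + "\n"


def unbound_config(domains):
    """Equivalent Unbound statements; always_nxdomain covers the zone and its subdomains."""
    return "".join('local-zone: "%s." always_nxdomain\n' % n for n in normalise(domains))


def squid_dstdomain_acl(domains):
    """Squid dstdomain ACL file; a leading dot matches the domain and all its subdomains."""
    return "".join("." + n + "\n" for n in normalise(domains))


if __name__ == "__main__":
    # Constructed list of domains already confirmed as squatting (example names, not real findings).
    confirmed = ["compant.com", "Company.co.", "wwwcompany.com", "compant.com"]
    print(rpz_zone(confirmed))
    print(unbound_config(confirmed))
    print(squid_dstdomain_acl(confirmed))
```

Load the zone on the resolver as a response-policy zone and reference the ACL file from squid.conf with an acl of type dstdomain followed by a deny rule; keep the confirmed list in version control so that every addition is traceable to a closed incident.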

Consider following the Phishing Playbook

Final steps

Issue report to CISO by email