DetectingSpearPhishingAttacks
0 likes926 views
This document discusses typosquatting, which involves registering misspelled domain names to mimic legitimate domains. Typosquatters aim to trick users into visiting malicious sites for financial or malware delivery purposes. Various typosquatting techniques are described, along with real world examples. Available tools for detecting typosquatting like UrlCrazy and dnstwist are outlined. The document also presents CrazyParser, a tool developed by the author that improves on earlier tools. Methods for preventing typosquatting like blocking domains and monitoring DNS queries are recommended.
DetectingSpearPhishingAttacks
- 1. Detecting and Preventing Spear Phishing Attacks Using DNS Mike Saunders - @hardwaterhacker mike@hardwatersecurity.com
- 2. About Mike Pen tester with a defender background (purple team!) 17 years in IT 9 years security
- 3. The Problem: Typosquatting What is it? Intentionally misspelled domain names intended to imitate legitimate domain names Why is it bad?
- 4. The Problem Why is it bad? Often dif鍖cult to easily spot Users may be duped into visiting a malicious site
- 5. Motivations Financial Advertising revenue on parked domains Drive traf鍖c to a competitors site Malware delivery Harvest email from misspelled domains Phishing attacks
- 6. Types of Typosquatting Repeated characters www.google.com www.gooogle.com Omitted character www.amazon.com www.amzon.com Charater swap www.defcon.org www.decfon.org Character insertion www.derbycon.com www.derbycin.com Missing dots www.microsoft.com wwwmicrosoft.com Singular/plural www.apple.com www.apples.com Vowel swapping www.fedex.com www.fadax.com
- 7. Types of Typosquatting Homophones www.route.com www.root.com Homoglyphs www.derbycon.com www.derbyc0n.com Wrong TLD www.whitehouse.gov www.whitehouse.com Misspelling www.arcticcat.com www.articat.com Different country code www.evilcorp.com www.evilcorp.cm Bit 鍖ipping www.facebook.com www.fccebook.com
- 12. Real-World Examples Anthem BCBS wellpoint.com targeted using we11point.com Premera BCBS premera.com targeted using prennera.com
- 13. More Real-World Examples care鍖rst.com targeted with l and 1 for i.
- 15. Available Tools UrlCrazy Andrew Horton - @urbanadventur3r http://www.morningstarsecurity.com/research/urlcrazy dnstwist Marcin Ulikowski - @elceef https://github.com/elceef/dnstwist
- 16. A Better Way crazyparser https://github.com/hardwaterhacker/crazyparser Detect changes between iterations Uses both urlcrazy and dnstwist output
- 17. Demo Time Con鍖guration 鍖les Command line options Output
- 18. Preventative Measures Block in web proxy Blackhole DNS Increase monitoring Proxy logs email containing links to these domains Client DNS queries
- 19. + and - Will 鍖nd some variations, like we11point.com prennera.com not originally detected - dnstwist supported - 9/16 care鍖rst.com detected, caref1st.com wasnt originally. dnstwist support added 9/16
- 20. + and - Will not detect things like service-paypal.com Does not protect external users / customers Unless you pursue domain seizure under WIPO UDRP or US Anticybersquatting Consumer Protection Act https://www.icann.org/en/system/鍖les/鍖les/guidance- domain-seizures-07mar12-en.pdf