Internet scammers move pretty fast. If you don’t stop and look around once in a while, you could miss it. Just as Ferris Bueller always had another trick up his sleeve to dupe Principle Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domains permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or for corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans. The question isn’t what are we going to do about it. The question is what aren’t we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real-time, the blue team doesn’t have to trust domain permutations any further than they can throw them. In this talk, we will demonstrate red team and blue team techniques. For Buellers, demonstrations include ways to leverage domain permutations in adversary simulations. For Rooneys, we will detail how to better prepare, identify, contain, and eradicate threats that utilize domain permutations. If you’re not leveraging our recommended technical controls to defeat attackers, you risk fishing for your wallet in a yard full of rage-fueled Rottweilers. (This was originally presented on March 3, 2019 at BSides San Francisco.)

1. Twist & Shout: Ferris Buellers
Guide to Abuse Domain
Permutations
Rob Ragan & Kelly Albrink
BSidesSF 2019

2. What is this talk about?
• Types of abuse with domain
permutations
• Why domain abuse
happens
• Monitoring & Defense
techniques
DESIGN IDEA:
Use the background image below.
fill agenda items in bullet points.

3. Which companies are most often targeted?
• And what percentage of their domain permutations do they own?
DESIGN IDEA:
Make graphic based on data in
spreadsheet
To-do

4. 4

5. TLD Abuse

6. 6

7. Types of Abuse Domain Permutations
• Typo squatting
• Homoglyphs
• Bit squatting
• Top Level Domain (TLD) variations
• Subdomain Permutations

9. Typosquatting
• Definition: registering a
version of the targeted
domain that is likely to be
mistyped
• AKA URL Hijacking
• Example: facebpok.com

10. Typosquatting
• Definition: registering a
version of the targeted
domain that is likely to be
mistyped
• AKA URL Hijacking
• Example: facebpok.com

11. Homoglyphs
Definition: characters that appear the same or similar to other
characters
• Examples:
• http://facẹboọk.com/login.html

12. MACHINE ATTACK
Not likely to be mistyped
Not meant to target human error
Memory or storage failure

13. MACHINE ATTACK
Not likely to be mistyped
Not meant to target human error
Memory or storage failure
INTERCEPT SENSITIVE TRAFFIC
Free SSL certificates make it easier for an
attacker to receive sensitive data intended
for the original domain
https://github.com/bishopfox/cervus

14. 14

15. 15

16. https://kushaldas.in/posts/tracking-my-phone-s-silent-connections.html

17. TLD variations
Definition: registering a domain with the same domain name as a
targeted site, but with a different top level domain (TLD)
Examples:
• amazon.it
• amazon.us
• goo.gl
• quickencustomersupport.us
• www.amazon.co.jp.amazono-jp.ga

18. Subdomain permutations
• Definition: appending a target
company name as a
subdomain to an attack
domain
• Examples:
• *.ealthcare.com
• facebook.verification.info
• secure.runescape.com-try.top

19. Transition Slide

20. Phishing
• Facebook homoglyph
• http://facẹboọk.com/login.html

21. Malware
• Old way: Fake adobe
acrobat
• New way: malicious
chrome extensions

22. Fraud
• wallets-trezor.org
emulates trezor.io to try
to steal cryptocurrency
wallet seeds

23. TLD Abuse

24. I-cloud account example

25. Funny examples
• You typed the address wrong idiots.

26. Monitoring & Defenses

27. Part 1: Monitoring

28. Generating comprehensive lists of possible
domains
• dnstwist by
Marcin Ulikowski
(elceef)
• Takes a domain
name as a seed
and generates
permutations

29. 29

30. Perceptual analysis
• If there is open service on web port:
• Screenshot
• Fuzzyhashing
• Compare to target/original

35. Splunk
• Enterprise Security
Content Update
(ESCU)

36. Part 2: Defenses

37. Sink Holing domains
Goal: redirect users from blacklisted domains to a warning page/log
server
• Via internal DNS Servers
• Response Policy Zones (RPZ) rules
• Script changes to /etc/hosts file of users
• Jason Fossen released a Windows Sinkhole DNS powershell script as part of
SANS SEC505 class (Update-HostsFile.ps1 and Sinkhole-DNS.ps1 )

38. 38
Response Policy Zones (RPZ)
Override global DNS to provide
alternate responses to queries
Goal
Protect users by blocking all
domain permutations from being
reached
Block known malicious domains
https://github.com/Homas/ioc2rpz
PREVENT USERS FROM VISITING MALICIOUS CONTENT
SINKHOLE DOMAINS

39. 39

40. 40
Chrome Warnings
Based domain permutations of sites
with a high PageRank
Prompt user to confirm
Goal
Deter attacks by interpreting likely
malicious domain requests and
prompting user to confirm
WARNINGS FOR LOOKALIKE URLS
UPCOMING BROWSER PROTECTIONS
https://chromium.googlesource.com/chromium/src/+/master/
docs/security/url_display_guidelines/url_display_guidelines.md

41. 41
Chrome Warnings
Approximately 100 per minute
Tag for further review
Goal
Find Content to Attack
Sensitive Information
WARNINGS FOR LOOKALIKE URLS
UPCOMING BROWSER PROTECTIONS
https://chromium.googlesource.com/chromium/src/+/master/
docs/security/url_display_guidelines/url_display_guidelines.md

42. Part 3 : Fighting Back

43. Fighting Back 1
• Scammers are lazy and will often link to images hosted on your own
servers
• Replace stolen images with warnings

44. Fighting back 2 - Call in the lawyers
ICANN arbitration via Uniform Domain Name Dispute Resolution Policy
(UDRP)
• fee: $1,300 for the first domain name
• if complaint filer wins, domain is transferred to them
• Typical time frame: 50-60 day
Anticybersquatting Consumer Protection Act (ACPA)
• penalties $100,000 per domain

45. The big picture Something from this scene.

46. Questions?

47. Thank you.