My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024

Typosquatting: Awareness and Hunting

Published: 2017-05-20. Last Updated: 2017-05-20 06:01:52 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

Typosquatting has been used for years to lure victims… You receive an email or visit a URL with a domain name which looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting some letters to make a domain look like the official one. The problem is that the human brain automatically corrects what you see, and you think that you are visiting the right site. The oldest example of typosquatting that I remember seeing was “mircosoft.com”. Be honest, the first time, you read "microsoft.com", right? This domain was registered in 1997 but it has been back in Microsoft's hands for a while. The longer your domain name, the more combinations of letters are available to generate fake domains. Sometimes it's difficult to detect rogue domains due to the font used to display them: an “l” looks like a “1” or a “0” looks like an “O”.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials: there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let’s put the malware aside and focus on the domain name that was used: dhll.com (with a double “L”).

A quick check reveals that this domain is fortunately owned by DHL (not “DHL Express” but “Deutsche Post DHL”, which owns the courier company):

Domain Name: dhll.com
Registry Domain ID: 123181256_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2016-09-23T04:00:10-0700
Creation Date: 2004-06-22T00:00:00-0700
Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Deutsche Post AG
Registrant Organization: Deutsche Post AG
Registrant Street: Charles-de-Gaulle-Strasse 20
Registrant City: Bonn
Registrant State/Province: -
Registrant Postal Code: 53113
Registrant Country: DE
Registrant Phone: +49.22818296701
Registrant Phone Ext:
Registrant Fax: +49.22818296798
Registrant Fax Ext:
Registrant Email: domains@deutschepost.de
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Deutsche Post AG
Admin Street: Charles-de-Gaulle-Strasse 20
Admin City: Bon
Admin State/Province: -
Admin Postal Code: 53113
Admin Country: DE
Admin Phone: +49.22818296701
Admin Phone Ext:
Admin Fax: +49.22818296798
Admin Fax Ext:
Admin Email: admincontact.domain@deutschepost.de
Registry Tech ID:
Tech Name: Technical Administrator
Tech Organization: DHL
Tech Street: 8701 East Hartford Drive
Tech City: Scottsdale
Tech State/Province: AZ
Tech Postal Code: 85255
Tech Country: US
Tech Phone: +1.4089616666
Tech Phone Ext:
Tech Fax: -
Tech Fax Ext:
Tech Email: netmaster@dhl.com
Name Server: ns4.dhl.com
Name Server: ns6.dhl.com
DNSSEC: unsigned

The zone "dhll.com" is also hosted on the DHL name servers. It is a good thing that DHL registered potentially malicious domains but... if you do this, don’t just park the domain: go further and really use it! The fact that the domain has been registered by the official company does not prevent bad guys from abusing it to send spoofed emails.

First point: neither "dhll.com" nor "www.dhll.com" resolves to an IP address. If you register such domains, create a website, make them point to it and log who’s visiting the “fake” page. You can display an awareness message or just redirect to the official site. This will also prevent your customers from landing on a potentially malicious site and improve their experience with you.

The second point is related to the MX records. No MX records were defined for the "dhll.com" domain. As with the web traffic, build a spam trap to collect all messages that are sent to *@dhll.com. By doing this, you will capture potentially interesting traffic and you will be able to detect if the domain is used in a campaign (ex: you will catch all the “non-delivery receipts” in the spam trap).

Finally, add an SPF[2] record for the domain. This will reduce the amount of spam and phishing campaigns. 
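
The three points above, written as a check over a zone's records. This is an added example, not code from the diary or from DHL: the function name, the tuple format and the "corrected" records (placeholder address and spam-trap host) are assumptions, and it assumes the domain never sends mail, so its SPF policy should be `v=spf1 -all`.

```python
def audit_parked_domain(domain, records):
    """Check a defensively registered domain against the three points above.

    records: (owner_name, type, value) tuples. Returns a list of findings."""
    zone = {}
    for name, rtype, value in records:
        zone.setdefault((name.lower().rstrip("."), rtype.upper()), []).append(value)
    findings = []
    # Point 1: the apex and www should lead to a web server you control and log.
    for host in (domain, "www." + domain):
        if not any(zone.get((host, t)) for t in ("A", "AAAA", "CNAME")):
            findings.append(f"{host}: does not resolve, visitors are neither logged nor redirected")
    # Point 2: an MX record lets a spam trap collect everything sent to *@domain.
    if not zone.get((domain, "MX")):
        findings.append(f"{domain}: no MX record, no spam trap")
    # Point 3: exactly one SPF record; a domain that never sends mail should end in -all.
    txt = [t.strip('"').lower().split() for t in zone.get((domain, "TXT"), [])]
    spf = [terms for terms in txt if terms[:1] == ["v=spf1"]]
    if not spf:
        findings.append(f"{domain}: no SPF record")
    elif len(spf) > 1:
        findings.append(f"{domain}: {len(spf)} SPF records, which receivers treat as an error")
    elif spf[0][-1] != "-all":
        findings.append(f"{domain}: SPF ends in '{spf[0][-1]}' instead of '-all'")
    return findings

# State described in the article: only the NS records from the WHOIS output exist.
AS_DESCRIBED = [("dhll.com", "NS", "ns4.dhl.com"), ("dhll.com", "NS", "ns6.dhl.com")]
# Constructed target state; the address and trap host are placeholders.
CORRECTED = AS_DESCRIBED + [
    ("dhll.com", "A", "192.0.2.10"),
    ("www.dhll.com", "CNAME", "dhll.com."),
    ("dhll.com", "MX", "10 spamtrap.example.net."),
    ("dhll.com", "TXT", '"v=spf1 -all"'),
]

if __name__ == "__main__":
    for finding in audit_parked_domain("dhll.com", AS_DESCRIBED):
        print(finding)
```

In practice the tuples would come from DNS lookups or a zone export for every defensively registered domain.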

To conclude, registering domain names derived from your company's name is the first step, but don't just park them: use them for hunting and awareness!

A quick reminder about the tool dnstwist[3], which is helpful to generate lists of rogue domains (from an offensive as well as a defensive point of view). Here is an example based on dhl.com:

# docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip dhl.com
      _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.01}

Fetching content from: http://dhl.com ... 200 OK (396.3 Kbytes)
Processing 56 domain variants ................ 48 hits (85%)

Original*       dhl.com      199.40.253.33/United States NS:ns4.dhl.com MX:mx1.dhl.iphmx.com SSDEEP:100%
Bitsquatting    ehl.com      45.33.14.247 NS:pdns03.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting    fhl.com      -
Bitsquatting    lhl.com      -
Bitsquatting    thl.com      50.57.5.162/United States NS:dns1.name-services.com MX:us-smtp-inbound-1.mimecast.com
Bitsquatting    dil.com      72.52.4.119/United States NS:ns1.sedoparking.com MX:localhost
Bitsquatting    djl.com      117.18.11.145/Hong Kong NS:ns1.monikerdns.net
Bitsquatting    dll.com      68.178.254.85/United States NS:ns43.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting    dxl.com      69.74.234.98/United States NS:ns59.worldnic.com SPYING-MX:dxl-com.mail.protection.outlook.com
Bitsquatting    dhm.com      192.241.215.84/United States NS:ns19.worldnic.com MX:dhm.com
Bitsquatting    dhn.com      62.129.139.241/Netherlands NS:pdns07.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting    dhh.com      103.241.230.134/India NS:dns1.iidns.com
Bitsquatting    dhd.com      NS:ns-west.cerf.net MX:dhd-com.mail.protection.outlook.com
Homoglyph       bhl.com      206.188.192.219/United States NS:ns79.worldnic.com SPYING-MX:bhl-com.mail.protection.outlook.com
Homoglyph       dhi.com      199.36.188.56/United States NS:ns10.dnsmadeeasy.com
Homoglyph       clhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph       dlhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph       dihl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph       dh1.com      208.91.197.27/Virgin Islands NS:ns43.worldnic.com SPYING-MX:p.webcom.ctmail.com
Hyphenation     d-hl.com     104.24.124.134/United States 2400:cb00:2048:1::6818:7c86 NS:fiona.ns.cloudflare.com MX:mx1.emailowl.com
Hyphenation     dh-l.com     72.52.4.119/United States NS:ns1.sedoparking.com MX:localhost
Insertion       duhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhul.com     82.194.88.4/Spain NS:ns1.dominioabsoluto.com
Insertion       djhl.com     47.89.24.50/Canada NS:f1g1ns1.dnspod.net
Insertion       dhjl.com     -
Insertion       dnhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhnl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dbhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhbl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dghl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dhgl.com     209.61.212.161/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion       dyhl.com     NS:dns17.hichina.com MX:mxbiz1.qq.com
Insertion       dhyl.com     -
Omission        dl.com       104.247.212.218 NS:ns1.gridhost.com SPYING-MX:mail.b-io.co
Omission        dh.com       54.204.28.210/United States NS:a5-67.akam.net SPYING-MX:mx1.dhltd.iphmx.com
Omission        hl.com       107.154.105.117/United States NS:ns57.domaincontrol.com MX:mail0.hl.com
Repetition      ddhl.com     180.149.253.156/Hong Kong NS:ns11.domaincontrol.com SPYING-MX:ddhl-com.mail.protection.outlook.com
Repetition      dhll.com     -
Repetition      dhhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Replacement     rhl.com      107.161.31.165/United States NS:ns1.hungerhost.com MX:mx.spamexperts.com
Replacement     chl.com      216.222.148.100 NS:nameserver.ttec.com MX:smtp2.mx.ttec.com
Replacement     xhl.com      69.172.201.153/United States NS:ns1.uniregistrymarket.link
Replacement     shl.com      69.171.27.23/United States NS:eu-sdns-01.shl.com SPYING-MX:mxa-0016ba01.gslb.pphosted.com
Replacement     dul.com      62.129.139.241/Netherlands NS:pdns01.domaincontrol.com MX:smtp.secureserver.net
Replacement     dnl.com      -
Replacement     dbl.com      198.173.111.6/United States NS:ns53.worldnic.com SPYING-MX:p.webcom.ctmail.com
Replacement     dgl.com      216.107.145.5 NS:ns62.downtownhost.com MX:dgl.com
Replacement     dyl.com      99.198.109.164/United States NS:ns-1768.awsdns-29.co.uk MX:mail.dyl.com
Replacement     dhk.com      98.191.212.87/United States NS:ns1.dhk.com MX:dhk.com.us.emailservice.io
Replacement     dho.com      75.126.101.248/United States NS:ns1bqx.name.com
Replacement     dhp.com      199.4.150.5/United States NS:dhp.com MX:mailhub.dhp.com
Subdomain       d.hl.com     -
Subdomain       dh.l.com     -
Transposition   hdl.com      216.51.232.170/United States NS:ns1.systemdns.com MX:aspmx.l.google.com
Transposition   dlh.com      212.130.57.148/Denmark NS:ns1.ascio.net SPYING-MX:mail.dlh.com
Various         wwwdhl.com   199.41.238.47/United States NS:ns.deutschepost.de
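
For the hunting side, the technique labels in the output above can be applied in reverse: given a sender domain seen in mail logs, decide whether it is one edit away from the protected domain and which kind of edit. This is an added example, not dnstwist's code: `classify`, `hunt`, the small `GLYPHS` table and the log-line format are assumptions, and the log lines are constructed.

```python
import re
# Look-alike substitutions: a small illustrative subset (assumption), not dnstwist's table.
GLYPHS = {"d": ("b", "cl", "dl", "di"), "l": ("1", "i"), "i": ("1", "l"), "o": ("0",)}
SENDER = re.compile(r"from=<[^@>]+@([^>]+)>")

def classify(candidate, brand):
    """Name the single edit that turns `brand` into `candidate`, or return None."""
    c, _, c_tld = candidate.lower().rstrip(".").rpartition(".")
    b, _, b_tld = brand.lower().rstrip(".").rpartition(".")
    if not c or not b or c_tld != b_tld:
        return None
    if c == b:
        return "Original"
    for i, ch in enumerate(b):  # one character swapped for a visual twin
        if any(b[:i] + g + b[i + 1:] == c for g in GLYPHS.get(ch, ())):
            return "Homoglyph"
    if len(c) == len(b) + 1:  # one extra character
        for i, ch in enumerate(c):
            if c[:i] + c[i + 1:] == b:
                if ch in "-.":
                    return "Hyphenation" if ch == "-" else "Subdomain"
                doubled = ch in c[i - 1:i] + c[i + 1:i + 2]
                return "Repetition" if doubled else "Insertion"
    if len(c) == len(b) - 1 and any(b[:i] + b[i + 1:] == c for i in range(len(b))):
        return "Omission"
    if len(c) == len(b):
        if any(b[:i] + b[i + 1] + b[i] + b[i + 2:] == c for i in range(len(b) - 1)):
            return "Transposition"
        diff = [i for i in range(len(b)) if c[i] != b[i]]
        if len(diff) == 1:  # a single flipped bit leaves exactly one bit set in the XOR
            x = ord(c[diff[0]]) ^ ord(b[diff[0]])
            return "Bitsquatting" if x & (x - 1) == 0 else "Replacement"
    return None

def hunt(log_lines, brand):  # look-alike sender domain -> technique
    hits = {}
    for line in log_lines:
        m = SENDER.search(line)
        kind = classify(m.group(1), brand) if m else None
        if kind not in (None, "Original"):
            hits[m.group(1).lower()] = kind
    return hits

# Constructed log lines for illustration; the domains come from the article text.
SAMPLE = [
    "May 19 10:02:11 mx postfix/qmgr[311]: 4F1A: from=<notify@dhll.com>, size=48211",
    "May 19 10:02:14 mx postfix/qmgr[311]: 4F1B: from=<billing@dh1.com>, size=9120",
    "May 19 10:03:40 mx postfix/qmgr[311]: 4F1C: from=<tracking@dhl.com>, size=7733",
]
```

`hunt(SAMPLE, "dhl.com")` flags dhll.com as a repetition and dh1.com as a homoglyph, and ignores the legitimate sender.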

[1] https://www.virustotal.com/en/file/f438ba968d6f086183f3ca86c3c1330b4c933d97134cb53996eb41e4eceecf53/analysis/
[2] https://support.google.com/a/answer/33786?hl=en
[3] https://github.com/elceef/dnstwist

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


Comments

Worth noting that the CLI command in your screenshot doesn't work on the publicly available dnstwist 1.04b docker container. I had to add the name of the python script so this worked for me: "docker run -it --rm dcumbo/dnstwister dnstwist.py --ssdeep --mxcheck --geoip --registered blah.com".

If there was something you did so that you don't have to specify the name of the script in the docker command, please let me know!

I'm not using the same Docker image. The one used on my diary is jrottenberg/dnstwist. The entrypoint is different and allows just to pass arguments.
Good remark, thanks!

Hello Xavier,
Thank you for spotting the dhll.com domain.
We (DHL) indeed got that one re-registered to us (probably as a result of some legal dispute about trademarks) and probably forgot to create the right SPF/DMARC records for that one.
Now the situation should be fixed and from SPF and DMARC it should be clear this domain should not be used for any e-mailing. I hope it will make the internet a better place - a bit.

Michal Ambroz
DHL

Hello Michal,
Good to hear that. Thank you for the feedback!
/x
