Networking

Three ways to prevent data leakage due to typo-squatting

Typo-squatting is more than a way to make a buck. It also enables data leakage. Secretive attackers don't even put up a page corresponding with the squatted-domain. Only an MX record exists to forward e-mails to potentially malicious mail servers.

Typo-squatting isn't new. Criminals, unethical merchandisers, and general malcontents have for years leveraged our inability to consistently type the right letters every time when entering a domain name. The cautious were able—and still are for the most part—to differentiate between a false, squatter page and the real thing. However, criminals are apparently taking their growing penchant for secrecy to a new level, declaring squatter rights on e-mail messages.

In this post, I define typo-squatting in general and how it's being employed for more insidious purposes. I then explore recommendations for dealing with this emerging data leakage threat.

What is "typo-squatting"

According to Microsoft researchers,

Typo-squatting refers to the practice of registering domain names that are typos of their target domains, which usually host websites with significant traffic.

From the business perspective, many of the typo-squatting cases involve "bad-faith" domain registrations or trademark violations. Worse yet, it is not uncommon to see a typo domain displaying ads from competitors of the target-domain owner or even negative ads against the owner.

Source: Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-squatting, Yi-Min Wang, Doug Beck, Jeffrey Wang, Chad Verbowski, and Brad Daniels, Microsoft Research, 2006

It's not difficult to hit the wrong key and not know it until you click Send or press Enter. Most squatter domain names are based on common mistakes related to key proximity. For example, instead of typing adventuresinsecurity.com, my pinky might slip and type z or q instead of a, resulting in zdventuresinsecurity.com or tom.olzak@qdventuresinsecurity.com. (See your keyboard for key placement.) If an outside entity was sending sensitive information in an e-mail body or its attachment, a squatter might now have it. Can you say HIPAA violation? Of course, everyone adheres to regulatory restrictions, like using encrypted e-mail, don't they?

Squatting a domain consists of three steps:

  1. Identify the target domain. The domain selected depends on the squatter's objectives. He or she might want to garner advertising revenue or recruit bots. In these cases, high traffic domains are best. However, squatters seeking to defame or besmirch target the focus of their ire, regardless of traffic potential. This means any organization is a potential victim.
  2. Construct a typo-list. There are many different ways to misspell or incorrectly construct a domain name. Squatters can either spend the night recording all the possibilities, or they can use one of the tools available to quickly construct them. Figure 1 is a clip from web-professor.net. His Typo Squatter tool allegedly shows not only possible names. It also lists whether the name is available, who owns it, and its potential squatting value (based on Overture Score). I tried testing the search capabilities to include in this article, but I repeatedly received an error.
  3. Purchase and setup the domains. The final step is selecting the domain names and setting them up on what are often ethically questionable provider sites. Delivery of ads, malware, or collection of email containing sensitive information is now possible. Figure 2 depicts an overall view of today's typo-squatting environment.

Figure 1: Web Professor Typo Squatter

Figure 1: Web Professor Typo Squatter

 

Figure 2: The Typo-squatting Industry, Microsoft 2006 Figure 2: The Typo-Squatting Industry (Microsoft 2006)

Mounting a typo-squatting defense

The first step in mounting a defense against squatter data theft is understanding the threat. This article is just the beginning. There are many sources of information about typo-squatting on the Internet, including the Microsoft research provided above.

Next, ensure all email from external domains is properly protected. Insist that customers, vendors, employees and anyone else using external email services only send sensitive information via protected channels. One way to ensure this is implementation of a secure mail system. We use Tumbleweed. No client installs necessary, and it allows on-the-fly enrollment.

Finally, assess and mitigate your risk. Tools are available to help identify squatters and their potential threat to your organization. Tools like Web Professor's Typo Squatter (Figure 1) can be turned against squatters, although it is fairly slow and doesn't dig as deep as you might wish. Vera Labs also has a nice online tool. See Figure 3. However, after testing these and other tools, I found Strider URL Tracer with Typo-Patrol to be my preferred squatter detection and analysis tool. (The tool doesn't like IE7, but it works fine with IE8 BETA in IE7 emulation mode.)

Figure 3: VeraLabs Anti-type-squatter Tool Figure 3: Vera Labs Anti-type-squatter Tool

Figure 4 shows URL Tracer's main window. To test the speed and effectiveness of this tool downloaded from Microsoft, I typed in my domain name and clicked on the Generate button. Within seconds, I had a list of 295 variations. To save time, I selected the first 10 and clicked on Scan. Figure 5 shows the results.

Figure 4: Strider URL Tracer with Typo Patrol Figure 4: Strider URL Tracer with Typo Patrol

 

Figure 5: Results from Strider URL Tracer Scan Figure 5: Results from Strider URL Tracer Scan

Only one variation, wdventuresinsecurity.com, was found. And it was found at OpenDNS.com. The findings are highlighted in red because the scan detected cookies. This was interesting, since I use OpenDNS for my home DNS service. Using Sandboxie, I loaded IE7 and attempted to navigate to wdventuresinsecurity.com. The result was an OpenDNS page asking if I actually meant adventuresinsecurity.com. After a few seconds, the page reverted to the normal search/ad page OpenDNS provides when it has no idea where the URL you entered resides. No big threat here, but at least I know the tool works and quickly delivers results.

The scan list generated above can also be used to minimize squatting opportunities. Companies with sufficient funds might consider buying the most probable targets to keep them out of the hands of individuals or organizations over which they have no control.

The final word

Typo-squatting is more than a way for scammers to make a quick buck. It can also lead to data leakage. The more secretive attacker doesn't even put up a page to correspond with the squatted-domain. Only a DNS MX record exists to forward emails to the appropriate, potentially malicious, mail server. Organizations that follow proven practices for protecting their email and good name are reasonably safe. However, those who ignore the growing threat posed by these attacks are facing increasing risks.

About Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

Editor's Picks

Free Newsletters, In your Inbox