
All right, we are in a lightning talk. Please mute your phones if you haven't already. My name is Andy. I have up here our speaker, Travis Knapp-Prasek. He is talking about Sans Serif Rules Everything Around Me, so go for it.

Cool. Good morning everyone, I'm Travis and this is Sans Serif Rules Everything Around Me. It's a journey into deception, phishing, the law, social media, and also the Fortune 1000. So I live in San Francisco, went to City College of San Francisco, wrote this talk about six months ago and got accepted, started working for NCC Group down the street. So here we go.

So social media is a big thing, everyone uses it. We've got some URLs here, and to me they look pretty much like the same thing. Take a closer look: does anyone see a difference between these? Would you say that it's the same? Raise your hand if you think they're the same link. Cool, you read the description of this talk.

So let's talk about style. Sans serif is a style of font. Arial is a sans serif font, Courier is a serif font, and the difference is you can see Courier has little swoops on the end called serifs. Most computer applications use sans-serif fonts, and therein lies the issue. If you walk down Market Street, this is the word "serif" in a sans serif font, just to confuse you a little bit.

So what's the big deal? We've got a fake bank called Luxury One Bank, that is a lowercase L. We've got Iuxury One Bank, that's a capital I. You can use this to do an IDN attack, an internationalized domain name homograph attack. For example, those two links: if we look at the code, you can see that the bottom one is actually an uppercase I. Now Facebook displays links in a mixed case format, upper and lower case, so you can get away with this. The same thing for Twitter, you can do the same thing. Same thing for Gmail, same thing for Apple iMessage, and it goes on and on. Now that you've seen this you're gonna start noticing a lot of services you use have the same issue.

So what can we do with this? Have some fun. So first I looked at the Fortune 500, but I stepped back and said I'll look at the Fortune 1000, and I looked for companies with the letter L in their name. There's 535, just one L, I didn't look for two. And let's see which ones have registered the misspelling. So I alternated that first letter L with an I and WHOIS'd the records to see if anyone had owned them, and there were 447 companies who hadn't registered that misspelled version. So that's a big... that's a lot of fun you could have. And I did it with the letter I as well. It's not as deceptive, but you can still do it with I, diverting that to L. There were 605, and this is just one instance of I, not two. So 472 unregistered versions. And as a bonus there's a showing up there, there's some companies that just haven't registered their domain names as they're listed in the Fortune 1000 at fortune.com. So that's a big attack vector if you want to have even more fun.

So I reached out. I made some proof of concept using the Fortune 25, the most valuable companies in the world. There were seven companies without the registered versions, so I registered five, put up a little educational page saying hey, this isn't what you're looking for. Hit up Google, Twitter, Apple, Facebook, everyone. Apple responded within three days and said yeah, we see that's a problem, but we're not gonna change anything. So Apple responded, but I never really heard their thoughts on this.

So some companies actually have a defensive measure. For instance Facebook, in the URL preview at the bottom of the image for the site, it converts it all to uppercase, which kind of gives the user a chance to notice something is up. When you type in your URL in the browser it converts it all to lowercase, usually. Firefox, Chrome and Edge all do this, which is kind of cool. So that's the problem, that they're displaying things in mixed case.

So I had these domain names for the Fortune 25 and I wasn't doing anything with them. They were just sitting there, you know, I wasn't spamming people with it, I'm not trying to get in trouble. They said hey, this isn't what you're looking for, so they're just sitting there. And I started getting these weird emails from law firms saying hey, your website is violating this company's trademark. And I was like, hmm, okay, this is interesting, let's see where this goes. A law firm hit me up and, you know, tried to make legal threats against me for just owning these domain names and having a little informational page up trying to help people. They call it an unsolicited lesson in Internet security. So I offered the companies the domain name. Most of them were cool with just me taking it down and having it point to nothing. The one law firm, I tried to give it to them, I transferred it, gave them control to let them own the domain name, and I woke up the next morning and it was pointing to a huge spammy-looking page. So I was like oh, they got me, like I got got by someone else. But as it turns out they just set it up wrong. And the funny thing was they wanted to CC me on an email with the company I was trying to reach out to, which was a little suspect. They had patents and whatnot. But it brought up my thought that there's companies that are monitoring for this, but instead of registering the domain name they're just sending out legal threats, and I don't think that's the right way. If you work for a company and you have this problem, just register the name. It'll be a lot easier to deal with and probably a little bit cheaper.

And some things you can do to monitor this is just check the misspellings. There's a script called dnstwist which will run through a bunch of different permutations of your domain name and it'll say hey, this one is registered, this one isn't. You should check it out, there's a screenshot in the next slide. And there was actually a talk last year, I found out about it last week, by Rob Ragan and Kelly Albrink. They took a deep dive into the subject and it's amazing the things they found. Just hop on Google and type IDN homograph attack. So yeah, this is dnstwist on that domain I registered, Luxury One Bank. You can see it's found the Iuxury One Bank and it gives you the IP address. There's some subdomain called a bank com which just takes any input you put in before that and sends it to their IP, which is kind of suspicious, but who knows.

And some untold things I didn't see coming: with my fake websites, in my browser when you're typing your address out, the letter I comes before L, so that fake website gets filled in before the real one. That's kind of an interesting find if you don't clear cache or browser history. And this has been used to get malicious Python libraries into the official repository for Python. What's called jellyfish, and the first L was actually I, and it was stealing SSH keys and people were just installing it. It's the sixth time that's happened against the Python libraries.

And then if you're looking for certificates, I have mixed opinions, but I'm cool with whatever gets people learning about the subject. There's a group called ThugCrowd. They have the Certified Lowercase Security Shitposting Professional certificate, which is here. You can hang it on your wall. At a quick glance it looks like you have really gone the extra mile for your knowledge, and yeah, I recommend checking that out. And that's me. Forgot to change the last slide for the title so it's a little misconfigured, but thank you.

And I got three minutes left if anyone has any questions.

One company was just like oh, that's really cool you found that, if you just take it down we're cool. But no one was like what can we do to prevent this? No one really seemed to care. And the company I work for, this is a really successful phishing attack, like it always works. So, and there are security companies out there that have this issue, which I find interesting, and I reached out to them and they just didn't respond. It's up top. No, I decided to keep this topic just to L and I since it's the one of those... because I know there are some defenses against that, but yeah, that is the other for sure, for sure. Cool, all right, I think that's it, so thank you for coming. No, just legal threats, yeah. Sweet, all right, well have a good rest of the conference, and thank you.