
Ferris Bueller's Guide to Abuse Domain Permutations

BSidesSF 2019 · 27:40 · Published 2019-03
About this talk
Attackers register domain permutations—homoglyphs, subdomains, typo-squats, and TLD variations—to phish, distribute malware, and commit fraud. This talk demonstrates red and blue team techniques: how adversaries leverage domain permutations in attacks, and how defenders can proactively monitor, identify, and block these threats using technical controls and threat feeds.
Original YouTube description
Internet scammers move pretty fast. If you don't stop and look around once in a while, you could miss it. Just as Ferris Bueller always had another trick up his sleeve to dupe Principal Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domain permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or for corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans. The question isn't what are we going to do about it. The question is what aren't we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real-time, the blue team doesn't have to trust domain permutations any further than they can throw them. In this talk, we will demonstrate red team and blue team techniques. For Buellers, demonstrations include ways to leverage domain permutations in adversary simulations. For Rooneys, we will detail how to better prepare, identify, contain, and eradicate threats that utilize domain permutations. If you're not leveraging our recommended technical controls to defeat attackers, you risk fishing for your wallet in a yard full of rage-fueled Rottweilers.
Transcript [en]

Awesome, welcome you guys. So today we're going to be talking about abused domain permutations; this is going to be "Twist and Shout: Ferris Bueller's Guide to Abused Domain Permutations." My name is Rob. I work out of our San Francisco office, as does Kelly. We both get involved in a lot of red teaming, a lot of offensive security, penetration testing and continuous security efforts, but this topic was really inspired by something I started playing with a few years ago: just the concept of what happens whenever you sit and register domains that are perhaps slight variations of common domains or your target domains, and what can you really do with these. Also, the inspiration for this was when I saw that BSidesSF was 80s movie themed; I had to do a Ferris Bueller themed talk, because he was ultimately, I think, the best social engineer. He really fooled everybody.

So the problem really comes from the trust issue that we have, where we're expecting users to know what's going on in a URL bar, to know what a green lock means versus a red lock versus a "not trusted" versus no message at all, or really being aware of how to interpret a URL, knowing the difference between a scheme, a subdomain, a domain, a TLD and then all of the other parts that can happen after that. And by logic we really can't expect people to pay attention to URLs or expect them to really understand them. So this creates an opportunity for attackers, especially opportunistic attackers, to start to attack major brands at a broad scale.

So what brands did we take a look at? Really, we observed that these are some of the major digital brands or some of the major financial brands that experienced the most types of fraud or attack involving domain permutations. A little bit about what we did to research this: we took each of these companies' primary domains, generated all of the possible variations, and then actually did subdomain discovery on those variations, port scanning on those variations for common web ports, and actually captured screenshots of what is available on those services. So this will give you a better idea of what we actually saw. In total we generated 3,457 subdomains that had services on them on those sixteen major brands, and we'll go through some of the more interesting examples of actual attacks we saw on those.

Then we actually wanted to figure out which of those permutations resolved to a name server that was owned by those brands, and the only one that stood out as an outlier was Amazon, as they actually had control of fifty-nine percent of their permutations. I was going to show this going through all of their brands, but it really got to be very dismal. Most of the other tech brands like Netflix or PayPal or Google had around 10%, and then as you got into the financial sector they had even less. I thought that was going to be a more interesting aspect of the research, but they really don't have much control over these permutations currently, which means a lot of them were parking pages, a lot of them would be an opportunity for an attacker to register and then use in subsequent attacks.

So the next slide is going to show you some of the screenshots of the actual abused domains that we were studying, and you can get an idea of the different types of phishing attacks. Some of them are just "put in your credit card number here"; others are going to be more credential theft. RuneScape was actually something that we saw a lot of, and this is just to give you an idea of what we turned up in our research. We grouped these by visual similarity so we could actually see: these are all the ones that are asking you to confirm your Facebook credentials, these are the ones asking for your Google Drive. There was a lot of cloning or slight variations, or just going right after personal information in an attempt to hijack an account. The list goes on and on and on.

We didn't get to some of the specific examples, but we saw a lot of interesting evolutions of malware attacks that maybe existed five or six years ago but today don't, and that was really one of the other things I was super motivated by. Kelly and I wanted to see, oh, people are using Google Docs to actually host on a domain that has reputation and launch their phishing attack from there instead of hosting it on their own domain. So it was really interesting to actually see what these were being used for. We also took a lot of information from phishtank.com, which is a clearinghouse where you can go submit suspected phishing pages and actually classify them, and have other people contribute to this and say these are definitely phishing, let's blacklist them. That's what prompts you getting things in your browser that say "are you sure you want to go to this, it has been flagged as suspicious," and a lot of that ties in with what we saw on these permutations.

So let's get into some of the different types of domain abuse. We have shown you a lot of examples, but there's actually lots of different categories. Up here you can see some of those: there's typosquatting, homoglyphs, bitsquatting, all different kinds of ways that we can permutate and swap around letters in the domain, and then there's top-level domain variations, which is actually another really interesting attack, and we're seeing way more subdomain variations. So let's look at a couple examples of each one of these.

Typosquatting is something that we're all probably familiar with, and we have some examples up here. You can see Facebook, that would be the actual domain, and then below it are going to be similar domains; maybe the key is close on the keyboard. Other techniques are in terms of omissions, skipping a letter, and really the goal here is to target something that you could realistically type into the keyboard on accident. This is targeting the human element. We actually noticed, as we were doing this research, week-over-week changes in what was served up. So this is actually a screenshot from last week where it was a variation of Facebook, but it prompted to say "Amazon gift certificate, you've been selected grand prize winner," and then it would go on to prompt you to enter personal information and credentials. And then this is, as recent as yesterday, the same domain serving up "CBS winner, March 2019." So attackers are actually adapting to make it look relevant, to make it not constantly be serving up the same content, and really going after that opportunistic attack of someone literally just making a typo as they go to commonly requested domains. So this is one you can actually look at; it's live today: Facebook with the first O replaced by a P. This is something that we've seen that's been live for several weeks, and it's changing constantly as we're looking at it.

Homoglyphs are, I think, a super interesting attack, where you're actually taking the Unicode variations of letters that look similar but may have accent marks, or may even just be like a Turkish I that's slightly smaller-looking than an alphanumeric I. At this point you're just trying to coerce a person into visiting a link that just looks extremely similar. We see a lot of these, and even in the Facebook example, when we saw it, I think we thought it was dirt on our screen, but it's actually two dots under the O's. That was another prompt for phishing; we're going to actually get to some of the examples of attacks we saw on these as well.

Bitsquatting is a type of variation on a domain that's very different than the rest of the ones we'll be talking about. Bitsquatting is actually a machine attack rather than a human attack, and the variations on these come from typically a hardware failure, most commonly in memory. It could also be a hard drive failure, it could be in transit at a network component, but I'd say most commonly, in the research that we've seen, it's happening in memory. The basics of how it works is actually that the ASCII representation of the character changes whenever a zero flips to a one or a one flips to a zero. So in the example here, cnn.com, if the last bit of the byte that's representing the second N switched to a one, it would change to con.com, and at this point the victim here wouldn't necessarily be a human, because that N is very far away from the O on a QWERTY keyboard; it would be affecting a machine. One thing we're seeing this happen more and more with is mobile phones.

The other thing that I think this is really pertinent to is being able to intercept sensitive traffic now that certificates are free. There have been quite a few DEF CON and Black Hat talks on this over the years, like five or six of them, but the last one I believe was in 2015, and their demonstration got stopped at the point when they would have had to spend $300,000 on domain certificates, which wasn't feasible; it was a college student that was doing the research. But now, with things like Let's Encrypt and every cloud provider giving you free certificates, I think this issue is one of the most impactful and deserves a lot more attention, because you can now intercept sensitive traffic by getting enough free SSL certificates and putting them on domains like these. A couple years ago I started gathering these domains and researching this, and actually there's a link here in the slides that will point to a custom ELK dashboard to be able to track these, which was open sourced on the Bishop Fox GitHub.

In some initial data that we've collected with it for DNS bit flips, we actually see, about every 12 hours on extremely popular domains, about 500,000 requests where there's the opportunity to poison DNS caches and then serve up other content to visitors. Again, a very opportunistic attack; we can't control which machines fail and which ones come to this, but it becomes an opportunity to victimize a lot of devices. Specifically on the HTTP requests that we saw and collected, the teal graph here actually represents Android devices, and then as we drilled down into the data more it was specifically T-Mobile devices, which had me thinking that, since iPhones are doing this less, although they still do it, and we're seeing more Android and specifically T-Mobile, that it's likely very inexpensive devices that have cheaper memory in them, that have higher failure rates over time, and end up collecting a lot more data. We're going to actually continue to explore this and have a whole presentation dedicated to this in April that we'll be doing. A member of the Freedom of the Press actually published some interesting research just this month, on observing, in one week's time, which companies his cell phone made requests to. It was an iPhone, so removing Apple, which was the majority, whenever he's looking at all companies you can see on this graph here the other CDNs and just other major tech companies that requests were going to, which I think there's a big opportunity to see what other domains are registered that are bit flips, or that attackers are bitsquatting on, and then are able to intercept sensitive traffic from cell phones.

So another type of domain abuse that we looked at and saw a lot of was top-level domain variations. This is where the final portion of your domain could be possibly different top-level domains you can register, with say .it or .us. In our own assessments at Bishop Fox we actually have had a lot of success registering .it domains in social engineering scenarios, where we would call someone up and say, "hi, I'm from your company's IT department." .it is actually Italy's top-level domain, and you have to be a European Union citizen to purchase one of those.

So this is another one that we've seen a lot of: subdomain permutations. This is where you can attach an actual company name as a subdomain of another domain that you own. The example that we're showing up here is "secure.runescape.com - attacker domain," so that's just another example that we saw that was super pervasive in our research. We also saw a lot of wildcards, where they would have .healthcare, as you can see up there, so that anything that was on the front of that, that could basically represent every healthcare company or organization, was now routed to fraudulent sites.

So why are people doing this? There are some obvious examples, like phishing or malware, but we actually saw a lot of other types of uses. So this is actually on that homoglyph we mentioned, where it has the dots under the O's. This seemed like a very targeted attack, spear phishing, because it was a Portuguese design for the mobile version, which may be even less noticeable, what's in the URL bar, depending on how your browser on the mobile device represents it, or it just may not be something you look at as you click a link. This actually also had directory listing enabled on it, and there was a data.txt file that had credentials, cell phone numbers and passwords for Facebook, that they stole, and there were only a few, so it really seems like it might have been a spear phishing type of attack.

One of the evolutions we saw in the malware on these was: five or six years ago you may have seen a lot of Acrobat or Flash attacks. Now, with Chrome having about over 60% of the browser market share, there were a lot of attacks that were prompting to install malicious Chrome extensions that would then be granted a lot of permissions to spy on traffic, to steal other credentials, or to really just gather a lot of information on what that user's doing.

Another thing that we saw a lot of was fraud. So this is an example of a Bitcoin hardware wallet, Trezor, and you can see here in this example that it was trying to prompt a user, if they had plugged in their hardware wallet, that it was broken, "oh no, and you need to enter in your recovery seed." So this is something that we can see that's definitely more adapted to the modern cryptocurrency world.

An example of a TLD variation: most people know you can do this, but that was for major media corporations. We even saw on some of their TLDs, while we were investigating this, that there was a white supremacy site that was being hosted on a variation of foxnews.com, and just having that association is of course something you didn't want.

Another example we saw was a lot of phishing sites and variations on iCloud, or subdomain variations of this, where the URL being very long actually prevented a user on the mobile device from seeing the rest of the URL. This is actually a real example from when I was with some friends in Barcelona this summer. One of our friends unfortunately had their phone stolen off a table while we were eating tapas outside, and since you can't really unlock an iPhone these days without having... they started receiving text messages to that device, because the phone number was associated with that account, which the attacker could see. These were very convincing-looking text messages, and I actually went to the phishing site, started doing content discovery on it with Burp, and found, deep in one of the directories, a text file that referenced this Twitter account: "oh, I see you found the iCloud phishing kit; if you want to buy this from me..." He was basically selling these and had tons of variations of iCloud set up, prepared to sell to people that were trying to recover access to a stolen iPhone.

Not all of the examples that we saw were abuse. This was actually a funny one, of Wells Fargo with two V's as a W, and it was just to make people aware of domain abuse and call them idiots at the same time. We also saw a lot of other researchers that actually had these domains and would inform people: "oh, you've reached this as an IDN homoglyph attack, this is what this means, and you need to make sure you go to the correct version of this site."

Let's talk about some monitoring and defenses. The first step, before you implement any kind of monitoring, is that you want to generate a list of all of the possible abused domain permutations. For that we recommend this tool, dnstwist, which is absolutely excellent. It does all different types of the permutations that we talked about, including homoglyphs, so here's an example video of what that looks like. This would really be if you're working on blue team or on defense of your organization and you actually just want to investigate what are all the variations and is there something hosted and being served on them. This is a great Python script to be able to do that. This is actually what we used to initially seed our research and be able to discover which services were open and what were all the subdomains that had stuff exposed for web applications that we could screenshot.

But there's actually another service, say if you want to do this more at the personal level or you don't have a lot of domains that you want to look at. There's a gentleman named Brian Sears that made this phishfinder.io site that basically does what dnstwist is doing but also allows you to just load in a bunch of domains and actually get a report that shows which ones have been registered recently, which ones have mail servers on them, which ones have web servers on them, and he'll do a lot of other generation of the different additional words you may want to add to that, like "login," to try to phish someone, and then generate a full report to give you a better idea of what's exposed.

Another tool that you might already be using in your enterprise is Splunk, and Splunk actually has this ESCU feature where you can feed in your results from dnstwist and start monitoring and alerting on potential domain abuse. We've actually seen some financial institutions, whenever we're doing phishing exercises, that are doing this monitoring through a third-party service, but we did want to call out that if you have Splunk Enterprise you can do this in-house and basically get an alert any time any variation, or any domain that contains your company's name, is registered.

So let's talk about some defenses once you've already alerted on potential domain abuse. Sinkholing domains, I think, is a really underutilized mechanism, whether you're trying to protect your personal network or your organization's network. There's a lot of opportunities to do things using response policy zones, which gets into another great open source project, ioc2rpz. Response policy zones are designed to allow you to override the global DNS system, or you could even do this within a corporate network, to basically take every one of those variations that you generate from dnstwist and pipeline that into a config rule that says these now all go to a page that warns a user that they had been phished, and then whenever we see a request on that we trigger an incident to the SOC, to the blue team, to say let's go through the rest of our incident response playbook to mitigate the risk of this attack. Another great thing about this is it's set up to integrate a bunch of different feeds for malware, a bunch of different malicious domains and malicious IP addresses. You could do the entire PhishTank list of domains, you could do any threat intel feeds that you want to tap into, and basically automatically blacklist and sinkhole these domains. This is really designed for you to even just set up and run on your own laptop; I was running it in the cloud, but then running a local BIND server. But if you are looking for more of an enterprise version of this, Akamai supports this functionality, Infoblox supports this, PowerDNS; you may also have something that's an enterprise tool that can leverage RPZs. This is an example of them actually using 30,000 different domains that are just unreachable now from their DNS. This also can be great for privacy: if you are trying to eliminate analytics sites or other things tracking you, it's a great way to just make it so your computer will never resolve those.

Another, I'd say, really encouraging thing: this was actually just announced at the Enigma conference in January, that Google is actually looking at building protection from this into the browser. In their Canary version right now in Chrome, there's actually a feature: if what you're requesting is a variation of something that has a high PageRank, you can turn on this warning now that just prompts the user to confirm that they meant to visit that variation. They actually have a really good guide that they've been working on, if you're writing software that is representing URLs, allowing users to type in URLs, or loading them in from elsewhere and routing them, basically putting together best practices guidelines on how to represent them so that users aren't easily fooled. A lot of custom software may trim things like paths or trim things like subdomains, and that leads to an attacker being more likely to exploit a victim user. So this is a flag to turn on in Chrome if you're working on the Canary version.

So what happens when you've actually identified somebody who's registered one of these domains for your organization? One thing that you can do is image replacement as a warning. This is an example that we generated for Chase Bank: attackers are lazy, they may actually use images that you're posting on your site, and you can leverage that to your benefit to give a warning to employees when they visit an attack site that this isn't the real thing. Another option: you have a couple of legal options here. One is ICANN arbitration, so there can be a little bit of financial penalties. This process, though, does give whoever owns the domain 20 days to respond, and usually the total timeline is anywhere from fifty to sixty days to recover the domain. But what we've seen for some of those TLD variations, if there's a white supremacy site on one domain and that's a major brand on the other, ICANN is going to respond pretty much immediately and let you take that down. We also have this other one, the Anticybersquatting Consumer Protection Act, and this one leverages some pretty harsh penalties of a hundred thousand dollars per domain, so this is another legal route that you could potentially take to recover some of these domains.

So ultimately there's an opportunity here. I'd say if you haven't investigated what's on your site, you can use something like dnstwist to generate all those permutations, and there's really an opportunity to put more technical controls in place to prevent users from accessing these, really taking the training of people and the trusting of URLs out of the equation, and leveraging these technical controls in place of that to protect an entire workforce, or even yourself at the individual level, if you're worried about yourself being a victim of one of these types of attacks. And with that, any questions? I can't see anything.

[Audience question] You looked at about three thousand domains, but you also mentioned TLD variations. So for your sample set, how much did you take into account various TLDs in your permutations?

So it was less of the TLD permutations; most of those came from looking at the feeds on PhishTank, where you can go to PhishTank's API and actually just download the last ten thousand entries that they've seen. We basically searched for keywords in those domains, like "facebook" or "twitter" or "netflix," and processed all those into our analysis as well, and that's where the bulk of the TLD variations came from up here.

So I'd say the aspect there is, I think a lot of the research around it has been focused on things that are in the Alexa top 1 million, or things that humans would typically go to, but that's the wrong approach to think about it. The better analysis would be: what is my phone in my pocket making requests to all day every day, what is my laptop most likely making requests to? I've gone in and looked at Little Snitch and I'm like, oh, most of this is to Apple because I'm on a Mac, but there's all these other ones; or maybe if it's a Microsoft box it's going to Windows Update on a frequent basis, or Office update. I'd say, to continue to explore that, we should actually be looking at making an Alexa top 1 million for machines: what are our machines making requests to? That's a much more interesting question, and then if you have something that's just getting hit with billions or trillions of requests from users around the world all day every day, now we have a very rich environment for opportunistic attacks. Absolutely, that's where I think if you have ECC memory in your servers and things, that's happening less and less, although it still can happen. We've seen cases where it's actually perhaps on the hard disk level, and that hard drive actually has a flipped bit and it's just sitting there making requests out to a different domain than was intended. So it still can happen, but I'd say the bulk of it is going to be cheap phones in Southeast Asia that are making requests because there are high temperatures or humidity or something like that. And any time you introduce any kind of wireless element you're going to have the issue of potential radiation just flipping a bit there too.

OK, one or two more last questions.

[Audience question] I'm curious about the mistakes that voice bots make; is it possible to add those variations?

I'm sorry, what was the question?

[Audience question] Voice bots, say Alexa or Google Home.

Yeah, that is something really interesting that we did start to look at, but it's such a wide field that we didn't really want to include it, just because we wouldn't have time. But that's something that we're definitely seeing. For example, I've heard of Capital One being registered, an app, as "Capital Wan," to try to take advantage of maybe somebody's accent, so that is happening, absolutely. And actually, in some of the research, I'd love to talk more about this, because I found some open source libraries for doing Metaphone analysis, where you would actually take a set of text, and you can run this in JavaScript, client-side, with an extension: it would sound out whatever text it had and it would create a unique hash of the sound of that, or the enunciation of it, and if you had a whitelist of other things that you said, "if it ever sounds like this, send me an alert, or blacklist this, or redirect to a warning page," that would be a potential technical control that could be put in place to defend against this as well. Great question.

Well, Rob and Kelly, thank you guys very much. It's been a pleasure, and it's great having you guys. [Applause]
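The two defensive steps the talk walks through, generating the permutation list for a brand domain and pipelining it into response policy zone records that sinkhole those names to a warning page, as an added example. This is not code from the talk, from Bishop Fox, from dnstwist or from ioc2rpz. It implements the bit-flip rule the speakers describe for cnn.com (flip one bit of one ASCII character and keep the result only if it is still a valid hostname character), plus a few typosquat classes and ASCII look-alikes (the "two V's as a W" case; Unicode homoglyphs are not covered). The keyboard rows, the look-alike table, the sample domains and the sinkhole name `warning.corp.example.` are constructed for the example; the record syntax is BIND's RPZ QNAME-trigger form.

```python
import string

HOSTNAME_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # constructed: same-row neighbours only
# Constructed ASCII look-alike table (the Wells Fargo "vv" for "w" case and a few others).
ASCII_HOMOGLYPHS = {"w": ("vv",), "m": ("rn",), "l": ("1", "i"), "o": ("0",), "d": ("cl",)}


def _valid_label(label):
    """RFC-style hostname label: 1-63 chars from [a-z0-9-], no leading/trailing hyphen."""
    return (0 < len(label) <= 63 and set(label) <= HOSTNAME_CHARS
            and not label.startswith("-") and not label.endswith("-"))


def bitsquats(label):
    """Labels that differ from `label` by exactly one flipped ASCII bit (cnn -> con).
    Flips that leave the hostname alphabet (uppercase, '.', '~', high bytes) are dropped:
    such a query never resolves to a registrable name, so it cannot be squatted."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            cand = label[:i] + flipped + label[i + 1:]
            if flipped != ch and _valid_label(cand):
                out.add(cand)
    return sorted(out)


def _adjacent_keys(ch):
    for row in KEYBOARD_ROWS:
        i = row.find(ch)
        if i >= 0:
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []


def typosquats(label):
    """Human-error classes from the talk: omission, adjacent transposition, fat-finger key."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                            # omission
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])     # transposition
        for k in _adjacent_keys(ch):
            out.add(label[:i] + k + label[i + 1:])                    # neighbouring key
    out.discard(label)
    return sorted(c for c in out if _valid_label(c))


def homoglyphs(label):
    """ASCII look-alike substitution, one position at a time."""
    out = set()
    for i, ch in enumerate(label):
        for sub in ASCII_HOMOGLYPHS.get(ch, ()):
            out.add(label[:i] + sub + label[i + 1:])
    return sorted(out)


def permutations(domain):
    """Candidate domains for a `label.tld` brand domain, keyed by permutation class."""
    label, tld = domain.lower().split(".", 1)
    return {
        "bitsquat": [f"{c}.{tld}" for c in bitsquats(label)],
        "typosquat": [f"{c}.{tld}" for c in typosquats(label)],
        "homoglyph": [f"{c}.{tld}" for c in homoglyphs(label)],
    }


def rpz_records(domain, sinkhole):
    """BIND RPZ QNAME-trigger records: each permutation and its subdomains are rewritten
    to `sinkhole` (a walled-garden warning host). The genuine domain is never listed."""
    names = sorted({n for group in permutations(domain).values() for n in group} - {domain})
    lines = []
    for name in names:
        lines.append(f"{name}\tIN\tCNAME\t{sinkhole}")
        lines.append(f"*.{name}\tIN\tCNAME\t{sinkhole}")
    return lines


if __name__ == "__main__":
    for group, names in permutations("cnn.com").items():
        print(group, names)
    print("\n".join(rpz_records("wellsfargo.com", "warning.corp.example.")))
```

The records belong under the SOA/NS header of a zone loaded through BIND's `response-policy` option (or the equivalent on the RPZ-capable resolvers the talk lists); a `CNAME .` target would return NXDOMAIN instead of redirecting, which loses the user-facing warning but still gives the SOC a log hit to alert on. Cross-checking the generated list against a feed such as PhishTank before loading it keeps the zone from sinkholing names the brand itself controls.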