Thursday, March 26, 2015

Implementing passive DNS monitoring to prevent phishing attacks

The idea of typosquatting - registering a domain name which mimics that of a valid web site - is not a new concept.  In fact, in the US, laws aimed at preventing typosquatting were introduced as far back as 1999. In the beginning, typosquatting was a way to voice a gripe with the intended target or to generate advertising revenue from mistyped domain names. Criminal organization tactics evolved to use typosquatting as a way to deliver malware to anyone who accidentally happened upon the page.

Recent high profile attacks against Anthem BCBS and Premera Blue Cross highlight the evolution of typosquatting from opportunistic attacks to targeted attacks on specifically targeted organizations. While Premera has been tight-lipped about the methods used to breach their network, more is known about the Anthem attack.  Analysis of both attacks by outside sources, however, point to the involvement of typosquatting attacks.

In the case of Anthem BCBS, formerly known as Wellpoint, a typosquatted domain we11point[.]com was registered in April of 2014. The Premera attack, which originally took place in May of 2014, appears to be associated with a typosquatted domain prennera[.]com. In both cases, to the casual observer, the typosquatted domains are nearly indistinguishable from their legitimate counterparts. It is known that we11point[.]com was used in a phishing attack targeted on Anthem employees in order to deliver malware which afforded the attackers a foothold in Anthem's network.  It is suspected that prennera[.]com was used for the similar purposes.

In an effort to protect my corporate network against these kinds of attacks, I looked for ways to detect typosquatted domains that might be used in targeted phishing attacks. Fortunately, I did not have to look far. Andrew Horton of Morningstar Security created URLCrazy to automatically generate various permutations of a given domain name using a number of different methods included character omission, character swapping, and homoglyphs, the kind used in the Anthem attack.

Using URLCrazy is straight forward, with easy to understand options including keyboard layout. Since possible typos are based on the keyboard layout being used, URLCrazy supports several keyboard layouts. Output can be sent to the screen or formatted as a CSV, with the option of saving the output to a file.

URLCrazy Usage
URLCrazy usage

In addition to generating typosquatting candidates, URLCrazy also checks whether those domains have already been registered. Below are two examples of the output generated for and Note that in the Wellpoint example, URLCrazy actually generated the same homoglyph used in the Anthem attack.

URLCrazy -
URLCrazy output for

URLCrazy - homoglyphs
Homoglyphs of

For my purposes, I wanted to be able to take a list of domains owned by the company and generate possible typos I could use as an early warning system for possible phishing attacks. I took the company domains and fed them to URLCrazy. I then performed a review of each domain that was already registered and classified them as either a valid site or a typosquatter and recorded these designations in a CSV. The typosquatted domains were then fed into our web proxy to prevent access to them in the event they are used in a phishing attack.

I wrote a simple python script which calls URLCrazy and compares the output against my CSV of identified domains. If a new typosquatted domain is registered, it will be detected and an alert will be generated and sent to the security analyst team for review. If the domain is indeed a typosquatted domain and not a legitimate website, the domain is again fed into our web proxy, blocking access. The CSV is then updated to include this new domain, ensuring we don't receive continued alerts.

My script, crazyParser, can be retrieved from my GitHub:

This approach can be classified as a passive, reactive approach. If reviews are performed on a frequent and regular basis, it will serve as an effective defense against possible typosquatting attacks. This approach approach does not provide protection against phishing campaigns against your customers using typosquatted domains, however.

In order to proactively protect your customers, it may be necessary to identify typosquatting candidates and purchase those domains. These domains can then be redirected to the legitimate target domain name. This approach can become costly for smaller organizations with many domain names, and can become an management nightmare. It is generally considered best practice to have domain expiry notifications sent to a group mailbox to prevent domain registrations from lapsing after key personnel leave your organization.

In the event a domain has been registered which appears to be an obvious attempt to capitalize on typos of your legitimate domain name, the Universal Domain-Name Dispute-Resolution Policy may provide some relief. The UDRP allows for domain name holders to petition for the transfer of typosquatted domains to their control under certain circumstances.

Most commercial web proxies provide a categorization for web sites. In may cases, a newly-registered domain name will not yet have been categorized by your proxy vendor. As a final course of action, you can block access to all uncategorized web sites. This may provide a window of protection against domains used in phishing attacks. Blocking access to uncategorized web sites is generally considered a good practice.

As targeted phishing attacks continue to rise as an effective attack vector, this kind of DNS reconnaissance can serve as a reactive early warning system and even be used proactively to defend against attacks.

As always, I hope you found this post useful and your feedback is always welcome!