[gnso-rap-dt] Phishers using typosquat domains - both new and purchased "parking" domains
- To: Registration abuse list ICANN <gnso-rap-dt@xxxxxxxxx>
- Subject: [gnso-rap-dt] Phishers using typosquat domains - both new and purchased "parking" domains
- From: Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 25 Jan 2010 01:10:44 -0800
I got permission to forward this information on from an investigator who's been
looking into rather unusual phishing attacks against various smaller UK banks.
It cuts across many of the areas we've been talking about, and with the use of
purchased "parking" domains with brand variants in them, represents a new
direction for phishers. We've seen some similar use of "one-time only" logins
(cookies/IP/unique code) access along with typosquats in several cases, but
this one is nastier. The major challenge here is that there's often no
evidence that the registrar will be able to see to confirm a shut-down request,
since there's no spam (just waiting for fat fingers) and with one-time use,
very little chance a reported URL will lead to a phishing site that can be
verified directly. These sites are STILL verifiable, but it's a lot more work.
This also blurs the lines we've been trying to draw around squatting vs.
criminal malicious use. All of a sudden, a lot of those "annoying" typosquat
domains are potentially a lot more dangerous to the Internet user community as
a whole.
If anyone would like to chat with Iain about his report, I can put you in
direct contact - I'm not putting his e-mail out on this public list!
Best,
Rod
Rod Rasmussen
President and CTO
Internet Identity
> All,
>
> I wanted to pass on details of an evolved typophishing MO that has been used
> against a small number of UK banks over the past few months. This attack
> strategy was first noted last September and is currently not well known
> outside of the UK banking sector and law enforcement.
>
> In the past we have all seen phishing sites on typosquatted domain names of
> the victims. These have normally been classical dinosaur phish, with a simple
> 1:1 relationship of domain name to hosting IP and easily spotted and
> shut down. However, in the latest typophishing attacks there is a blending of
> a number of existing attack methodologies to give a hard to detect attack
> where customers may not even know they have compromised their credentials.
>
> The attackers register a large number (often 30 or more feeder domains) of
> typosquats of the victim domain, normally clustered under one or two domain
> registrants. These registrant details look to be those of identity theft
> victims where their plastic cards have been compromised and used to buy the
> domains. As the attackers are going after smaller less attacked brands these
> typosquats have not yet been registered. However, in some cases existing
> typosquats have been purchased by the attackers and transferred to them.
>
> These domains are then set up to do a 302 redirect when visited onto a
> "mothership" domain. This typosquatted domain is typically the one that has
> the closest resemblance to the victim domain. It is registered using a
> different registrant to the first batch of redirecting domains, often using a
> Russian name and Russian registrar. This "mothership" hosts the phishing
> pages, in an analogous manner to Avalanche or Rockphish fast flux attacks. In
> some cases there can be a two stage redirection to another batch of feeder
> domains before going to the "mothership".
>
> The pages are a good copy of the target site, but what is unusual is the
> anti-analysis capability of this "mothership". You effectively have one
> chance to see the pages - it appears to do a combination of IP tracking and
> cookies. Second and subsequent visits to the page result in a redirection
> from any of the feeder domains directly to the genuine victim website, or to
> Google. Unless doing analysis of links and redirections the "mothership"
> domain will not be seen. It also appears that the pages are not always on
> the "mothership", further making identification of what is going on difficult.
> Once victims have entered their credentials into the "mothership" they are
> then passed onto the legitimate online banking site where they login - it is
> suspected that the phishing pages tell the user that they have entered their
> details incorrectly the first time to get round partial passwords by
> capturing two logon attempts.
>
> This one-time visit functionality has been seen before in phishing sites, but
> to use it in this MO is clever as it means that takedown companies who are
> unaware of the MO will miss the "mothership" domain as part of their
> activity. It also means that domain registrars who are approached to take
> domains down may be reluctant as to their eyes no criminal activity is going
> on, as it is just a redirecting typosquat which does not abuse their terms
> and conditions.
>
> From a fraud prevention aspect this MO could be confused with a man in the
> browser trojan attack, as when defrauded customers are asked questions they
> are unaware of having given their credentials away. All they have done wrong
> is mistyped the genuine online banking website address, which they have ended
> up logged onto in the end. They are not aware that the typophish has
> captured their credentials before passing them into the genuine site as part
> of this via a man in the middle.
>
> I'll be interested to see if anyone else has spotted this MO - I know from
> speaking to people at the end of last year that there was poor awareness of
> this and how the attackers had blended a number of existing attack strategies
> into one clever one. At the moment it does not appear that a trojan is being
> dropped as part of the attack via drive by download, but I would expect that
> it may well come in a future evolution.
>
> Regards,
>
> Iain
>
> --
> Iain Swaine
> Principal Consultant
> Ensequrity
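The two things Iain's report says a takedown analyst has to do differently are (a) follow the redirect chains from the feeder domains rather than looking at each domain in isolation, and (b) treat a redirect straight to the genuine bank or to Google as a possible "already burned" second visit rather than as proof of innocence. The script below is an added example from the list editor, not code from Rod, Iain or their companies: it clusters first-visit redirect chains by final destination so that a "mothership" shared by many typosquats of one brand stands out, and it separates out feeders whose only observed behaviour was a decoy redirect. The brand `examplebank.co.uk`, every other domain name, and the `SAMPLE_CHAINS` hop records are constructed for illustration; the assumption is that each candidate domain was fetched once with a fresh cookie jar from an unused source address and the `Location` hops were recorded.

```python
"""Cluster typosquat feeder domains by redirect destination (added example).

Assumption (not from the original post): the defender has already visited each
candidate domain ONCE, with a fresh cookie jar and a source IP not used before,
and recorded the HTTP redirect targets in order. Because the "mothership" only
shows its pages on the first visit, that single capture is all there is to work
with; the analysis below runs entirely offline on the recorded hops.
"""
from collections import defaultdict
from urllib.parse import urlparse

BRAND = "examplebank.co.uk"          # hypothetical victim brand (constructed)
DECOYS = {"google.com"}              # redirect targets used to wave off repeat visitors

# Constructed sample: feeder domain -> ordered list of Location targets seen on
# the single first visit. An empty list means the domain served content itself.
SAMPLE_CHAINS = {
    "exampelbank.co.uk": ["http://examplebnak.co.uk/", "http://examplebnak.co.uk/login"],
    "examplbank.co.uk":  ["http://examplebnak.co.uk/"],
    "exmaplebank.co.uk": ["http://feeder-b.example/", "http://examplebnak.co.uk/"],  # two-stage
    "examplebank.org":   ["http://www.examplebank.co.uk/"],   # looks harmless: sent to genuine site
    "examplebamk.co.uk": ["http://www.google.com/"],          # looks harmless: sent to Google
    "examplebnak.co.uk": [],                                  # the mothership itself, no redirect
    "unrelatedshop.example": ["http://unrelatedshop.example/home"],
}


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions.

    A transposition ("exampel" for "example") costs 1, which matches how
    fat-fingered typosquats are actually formed."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def host_of(url):
    """Hostname of a URL, lower-cased, with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def sld(host):
    """Second-level label, e.g. 'examplebank' from 'examplebank.co.uk'."""
    return host_of("http://" + host).split(".")[0]


def looks_like_typosquat(host, brand, max_distance=2):
    """True for a different domain whose label is the brand label or within
    max_distance edits of it (covers TLD swaps as well as misspellings)."""
    if host_of("http://" + host) == host_of("http://" + brand):
        return False
    return osa_distance(sld(host), sld(brand)) <= max_distance


def classify_chain(feeder, hops, brand):
    """Return (final_host, verdict) for one recorded first-visit chain."""
    final = host_of(hops[-1]) if hops else host_of("http://" + feeder)
    if final == host_of("http://" + brand):
        return final, "decoy-to-genuine"     # may be a burned second visit
    if final in DECOYS:
        return final, "decoy-to-search"      # may be a burned second visit
    if final == host_of("http://" + feeder):
        return final, "self-hosted"
    return final, "redirected"


def find_motherships(chains, brand, min_feeders=2):
    """Group brand typosquats by redirect destination.

    Returns (motherships, decoyed): destinations fed by at least min_feeders
    typosquats, and typosquats whose only observed behaviour was a decoy
    redirect and therefore need a re-fetch from a fresh address before being
    written off."""
    by_dest = defaultdict(list)
    decoyed = []
    for feeder, hops in chains.items():
        if not looks_like_typosquat(feeder, brand):
            continue
        final, verdict = classify_chain(feeder, hops, brand)
        if verdict == "redirected":
            by_dest[final].append(feeder)
        elif verdict.startswith("decoy"):
            decoyed.append(feeder)
    motherships = {d: sorted(f) for d, f in by_dest.items() if len(f) >= min_feeders}
    return motherships, sorted(decoyed)


def typosquat_candidates(brand):
    """Watch-list of one-edit variants (omission, doubling, transposition) of
    the brand label, keeping the brand's own suffix."""
    label, _, suffix = brand.partition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                       # omitted character
        out.add(label[:i] + label[i] + label[i:])                # doubled character
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    out.discard(label)
    return {f"{v}.{suffix}" for v in out}


if __name__ == "__main__":
    ships, burned = find_motherships(SAMPLE_CHAINS, BRAND)
    for dest, feeders in ships.items():
        print(f"mothership {dest} fed by {len(feeders)} typosquats: {feeders}")
    print("re-fetch from a fresh address before dismissing:", burned)
```

The clustering is what gives a registrar something to act on: a single redirecting typosquat proves nothing, but a destination that receives 302s from many misspellings of one bank, registered under a different registrant, is evidence of the arrangement Iain describes even when the phishing page can no longer be reproduced. The `decoyed` list is the second caveat made concrete: a feeder that sent the analyst to the genuine site or to Google should be re-queued for a fresh-IP, fresh-cookie fetch rather than closed as benign.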