ICANN Email List Archives

[gnso-rap-dt]



RE: [gnso-rap-dt] Phishers using typosquat domains - both new and purchased "parking" domains

  • To: "'Registration abuse list ICANN'" <gnso-rap-dt@xxxxxxxxx>
  • Subject: RE: [gnso-rap-dt] Phishers using typosquat domains - both new and purchased "parking" domains
  • From: "Berry Cobb" <berrycobb@xxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 26 Jan 2010 11:01:28 -0800

Thank you for sharing this, Rod.  This further proves how innovative and
ever-adapting the criminal community can be.

I've always tried to envision a day when typosquats were a thing of the
past. All that ultimately comes up is a day when the physical presence of
hardware is no longer required to enter the address of a website we wanted
to visit.  Yes, that's right, telepathy.  Some of the things I have read
signal we might just see that in our lifetime.  But up until then, what can
we do about it?

I have no doubt that even the most skilled of web surfers make the mistake
of a URL typo now and then.  In fact, I have gone as far as, when I made
that mistake against a brand that I trust, contacting that brand to inform
them of the issue... but I digress.

It seems to me the only "real" interim solution to typos in the browser bar
is through strong education at the end user level.  As with every new
technology or innovation, a set of controls must be placed around the use of
that technology.  Sometimes the provider can control the safety mechanisms
and other times we rely on the user consuming the technology to be educated
in its use.  In the case of typo errors, it is the latter.  I do not claim
to be an expert educator or marketer, but I will toss this out as fodder for
change...

Today, we see some forms of consumer education from the financial community
relative to spam and phishing etc.  I will further state that I do not claim
to be an expert in financial industry activities and am only going on my own
experiences.  I invite anyone on the list with experience in the financial
industry's current practices to chime in.  Anyway, the education one
typically sees is statements in emails or perhaps on the financial
institution's website that advise consumers to be aware that it will never
solicit contact information or online user IDs & passwords.  In other
cases we might see some education that expresses caution when clicking
emails that may resemble communication from the financial institution.  I am
sure there is a vast range of outreach.  But ultimately, I do not think the
present realm of outreach is significant enough to combat the problem,
whether it is traditional spam phishing or typo-phishing.

I envision some sort of globally coordinated advertising and education
campaign directly presented by the legitimate financial community that
further educates its customers and consumers of their data.  Consumers
should BOOKMARK the website of each financial institution they
wish to conduct online business with.  It is definitely my current practice
for all online financial activities.  I've always maintained this practice
because I was aware of the threat.  It was never done for
ease of use.  Perhaps this campaign is separate from existing education and
marketing channels or perhaps it piggybacks existing ones. I imagine there
is a range of possibilities. In some ways, I could see it as a public
service announcement message and/or messaging attached to the end of
practically every communication relative to online financial activities.
Appropriate countermeasures must reflect the seriousness of this issue.

Obviously the fodder here is clearly outside the scope of ICANN to mandate.
But is there a way that we can partner with key stakeholders to build
momentum for change?  Again, reflect back on the idea of a perfect state
where typosquatting is a relic.  How can we get there?

Thanks again for sharing Rod.


Berry A. Cobb
Infinity Portals LLC
866.921.8891


-----Original Message-----
From: owner-gnso-rap-dt@xxxxxxxxx [mailto:owner-gnso-rap-dt@xxxxxxxxx] On
Behalf Of Rod Rasmussen
Sent: Monday, January 25, 2010 01:11
To: Registration abuse list ICANN
Subject: [gnso-rap-dt] Phishers using typosquat domains - both new and
purchased "parking" domains


I got permission to forward this information on from an investigator who's
been looking into rather unusual phishing attacks against various smaller UK
banks.  It cuts across many of the areas we've been talking about, and with
the use of purchased "parking" domains with brand variants in them,
represents a new direction for phishers.  We've seen some similar use of
"one-time only" logins (cookies/IP/unique code) access along with typosquats
in several cases, but this one is nastier.  The major challenge here is that
there's often no evidence that the registrar will be able to see to confirm
a shut-down request, since there's no spam (just waiting for fat fingers)
and with one-time use, very little chance a reported URL will lead to a
phishing site that can be verified directly.  These sites are STILL
verifiable, but it's a lot more work.  This also blurs the lines we've been
trying to draw around squatting vs. criminal malicious use.  All of a
sudden, a lot of those "annoying" typosquat domains are potentially a lot
more dangerous to the Internet user community as a whole.

If anyone would like to chat with Iain about his report, I can put you in
direct contact - I'm not putting his e-mail out on this public list!

Best,

Rod

Rod Rasmussen
President and CTO
Internet Identity

> All,
> 
> I wanted to pass on details of an evolved typophishing MO that has been
> used against a small number of UK banks over the past few months. This
> attack strategy was first noted last September and is currently not well
> known outside of the UK banking sector and law enforcement.
> 
> In the past we have all seen phishing sites on typosquatted domain names
> of the victims. These have normally been classical dinosaur phish, with a
> simple 1:1 relationship of domain name to hosting IP, easily spotted and
> shut down. However, in the latest typophishing attacks there is a blending
> of a number of existing attack methodologies to give a hard-to-detect attack
> where customers may not even know they have compromised their credentials.
> 
> The attackers register a large number (often 30 or more feeder domains) of
> typosquats of the victim domain, normally clustered under one or two domain
> registrants. These registrant details look to be those of identity theft
> victims whose plastic cards have been compromised and used to buy the
> domains. As the attackers are going after smaller, less-attacked brands,
> these typosquats have not yet been registered. However, in some cases
> existing typosquats have been purchased by the attackers and transferred to
> them.
> 
> These domains are then set up to do a 302 redirect when visited onto a
> "mothership" domain. This typosquatted domain is typically the one that has
> the closest resemblance to the victim domain. It is registered using a
> different registrant to the first batch of redirecting domains, often using
> a Russian name and Russian registrar. This "mothership" hosts the phishing
> pages, in an analogous manner to Avalanche or Rockphish fast flux attacks.
> In some cases there can be a two-stage redirection to another batch of
> feeder domains before going to the "mothership".
> 
> The pages are a good copy of the target site, but what is unusual is the
> anti-analysis capability of this "mothership". You effectively have one
> chance to see the pages - it appears to do a combination of IP tracking and
> cookies. Second and subsequent visits to the page result in a redirection
> from any of the feeder domains directly to the genuine victim website, or to
> Google. Unless doing analysis of links and redirections, the "mothership"
> domain will not be seen. It also appears that the pages are not always on
> the "mothership", further making identification of what is going on
> difficult. Once victims have entered their credentials into the "mothership"
> they are then passed on to the legitimate online banking site where they
> log in - it is suspected that the phishing pages tell the user that they
> have entered their details incorrectly the first time to get round partial
> passwords by capturing two logon attempts.
> 
> This one-time visit functionality has been seen before in phishing sites,
> but to use it in this MO is clever as it means that takedown companies who
> are unaware of the MO will miss the "mothership" domain as part of their
> activity. It also means that domain registrars who are approached to take
> domains down may be reluctant as to their eyes no criminal activity is going
> on, as it is just a redirecting typosquat which does not abuse their terms
> and conditions.
> 
> From a fraud prevention aspect this MO could be confused with a
> man-in-the-browser trojan attack, as when defrauded customers are asked
> questions they are unaware of having given their credentials away. All they
> have done wrong is mistype the genuine online banking website address, which
> they have ended up logged onto in the end. They are not aware that the
> typophish has captured their credentials before passing them into the
> genuine site as part of this via a man-in-the-middle.
> 
> I'll be interested to see if anyone else has spotted this MO - I know from
> speaking to people at the end of last year that there was poor awareness of
> this and how the attackers had blended a number of existing attack
> strategies into one clever one. At the moment it does not appear that a
> trojan is being dropped as part of the attack via drive-by download, but I
> would expect that it may well come in a future evolution.
> 
> Regards,
> 
> Iain
> 
> -- 
> Iain Swaine
> Principal Consultant
> Ensequrity
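
The report above says the "mothership" is only found by analysing links and redirections, and that a second visit from the same client sees nothing but a redirect to the genuine bank. The script below is an added example written for this archive page; it is not code from Rod, Iain, Internet Identity or Ensequrity. It follows 302 chains from a cluster of feeder domains, reports the host they converge on, and then re-walks each feeder with a client the cluster has already served once to show which feeders change their destination. Every domain name, URL and response is constructed, and a small replay object stands in for a real HTTP client so the script runs offline; with a real client the same follow_chain logic would take a fetch function that issues requests without following redirects.

```python
"""Redirect-chain analysis for a cluster of typosquat feeder domains.

Added example, not part of the mailing-list thread. Every domain name and
response below is constructed; RecordedResponses stands in for a real HTTP
client so the script runs offline.
"""
from collections import Counter
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


class RecordedResponses:
    """Offline stand-in for an HTTP client that replays constructed responses.

    Models the 'one chance' behaviour in the report: once this client has been
    served the phishing page (a 200 from the first-visit table), the cluster
    treats it as tracked and answers from the repeat-visit table instead.
    """

    def __init__(self, first_visit, repeat_visit):
        self.first_visit = first_visit    # url -> (status, location) for untracked clients
        self.repeat_visit = repeat_visit  # url -> (status, location) once tracked
        self.tracked = False

    def fetch(self, url):
        if self.tracked:
            return self.repeat_visit.get(url, (200, None))
        status, location = self.first_visit.get(url, (200, None))
        if url in self.first_visit and status == 200:
            self.tracked = True  # page served: this client is now known to the cluster
        return status, location


def follow_chain(fetch, url, max_hops=MAX_HOPS):
    """Return every URL visited, from the start URL to the first non-redirect response.

    The hop cap stops redirect loops; a chain of length 1 means no redirect at all.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = location
        chain.append(url)
    return chain


def analyze_cluster(feeders, first_visit, repeat_visit, genuine_hosts, min_feeders=2):
    """Map where each feeder lands on a first look and whether that changes on a repeat look.

    A host that several redirecting feeders converge on, and that is not the
    genuine site, is reported as a 'mothership' candidate. Feeders whose repeat
    destination differs from their first destination are reported as cloaked:
    a later visit from the same client would only show a redirect to the bank.
    """
    first_chains = {}
    for feeder in feeders:
        # fresh client per feeder: a first look from an address the cluster has not seen
        client = RecordedResponses(first_visit, repeat_visit)
        first_chains[feeder] = follow_chain(client.fetch, feeder)

    convergence = Counter(
        host_of(chain[-1]) for chain in first_chains.values() if len(chain) > 1
    )
    candidates = sorted(
        host for host, n in convergence.items() if n >= min_feeders and host not in genuine_hosts
    )

    # second look from a single client that has already been served the page once
    tracked = RecordedResponses(first_visit, repeat_visit)
    for feeder in feeders:
        follow_chain(tracked.fetch, feeder)  # priming pass: consumes the one chance
    cloaked = {}
    for feeder in feeders:
        repeat_host = host_of(follow_chain(tracked.fetch, feeder)[-1])
        if repeat_host != host_of(first_chains[feeder][-1]):
            cloaked[feeder] = repeat_host

    return {"chains": first_chains, "mothership_candidates": candidates, "cloaked": cloaked}


# --- constructed sample cluster (all names invented; .example is reserved for documentation) ---
GENUINE = "https://www.examplebank.example/login"
MOTHERSHIP_PAGE = "http://examplbank.example/login"   # closest look-alike, hosts the pages
FEEDERS = [
    "http://exmaplebank.example/",
    "http://examplebnak.example/",
    "http://examplebank-online.example/",   # two-stage: redirects through another feeder
    "http://exampelbank.example/",
    "http://examplebank-parked.example/",   # plain parking page, no redirect: must not be flagged
]
FIRST_VISIT = {
    FEEDERS[0]: (302, MOTHERSHIP_PAGE),
    FEEDERS[1]: (302, MOTHERSHIP_PAGE),
    FEEDERS[2]: (302, FEEDERS[3]),
    FEEDERS[3]: (302, MOTHERSHIP_PAGE),
    MOTHERSHIP_PAGE: (200, None),           # the phishing page itself
}
REPEAT_VISIT = {feeder: (302, GENUINE) for feeder in FEEDERS[:4]}
REPEAT_VISIT[MOTHERSHIP_PAGE] = (302, "https://www.google.example/")

if __name__ == "__main__":
    report = analyze_cluster(FEEDERS, FIRST_VISIT, REPEAT_VISIT, {host_of(GENUINE)})
    for feeder, chain in report["chains"].items():
        print(" -> ".join(chain))
    print("mothership candidates:", report["mothership_candidates"])
    print("cloaked on repeat visit:", report["cloaked"])
```

The design point is the two passes: the convergence count needs a first look per feeder from an untracked client, while the cloaking check deliberately reuses one client so that the report to a registrar can state both what a fresh visitor is sent to and what the registrar's own (already tracked) re-check will see.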







