Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

View all posts > 

Filtered by : Typosquatting

Assertiveness is a valuable quality for the C-Level and cyber crooks alike

Posted: 30 Mar 2015 01:00 PM | Jose Barajas


Beware, spear-phishing is striking again - Websense Security Labs has become aware of recent spear-phishing attempts utilizing what appear to be forwarded legitimate email messages and a typo-squatted domain. If these targeted attempts are successful, then the combination of a trusting nature, orthographic chicanery, and the lack of internal verifications can result in a huge financial loss to a business. Swift and Sophisticated According to the evidence reviewed by Websense Security Labs, the malicious actor registered a typo-squatted domain name with a single character difference (a repeated character) from the target domain. Registration of the fraudulent domain occurred on the same day as the attack. Shortly after registration, email communication emanated from an address that mimicked that of a company executive, excluding the domain. The email requested a wire transfer and referenced a previous conversation between employees. It also included details of the destination account in a PDF attachment. Language within the email was vague but commanding, appropriate to the industry, and most importantly it demonstrated familiarity. As with any good sting, the tricksters had done their research. The onset of the attack appears to have begun with an email crafted to look like a legitimate forwarded message. In the subsequent fraudulent communiques, names and email addresses of key players were used to help assert legitimacy. Hiding in Plain Sight It’s important to note that this attack was neither a case of spoofing nor of a forged domain in the display headers. All email communication about this transfer of funds – not an insignificant amount – occurred via an email address utilizing the newly-registered hostname. The fraudsters merely relied on the similarities of the domains – and knowledge of key players within the company – to try to achieve their objective. Similar techniques have been used in the past, such as those that targeted the trading firm Scoular in 2014 . The FBI is still attempting to recover the $17 million lost in that case, which also involved legitimate employee names with fake email aliases. Another common phishing technique encountered by Websense involved forged From addresses in the display headers rather than typo-squatting, and a reply-to address that was not on the corporate domain. In most other ways, these attempts were similar, involving vaguely-worded requests to confirm transaction details. While fraudsters did their homework enough to know exactly who the execs on mahogany row were, and the appropriate support staff that might process such a request on their behalf, they tried to rely primarily on the fact that no one would double-check the reply-to address if the From address appeared legitimate. Spear-Phishing from a Position of Power Aside from the fact that the emails in this and other spear-phishing attacks emanated from a domain nearly identical to the target domain, relied on a reply-to address going unexamined, or used known names and email addresses to gain confidence, the agents of this fraud relied on several other key factors for their success: namely, power structure and the lack of protocol. Put simply, the perpetrators were trying to count on obeisance and obedience: when the CEO or CFO tells you to do something, you do it. The phishers also relied on brevity to convey urgency and mask identity (unfamiliar syntax can raise red flags). They also requested several updates to further underscore the importance of speed. In this instance, phishers were trying to play on the similarity of domains, but they also preyed on the eagerness of most employees to please. In some cases, it may not be the absence of protocol as much as the willingness to sidestep established procedure when receiving a request from a high-level executive. This was the case in the Scoular incident , where skirting SEC regulations was cited as a reason for communicating only via email. Mitigation “Trust, but verify,” is wisdom famously imparted by Ronald Reagan. In a case such as this, we can see that lack of verification, especially in matters regarding financial transactions, can have significant consequences. Such attacks can be prevented by utilizing practices that ensure that multiple forms of validation (especially one that is out-of-band) are in place. While email has become an essential communication tool, a single point of contact allows for greater risk when it is compromised. In some industries, such as those in the financial sector, it is not uncommon to transfer large sums of money, such as the amounts requested in this case. Thus, the amount itself may not raise an eyebrow. Nonetheless, it is recommended that protocols be implemented and followed that could help to eliminate compliance with fraudulent requests. Education is a key piece of the puzzle as well. Employee training around phishing attacks, typo-squatting and general awareness of email security attacks goes a long way. Updated SPF records can combat true spoofing attempts, but for phishing attempts such as typo-squatting, vigilance remains a strong defense. At Websense Security Labs, we are constantly on the lookout for attack trends such as these across our customer base, and use the information gathered to shore up our defenses for all our customers. Primary contributor: Cristina Houle Other contributors: Jose Barajas, Rajiv Motwani with inputs from Ran Mosessco and Heather Campbell

Read more > 

Filed under: , , , ,

no comments

Can't Sleep? Let's Count a Typosquat Hive

Posted: 30 Jan 2013 07:27 AM | Carl Leonard


The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?

 

 

 

Upon further analysis we discovered a connection between those hosts:

 

  1. Most of them are hosted on the same IP address, 208.73.210.128.
  2. They lead to scam survey websites and spam websites.
  3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.
...

Read more > 

Filed under: ,

no comments

The rise of a typosquatting army

Posted: 22 Jan 2012 03:30 AM | uwang


The week before we published a blog that discussed typosquatting of social web sites that lead visitors to spam survey sites with a high Alexa ranking. With our on-going research, we discovered that cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to social web, but also include popular and frequently-visited registered typosquatting domains in all areas ranging from Google to Victoria's Secret, or Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site. The Websense® ThreatSeeker® Network has discovered over 7,000 typosquatting sites within this single network. These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site (which we showed you in this blog). After visitors complete the spam survey, they are then taken to spam advertisement distributed sites where spam advertisements are displayed based on the their interests. An example of such advertisment is a free movie downloader as shown below. Currently, these spam advertisements are not spreading maliciously. However, if these networks are resold to underground groups, then the potential outcome could be even more damaging than the 0-day exploit security attacks. You'd surprised by the number of visitors who mistype popular domain names. These mistyped domains generate a huge amount of traffic (some sites even managed to reach the Alexa top 250 list). For the careless users who fill in the survey, the cyber-criminals obtained their sensitive data. All of this can be translated into profit. Based on online web site valuation tools such as worthofweb.com (as shown below), we expect that attackers are pulling in a substantial income from typosquatting campaigns. Websense Security Labs will continue monitor these campaigns and Websense customers are protected from these threats via ACE, our Advanced Classification Engine .

Read more > 

Filed under: ,

no comments

Typosquatting social web gains top Alexa ranking

Posted: 11 Jan 2012 01:00 AM | uwang


Websense® ThreatSeeker® Network has detected fraudulent Web sites that have made it to the global top 250 high Alexa ranking list. These are amazing results for fraudulent Web sites, as some of them rank even better than genuine big name portals. In this campaign, the fraudulent sites pretend to be from YouTube, and they try to lure you in by saying you have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. Survey scams were very common in the past year, and were usually spread within social networks like Facebook or Twitter. They often used hot topics to lure visitors. We have already blogged about these incidents, and customers are encouraged to educate themselves about these attacks so they do not to fall for this kind of technique. Here is the snapshot of the current campaign: An interesting thing we found is that survey campaigns that spread in social networks are usually localized by area or language. This means that traffic for spam sites used in campaigns are limited to related countries or regions. However, video rewards survey campaigns can spread globally as they have a high Alexa rank almost in every country, and they have no language barrier. Additionally, the spam site server checks the IP addresses of visitors and shows the location information on the page to appear more authentic. One of the spam sites used in this campaign is video-rewardz.com, which at its peak, reached Alexa’s top 250 list. The spam site has a high Alexa rank dating from Dec 19th 2011. The spam site is still available now and has a lot of traffic. How is it possible for spam sites to have so much traffic? After conducting some research, we found that the major source is from mistyping of the twitter.com Web site. This type of attack is called typosquatting, and it is not new. We have blogged about this in the past; yet this campaign is popular because attackers get good results from this campaign. The attacker needs to register several typosquatting sites for Twitter and redirect the typosquat site to another site such as video-rewardz.com. This explains why it is global spam campaign, and why it can generate so much traffic. Twitter is very popular site and it’s easy for people to mistype this URL. To prevent such attacks, some big names like Google or Facebook have registered some names that can be easily mistyped for their portal. However, Twitter has not done this and this makes them susceptible to such attacks, causing them to have an extremely high Alexa rank spam sites. Listed below are typosquatting sites registered by attackers: ttwitter.com twwitter.com twiitter.com twittter.com twitterr.com twutter.com twiter.com Additionally, we also found other spam sites related to this campaign. Some of them have already been used in the campaign and have a high Alexa rank, whilst others may potentially be used in future. videorewardcentral.com videorewardsonline.com socialupdatepanel.com videorewardstoday.com videorewardsnow.com giveaway-winner.com videorewardspace.com video-reward.com videorewardspot.com video-rewardz.com Websense customers are protected from these threats by ACE, our Advanced Classification Engine .

Read more > 

Filed under: ,

no comments

A typosquat hostname list for Xmas

Posted: 08 Dec 2011 05:06 PM | Elad Sharf


A few weeks ago, we published a blog about typosquatting. This time, we're going to give an actual example of typosquat hosts found in the wild and show how typosquatting scams work. We'll take you through a typosquatting campaign that abuses tenth of known brands and includes thousands of registered typosquat hosts (a typosquat hive). After that, we'll offer a list that includes hundreds of typosquatting hosts from that hive, all of which can be found in the wild. The list is free to download for any of you who are into IT security -- so this Xmas can be a bit safer. In this blog we'll cover: - A typosquatting example: If you make the wrong typo, where will it take you, and how does it work? - A typosquat hive example from the wild - how does it work, which brands are targeted, and where will the typosquat take you? - Which countries the typos are coming from with this campaign. - Where the scam infrastructure is located. - A list of hundreds of hosts used for typosquatting found in the wild. The list is free to download. A typosquatting example: If you make the wrong typo, where does it take you? We've all made typing mistakes when typing a Web address in our browser. In better cases, we get nothing more than a 404 not found error. In worse cases, we might be redirected to a scam site or a malware/exploit site. Usually, in the case of typosquatting-based cyber crimes, the victim that mistakenly made the typo is redirected to a scam site that tries to take advantage of the victim's state of mind. For example, victims who thought they typed in the right Web address might not notice if they see a scam site with the look and behavior that they expect, and that can profit the scammer. Victims might see a site with the same color scheme and theme as the brand or site they intended to go to, hand-in-hand with false congratulations on being a random winner who will receive a prize for completing a short survey. The following video shows how it works: A "typosquat hive" example from the wild: How does it work? Typosquatting is illegal in the US. Nonetheless, a lot of typosquatting sites are hosted in the US. As an example, at the bottom of this blog, you'll find a list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals. How does this specific scam work? Please refer to the image below, and we'll take you step-by-step right through it. The typosquat hive (marked 1 in the diagram ) consists of many hostnames registered by the cybercriminals. (If you have a look through the list linked at the bottom of the blog, you'll find those names there.) The list consists of a lot of names that target very well known brands. The cybercriminals are interested in breadth -- they want to target as many well-known brands as possible. This gives their scam good exposure. The cybercriminals that are in control of the hive (the registered typosquat domains) have a few options for how to use the sites. They can set up their own scam infrastructure, like the premium rate phone numbers system we saw in the video above. Usually, the cybercriminals that own the hive partner with other cybercriminals that already have the scam infrastructure established (marked 2). The scam infrastructure is where the victim (marked 3) is ultimately led to separate from his or her money after making a typo in the browser. The scam infrastructure consists of Web servers, changing domain names, and the enticing scam content that victims see. The agreement between the cybercriminals that own the hive and the ones that own the network could be either fixed cost for the time the typosquat hive is used, or, more often, a "per traffic" agreement. The latter means the owner of the hive gets a cut based on the actual number of victims that fall for the scam. For example, a percentage from the victims that registered for a premium number text service that costs £3 a message. Once the agreement is set up, the owners of the hive can point the hosts they own to the name servers that are part of the infrastructure built by their "partner in scam" (marked 4) for as long as the agreement is on. The typosquat hive in our example targets mainly UK brands (list available for download at the end of the blog). Here are just a few examples from that list of registered typosquatting domains in the hive, including the brands they're targeting: johnlwis.com (targets the legitimate Web site johnlewis.com) arrgos.co.uk (targets the legitimate Web site argos .co.uk ) debnhams.co.uk (targets the legitimate Web site debenhams.com) As UK Web sites and brands are the main target, most of the requests coming to this typosquat hive originate from the UK (victims making easy typos). Please refer to the pie chart below to see the location distribution of users that end up at a typosquat host in this hive, as observed in the Threatseeker™ Network over one week. It's natural to see multiple countries, as UK residents roam and brands offer services and products that are available globally. The scam infrastructure is hosted in the US Typos that go to a host in the hive lead to a scam site. For example, when this blog post was created, typing in johnlews.com redirected any victim to the scam site surveystartweb.com as seen in the diagram below (click to enlarge). Much as in the scam featured in the video, victims are informed that they won a desirable product, and are asked to register to a premium rate number service (click on the second image to see an animation of the redirection in the browser). Animated GIF showing the redirection to the scam site after making the typo (click to open - the animation loops): In this example, surveystartweb.com is part of the scam infrastructure and...

Read more > 

Filed under: , ,

no comments

Typosquatting

Posted: 24 Oct 2011 08:42 PM | Anonymous


Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone! Most of us make typing errors once in a while, but what if those errors could cause data leakage? Typosquatting exploits common typing errors made when entering a Web address in a browser--typing “a” instead of “s”, for example, or “e” instead of “r”--resulting in URL hijacking, malware injection, or phishing. Popular social networking sites, like Facebook, are often targets of typosquatting. With over 800 million active users, it’s no surprise the social networking giant is a target of such exploits. Say you’re in a hurry to check out the latest update from your friends on facebook.com, but in your excitement, you enter faccenook.com instead. There could be several outcomes. If the Web site designers anticipated your clumsiness, you still get to the desired destination. Otherwise, you might get an error message saying that the page is unavailable. Or you could get a page that looks like facebook.com, but that actually redirects you to phishing or other potentially harmful sites, injects malware, infects your system with spyware, and ruins your day. After carefully studying the objectionable links generated by common typos for Facebook, we found that over 62% of links lead to bot networks, phishing, or malicious web sites. Websense Security Labs researchers investigated the top ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and even omissions, anticipating common typos that result in fake or malicious pages. Websense software protects users, their data, and their systems with its unique backtracking algorithm to identify altered domain names. The Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.

Read more > 

Filed under: , , ,

no comments