Can't Sleep? Let's Count a Typosquat Hive
Posted: 30 Jan 2013 07:27 AM

The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?

Upon further analysis we discovered a connection between those hosts:

 

  1. Most of them are hosted on the same IP address, 208.73.210.128.
  2. They lead to scam survey websites and spam websites.
  3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.

 

Let us take one of the example hosts to further illustrate how a victim can be taken from a typosquat in the hive to a scam site.  For example, typing in hxxp://youtibe.com/ redirects the user to a scam site hxxp://socialsurvey.chattycatty.com/. 

Multiple requests to the same host result in different landing pages including scam surveys, form filling, and spam sites. In one example (see the screenshots below) users are lured and redirected to a "Youtube" themed website to complete a survey which claims that upon completion, they will have the opportunity to receive one of the listed gifts:

After completing the "survey", the user is offered the option to sign up for a paid, automatically renewing monthly subscription service with an additional enticing gift at a low price, and is then asked to enter credit card details. The catch is in the "terms and conditions" section, which states that the gift is the responsibility of a third party and that no subscription refunds are allowed.

Fortunately Websense protects its users against such threats with Websense ACE (Advanced Classification Engine). If you have seen other typosquats, let us know in the comments.

 

Author: Samana Haider


Carl Leonard

The rise of a typosquatting army
Posted: 22 Jan 2012 03:30 AM

The week before, we published a blog post that discussed typosquatting of social web sites that leads visitors to spam survey sites with a high Alexa ranking. Our ongoing research shows that the cyber-criminals behind it are doing even more work, and that the campaign is more widespread than we originally thought. Their targets are not limited to the social web: they have registered typosquatting domains for popular, frequently visited sites in all areas, from Google to Victoria's Secret and Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site. The Websense® ThreatSeeker® Network has discovered over 7,000 typosquatting sites within this single network.

These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, visitors are taken to a spam survey site (which we showed you in this blog). After visitors complete the spam survey, they are taken to sites that distribute spam advertisements selected according to their interests. An example of such an advertisement is a free movie downloader, as shown below. Currently, these spam advertisements are not spreading anything malicious. However, if these networks are resold to underground groups, the potential outcome could be even more damaging than a 0-day exploit attack.


You'd be surprised by the number of visitors who mistype popular domain names. These mistyped domains generate a huge amount of traffic (some sites even managed to reach the Alexa top 250 list). From the careless users who fill in the survey, the cyber-criminals obtain sensitive data. All of this can be translated into profit. Based on online web site valuation tools such as worthofweb.com (as shown below), we expect that attackers are pulling in a substantial income from typosquatting campaigns.

Websense Security Labs will continue to monitor these campaigns, and Websense customers are protected from these threats via ACE, our Advanced Classification Engine.


uwang

Typosquatting social web gains top Alexa ranking
Posted: 11 Jan 2012 01:00 AM

Websense® ThreatSeeker® Network has detected fraudulent Web sites that have made it onto the global Alexa top 250 list. These are amazing results for fraudulent Web sites, as some of them rank even better than genuine big-name portals. In this campaign, the fraudulent sites pretend to be from YouTube, and they try to lure you in by saying you have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. Survey scams were very common in the past year, and were usually spread within social networks like Facebook or Twitter. They often used hot topics to lure visitors. We have already blogged about these incidents, and customers are encouraged to educate themselves about these attacks so they do not fall for this kind of technique. Here is the snapshot of the current campaign:

An interesting thing we found is that survey campaigns that spread in social networks are usually localized by area or language. This means that traffic for spam sites used in such campaigns is limited to related countries or regions. However, video rewards survey campaigns can spread globally, as they have a high Alexa rank in almost every country and there is no language barrier. Additionally, the spam site server checks the IP addresses of visitors and shows the location information on the page to appear more authentic. One of the spam sites used in this campaign is video-rewardz.com, which at its peak reached Alexa’s top 250 list. The spam site has had a high Alexa rank since Dec 19th 2011, is still available now, and receives a lot of traffic.

How is it possible for spam sites to have so much traffic? After conducting some research, we found that the major source is mistyping of the twitter.com Web site. This type of attack is called typosquatting, and it is not new. We have blogged about it in the past; yet this campaign is popular because attackers get good results from it. The attacker needs only to register several typosquatting sites for Twitter and redirect each typosquat site to another site such as video-rewardz.com. This explains why it is a global spam campaign and why it can generate so much traffic: Twitter is a very popular site, and it’s easy for people to mistype its URL.


To prevent such attacks, some big names like Google and Facebook have registered names that can easily be mistyped for their portals. Twitter has not done this, which leaves it susceptible to such attacks and allows the spam sites that target it to reach an extremely high Alexa rank.

Listed below are typosquatting sites registered by attackers:

  • ttwitter.com
  • twwitter.com
  • twiitter.com
  • twittter.com
  • twitterr.com
  • twutter.com
  • twiter.com

 

Additionally, we also found other spam sites related to this campaign. Some of them have already been used in the campaign and have a high Alexa rank, whilst others may potentially be used in future.

  • videorewardcentral.com
  • videorewardsonline.com
  • socialupdatepanel.com
  • videorewardstoday.com
  • videorewardsnow.com
  • giveaway-winner.com
  • videorewardspace.com
  • video-reward.com
  • videorewardspot.com
  • video-rewardz.com

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


uwang

A typosquat hostname list for Xmas
Posted: 08 Dec 2011 05:06 PM

 

A few weeks ago, we published a blog about typosquatting. This time, we're going to give an actual example of typosquat hosts found in the wild and show how typosquatting scams work. We'll take you through a typosquatting campaign that abuses tens of well-known brands and includes thousands of registered typosquat hosts (a typosquat hive). After that, we'll offer a list that includes hundreds of typosquatting hosts from that hive, all of which can be found in the wild. The list is free to download for any of you who are into IT security -- so this Xmas can be a bit safer.

 

In this blog we'll cover:

 

- A typosquatting example: If you make the wrong typo, where will it take you, and how does it work?

- A typosquat hive example from the wild - how does it work, which brands are targeted, and where will the typosquat take you?

- Which countries the typos are coming from with this campaign.

- Where the scam infrastructure is located. 

- A list of hundreds of hosts used for typosquatting found in the wild. The list is free to download.

 

A typosquatting example: If you make the wrong typo, where does it take you?

 

We've all made typing mistakes when typing a Web address in our browser. In better cases, we get nothing more than a 404 not found error. In worse cases, we might be redirected to a scam site or a malware/exploit site.

 

Usually, in the case of typosquatting-based cyber crimes, the victim that mistakenly made the typo is redirected to a scam site that tries to take advantage of the victim's state of mind. For example, victims who thought they typed in the right Web address might not notice if they see a scam site with the look and behavior that they expect, and that can profit the scammer. Victims might see a site with the same color scheme and theme as the brand or site they intended to go to, hand-in-hand with false congratulations on being a random winner who will receive a prize for completing a short survey. The following video shows how it works:


A "typosquat hive" example from the wild: How does it work?

 

Typosquatting is illegal in the US. Nonetheless, a lot of typosquatting sites are hosted in the US. As an example, at the bottom of this blog, you'll find a list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.

 

How does this specific scam work? Please refer to the image below, and we'll take you step-by-step right through it. The typosquat hive (marked 1 in the diagram) consists of many hostnames registered by the cybercriminals. (If you have a look through the list linked at the bottom of the blog, you'll find those names there.) The list consists of a lot of names that target very well-known brands. The cybercriminals are interested in breadth -- they want to target as many well-known brands as possible. This gives their scam good exposure. The cybercriminals that are in control of the hive (the registered typosquat domains) have a few options for how to use the sites. They can set up their own scam infrastructure, like the premium rate phone number system we saw in the video above. Usually, though, the cybercriminals that own the hive partner with other cybercriminals that already have the scam infrastructure established (marked 2). The scam infrastructure is where the victim (marked 3) is ultimately led, to be separated from his or her money after making a typo in the browser. The scam infrastructure consists of Web servers, changing domain names, and the enticing scam content that victims see.

 

The agreement between the cybercriminals that own the hive and the ones that own the network could be either a fixed cost for the time the typosquat hive is used or, more often, a "per traffic" agreement. The latter means the owner of the hive gets a cut based on the actual number of victims that fall for the scam: for example, a percentage from the victims that registered for a premium number text service that costs £3 a message. Once the agreement is set up, the owners of the hive point the hosts they own to the name servers that are part of the infrastructure built by their "partner in scam" (marked 4) for as long as the agreement is on.

 

The typosquat hive in our example targets mainly UK brands (list available for download at the end of the blog). Here are just a few examples from that list of registered typosquatting domains in the hive, including the brands they're targeting:

 

johnlwis.com (targets the legitimate Web site johnlewis.com)

arrgos.co.uk (targets the legitimate Web site argos.co.uk)

debnhams.co.uk (targets the legitimate Web site debenhams.com)

 

As UK Web sites and brands are the main target, most of the requests coming to this typosquat hive originate from the UK (victims making easy typos). Please refer to the pie chart below to see the location distribution of users that end up at a typosquat host in this hive, as observed in the Threatseeker™ Network over one week. It's natural to see multiple countries, as UK residents roam and brands offer services and products that are available globally.

The scam infrastructure is hosted in the US

 

Typos that go to a host in the hive lead to a scam site. For example, when this blog post was created, typing in johnlews.com redirected any victim to the scam site surveystartweb.com as seen in the diagram below (click to enlarge). Much as in the scam featured in the video, victims are informed that they won a desirable product, and are asked to register to a premium rate number service (click on the second image to see an animation of the redirection in the browser).

Animated GIF showing the redirection to the scam site after making the typo (click to open - the animation loops):

In this example, surveystartweb.com is part of the scam infrastructure and ultimately redirects to promotions.djummer.com, where victims are likely to be separated from their money. The scam infrastructure consists of many hosts that hold basically the same information. In essence, different typos lead to different scam hosts and URLs that usually follow the same principle, as in this case where victims are led to a premium rate number service. Using the Threatseeker Network, it is possible to check how many unique scam URLs are identified as part of the same scam infrastructure. If you check the graph below, you can see that observing live data for a week yielded an average of 121 unique URLs per day.

 

The GeoIP location of the URLs within the scam infrastructure is mainly in the US, a fact we found astounding. Check out the pie chart below to see the GeoIP location distribution of all the hosts known to be part of the scam infrastructure, as observed by the Threatseeker Network over one week.

Some final words

 

It's important to note that good typosquat hosts are very valuable to their cybercriminal owners. There are two main reasons for this:

 

1. A good combination of keys both likely to be a common typo and very similar to the legitimate, targeted site is rare. There are a limited number of proximate keyboard buttons that are likely to create a typo: for example, instead of the letter "P," it is easy to type nearby letters like "O."

 

2. Once a typosquat domain is spotted, it's blacklisted and lost forever.

 

For these reasons, it's not a surprise to see typosquat hosts that don't serve scams lying low for a time, coming to life and serving scams for a short while, and then going back to covert mode. Also, it's common for typosquat hosts to employ evasion tactics while they lie low; one method is to redirect any users or nosy researchers to the legitimate Web site to avoid any suspicion. Other tactics could involve blacklisting methods against probing users or researchers that try to poke around the hive.

 

It's important to remember that legitimate Web sites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site's name. This is a good strategy for successful Web sites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused. Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon.com, amaxzon.com, amzon.com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon. 
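The three behaviours described above (a typosquat host redirecting off-brand to a scam site, a host lying low by redirecting to the legitimate site, and a brand-owned defensive registration such as amzon.com) look different in an organisation's web proxy logs. The following is an added example, not Websense code: it scans constructed proxy-log lines for requests to hosts one keystroke away from a protected brand and classifies each by where the host sent the client. The brand list, the log line format and the sample hostnames (taken from these posts) are assumptions for the example.

```python
# Added example, not Websense code: flag proxy-log requests to hosts one
# keystroke from a protected brand and classify where each host sent the
# client. Brand list and log format are assumptions for the example.
import re
from typing import Dict, List, Optional

BRANDS = {"twitter.com", "youtube.com", "amazon.com", "johnlewis.com"}
# Constructed sample, "<ts> <client> <host> -> <redirect target or ->".
SAMPLE_LOG = """\
2013-01-30T07:10:01Z 10.0.0.12 youtibe.com -> socialsurvey.chattycatty.com
2013-01-30T07:10:05Z 10.0.0.12 twitter.com -> -
2013-01-30T07:11:40Z 10.0.0.31 amzon.com -> www.amazon.com
2013-01-30T07:12:02Z 10.0.0.44 twiter.com -> video-rewardz.com
2013-01-30T07:12:09Z 10.0.0.44 johnlews.com -> surveystartweb.com
2013-01-30T07:13:00Z 10.0.0.50 example.org -> -
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")

def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])  # crude eTLD+1, fine for .com

def nearest_brand(host: str) -> Optional[str]:
    """Brand within one keystroke of the host, or None if exact or unrelated."""
    dom = registrable(host)
    if dom in BRANDS:
        return None
    return next((b for b in sorted(BRANDS) if osa_distance(dom, b) <= 1), None)

def scan(log: str) -> List[Dict[str, str]]:
    """One record per typo-host request; the verdict says where it led."""
    hits = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts, client, host, target = m.groups()
        brand = nearest_brand(host)
        if brand is None:
            continue
        if target == "-":
            verdict = "no-redirect"          # parked, or serving content itself
        elif registrable(target) == brand:
            verdict = "redirect-to-brand"    # defensive registration, or evasion
        else:
            verdict = "off-brand-redirect"   # the scam chain described above
        hits.append(dict(ts=ts, client=client, host=host, brand=brand,
                         target=target, verdict=verdict))
    return hits
```

A "redirect-to-brand" hit is not proof of benign ownership: as the post notes, hives lying low redirect visitors to the legitimate site too, so the record is worth keeping and re-checking later.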

 

We'd also like to add that other means can be used to redirect or lure victims to the scam infrastructure. For example, not long ago we noticed a spammy Facebook campaign titled "In Memory of Steve Giving Away 1000 iPad 2s" that propagated throughout Facebook and ultimately led victims to the same infrastructure.

 

A list of hundreds of hosts used for typosquatting found in the wild and free to download.

 

Download the full list from here 3324.typo_list_.txt. Please exercise CAUTION as these domains aren't safe. We strongly advise that you not load them in a browser.

Elad Sharf

Typosquatting
Posted: 24 Oct 2011 08:42 PM

Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone!
Most of us make typing errors once in a while, but what if those errors could cause data leakage? 

 

Typosquatting exploits common typing errors made when entering a Web address in a browser--typing “a” instead of “s”, for example, or “e” instead of “r”--resulting in URL hijacking, malware injection, or phishing. Popular social networking sites, like Facebook, are often targets of typosquatting. With over 800 million active users, it’s no surprise the social networking giant is a target of such exploits.


Say you’re in a hurry to check out the latest update from your friends on facebook.com, but in your excitement, you enter faccenook.com instead.  There could be several outcomes. If the Web site designers anticipated your clumsiness, you still get to the desired destination. Otherwise, you might get an error message saying that the page is unavailable.  Or you could get a page that looks like facebook.com, but that actually redirects you to phishing or other potentially harmful sites, injects malware, infects your system with spyware, and ruins your day.

After carefully studying the objectionable links generated by common typos for Facebook, we found that over 62% of links lead to bot networks, phishing, or malicious web sites. 

 

Websense Security Labs researchers investigated the top ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and even omissions, anticipating common typos that result in fake or malicious pages. Websense software protects users, their data, and their systems with its unique backtracking algorithm to identify altered domain names. The Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.
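The typo classes this post names (keyboard character distance, repeats, omissions) can be enumerated for a brand's own domain to decide which hostnames to register defensively or to watch, as Google, Facebook and Amazon do in the posts above. The following is an added example, not Websense's backtracking algorithm: the QWERTY layout table is a constructed approximation, and the generator also covers an adjacent key hit next to the intended one, which is the class aqmazon.com and amaxzon.com fall into.

```python
# Added example, not Websense code: enumerate the typo classes the post names
# (adjacent-key substitution, repeated key, omission) plus adjacent-key
# insertion, so a brand owner can see which hostnames to register or monitor.
from typing import Set

# QWERTY letter rows. A constructed approximation: digits and punctuation
# are ignored, and the staggered rows are treated as aligned.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def neighbours(ch: str) -> Set[str]:
    """Keys physically adjacent to `ch`: left/right on the same row, and
    the three keys around it on the rows above and below."""
    out: Set[str] = set()
    for r, row in enumerate(_ROWS):
        if ch not in row:
            continue
        i = row.index(ch)
        for j in (i - 1, i + 1):
            if 0 <= j < len(row):
                out.add(row[j])
        for rr in (r - 1, r + 1):
            if 0 <= rr < len(_ROWS):
                for j in (i - 1, i, i + 1):
                    if 0 <= j < len(_ROWS[rr]):
                        out.add(_ROWS[rr][j])
    return out


def typo_candidates(domain: str) -> Set[str]:
    """Single-keystroke typos of the first label of `domain`, e.g.
    'twitter.com' -> {'twiter.com', 'twutter.com', 'twiitter.com', ...}.
    The suffix after the first dot ('com', 'co.uk') is kept as typed."""
    label, dot, suffix = domain.lower().partition(".")
    out: Set[str] = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])              # omission
        out.add(label[:i] + ch + label[i:])             # repeated key
        for n in neighbours(ch):
            out.add(label[:i] + n + label[i + 1:])      # adjacent-key substitution
            out.add(label[:i] + n + label[i:])          # adjacent key hit before
            out.add(label[:i + 1] + n + label[i + 1:])  # adjacent key hit after
    out.discard(label)
    return {c + dot + suffix for c in out if c}


if __name__ == "__main__":
    # The seven twitter typos listed in the post above are all single
    # keystroke errors, so every one of them appears in this set.
    cands = typo_candidates("twitter.com")
    print(len(cands), "candidates; twutter.com present:", "twutter.com" in cands)
```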

 

©2013 Websense, Inc. All Rights Reserved.