Proactive IT security
 

The importance of typing correctly

Introduction

One of our weaknesses that criminals are able to exploit is our affinity to misspell. This article will examine some of these, and in particular focus on one particular technique, which has received some attention lately.

A general statement: Computers do what they are told

A computer normally does exactly what it is instructed to do!

If you enter www.normal.com in your browser's address field to visit Norman's web site, the computer does not know that you intended to write www.norman.com.

In some instances, the applications attempt to be "smart" by trying to "correct" misspellings. One example is Google's search system, which suggests alternative variants if you search for unusual terms. Another is the spellchecking, which is available in some applications.

However, the general rule is that the computer does what a user or an application tells it to do. This may result in consequences that are funny as well as dangerous, as we shall see later.

Typosquatting

Typosquatting is derived from

  • Squatting, i.e. occupying an abandoned or unoccupied space or building that the squatter does not own, rent or otherwise have permission to use, and
  • Typo, short for typographical error

Wikipedia tells that typosquatting or URL hijacking is

a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser.

Wikipedia mentions four different types of user errors the typosquatters may exploit (with the domain example.com used to clarify):

  1. A common misspelling, or foreign language spelling, of the intended site: exemple.com
  2. A misspelling based on typing errors: xample.com or examlpe.com
  3. A differently phrased domain name: examples.com
  4. A different top-level domain: example.org

Although typosquatting is normally used for exploiting web addresses (URLs), we will in this article use it in a generic manner, and will include all types of names and addresses used on the Internet.

Malicious typosquatting

The idea behind typosquatting is usually to exploit users, by tricking them into believing that they have not made any typo.

Web address typosquatting

This is the most used type of typosquatting. Cybercriminals will register domain names, which resemble the names that are used by e.g. popular web sites, or web sites belonging to banks or to a company that is to be attacked (targeted).

The criminals will often set up web sites that are similar or identical to the real sites. The culprit may then either wait for users to misspell the correct name and enter the malicious site by mistake, or use phishing techniques to lure users to the malicious site.

Whatever technique is used, the goal is to trick users into parting with information that can be exploited - credit card information, for example.

Doppelganger domain - typosquatting email

Earlier this month Godai Group published a paper which described what was termed a Doppelganger domain. This is a type of typosquatting that focuses on omitted characters, and is said to be particularly useful for attacking the email system.

A Doppelganger domain is defined as

(...) a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes.

Using norman.com as an example, if de.norman.com were the correct FQDN, a Doppelganger domain would be denorman.com.

The researchers from Godai Group studied Fortune 500 companies, and 30% turned out to be susceptible to the type of attack that was studied.

The attack has two different methods, which can be used separately or combined. Both methods presuppose that the attacker registers a domain name corresponding to the definition above.

In the passive attack method the attacker first sets up an email server that accepts all emails sent to that domain (whether the user name exists or not). The attacker then has to wait for users to misspell an address and send emails to her server by mistake, hoping that useful information will be obtained at some point in time.

The other method is more suited for targeted attacks. The criminal then impersonates someone and sends emails to a specific person or persons - i.e. using social engineering techniques.

An even more sophisticated version of the targeted attack is also discussed - the Man-in-the-MailBox (MITMB) attack, where the attacker uses doppelganger domains for both sender and recipient, intercepts all email communication, and subsequently forwards the email to the correct email addresses.

The paper shows how the passive attack technique was used to collect 120 000 emails - 20 GB of data - including user names and passwords as well as trade secrets.

We refer to the paper from Godai Group for more details about Doppelganger Domains.

Other types of typosquatting

Typosquatting may be used for a wide range of attacks.

In addition to the techniques mentioned above, the use of characters that look similar also belongs to this type of attack. Consider for example the fact that the letter I (capital 'i') and the letter l (small 'L') look identical in some fonts.

On Twitter we recently witnessed an intriguing exchange of tweets between a Twitter user and some of his followers. The interesting issue was that the Twitter user seemed to contradict himself and his views all the time, which caused quite a bit of confusion among the followers. It took quite some time before a clever person found out that there were two different accounts involved - one spelled with the capital letter I, and one spelled with the small letter l.

The general risk here is if someone uses this technique to impersonate you or your company. It may be used to damage your reputation considerably before you are even aware what is happening.

Another clever example of substituting one letter with a similar-looking one was discussed in Microsoft's Technet Blog item Can we believe our eyes? on 10 August this year. In this case, the Cyrillic character that looks like 'o' was used in an attack against the computer's hosts file. The attack also involved setting the hidden attribute on the genuine hosts file.

Protection techniques

It is not easy to offer specific advice that will cover all types of attacks using the kind of methods discussed in this article.

The obvious advice is to be conscious of the importance of spelling correctly.

Other good advice is to inform users in the organization about the attacks that use these mechanisms.

Organizations may to some extent increase their protection by purchasing domains that have the potential to be used for typosquatting.

One may also imagine that vendors of client software come up with systems that mitigate this attack method. One example is that browser vendors could implement a warning that triggers if a user attempts to access a computer using an address that resembles one the user has visited a certain number of times before.
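As an added example (not from this article or from the Godai Group paper), here is a check that an outbound mail gateway could apply to each recipient domain, combining the doppelganger definition above with the look-alike letters from the previous section. The organization's FQDNs and the confusable table are constructed placeholders; the check generalizes the definition slightly by dropping any interior dot, not only the one between subdomain and domain.

```python
import unicodedata

# Constructed sample: FQDNs the organization owns (placeholders, not real data).
ORG_FQDNS = ["norman.com", "de.norman.com", "mail.norman.com"]

# Visually confusable characters mapped to the Latin letter they imitate.
# Constructed shortlist; a production filter would use the full Unicode
# confusables table instead.
CONFUSABLES = {
    "\u043e": "o",  # Cyrillic small o, as in the hosts-file case above
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small e
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "I": "l",       # capital i vs small L, as in the Twitter case above
    "1": "l",       # digit one vs small L
    "|": "l",       # vertical bar vs small L
    "0": "o",       # digit zero vs letter o
}


def doppelganger_domains(fqdns):
    """Doppelganger domains of the given FQDNs: each name with one interior
    dot dropped (de.norman.com -> denorman.com). The dot before the
    top-level domain is kept, since dropping it yields no usable domain."""
    result = set()
    for fqdn in fqdns:
        labels = fqdn.lower().split(".")
        for i in range(len(labels) - 2):
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            result.add(".".join(merged))
    return result


def skeleton(name):
    """Reduce a name to a plain-ASCII skeleton so that look-alike spellings
    (I/l, Cyrillic/Latin o, 0/o) compare equal to the genuine spelling."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        out.append(CONFUSABLES.get(ch) or CONFUSABLES.get(ch.lower()) or ch.lower())
    return "".join(out)


def classify_domain(domain, org_fqdns=ORG_FQDNS):
    """Classify a recipient domain relative to the organization's own names:
    'own', 'doppelganger' (dot missing), 'homoglyph' (look-alike letters)
    or 'unknown'. A gateway would hold or flag the middle two for review."""
    own = {f.lower() for f in org_fqdns}
    doppel = doppelganger_domains(own)
    if domain.lower() in own:
        return "own"
    if domain.lower() in doppel:
        return "doppelganger"
    if skeleton(domain) in {skeleton(n) for n in own | doppel}:
        return "homoglyph"
    return "unknown"
```

The skeleton comparison is deliberately applied to the domain as typed, before lowercasing, so that a capital I standing in for a small l is still caught.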

References