The State of Typosquatting - 2007

The recently released "What’s In A Name: The State of Typo-Squatting 2007" is a very in-depth and well segmented study into the topic, you should consider going through :

Introduction
Typo- and Cyber-squatting on the rise
Key Findings
Methodology
Rankings by Category
Sample site: McAfee.com
The Economics of Typo-Squatting: Why it Works
What is driving the increase in typo-squatting
The decline in adult content on typo-squatters
Discussion of our methodology
Defining Typo-Squatting
Other Methods for Combating Typo-Squatting
Conclusions
Complete Results

Is it just me using bookmarks and only risking to fall victim into a pharming attack, compared to manually typing and mistyping an URL? My point is that coming across several articles emphasizing how important typing the right URLs is, I think they've missed an important point which is that typosquatting by itself isn't that big of a security threat, but in a combination of tactics it becomes such. There's no chance you will ever mistype an URL such as paypal-comlwebscrc-login-run.com, a typosquatted domain like the ones I covered in September, since these ones come in as phishing emails hosting a Rock Phish kit, namely they turn into threats when combined with other tactics. Blackhat SEO is another such tactic. The type of buy-cheap-iphones.com always aim to trick search engines into positioning them among the first 20 results, and they often succeed until a search engine figures out it's a blackhat SEO spam and removes it from the index.

Here's an example of such combination of tactics, use-iphone.com for instance was spammed according McAfee, the folks behind the study. What's was use-iphone.com all about? Icepack kit in action - use-iphone.com/ice-pack/index.php.

A Botnet of Infected Terrorists?

Redefining malware to minimize the negative public outbreak by renaming it to Remote Forensic Software, now that's a evil marketing department's positioning strategy in action. I've already discussed how inpractical the utopian central planning of a security industry is, and while you're limiting the access to the tools who may help someone unethically pen testing an internal asset, you're also limiting the possibility for the discovery of such vulnerable asset - basically a false feeling of security, you don't touch it, it doesn't move, until of course someone else outside your controlled environment comes across it, the way they will sooner or later since it's an open network, one you benefit from, but cannot fully control.

Australian law enforcement have been using spyware for a while, and Austria following Germany's interest into the concept is getting involved too:

"Germany is hiring software specialists to design "white-hat" viruses that could infiltrate terrorists' computers and help police detect upcoming attacks, an Interior Ministry spokeswoman in Berlin confirmed Saturday. The government is still drafting legislation to permit snooping via the internet under judicial control, but has decided there is no time to lose in developing the "remote forensic software." The ministry said the BKA federal police had been instructed to resume the development and hire two specialists."

Are cyber criminals or bureaucrats the industry's top performer? In November, 2008, we'll be discussing how come so much money were spend to develop the malware, given the lack of any ROI out of this idea during the entire period, whereas DIY malware tools are not just a commodity, but also freely available for a law enforcement to use. Moreover, emailing malware is so old-fashioned and noise generating, that even the average Internet users knows "not to click on those email attachments sent from unknown source". A far more pragmatic approach would be to embedd the malware on sites suspected of evangelizing terrorism, or radicalizing their audiences, by doing so you'll end up with a larger infected sample, and eventually someone, let's say 1 out of 10,000 infected will turn out to be a terrorist, by whatever definition you're referring to in the case. Even more pragmatic, by requesting a botnet on demand, and requiring the botnet master to tailor your purchase by providing you with infected hosts in Germany whose browser language, and default fonts used are Arabic, you will not just save money, but will increase the probability of coming across a stereotyped terrorist, by outsourcing the infecting stage to those who excell at it.

Excluding the sarcasm, it's your money that go for funding of such initiatives who basically "shoot into the dark" to see if they can hit someone. Even if they manage to infect someone, more staff will be required to monitor the collected data, which means more money will go into this, ending up with an entire department monitoring wishful thinking and thought crime. Geheime Staatspolizei anyone?

If you really want access to real-time early warning threat intell for possible threats, monitor the public cyber jihadist communities don't come up with new ones to use them as honeypots for cyber jihadists, identify local residents, evaluate their state of radicalization and attitudes towards standard terrorist ideas, prioritize, and take action if necessary.

Cartoon courtesy of Mahjjob.com

Mass Defacement by Turkish Hacktivists

At first it appeared that it was just the official site of Goa's DoIP, that's been defaced by Turkish defacers, but looking further the campaign gets much bigger than originally anticipated :

"The official website of the Goa government’s Department of Information and Publicity (DoIP) - goainformation.org - was hacked by a group of Turkish militants on Saturday. The hacker has not only defaced the website, replacing all information with the group’s propaganda material in Turkish language, but also posted some gory pictures of slain terrorists. The DoIP has now lodged a complaint with the Panjim Police and the Panjim crime branch is investigating the matter."

The campaign is aiming to send a PSYOPS signal to the rest of the world regarding the recent tensions between Turkey's military operations in northern Iraq against PKK, an action the U.S doesn't seem to enjoy at all. Some sample defaced sites are savymedia.com; itrit.com; sledderforever.com; pssoc.org; youthblood.org; prisonministry.com. The defacers are sending the following message :

"The United States of America who is feeding on and strengthening behind closed doors the universal terrorists, is the greatest terrorist country. pkk/kadek/hpg/kkk is the world's most bloody and brutal terrorism group. They killed approximately 35.000 innocent people without any cruel till now. All the nations and states must know which are supporting these bloody and brutal terrorism groups, supporting terrorism will brings suffer and deathness. We are always be a side of peace. but we have always some words to say these terrorists "which" wants to seperate us and kill innocent people"

Moreover, Turkish hacktivists from another group have also been active recently by defacing the Assyrian Academic Society, Assyrian actress and author Rosie Malek-Yonan's site, and International Campaign to Support the Christians of Iraq petition's site. Three other Turkish hacktivists are also currently defacing under the handles of NusreT, MUSTAFAGAZI, and Storm, using the same defacement templates. The first group is reachable at a closed forum turkmilliyetcileri.org, and the second at turkittifak.org. Apparently, these groups are all under the umbrella of the Turkish Republican Hackers group.

Large Scale MySpace Phishing Attack

In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, that's been active for over a month and continues to be. A Chinese phishing group have come up with legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains at their original .cn domains, and by doing so achieve its ultimate objective - establish trust through typosquatting, remain beneath the security vendors radar by comment spamming the URLs inside MySpace, and obtain the login details of everyone who got tricked.

Key points :

- all of the participating domains are using identical DNS servers, whereas their DNS records are set to change every 3 minutes

- each and every domain is using a different comment spam message, making it easy to assess the potential impact of each of them

- the URLs are not spammed like typical phishing emails, but comment spammed within MySpace by using legitimate accouts, presumably once that have already fallen victim into the campaign, and mostly to remain beneath the radar of security vendors if the URLs were spammed in the usual manner

- all of the URLs are the subdomains are currently active, and the login details get forwarded to a central location 319303.cn/login.php

This how the fake MySpace login looks like on the fake domains/subdomains :

(form action = "http://319303.cn/login.php" method = "post" name = "theForm" id = "theForm)

This is how the real MySpace login looks like :

(form action = "http://secure.myspace.com/index.cfm?fuseaction=login.process" method = "post" id = "LoginForm")

Sample MySpace phishing URLs from this campaign :

profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn

profile.myspace.com.index.fuseaction.id.370913.cn

profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn

profile.myspace.com.fuseaction.id.Dx78x00iJe5.982728.cn

profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn

profile.myspace.com.fuseaction.id.0nd8di8xfd.125723.cn

profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn

Ten sample Chinese domains participating in the phishing attack, returning the MySpace spoof at the main index and the subdomains :

378d38.cn

978bg33.cn

370913.cn

107882.cn

103238.cn

978nd03.cn

107882.cn

pcc2ekxz.cn

125723.cn

pckeez.cn

Assessing the comment messages used on ten phishing domains for internal comment spamming at MySpace :

370913.cn - "haha i cant believe we went to high school with this girl"

978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces"

982728.cn - "I cannot believe this freaking whore would put pics like that on her myspace page.. how trashy.."

977y62.cn - "did you see what happened? OMG you gotta see Mike's profile."

125723.cn - "did you see what happened? OMG you gotta see Mike's profile."

pckeez.cn - "can you believe we went to highschool with this chick?"

pcc2ekxz.cn - "can't believe a 18 year old chick would put half-nude pics on myspace. whore alert."

arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her myspace"

125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!"

109820.cn - "sometimes i just cannot believe the pics that people put on their myspaces LMAO!"

The campaign is surprisingly well thought of. If they were spamming the phishing URLs, security vendors would have picked it up immediately and its lifetime would have been much shorter compared to its current one. The phishers aren't sending emails asking people to login to MySpace via profile.myspace.com.random_digits.cn for instance, instead they're spamming inside MySpace by posting comments prompting users to click further using the phrase "haha i cant believe we went to high school with this girl". It gets even more interesting, compared to the common logic of them having to register fake accounts and posting the comments by using them, in this case, the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 1:02 PM ; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM, are all posted by legitime users, well from legitimate users' accounts in this case. How huge is this? Over 378,000 results for the campaign under this phrase keeping in mind that people embed their MySpace profiles at their domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com itself. This is for one of the phishing domains only.

Now if that's not enough to disturb you, each and every of the .cn domains are resolving to what looks like U.S based hosts only that will change every 3 minutes. Not necessarily as dynamic as previously discussed fast-flux networks, but these are worth keeping an eye on :

107882.cn

370913.cn

978bg33.cn

Here are some central DNS servers that all the .cn domains use :

ns4.6309a46.com

ns1.52352a0c60a9c29.com

ns3.926817a885d86e1.com

ns2.terimadisirida.net

I'll leave the data mining based on these patterns to you, what's important is that the URLs are still serving spoofed MySpace front pages, with the only downsize that they cannot sucessfully load MySpace's videos, and don't provide any SSL authentication, which I doubt have prevented lots of people from falling victims into it.

Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first.

The "New Media" Malware Gang

Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any kind of effort of making them harder to trace back, namely, maintaining a static web presence, but one with diversifying set of malware and exploits used. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode such as :

repairhddtech.com
granddslp.net
prevedltd.net
stepling.net
softoneveryday.com
samsntafox.com
himpax.com
grimpex.org
trakror.org
dpsmob.com
besotrix.net
gotizon.net
besttanya.com
carsent.com
heliosab.info
gipperlox.info
leader-invest.net
fiderfox.info
potec.net

However, the latest IPs and domains related to the group are dispersed on different netblocks and are actively serving malware through exploit URLs :

78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock, here are two such examples of RBN IPs used by this group as well :

81.95.149.236/us3/index.php
81.95.148.162/e202/

In case you also remember, some of this group's URLs were also used as communication vehicle with a downloader that was hosted on a RBN IP, that very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems.

But of Course I'm Infected With Spyware

Remember those old school fake hard drive erasers where a status bar that's basically doing a directory listing is shown, and HDD activity is stimulated so that the end user gets the false feeling of witnessing the process? Fake anti spyware and anti virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, and adding an additional layer of social engineering tricks by obtaining the PCs details with simple javascript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti virus vendor could envy them for not picking it up earlier and integrating it in upcoming marketing campaign or service to come. SpywareSoftStop's statements :

"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."

The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com that's now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe) will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of a DIY malware courtesy of Pinch.