A study of typosquatted domain names has found that the practice is reaching pandemic levels for the largest brands, but that there’s surprisingly little malware distribution going on.
The security company Sophos surveyed 2,249 domains that were one letter different to the .com sites of Facebook, Google, Twitter, Apple and Microsoft, and found that two thirds resolved.
Not all of those 1,502 sites were malicious typosquats; some were legitimate sites that just happened to have similarly spelled names (such as goole.com and witter.com), Sophos noted.
Apple was the most-squatted company by this measure: the share of typo domains that resolved was 61% for Microsoft, 74% for Twitter, 81% for Facebook, 83% for Google and 86% for Apple.
Sophos concluded that “there is a significant typosquatting ecosystem around high-profile, often-typed domain names.”
But it did not find as much malware as it was expecting, with only one domain leading to a malware site, 0.07% of the total.
However, 2.7% of the URLs “fell into the loose category of cybercrime”, which “means they are, or have been, associated with hacking, phishing, online fraud or spamming”.
The report, which also fingers parking services from Demand Media, Sedo, Oversee and Bodis as the recipients of 37% of the typo traffic, contains much more data and is well worth a read.
Annoyingly, it appears that Sophos only surveyed .com domains, so the data doesn’t really tell us much about the impact of TLDs (such as .co) on the typosquatting problem.
The official registry web site for the Libyan top-level domain has been defaced by anti-Gadaffi crackers.
Nic.ly currently looks like this:
The attack appears to be limited to the web server – as bit.ly domains are still resolving, I assume the culprits have not managed to take control of the registry’s more important systems.
Libya famously cut itself off from the internet in March, shortly after the ongoing rebel uprising – which today arrived on the streets of Tripoli – kicked off.
The .ly domain also went completely dark in 2004 after a communication breakdown between the registry manager and IANA.
Forget phishing, forget cybersquatting, forget typosquatting: high-value domain name owners may have a whole new threat to worry about – “bit-squatting”.
This appears to be the conclusion of fascinating new research to be presented by Artem Dinaburg at the Black Hat and DEF CON hacker conferences in Las Vegas next week.
Defective internet hardware, it turns out, may be enabling a whole new category of typosquatting that could prove worrying for companies already prone to domain name abuse.
According to a summary of Dinaburg’s research, RAM chips can sometimes malfunction due to heat or radiation, resulting in “flipped bits”, where a 1 turns into a 0 or vice-versa.
Because the DNS uses ASCII encoding, a query containing a single flipped bit could actually send the user to a completely different domain name from the one they intended to visit.
To test the theory, Dinaburg appears to have registered the typo domain name mic2osoft.com. While it’s not visually confusing or a likely typo, in binary it is only one bit different to microsoft.com.
The ASCII binary code for the digit 2 is 00110010, which is only one bit different to the lower-case letter r, 01110010.
The binary for the string “microsoft” is:
and the binary encoding for “mic2osoft” is (with the single changed bit highlighted):
Therefore, if that one bit were to be accidentally flipped by a dodgy chip, the user could find themselves sending data to the bit-squatter’s domain rather than Microsoft’s official home.
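As an added worked example (not code from the original post or from Dinaburg’s research), the following Python reproduces the bit patterns discussed above and generalises the “mic2osoft” case: it enumerates every label that is exactly one bit-flip away from a given label and is still a valid DNS label. Case-only flips are skipped because DNS is case-insensitive, so they still resolve to the same name. The function names are my own; the resulting list is what a domain owner would review when deciding which names to register or monitor defensively.

```python
# Added example, not part of the original post.
# Shows how one flipped bit in ASCII turns one DNS label into another.
from typing import List

# Characters allowed in a hostname label (RFC 1123): letters, digits, hyphen.
VALID_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def to_bits(label: str) -> str:
    """8-bit ASCII binary for each character, space separated."""
    return " ".join(f"{ord(c):08b}" for c in label)


def hamming_bits(a: str, b: str) -> int:
    """Count the differing bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("labels must be the same length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def single_bit_variants(label: str) -> List[str]:
    """All labels one bit-flip away from `label` that are still valid DNS
    labels and are not merely a case change of the original."""
    label = label.lower()
    variants = set()
    for i, c in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(c) ^ (1 << bit))
            if flipped.lower() == c:
                continue  # e.g. 'r' -> 'R': same name to a resolver
            if flipped not in VALID_LABEL_CHARS:
                continue  # control char, punctuation or non-ASCII
            candidate = label[:i] + flipped + label[i + 1:]
            if candidate.startswith("-") or candidate.endswith("-"):
                continue  # hyphen may not begin or end a label
            variants.add(candidate)
    return sorted(variants)


if __name__ == "__main__":
    print("r        ->", to_bits("r"))
    print("2        ->", to_bits("2"))
    print("microsoft ->", to_bits("microsoft"))
    print("mic2osoft ->", to_bits("mic2osoft"))
    print("bits differing:", hamming_bits("microsoft", "mic2osoft"))
    for v in single_bit_variants("microsoft"):
        print(v + ".com")
```

Run it and the list for “microsoft” includes mic2osoft alongside every other single-flip neighbour that a registry would accept; the list is short enough per label that checking which candidates already resolve, and to whom, is a manageable review task.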
I would assume that this is statistically only a concern for very high-traffic domains, and only if the bit-flipping malfunction is quite widespread.
But Dinaburg, who works for the defense contractor Raytheon, seems to think that it’s serious enough to pay attention to. He wrote:
To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates.
I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.
His conference presentations will also discuss possible hardware and software solutions.
For large companies particularly at risk of typosquatting, the research may also present a good reason to conduct a review of their trademark enforcement strategies.
I’m not going to be in Vegas this year, but I’m looking forward to reading more about Dinaburg’s findings.
The annual Black Hat and DEF CON conferences are frequently the venues where some of the most beautifully creative DNS hacks are first revealed, usually by Dan Kaminsky.
Kaminsky is not discussing DNS this year, judging by the agendas.
The conferences were founded by Jeff Moss, aka The Dark Tangent, who joined ICANN as its chief security officer earlier this year.
ICM Registry has signed up with security software outfit McAfee to provide automatic virus scanning for all web sites hosted at .xxx domain names.
Under the $8 million deal, “every .XXX domain will be scanned for vulnerabilities such as SQL injection, browser exploits and phishing sites, reputational analysis and malware”, ICM said in a press release.
The subscription, which is based on the McAfee Secure offering, will be included in the price of the domain, which is expected to start at around $75 at the cheapest registrars.
McAfee normally charges a lot more than that; ICM has basically negotiated a bulk discount for its customers.
There are two ways to take advantage of the deal.
First, webmasters can choose to put some code on their sites that displays the McAfee Secure logo, potentially increasing customer confidence and ergo sales.
McAfee reckons sales can go up by as much as 12% when sites use this “trust mark”, based on some split-testing it did a couple of years ago (results may vary, it adds).
Second, because McAfee is going to automatically scan every .xxx domain every day, whether the registrant wants it or not, porn surfers will be able to use McAfee SiteAdvisor, a free browser plug-in, to verify that a .xxx site is, for want of a better word, clean.
Whether you like .xxx or not, you’ve got to admit that this probably counts as a rare example of “innovation” from a domain registry.
On the flipside, registrars that already offer such services as add-ons, such as Go Daddy, won’t get the up-sell if ICM is giving it to every registrant from the registry side.
But that doesn’t seem to have stopped any registrars from signing up to sell .xxx domains.
Oddly, the press release does not name McAfee as the service provider, but its brand is all over the ICM web site so embarrassment is probably not a factor.
McAfee currently has about 80,000 sites using the service, which could easily grow to 500,000 or more if ICM gets as many registrations as it expects to.
Noted white-hat hacker Jeff “Dark Tangent” Moss is to join ICANN as its new chief security officer.
Moss founded the Black Hat and Def Con hacker conferences (which I highly recommend), and was once a director of firewall vendor Secure Computing.
If you’re not familiar with security lingo, “hacker” in this context means he’s one of the good guys. He’s also one of a couple dozen members of the US Department of Homeland Security’s Advisory Council.
The ICANN press release announcing the appointment (pdf) is filled with plaudits from some of the industry’s top DNS security geeks.
Paul Vixie, chairman and chief scientist of the Internet Systems Consortium, is quoted as saying:
This is a great hire for ICANN. Jeff’s been in the infosec community since the dawn of time and not only knows where the weak spots are but also how they got that way, and what needs to be done and by whom. He’s the ideal person to drive ICANN’s security agenda.
He’s also been named vice-president. He starts work at the ICANN Washington DC office tomorrow.