
Page 1: DetectingSpearPhishingAttacks

Detecting and Preventing Spear Phishing Attacks Using DNS

Mike Saunders - @hardwaterhacker [email protected]

Page 2: DetectingSpearPhishingAttacks

About Mike

Pen tester with a defender background (purple team!)

17 years in IT

9 years security

Page 3: DetectingSpearPhishingAttacks

The Problem: Typosquatting

What is it?

Intentionally misspelled domain names intended to imitate legitimate domain names

Why is it bad?

Page 4: DetectingSpearPhishingAttacks

The Problem

Why is it bad?

Often difficult to easily spot

Users may be duped into visiting a malicious site

Page 5: DetectingSpearPhishingAttacks

Motivations

Financial

Advertising revenue on parked domains

Drive traffic to a competitor’s site

Malware delivery

Harvest email from misspelled domains

Phishing attacks

Page 6: DetectingSpearPhishingAttacks

Types of Typosquatting

Repeated characters www.google.com www.gooogle.com

Omitted character www.amazon.com www.amzon.com

Character swap (transposition) www.defcon.org www.decfon.org

Character replacement (adjacent key, 'o' for 'i') www.derbycon.com www.derbycin.com

Missing dots www.microsoft.com wwwmicrosoft.com

Singular/plural www.apple.com www.apples.com

Vowel swapping www.fedex.com www.fadax.com

Page 7: DetectingSpearPhishingAttacks

Types of Typosquatting

Homophones www.route.com www.root.com

Homoglyphs www.derbycon.com www.derbyc0n.com

Wrong TLD www.whitehouse.gov www.whitehouse.com

Misspelling www.arcticcat.com www.articat.com

Different country code www.evilcorp.com www.evilcorp.cm

Bit flipping www.facebook.com www.fccebook.com
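The categories on the two slides above, as an added generator written for this page (example code, not urlcrazy, dnstwist or crazyparser): one function per category, run over a registrable label and its TLD. The homoglyph, adjacent-key and TLD tables are constructed assumptions and deliberately small. The homoglyph table also carries multi-character swaps ('m' to 'nn'), which is what turns premera into prennera, and it substitutes both one position at a time and every occurrence at once, which is what turns wellpoint into we11point. The vowel swap changes one position per candidate, so a two-vowel variant like fadax.com would need a second pass.

```python
"""Typosquat candidate generator covering the categories on the slides.
Added example; this is not urlcrazy, dnstwist or crazyparser code."""
import itertools

# Constructed lookup tables (assumptions for this example, not from the talk).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
              "s": ["5"], "m": ["rn", "nn"], "w": ["vv"]}
ADJACENT_KEYS = {"o": "ip", "i": "ou", "n": "bm", "e": "wr", "a": "sq", "c": "xv"}
VOWELS = "aeiou"
COMMON_TLDS = ["com", "net", "org", "info"]
COUNTRY_TLDS = ["cm", "co", "cn", "om"]


def repeated(label):
    """google -> gooogle: one character doubled."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def omitted(label):
    """amazon -> amzon: one character dropped."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def swapped(label):
    """defcon -> decfon: two adjacent characters transposed."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)} - {label}


def replaced(label):
    """derbycon -> derbycin: one character replaced by a keyboard neighbour."""
    return {label[:i] + alt + label[i + 1:]
            for i, ch in enumerate(label) for alt in ADJACENT_KEYS.get(ch, "")}


def vowel_swapped(label):
    """fedex -> fadex: one vowel replaced by another."""
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS for v in VOWELS if v != ch}


def homoglyphs(label):
    """derbycon -> derbyc0n (one position) and wellpoint -> we11point (all occurrences)."""
    out = set()
    for i, ch in enumerate(label):
        for glyph in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + glyph + label[i + 1:])
            out.add(label.replace(ch, glyph))
    return out - {label}


def bitflipped(label):
    """Bitsquatting: facebook -> fccebook, a single bit error ('a' 0x61 -> 'c' 0x63)
    that still yields a valid hostname character."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped.isascii() and (flipped.isalnum() or flipped == "-") \
                    and flipped.lower() != ch:
                out.add(label[:i] + flipped.lower() + label[i + 1:])
    return {d for d in out if not d.startswith("-") and not d.endswith("-")}


def generate(label, tld, www=True):
    """Return {category: sorted list of candidate FQDNs} for label.tld."""
    prefix = "www." if www else ""

    def fq(names):
        return sorted(f"{prefix}{n}.{tld}" for n in names)

    cats = {
        "repeated": fq(repeated(label)),
        "omitted": fq(omitted(label)),
        "swapped": fq(swapped(label)),
        "replaced": fq(replaced(label)),
        "vowel_swap": fq(vowel_swapped(label)),
        "homoglyph": fq(homoglyphs(label)),
        "bitflip": fq(bitflipped(label)),
        "plural": fq({label + "s"}),
        "wrong_tld": sorted(f"{prefix}{label}.{t}" for t in COMMON_TLDS if t != tld),
        "country_code": sorted(f"{prefix}{label}.{t}" for t in COUNTRY_TLDS if t != tld),
    }
    if www:
        cats["missing_dot"] = [f"www{label}.{tld}"]   # www.microsoft.com -> wwwmicrosoft.com
    return cats


def all_candidates(label, tld, www=True):
    """Flat set of every candidate across categories (never includes the original)."""
    return set(itertools.chain.from_iterable(generate(label, tld, www).values()))


if __name__ == "__main__":
    for cat, names in generate("derbycon", "com").items():
        print(f"{cat:13s} {len(names):4d}  e.g. {names[0]}")
```

Feed the flat set to a resolver (the registered ones are the interesting ones) and keep the category alongside each hit; a homoglyph or bitflip that resolves and has an MX record deserves a faster look than a plural on a parked page.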

Pages 8-11: DetectingSpearPhishingAttacks

Real-World Examples (slide images; no transcript text)

Anthem BCBS

wellpoint.com targeted using we11point.com

Premera BCBS

premera.com targeted using prennera.com

Page 13: DetectingSpearPhishingAttacks

More Real-World Examples

carefirst.com targeted with ‘l’ and ‘1’ for ‘i’.

Page 14: DetectingSpearPhishingAttacks

More Real-World Examples

Page 15: DetectingSpearPhishingAttacks

Available Tools

UrlCrazy

Andrew Horton - @urbanadventur3r

http://www.morningstarsecurity.com/research/urlcrazy

dnstwist

Marcin Ulikowski - @elceef

https://github.com/elceef/dnstwist

Page 16: DetectingSpearPhishingAttacks

A Better Way

crazyparser

https://github.com/hardwaterhacker/crazyparser

Detect changes between iterations

Uses both urlcrazy and dnstwist output
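What "detect changes between iterations" looks like in practice, as an added example written for this page (not crazyparser's own code): two scan results are loaded, only domains that actually resolve are kept, and the delta is reported as newly registered, re-pointed, or gone, with an extra flag for anything that now has an MX record. The record layout is loosely modeled on dnstwist's JSON output and is a constructed assumption; the domains and addresses are constructed, not observations.

```python
"""Diff two iterations of typosquat scan results to surface newly registered
or re-pointed lookalike domains. Added example; not crazyparser's own code."""
import json

# Constructed sample output, loosely modeled on dnstwist's JSON records.
# Neither the domains nor the addresses are real observations.
RUN_1 = json.dumps([
    {"domain-name": "wellpoint.com", "fuzzer": "original*",
     "dns-a": ["203.0.113.10"], "dns-mx": ["mx.wellpoint.com"]},
    {"domain-name": "we1lpoint.com", "fuzzer": "homoglyph", "dns-a": [], "dns-mx": []},
    {"domain-name": "wellpoint.net", "fuzzer": "tld", "dns-a": ["198.51.100.7"], "dns-mx": []},
    {"domain-name": "welpoint.com", "fuzzer": "omission", "dns-a": ["192.0.2.44"], "dns-mx": []},
])
RUN_2 = json.dumps([
    {"domain-name": "wellpoint.com", "fuzzer": "original*",
     "dns-a": ["203.0.113.10"], "dns-mx": ["mx.wellpoint.com"]},
    # newly registered since RUN_1, and it already accepts mail
    {"domain-name": "we1lpoint.com", "fuzzer": "homoglyph",
     "dns-a": ["192.0.2.99"], "dns-mx": ["mail.we1lpoint.com"]},
    # same domain, re-pointed to a different address
    {"domain-name": "wellpoint.net", "fuzzer": "tld", "dns-a": ["198.51.100.9"], "dns-mx": []},
    # dropped out: no longer resolves
    {"domain-name": "welpoint.com", "fuzzer": "omission", "dns-a": [], "dns-mx": []},
])


def load_resolved(raw):
    """Map domain -> (sorted A records, sorted MX records), keeping only
    domains that resolve and skipping the legitimate domain itself."""
    out = {}
    for rec in json.loads(raw):
        if rec.get("fuzzer", "").startswith("original"):
            continue
        a = sorted(rec.get("dns-a") or [])
        mx = sorted(rec.get("dns-mx") or [])
        if a or mx:
            out[rec["domain-name"]] = (a, mx)
    return out


def diff_runs(prev_raw, curr_raw):
    """Compare two iterations; 'mail_capable' lists new/changed domains with an MX."""
    prev, curr = load_resolved(prev_raw), load_resolved(curr_raw)
    new = sorted(set(curr) - set(prev))
    gone = sorted(set(prev) - set(curr))
    changed = sorted(d for d in set(prev) & set(curr) if prev[d] != curr[d])
    mail_capable = sorted(d for d in new + changed if curr[d][1])
    return {"new": new, "gone": gone, "changed": changed, "mail_capable": mail_capable}


def report(delta):
    """Render the delta one line per domain, most urgent category first."""
    lines = []
    for key, label in [("new", "NEW"), ("changed", "CHANGED"), ("gone", "GONE")]:
        for d in delta[key]:
            flag = " [MX present: can receive misaddressed mail]" if d in delta["mail_capable"] else ""
            lines.append(f"{label:8s}{d}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diff_runs(RUN_1, RUN_2)))
```

Persist each run's resolved set and diff against the previous one on a schedule; the unchanged majority is noise, and the short "new" list is what you hand to the people who own the proxy and the mail gateway.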

Page 17: DetectingSpearPhishingAttacks

Demo Time

Configuration files

Command line options

Output

Page 18: DetectingSpearPhishingAttacks

Preventative Measures

Block in web proxy

Blackhole DNS

Increase monitoring

Proxy logs

email containing links to these domains

Client DNS queries
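The "blackhole DNS" and "client DNS queries" items above, carried through as an added example written for this page (not code from the talk or from crazyparser): a watch list is rendered as a BIND Response Policy Zone that returns NXDOMAIN for each lookalike and everything beneath it, and the resolver's query log is scanned for clients that still ask for those names, which is the list of users to go talk to. The zone origin, the watch list and the log lines are constructed; the log lines follow the shape of BIND's query log but are not real traffic.

```python
"""Blackhole lookalike domains in DNS and spot clients that still ask for them.
Added example; the zone builder and log matcher are this page's illustration,
not part of crazyparser, urlcrazy or dnstwist."""
import re

# Constructed watch list: lookalikes of a hypothetical wellpoint.com.
WATCHLIST = {"we11point.com", "wellpoint.net", "we1lpoint.com"}


def rpz_zone(domains, origin="rpz.example.", serial=1, ttl=300):
    """Render a BIND RPZ zone: 'CNAME .' means answer NXDOMAIN for the name,
    and the wildcard record covers every subdomain of it."""
    lines = [f"$TTL {ttl}",
             f"@ IN SOA {origin} hostmaster.{origin} {serial} 3600 600 86400 {ttl}",
             "@ IN NS localhost."]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


# Matches the client address, queried name and type in a BIND-style query log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def watched_parent(qname, watchlist):
    """Return the watch-list entry equal to qname or one of its parents, else None.
    Comparison is case-insensitive and ignores a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in watchlist:
            return cand
    return None


def scan_query_log(lines, watchlist):
    """Yield (client, qname, qtype, matched_domain) for queries touching the watch list."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = watched_parent(m["qname"], watchlist)
        if hit:
            yield m["client"], m["qname"].rstrip("."), m["qtype"], hit


def clients_by_domain(lines, watchlist):
    """Distinct querying clients per watched domain: the follow-up list."""
    seen = {}
    for client, _qname, _qtype, hit in scan_query_log(lines, watchlist):
        seen.setdefault(hit, set()).add(client)
    return {d: sorted(c) for d, c in seen.items()}


# Constructed log lines in the style of BIND's query log; not real traffic.
SAMPLE_LOG = """\
17-Sep-2016 10:01:02.101 client 10.0.0.5#53211 (we11point.com): query: we11point.com IN A + (10.0.0.1)
17-Sep-2016 10:01:02.455 client 10.0.0.5#53212 (mail.we11point.com): query: mail.we11point.com IN MX + (10.0.0.1)
17-Sep-2016 10:01:03.002 client 10.0.0.7#41000 (wellpoint.com): query: wellpoint.com IN A + (10.0.0.1)
17-Sep-2016 10:01:04.310 client 10.0.0.9#40222 (WELLPOINT.NET): query: WELLPOINT.NET IN AAAA + (10.0.0.1)
17-Sep-2016 10:01:05.000 client 10.0.0.5#53213 (update.example.org): query: update.example.org IN A + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    print(rpz_zone(WATCHLIST))
    for hit in scan_query_log(SAMPLE_LOG, WATCHLIST):
        print("ALERT", *hit)
```

Note that the legitimate wellpoint.com query in the sample is not flagged: the matcher walks up the label tree and only fires on an exact watch-list entry or a child of one, so the real domain never lands on the block list by accident. Once the RPZ is live, the same query log still shows the attempt (the client asked, the resolver answered NXDOMAIN), which is the monitoring signal the slide asks for.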

Page 19: DetectingSpearPhishingAttacks

+ and -

Will find some variations, like we11point.com

prennera.com was not originally detected; dnstwist support added 9/16

careflrst.com was detected; caref1rst.com wasn't originally. dnstwist support added 9/16

Page 20: DetectingSpearPhishingAttacks

+ and -

Will not detect things like service-paypal.com

Does not protect external users / customers

Unless you pursue domain seizure under WIPO UDRP or US Anticybersquatting Consumer Protection Act

https://www.icann.org/en/system/files/files/guidance-domain-seizures-07mar12-en.pdf

Page 21: DetectingSpearPhishingAttacks

Questions?

https://github.com/hardwaterhacker/crazyparser

@hardwaterhacker

[email protected]

http://hardwatersec.blogspot.com