Automating the search for clone sites and fly-by-night domains
To infect users' computers, attackers very often rely on techniques that exploit the mistakes of users typing a site's address into the browser's address bar. One of them is typosquatting (also called URL hijacking): registering domains that match the errors a user is likely to make when typing a domain name on the keyboard. For example, if you misspell the cisco.ru domain by replacing the first letter "c" with the letter "v", which sits next to it on the keyboard, you end up not on the Cisco website but on a domain that is currently up for sale.
And if you type "sbrrbank.ru" instead of "sberbank.ru" (mixing up the adjacent letters e and r), you land on a resource like this one:
Finally, shaky Russian spelling, writing the bank's Russian name with a wrong letter instead of the correct one, leads us to an online casino:
All of these are fairly harmless, if unpleasant, incidents that end in nothing worse than user annoyance or a blow to the reputation of the organization whose brand is used to enrich other, lesser-known companies (for example, through advertising). But what if an attacker uses user errors to do real harm, infecting their computers with malicious code hosted on a site with a similar name? A well-known example is the long-lived site goggle.com, which distributed malicious code and the fake SpySheriff antivirus, or the domain yuube.com, which redirected users to a malicious site. Besides the users' own typing mistakes, attackers can also count on inattention: a user will not immediately spot the difference between vkontakte.ru and vkolakte.ru (a real example) in a mailing or in a link on some Internet resource. So how do we deal with them?
On the one hand, fighting such domains is simple: all you need to do is track the appearance of new domains on the Internet through domain registrars or a whois service. But that is also where the difficulty lies: the number of such new domains can be huge, and they appear daily (in fact, every minute). Tracking such changes by hand is quite difficult. Here, for example, is what an ordinary search for domains containing a reference to Facebook, the popular social network not yet banned in Russia, looks like:
There are several hundred such domains. Now look at the domains that use "microsoft" in their name: not only are there many of them, they are being created constantly (the screenshot was taken on March 10).
Note that the search is complicated by the fact that attackers can create domains using character combinations that the companies whose domains are targeted would never use themselves. For example, attackers can replace the letter "o" with the digit "0", the letter "a" with the digit "4", a capital "I" with a lowercase "l", the letter "s" with "5" or "z", "z" with "es" or "2", and so on. For the same Facebook it looks like this:
Finally, an attacker can use character repetition. The same "facebook" can be turned into "faceboook", and it can easily go unnoticed:
If we set aside the examples from the Western Internet and look at the Runet, then taking the most popular bank in Russia as an example, we get the following picture:
A large number of domains (in places that clearly raise questions) are built on the word sberbank. Interestingly, multiple studies show that users, for some reason, tend to trust such domains, assuming that a domain that mentions a company name (or a popular product or service) belongs to that company and not to someone else. The probability of clicking such links is therefore much higher than for links that do not use the victim companies' names.
It is clear that Sberbank is not the only company suffering from the attacks described. In the Runet you can also find domains associated with Cisco:
or with the website of the President of the Russian Federation:
In this article I deliberately chose obviously malicious domains, ones detected by the Cisco OpenDNS Investigate service, which is designed specifically for investigating such attacks. Handling 80 billion DNS requests a day, the Cisco OpenDNS services (Investigate for investigation, Umbrella for blocking) analyze an enormous number of domains and their activity, classify them and store the results in our databases, which can then be queried with various tools. The screenshots above, for example, were taken in the Cisco OpenDNS Investigate web interface, where, with nothing more than a browser, you can investigate a domain of interest (as well as an IP address, an autonomous system or the e-mail address of a domain owner).
To automate this task and check domains of interest on the fly (for example, from firewalls, Internet access control systems, SIEMs, a SOC, etc.), you can use the Investigate API we developed. The code below, for example, finds the search string among domains created in the last 24 hours:
The search string can be prepared in advance and include all the character combinations that may occur in the domains of interest. If there are several brands to monitor, it is better to use a separate script that outputs the set of possible substitutions for a given character:
After that, all that remains is to monitor the Internet regularly (for example, once a day) for new domains that use the brand names of interest (companies, products, services, etc.). We automated this task as the barnd_watch Python script, which can be found on GitHub. It is easy to use: just give it the string of interest:
If we want to exclude certain domains from the search (for instance, when many of them are expected in the results), it is enough to give the script a previously prepared file of exception domains:
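To make the substitution, typo and repetition tricks described above concrete, here is an added example (my own code, not the author's barnd_watch script and not the Investigate API snippet referred to in the text). It generates the candidate strings for a brand (homoglyph substitutions, adjacent-key typos, doubled and dropped characters), builds the alternation one would hand to a domain-search API, and matches a feed of "new" domains against them, with an exception list like the script's exclusion file and an edit-distance fallback for cases such as vkolakte.ru that no single trick produces. Assumptions: the substitution table is extended beyond the text with e->3 and l->1/i, the keyboard layout is QWERTY, and the domain feed is constructed sample data, so the whole thing runs offline.

```python
"""Candidate generation and matching for look-alike domains (added example)."""
import itertools

# Substitutions the article lists (o->0, a->4, i->l, s->5/z, z->es/2) plus
# e->3 and l->1/i, which are an assumption added here.
HOMOGLYPHS = {
    "o": ("0",), "a": ("4",), "i": ("l", "1"), "l": ("i", "1"),
    "s": ("5", "z"), "z": ("es", "2"), "e": ("3",),
}

# Physically adjacent keys on a QWERTY layout (assumed layout).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def homoglyph_variants(brand):
    """Every combination of the substitutions above (grows exponentially with
    the number of substitutable characters, so keep brands short)."""
    options = [(ch,) + HOMOGLYPHS.get(ch, ()) for ch in brand]
    return {"".join(p) for p in itertools.product(*options)} - {brand}


def typo_variants(brand):
    """One character replaced by a neighbouring key: cisco -> visco."""
    return {brand[:i] + nb + brand[i + 1:]
            for i, ch in enumerate(brand) for nb in QWERTY_NEIGHBOURS.get(ch, "")}


def repetition_variants(brand):
    """One character doubled: facebook -> faceboook."""
    return {brand[:i + 1] + brand[i:] for i in range(len(brand))}


def omission_variants(brand):
    """One character dropped: facebook -> facebok."""
    return {brand[:i] + brand[i + 1:] for i in range(len(brand))}


def generate_variants(brand):
    """Map each candidate string to the technique that produced it."""
    brand = brand.lower()
    variants = {}
    for name, fn in (("repetition", repetition_variants), ("omission", omission_variants),
                     ("homoglyph", homoglyph_variants), ("typo", typo_variants)):
        for v in fn(brand):
            variants.setdefault(v, name)      # first technique to produce it wins
    variants.pop(brand, None)
    return variants


def search_regex(brand):
    """Alternation of the brand and all variants, longest first: the kind of
    search expression one prepares in advance for a domain-search API."""
    alts = sorted({brand.lower(), *generate_variants(brand)}, key=len, reverse=True)
    return "(" + "|".join(alts) + ")"


def edit_distance(a, b):
    """Levenshtein distance, used as a fallback for multi-error look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(brand, variants, domain, labels, max_distance):
    """Return why a domain looks like the brand, or None."""
    if brand in domain:
        return "contains brand"
    for label in labels:                        # a whole label is a known variant
        if label in variants:
            return f"{variants[label]}:{label}"
    for v, technique in variants.items():       # a variant embedded in a longer label
        if len(v) >= len(brand) and v in domain:
            return f"{technique}:{v}"
    for label in labels:                        # anything else within a few edits
        dist = edit_distance(label, brand)
        if dist <= max_distance:
            return f"edit-distance {dist}:{label}"
    return None


def find_lookalikes(brand, new_domains, exclusions=(), max_distance=2):
    """Flag domains from a feed that look like the brand; exclusions are our own
    legitimate domains (the script's exception file). Returns (domain, reason)."""
    brand = brand.lower()
    variants = generate_variants(brand)
    excluded = {d.lower().rstrip(".") for d in exclusions}
    hits = []
    for domain in new_domains:
        d = domain.lower().rstrip(".")
        if d in excluded:
            continue
        labels = d.split(".")[:-1]              # ignore the TLD itself
        reason = classify(brand, variants, d, labels, max_distance)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed sample of "newly registered" domains, not real registration data.
NEW_DOMAINS = ["faceboook.com", "faceb00k-login.net", "sbrrbank.ru", "sberbank.ru",
               "vkolakte.ru", "visco.ru", "example.org", "facebook.com"]
EXCLUSIONS = {"facebook.com", "sberbank.ru"}   # domains we own and do not want reported

if __name__ == "__main__":
    for brand in ("facebook", "sberbank", "vkontakte", "cisco"):
        print(brand, len(generate_variants(brand)), "candidates")
        for domain, reason in find_lookalikes(brand, NEW_DOMAINS, EXCLUSIONS):
            print(f"  {domain:22} {reason}")
```

The edit-distance threshold of 2 is generous for short brands (five-letter names will pick up unrelated words), so tune it per brand or require a minimum label length in production; the generated alternation is what you would feed to the daily search, and the exclusion set is where the legitimate domains from the exception file go.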
In this simple way Cisco OpenDNS helps automate the search for clone sites and other domains that attackers use against companies and their users. The advantage of Cisco OpenDNS Investigate and Cisco OpenDNS Umbrella is that they not only automate the search but, using classification algorithms, also let you see immediately whether a given domain is malicious. Here, for example, is what it looks like for a domain that uses the Gazprombank brand:
From there, the investigation can continue in the same Cisco OpenDNS Investigate service, which tells us who created the domain and when, where it is hosted, what other domains sit on the same IP address or in the same autonomous system, and other related information (malicious code distributed, other domains belonging to the same owner, etc.). But those features of Cisco OpenDNS Investigate are a topic for another time.
In conclusion, I would like to note that this kind of attack is used not only to lure users to fake sites. Fake domains that look like the victim's website can also be used to send phishing e-mails on its behalf, increasing the likelihood of the user getting infected. We even made a special video clip (several, in fact) that demonstrates an attack based on this technique, which Cisco OpenDNS solutions protect against.
P.S. You can see and try this solution at Cisco Connect, which will be held in Moscow on April 4-5, where we have a rich cybersecurity program planned.