Typo

Last week was recovery from RSA Conference, which was awesome. Cybercrime and Cloud were the main two themes, and I provided my Dark Cloud: Cybercriminals get Corporate Aware talk which draws upon both. I’m saying recovery, because during the conference one cannot be expected to respond to any emails, so the backlog is huge.

Anyway, I’m back and today would like to share with you a special interview with a special individual, Iain Swaine. I got to know Iain when he was an eCrime prevention manager in a large global bank, and we feel the same about many of the Cybercrime issues the industry is facing today. A couple of questions into the interview you’ll see why I used ‘Typo’ in the subject line. Oh, and Iain is founder of eCrime consultancy ensequrity (which is not a typo).

Q: Iain, you’re a veteran forensic researcher and cybercrime expert, having been in the forefront of the battle with the Dark Cloud as an eCrime specialist for a large global bank. What do you feel about the overall state of Cybercrime? Is the industry on track to mitigate the emerging threats?

I honestly think that we are only starting to see cybercrime move from attacks against online banking to the same technologies being used against corporations. Banks have been forced to innovate to keep up with evolving attacks to protect customers, but the same level of development has not happened within companies and I think we almost have a Maginot line happening of defences that can now be bypassed.

Q: What keeps you up at night these days (from an eCrime perspective of course)?

The sheer amount of eCrime activity that is happening under the radar - we all hear about phishing and Trojans but the attackers are innovating in ways we haven't discovered yet. A lot of the eCrime research is being done in a purely technical manner, with little considering being given to the financial aspect of it. No one yet knows how much money eCrime is making, with wildly speculative figures being used but it is certainly now into the hundreds of millions of dollars globally.

Q: You posted an interesting report in the APWG forum about advanced typophishing attacks. Lets first establish what typophishing is. Can you explain this Phishing variant?

It is a blending of several existing techniques in a clever way that has managed to stay under the radar for at least 9 months before it was spotted. It is an evolution of older phishing techniques where misspelling of domain names were used to make a phishing site look more credible. If you mistype the domain name of an attacked online bank the attackers will already have registered a lot of the most likely misspellings of it (typosquatting). These then redirect through a series of the misspelt domains (feeder domains) onto a mothership where the actual phishing pages are held. Unlike normal phishing of course no emails are ever sent, which makes spotting it much harder.

Q: What makes the new wave of typophishing different than traditional one?

Well, the clever thing about this (which allowed it to remain hidden) was that you literally have one chance to spot what is happening. The attackers have anti-analysis code as part of this redirecting system, so can detect if you have looked at the site before. If you revisit a second time they make you bypass the mothership domain and go directly to the legitimate online banking site. This makes taking all of the domains down much harder as ISP's and domain registrars see no fraudulent activity.

Q: Hey, that’s really interesting. Can you give an example?

Taking as an example onlinebank.com, the attackers will register about 15 of the most common variants of the domain name such as letters being swapped, keys next to the intended one being substituted, extra letters inserted, letters removed e.g. onlniebank.com, onlimebank.com, nlinebank.com, onllinebank.com. The domain name that most closely resembles the actual target will be used as the mothership.

On the first visit
onlniebank.com -> onlimebank.com -> nlinebank.com -> onllinebank.com (mothership) -> onlinebank.com (legitimate after capturing credentials)

On subsequent visits
onlniebank.com -> onlimebank.com -> nlinebank.com -> onlinebank.com (legitimate skipping mothership)

Q: Any other point of interest around this?

The thing that really concerned me was that during investigations not only were these attacks global, but that the attackers were also explicitly setting up mail records in DNS for these typosquatted domains. It shows how access to confidential data is also part of their strategy alongside capturing authentication credentials.

Q: What impact does this new trend have?

Taking the domains down is difficult, and you really have to obtain ownership of them as this group will try to get the domain registrar to unsuspend them by social engineering. It highlights the need for your brand monitoring and intellectual property teams to be tied into the people dealing with eCrime for a holistic approach.

What is interesting is that the attackers are going after smaller brands, often those used by high net worth individuals. Customers do not even realise that they have given away their credentials as they see nothing wrong as part of the user experience. They end up on the legitimate site, often with just a message saying incorrect password try again as a result of the phishing site.

Indeed. Typophishing, like DNS poisoning, local Pharming and SOE links leading to fake websites are more effective than traditional phishing in terms of capturing user credentials. Then of course you have Trojans that piggyback a real, rather than spoofed, website. Thanks, Iain, for the insightful explanation - and well done spotting this trend!