Practical waterholing through DNS typosquatting

How to hijack hundreds of HTTP connections for the modest price of $60 (VPS included)

Because not everyone has QUANTUM capabilities, a poor man’s gotta think about ways of getting inside a target network on the cheap, right?

Typosquatting has been known and abused since the 90s, mostly for phishing, but is it still profitable for watering-hole style attacks? Let’s find out!

How often have you typed google.co instead of google.com? I hate it when this happens to me, but it happens fairly regularly. And it happens every day to thousands of people out there. So my main idea was to look up popular .com websites whose .co domains are still available and see how bad it can get: testing the scenario of a malicious typosquatted domain hosting an exploit kit. A poor man’s QUANTUM.

Example of an exploit kit infection through typosquatting

For example, the simple omission of a character could be abused with these country top-level domains:

.com -> .cm (TLD of Cameroon)

.com -> .co (TLD of Colombia)

.com -> .om (TLD of Oman)

.net -> .ne (TLD of Niger)

.net -> .et (TLD of Ethiopia)

…

You get the idea, there are plenty of domains we could use! For this experiment I’ll use the TLD of Colombia (.co).

Step one: finding popular domains

Let’s grab the top Alexa websites and look for available domains.

Getting the most popular websites is quite easy, here is how to get the top 2000 .com domains:

$ wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip

$ unzip top-1m.csv.zip

$ cut -d"," -f 2 top-1m.csv | grep '\.com$' | rev | cut -d"." -f 1,2 | uniq | rev | head -n 2000 > top-2000.com.txt

I developed a small Python script to check for domain availability in bulk: 320 .co domains were available out of the top 2000 .com domains (16%). I picked 8 of them for my test; they looked like good candidates (most of the top entries were ad trackers that people never type into the address bar by hand, so I filtered those out). They are all ranked between the 500th and 1000th most visited websites in the world, which should give us enough room to work with.
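The same TLD-omission idea from the list above can be turned around for brand protection: a defender enumerates the typo variants of its own domains and checks which ones already resolve somewhere it does not control. The script below is an added example written for this page, not the author’s availability-check script; the TLD mapping is the one listed above, and the `audit` function takes a pluggable `lookup` so it can run offline against a constructed fake DNS table.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Single-character-omission TLD variants named in the post; extend as needed.
TLD_OMISSIONS: Dict[str, List[str]] = {
    "com": ["cm", "co", "om"],
    "net": ["ne", "et"],
}

def tld_variants(domain: str) -> List[str]:
    """Typo variants of `domain` obtained by dropping one character of its TLD."""
    name, _, tld = domain.lower().rpartition(".")
    if not name:
        return []
    return [f"{name}.{alt}" for alt in TLD_OMISSIONS.get(tld, [])]

def live_lookup(host: str) -> Optional[str]:
    """Real DNS lookup: first IPv4 address, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def audit(domains: Iterable[str], our_ips: Iterable[str],
          lookup: Callable[[str], Optional[str]] = live_lookup
          ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every typo variant of our domains:
    'foreign'    resolves to an address we do not control (possible squat)
    'ours'       resolves to one of our own addresses (defensively registered)
    'unresolved' does not resolve (likely still available: candidate to register)
    """
    owned = set(our_ips)
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for domain in domains:
        for variant in tld_variants(domain):
            ip = lookup(variant)
            if ip is None:
                report[variant] = ("unresolved", None)
            elif ip in owned:
                report[variant] = ("ours", ip)
            else:
                report[variant] = ("foreign", ip)
    return report

if __name__ == "__main__":
    # Constructed, offline sample: a fake DNS table stands in for a live resolver.
    fake_dns = {"example.co": "203.0.113.5", "example.cm": "198.51.100.7"}
    result = audit(["example.com"], {"198.51.100.7"}, lookup=fake_dns.get)
    for variant, (status, ip) in sorted(result.items()):
        print(f"{variant:<12} {status:<10} {ip or '-'}")
```

Run with the default `lookup` to query real DNS for your own domain list; a "foreign" result is the signal to investigate who registered the variant.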

Step two: setting up the “watering hole” server

I bought myself a cheap VPS on CockBox for this test (got this sweet IP address geolocated in the Seychelles which is both cool and shady as fuck 😎). Setting up a webserver to host the page that will redirect victims is fairly easy (I just installed PHP/MySQL to run a Piwik analytics platform).

The idea is to make incoming visitors load an innocuous piece of JavaScript and then gently redirect them to the intended .com website. Something like this works fine:

Step three: profit! 🤑

So now we have all our domain names set up and a server waiting for new victims to come by, sweet!

Pros: it’s rather stealthy, not e-mail based, and victims most likely won’t notice what’s happening.

Cons: random results + wait time.

Results and statistics

This experiment lasted 40 days and I got 5430 entries in my log file. Most were crawlers and bots; after filtering those out I was left with 1765 page requests from 916 unique IP addresses (approximately 23 per day) landing on the watering hole server. Looking at the User-Agents, those were actual browsers: people who typed the URL into the address bar by hand and got the domain wrong. It works!

Sadly, only 392 unique visitors loaded my Piwik JavaScript code. I suspect the result is this low because most people have ad blockers or privacy plugins enabled. Which is kind of good news, though had I used an actual exploit kit it would have been another story…

Interestingly, some “hijacked” domains produce very local results. A typosquatted Iranian news website brings in a lot of connections from Iran, as expected (on the right we can see that more than 50% of its traffic was coming from Iran).