Microsoft is among the largest technology companies in the world, which makes brand protection critical for it. The company name has already figured in many phishing campaigns; Microsoft Office 365 lures, for instance, have been abused repeatedly in business email compromise (BEC) scams. Threat actors register domain names that contain the word “Microsoft” to make their emails and websites look believable.
As such, it is not only Microsoft that needs protection but also every organization whose employees could fall victim to Microsoft-themed typosquatting domains.
Monitoring Microsoft-themed domain name registrations using the Typosquatting Data Feed, we found 285 newly registered domains (NRDs) from 3 October 2019 to 4 May 2020. These domains were detected as soon as they appeared in the Domain Name System, although eight were reported in bulk on X-Force Early Warning on 29 April 2020. Some of the detected squatting domains are shown in the screenshot below.
Most of these domain names bear the marks of typosquatting, as they either:
However, the Typosquatting Data Feed also detected less obvious variations of typosquatting. Domain names can be registered as internationalized domain names (IDNs), which allow non-Latin Unicode characters, and attackers use them in homograph attacks: a Unicode character that looks like a Latin letter is substituted into a brand name, producing a different domain that reads the same.
Since DNS hostnames are restricted to ASCII letters, digits and hyphens, an IDN label is stored and transmitted in Punycode, the standard ASCII encoding of IDNs: the Unicode label is converted to an ASCII label with the prefix “xn--” (the so-called A-label) that servers can handle, while users see the decoded Unicode form. Some of those Unicode characters, such as Cyrillic “о” or “а”, are visually indistinguishable from their Latin counterparts, so the decoded name looks legitimate even though it resolves to a different domain.
In the case of Microsoft, below are the Punycode domain names that the Typosquatting Data Feed should soon be able to detect, along with their conversions.
As you can see, these domains can easily mislead people into thinking they are legitimate Microsoft domains.
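The following Python example is added here to show how the A-label/U-label conversion described above works in practice and how a security team can flag both homographs and ordinary typos; it is not code from the article or from WhoisXML API. The sample domains (an `xn--` homograph of microsoft.com whose “o” is Cyrillic U+043E, a plain typo, and the real domain) and the small confusables table are constructed for the demo; a production version would load Unicode's full confusables.txt.

```python
import unicodedata

# Constructed sample inputs (added example data, not domains from the article):
# an A-label homograph whose "o" is Cyrillic U+043E, a plain typo, and the real domain.
SAMPLES = ["xn--micrsoft-qbh.com", "micorsoft.com", "microsoft.com"]
BRANDS = ["microsoft"]

# Hand-picked subset of Unicode's confusables (assumption: enough for the demo;
# a production version would load the full confusables.txt). Maps look-alikes to ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0501": "d", "\u051b": "q", "\u0261": "g", "\u0131": "i", "\u03bf": "o",
    "\u03b1": "a", "\u03bd": "v", "\u0442": "t", "\u0443": "y", "\u0432": "b",
}


def to_unicode(domain):
    """Decode xn-- A-labels into the U-label a user would see; ASCII names pass through."""
    if not domain.isascii():
        return domain
    return domain.encode("ascii").decode("idna")


def to_ascii(domain):
    """Encode U-labels to the xn-- form that is actually carried in DNS."""
    return domain.encode("idna").decode("ascii")


def scripts(label):
    """Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold look-alike characters to ASCII so a homograph collapses onto the brand string."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    return unicodedata.normalize("NFKD", folded).encode("ascii", "ignore").decode()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch ordinary typosquats as well."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain, brands=BRANDS, max_typo_distance=2):
    """Classify one registered name: homograph of a brand, typo of a brand, or neither."""
    unicode_form = to_unicode(domain)
    sld = unicode_form.split(".")[0].lower()  # second-level label only
    sk = skeleton(sld)
    # A homograph folds onto the brand string but is not literally the brand string.
    homograph = next((b for b in brands if sk == b and sk != sld), None)
    typo = next((b for b in brands if sk != b and edit_distance(sk, b) <= max_typo_distance), None)
    return {
        "input": domain,
        "unicode": unicode_form,
        "punycode": to_ascii(unicode_form),
        "is_idn": unicode_form != domain,
        "mixed_script": len(scripts(sld)) > 1,  # Latin plus Cyrillic in one label is a red flag
        "homograph_of": homograph,
        "typo_of": typo,
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(assess(name))
```

Mixed-script detection alone is not sufficient (a whole-script Cyrillic label such as “раураl” has no Latin letters at all), which is why the skeleton comparison against the brand list is the primary check and the script test is reported alongside it.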
Domain intelligence can give security teams more in-depth insight into the typosquatting domains. For instance, running the domains through Bulk WHOIS Lookup reveals that most of their registrants are located in the U.S. (137 domain names). Three of those registered in the U.S. belong to Microsoft Corporation and carry the same WHOIS registration details as the legitimate microsoft[.]com; these are most likely defensive registrations by the brand owner and should be excluded from any blocklist built from the feed.
On the other hand, some Microsoft-inspired domains are registered in China, Canada, Morocco, Russia, Lithuania, France, and Slovakia. The rest of the domain name registration countries were redacted for privacy or left blank.
Since IBM X-Force Exchange reported that the IP address and Autonomous System Number (ASN) of the detected domains are located in Russia, we focused on a domain registered in that country, microsoft-windows[.]online.
Using DNS Lookup, we found that the domain resolved to the IP address 194[.]58[.]112[.]174 and used the nameserver ns1[.]reg[.]ru. Security teams can pivot on these details. Running the IP address through Reverse IP/DNS Lookup helps decide between IP-level and URL- or domain-level blocking: more than 300 domain names resolve to the same IP address, which indicates shared hosting, so blocking the address would also cut off every other domain hosted there (overblocking). Domain- or URL-level blocking is the safer choice in that case.
Running the nameserver on Reverse NS API returned 3,817 domain names that share the same nameserver.
Organizations can keep monitoring the nameserver and its associated domains for new brand-themed registrations. They can also track their own nameservers with Reverse NS API so that unexpected domains delegated to them are caught early, which can be a sign of DNS hijacking or misconfiguration.
Typosquatting is one of the threats that affect big brands like Microsoft. With the help of Reverse IP/DNS Lookup and Reverse NS API, the domains detected by the Typosquatting Data Feed can be given more context, including Punycode domains, which are particularly tricky to identify.
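The pivoting and blocking decision described in the preceding paragraphs, as an added Python example that is not code from the article or from WhoisXML API. It works offline on constructed passive-DNS-style records: only microsoft-windows[.]online, its IP 194.58.112.174 and the nameserver ns1.reg.ru come from the article; the co-hosted neighbours, the lone host, the defensive registration and the `max_collateral` rule are assumptions for the demo.

```python
# Constructed passive-DNS-style records (added sample data). Only microsoft-windows.online,
# 194.58.112.174 and ns1.reg.ru are taken from the article; every other entry is made up.
RECORDS = [
    {"domain": "microsoft-windows.online", "a": "194.58.112.174",
     "ns": "ns1.reg.ru", "registrant": "REDACTED FOR PRIVACY"},
    {"domain": "shop-neighbour.example", "a": "194.58.112.174",
     "ns": "ns1.reg.ru", "registrant": "Some Shop"},
    {"domain": "blog-neighbour.example", "a": "194.58.112.174",
     "ns": "ns1.reg.ru", "registrant": "Some Blogger"},
    {"domain": "microsoftupdate-neighbour.example", "a": "194.58.112.174",
     "ns": "ns1.reg.ru", "registrant": "REDACTED FOR PRIVACY"},
    {"domain": "lone-squat.example", "a": "203.0.113.7",
     "ns": "ns1.lone.example", "registrant": "REDACTED FOR PRIVACY"},
    {"domain": "microsoft-defensive.example", "a": "198.51.100.20",
     "ns": "ns1.brand.example", "registrant": "Microsoft Corporation"},
]

BRAND_OWNER = "Microsoft Corporation"
BRAND_TOKENS = ("microsoft",)


def reverse_ip(ip, records):
    """Every domain resolving to ip (what a Reverse IP/DNS Lookup returns)."""
    return sorted({r["domain"] for r in records if r["a"] == ip})


def reverse_ns(ns, records):
    """Every domain delegated to the nameserver ns (what a Reverse NS query returns)."""
    return sorted({r["domain"] for r in records if r["ns"] == ns})


def is_defensive(record, owner=BRAND_OWNER):
    """Brand-owned registrations share the owner's WHOIS details and must not be blocked."""
    return record["registrant"] == owner


def block_plan(domain, records, max_collateral=0):
    """Decide between IP-level and domain-level blocking for one squatting domain.

    Rule (assumption, tune to your environment): block the IP only if at most
    max_collateral other domains share it, otherwise block the domain/URL.
    Co-hosted names that also carry the brand string go on a watchlist.
    """
    rec = next((r for r in records if r["domain"] == domain), None)
    if rec is None:
        raise KeyError(domain)
    if is_defensive(rec):
        return {"domain": domain, "action": "allow", "reason": "registered by brand owner"}
    neighbours = [d for d in reverse_ip(rec["a"], records) if d != domain]
    watchlist = [d for d in neighbours if any(tok in d for tok in BRAND_TOKENS)]
    action = "block_ip" if len(neighbours) <= max_collateral else "block_domain"
    return {
        "domain": domain,
        "ip": rec["a"],
        "action": action,
        "collateral": neighbours,  # what an IP block would take down with it
        "watchlist": watchlist,    # same host, same theme: worth tracking together
        "ns_peers": len(reverse_ns(rec["ns"], records)),
    }


if __name__ == "__main__":
    for name in ("microsoft-windows.online", "lone-squat.example", "microsoft-defensive.example"):
        print(block_plan(name, RECORDS))
```

With real data the `RECORDS` list would be filled from the lookup APIs, and `ns_peers` (3,817 for ns1[.]reg[.]ru in the article) is reported rather than acted on: a registrar's nameserver is shared by far too many legitimate zones to block, so it serves as a monitoring key, not a blocking key.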