This Week’s Recap

Happy Sunday. You may have realized that last week there wasn’t a security roundup :O. This was intentional, after taking my GSEC exam I decided to take the week off and get some real life stuff out of the way.

1/17/2022

1/18/2022

1/19/2022

1/20/2022

1/21/2022

  1. There are a bunch of domains that seem to have been registered using bitsquatting techniques.
  2. The domains all seem to have been registered through a registrar in Panama, which is a pretty big red flag. Panama and Switzerland are notorious for not responding to legal requests, which is great, but is concerning when it involves someone buying a bunch of domains related to your name.
  3. The domains (mostly) seem to be on the same 81.17.0.0/16 subnet, which makes me think these were all spun up on a cloud provider (more on this in a minute).
  4. Running one of the domains through dnsdumpster, you can see some interesting information about the domain. The first is that there are DNS records set up (which means someone didn't just buy the domains, they went through the effort of setting up DNS records).

  5. The DNS records point to a non-existent email provider. I'm not even sure what this means. According to the MX records, the mail provider is h-email.net, which doesn't even have a valid website. Running the URL through VirusTotal comes back clean; however, when running the domain name through AlienVault it appears that the domain IS malicious but has been whitelisted? Not totally sure what this means, but you can see that lots of other sketchy sites are calling back to h-email.net. Most of the sites also look like they're victims of typosquatting too.

Additionally, Alienvault shows many Trojans are associated with this domain.

  6. Next, all of the domains seem to be running on AWS EC2 compute resources, which is a quick and cheap way to spin up a server. These servers seem to be running a service on both port 80 (the standard web port) and port 8080 (an alternative web port). It is taking everything I have in me to NOT do some deeper investigations, but that's typically not kosher :).

7. Now it's time for some further digging by visiting the site.

IMPORTANT DO NOT DO THIS UNLESS YOU KNOW WHAT YOU ARE DOING. At the VERY least, make sure you’re in a sandboxed environment that doesn’t have access to any other machines in your network, make sure you’re using a VPN, or possibly TOR. This is the LEAST you should do. It is never a good idea to visit an obviously malicious website.

With that disclaimer out of the way, I fired up Tails Linux on my trusty ThinkPad X220 and installed a VPN client and Burp Suite Community. Remember, Tails doesn't have persistent storage (unless you configure it to).

After firing up Burp and looking through all the requests via Burp's intercept feature, you could see that the domain I visited was doing all kinds of sketchy things. The first and most notable is tons of redirects to sites like Facebook, PayPal, Twitter, etc. Just from looking at the behavior, it looks like they're trying to steal session cookies? Without looking into it more, it's hard to tell, but that would be my guess.

  8. Finally, you can see by doing a simple WHOIS lookup that all of these domains were registered on August 16th, 2021. (Just showing one screenshot here for brevity.)

So what does all of this mean?

Well, it's not super clear what the goal of this is. One thing is obvious though: someone is trying to typosquat my domain. When I first saw this I thought it was strange that this is similar to a technique I teach in Practical Phishing Assessments. I thought it could have been someone who has taken the course thinking it was somehow ok to use my domain; however, after looking at it deeper, there are a few things that make me realize this is not the case.

  1. There is no reason to practice your phishing skills with multiple variations of one domain. This is expensive and redundant.
  2. Although the infrastructure seems to be hosted on an EC2 instance, none of the other indicators I can see have anything to do with phishing. After visiting the site in a VM (behind a VPN), it seems that the site is trying to steal session cookies for common sites like PayPal, Facebook, Twitter, Steam, etc.

I'm currently trying to get these domains taken down, but it's easier said than done. If this has happened to you, let me know! I would love to hear about your experience with it.
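As an added example (not the author's code), here is a small Python helper for the defender's side of what the write-up describes: enumerate the single-bit-flip variants of your own domain so you can build a watchlist for registrations, and cluster any observed hits by /16 the way the post does with 81.17.0.0/16. The `example.com` target, the lookalike names, the IPs and the observation list are constructed sample data.

```python
import ipaddress
from collections import Counter

# Characters a DNS label may contain (lowercase letters, digits, hyphen).
VALID = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def bitsquat_candidates(domain):
    """Return every single-bit-flip variant of the first label of `domain`
    that is still a syntactically valid hostname. A defender runs this over
    their own brand domain to build a watchlist."""
    label, _, rest = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in VALID:
                continue  # flips into uppercase, punctuation or non-ASCII
            cand = label[:i] + flipped + label[i + 1:]
            if cand[0] == "-" or cand[-1] == "-":
                continue  # a hyphen may not lead or trail a label
            out.add(f"{cand}.{rest}")
    return out


def triage(target, observations):
    """Given (domain, ip) pairs from passive DNS or certificate logs, keep the
    ones that are bitsquats of `target` and count how many land in the same
    /16, the shared-subnet hint the write-up relies on."""
    watch = bitsquat_candidates(target)
    hits = [(d, ip) for d, ip in observations if d.lower() in watch]
    nets = Counter(
        str(ipaddress.ip_network(f"{ip}/16", strict=False)) for _, ip in hits
    )
    return hits, dict(nets)


if __name__ == "__main__":
    # Constructed sample: two bitsquats on the 81.17.0.0/16 range named in the
    # post, one keyboard typo ('m' -> 'n' differs in two bits), one unrelated.
    seen = [
        ("dxample.com", "81.17.5.9"),
        ("exa-ple.com", "81.17.77.3"),
        ("exanple.com", "203.0.113.4"),
        ("example.org", "198.51.100.7"),
    ]
    hits, nets = triage("example.com", seen)
    print(hits)  # [('dxample.com', '81.17.5.9'), ('exa-ple.com', '81.17.77.3')]
    print(nets)  # {'81.17.0.0/16': 2}
```

Note that a plain keyboard typo such as `exanple.com` is not flagged here, so a real watchlist would combine this generator with other permutation types.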

1/22/2022

1/23/2022

Have any questions?

Happy new year! Do you have any questions? Feel free to reach out to me on twitter. See you next Sunday. :)