House of Cards Season 4 debuted on Netflix this past weekend, much to the joy of millions of fans, including many Endgamers. One particular Endgamer made an innocent, but potentially damaging mistake. He mistyped the domain “www.netflix.com” as “netflix.om” in his browser, accidentally dropping the “c” in “.com”. He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully. His browser was immediately redirected several times, and eventually landed on a “Flash Updater” page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups. Luckily, the Endgamer recognized danger and retreated swiftly, avoiding harm.
This led to many questions about this particular flavor of typosquatting effort. Was this an isolated case or was it only a sample of a more prevalent and dangerous campaign? Not only is it a potentially common error on an extremely popular site, but our hypothesis was that it is unlikely limited to only Netflix. Our Malware Research and Threat Intelligence team dug deeper. We wanted to find out how many other huge Internet properties are actively being targeted with .om typosquatting as well as how many .om sites corresponding to popular properties are unregistered and thus vulnerable. Finally, we wanted to know how easy is it to get a .om domain. We were aware of abuse of other country code Top Level Domains (ccTLDs) including .co and .cm, but weren’t aware of .om abuse.
Our research revealed that there is at least one major .om typosquatting campaign targeting many of the world’s largest organizations. It has already targeted over 300 well-known organizations, including Netflix, and given the spike in activity in February, is likely to only attempt to expand its reach in March. While the typosquatting campaign currently is a relatively unsophisticated effort, this kind of opportunistic behavior is typical of typosquatting and watering hole campaigns. Our research also indicates that .om domains associated with the vast majority of major brands may be unregistered. It does not appear that companies are widely including the .om in their typosquatting mitigation strategies. We strongly recommend doing so.
What is typosquatting and why is it dangerous?
Typosquatting is a well-known security problem. In a typosquatting campaign, a malicious actor will target one or more well-known websites or brands and register domains very similar to the legitimate domain. Techniques often include doubling characters (“googgle.com”), adjacent keys (“googlw.com”), and letter swapping (“googel.com”). Typosquatting easily solves one of the biggest hurdles for these bad actors: delivery of the malicious content. In typosquatting, users just show up.
If the bad actor does his job well, a significant number of users mistype the intended domain in the expected way, and those unfortunate enough to hit “Enter” will unintentionally head down a dark road on the web. In some cases, effects can be relatively mild, such as: the user is redirected to objectionable material; the user is presented items for purchase from storefronts of questionable repute; or the user sees content that unfavorably portrays the intended brand or site. Effects can also be much worse. The malicious actor can spoof a real site to harvest login credentials, place backdoors on a system, install ransomware, or really anything else of his choosing.
Typosquatting and TLDs
Our discovery of the malicious netflix.om led us to focus our research on typosquatting via registrations of domains using alternate TLDs. As of March 9, there are 1247 TLDs on the Internet according to the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization responsible for handling the overall Internet namespace. This includes commonly seen TLDs like .com, .org, and .gov that are familiar to most Internet users. There are 251 ccTLDs representing nearly every country on Earth (many countries may have more than one ccTLD). Beyond this, since 2013, ICANN began approving hundreds of new TLDs such as .guru, .tech, .florist, and many more. This is a huge set of alternate TLDs which could be abused.
The most interesting set of TLDs for typosquatters are those that are likely to be mistyped. We have seen some research on typosquatting of .co and .cm, the ccTLDs for Colombia and Cameroon, respectively. Similarly, as we discovered with the Netflix example, the ccTLD assigned to the country of Oman, .om, is a prime candidate. Simply drop the “c” in “.com” and you’re there. An alternative method we also considered is flipping the “c” and the “.”. For example, “google.com” becomes “googlec.om”.
How many .om’s are registered and possibly malicious?
We began our research of .om abuse by attempting to determine how many .om domains are associated with popular sites, who is registering these domains, and what is hosted at those sites. To do this, we went through the 5,000 most popular domains globally and attempted to resolve whether the brand had an associated <brand>.om or <brand>c.om. We discovered 334 domains that meet this criteria and are currently pointing to active sites. There may be others that are registered, but are currently down or are in the process of being purchased. We contacted the most heavily clustered ISPs and shared information pertaining to the malicious domains before publishing.
Our next step was looking at registration information via WHOIS services. We wanted to know if there were blocks of domains with the same registration information and timing of registration, and whether any appeared to have contact information associated with the legitimate property. During our research, we discovered that only fifteen of the .om domains were managed by the rightful owner or a brand protection organization. The entire list of these 15 domains can be found at the end of this post. ccTLDs can be challenging to analyze because WHOIS service can be quite restrictive in access to the registrant data. Malicious actors are aware of these limitations and therefore often use such ccTLDs to hinder attribution. The .om ccTLD allowed for some data access. Interestingly, we were able to identify several actors who registered the majority of these domains in clusters as listed in the table below (295 out of the total 334). The entire list of suspicious domains can be found here.
It is worth noting that we have no reason to believe that these identities are associated with the malicious campaign. Registrant names can be easily spoofed, can be an alias, or could be filled in as an artifact of the registration process; for example, an identity associated with domain approval. Attempting any attribution of this typosquatting campaign is beyond the scope of this research.
We then sought to understand whether there were any interesting patterns in registrations. Given the clustering in registrants, we expected to see those identities clustering in terms of time of registration. This could imply a fully scoped malicious campaign wherein the malicious infrastructure was staged at a give time. As the following graph demonstrates, we saw spikes. The Feb 2016 spike, for example, is due in part to a large number of Ahmed Al Amri registrations on February 25th. It is possible that this could be a result of a batch of domains being approved at that time (see the section on registering a domain for information on a waiting period).
We next determined where .om domains are being hosted. As with registration information, we noted clustering here as well. The 334 .om sites related to well-known Internet properties are hosted on 15 different hosting providers. As a sampling, 111 of the domains (including netflix.om) are pointing at IPs associated with Tiggee LLC, a US-based hosting provider. Casablanca, a Czech hosting provider, and Choopa LLC, a hosting provider in New Jersey, account for other large chunks. Unsurprisingly, many point to the same IP address within a given provider. For example, the 111 domains on Tiggee point to only four IP addresses hosted at that provider and from there, a series of redirections take place. On top of the previous evidence, this tight clustering in where the domains are hosted gives us very clear evidence of typosquatted .om domains being grouped.
We wanted to see what software stack is running on the servers hosting .om sites. We used Shodan to do this. Due to our focus on netflix.om, we looked most closely at the servers on Tiggee. Very unsurprisingly, the software stack on these servers was uniform. Many of the machines serving up these domains have severe unpatched vulnerabilities, including some which could provide arbitrary remote access. That is, these hosts could easily be exploited by other actors to serve up alternate (possibly worse) malicious content than what’s currently being served.
Having convinced ourselves that there is at least one typosquatting campaign underway, we wanted to identify how much traffic the malicious sites receive. In other words, how common is the targeted typo? To answer this question, we looked at our sources of passive DNS data. Passive DNS provides an analyst with information about DNS activity. We see that the actors behind this typosquatting attack have been quite successful. There are at least thousands of queries per day to the malicious .om domains from different recursive DNS resolvers across the world. This is the lower bound on the amount of activity, given caching and the limited scope of passive DNS sensors we have access to. The footprint is global, as displayed in the diagram below.
It is worth restating a point from above. The vast majority of .om domains associated with brands in the top 5,000 do not currently resolve to active sites. We don’t have access to the .om zone file to know for sure whether this means they aren’t registered, but we’d assume that a significant chunk probably are not registered. Most active .om sites associated with popular brands appear to be part of malicious campaigns. It’s concerning to us that typosquatters could scoop up many more popular domain names in the .om ccTLD, exponentially increasing the impact.
In our experience, typosquatting for the purpose of content delivery is mostly the realm of cyber criminals and questionable ad networks. APTs have been seen copying domains for visual similarity to hide C2 and exfil, for example, the we11point.com domain being used as infrastructure in the Anthem attack. We could see typosquatting being increasingly used in a similar fashion as targeting watering holes by determined adversaries to gain access. The 2013 attack on a popular iOS developer site that led to the compromise of Facebook, Apple, and many others is a good example of the potential implications of watering holes. It could be possible for a ‘.om’ domain being bought and used to catch a small number of mistakes over time from targeted organizations, enabling an actor to drop backdoors into a targeted network.
What happens when a user visits one of these sites?
Having understood the scope of this problem, we wanted to understand what takes place when a user visits one of these malicious .om sites. We also wanted to look at the content being served across the the different domains in an attempt to solidify our understanding of how activity is grouped within campaigns.
As was the case with the original netflix.om domain we initially encountered, a majority of the other typosquatted domains appeared to exhibit the telltale signs and behavior of adware redirection sites. Accessing one of these sites tends to lead the user’s browser to a few different web pages in a very short period of time, with the ultimate destination having content that may not even be relevant to the URI accessed in the first place. The redirections are in place for a few different reasons:
- The original URI can be made to appear somewhat legitimate, obscuring the path users will be forced to go down upon access.
- The malicious actors can redirect the users to targeted platform-specific and / or location-specific content that may entice a naïve user to continue their journey further down the rabbit hole.
- The actors can change the destination web pages in an instant by modifying one or more of the redirect pages, thus allowing for easy pivoting to new pages or servers much like an incredibly frustrating game of Whack-A-Mole.
- Tracking cookies can be generated along the way to the ultimate destination and placed within the user’s browser cache to surreptitiously monitor their behavior and provide further means for the actors to monetize a user’s unfortunate trip to their site.
Regardless of the relevance of the content, the destination web page will almost assuredly be riddled with advertisements, surveys to complete for free electronics, or scareware tactics to entice users to download and execute an anti-virus suite that leads to further headaches and intrusive advertising. The goal of these pages is simply to generate as much advertising revenue as possible for the bad actors while trying to keep naïve users engaged and / or scared in order to keep them clicking more links and prolonging their sessions.
We quickly discovered that there was a limited set of redirection techniques and adware content that were consistently served up by the malicious .om domains. Due to the similarities involved (if not exact matches) in the HTML and JavaScript that was collected, we were able to divide the domains into distinct categories according to the different hosting providers. The content served at domains hosted at the same provider usually stayed within a small set (one or two) of redirection techniques or adware content. The maximum number of redirection techniques we saw on any host was five.
After completing the scraping and tallying up the various techniques and adware content, there was one grouping of data in particular that stuck out. The .om domains hosted at Tiggee and Casablanca served up the same or similar content in several instances, which provides evidence that one actor is likely operating on those two providers.
The following demonstrates some of the redirects on a couple of the .om sites.
Targeting of Mac users with malware
The redirect / adware pages hosted at the typosquatted domains were very annoying and possibly alarming to users, but we did not note any malware being dropped or any prompts to install malware, in contrast to the Endgamer’s experience over the weekend. We theorized that sites may be performing operating system and/or user agent detection. Based off of the user’s configuration, the sites would serve advertisements or adware catered to his or her platform. This is a common tactic for malicious actors.
We switched from using a Windows virtual machine with varying browser configurations and instead moved to using a OS X virtual machine with Firefox. Upon doing this, we were able to reach the same page seen by the Endgamer earlier in the week, capture malware, and perform our analysis.
When clicked, the “Download” and “Install” buttons call a JavaScript function to initiate the download and produce a popup within the browser:
javascript:downloadEXEWithName('
hxxp://ttb.newmysoftb[.]com/
download/request/561257515f1c1ec447000000/
LVw2a59i',%20'LVw2a59i',%20'FlashPlayer.exe')
Despite the name, the downloadEXEWithName function does not result in a Windows executable being downloaded. The function builds a unique URI for downloading the adware:
hxxp://ttb.newmysoftb[.]com/download/ request/561257515f1c1ec447000000/ LVw2a59i?__tc=1457627771.679&lpsl=a8604c33f478be1581e95cfe73ed6147&expire=1457713110&slp=www.getfiledow.com&source=netflix.om&c=0.0069&fileName=FlashPlayer
When this second URI is accessed, it will initiate another redirect to a OS X DMG file hosted at an Amazon AWS S3 bucket:
hxxps://s3.amazonaws[.]com/hm-ftp/prod/ 1000012/80801124/162/installer/ default/AdobeFlashPlayer.dmg ?postbackURL=http://platform1.admobe.com/p/ic.php&postbackData=s|YXAZoZX...
The download was then determined to be Adware Genieo, a common OS X malware / adware variant. Genieo typically infiltrates the user’s system by posing as an Adobe Flash update and drops a OS X DMG container, as was the case in our experience. Genieo then entrenches itself on the host by installing itself as an extension on various supported browsers (Chrome, Firefox, Safari).
The variant in this case appears to function similarly to standard Genieo variants in that it installs browser hijacking extensions in Chrome, Firefox, and Safari:
The Firefox extension will attempt to alter the browser homepage to hxxp://www.hmining[.]mobi/homepage, while the Safari extension contains hardcoded references to the S3 bucket from which the original DMG was downloaded: hxxp://s3.amazonaws[.]com/hm-ftp/prod/%@/offers/%04d/%@. As is typical with Genieo variants and other browser hijacking adware, the extensions contain extensive capabilities for modifying the configuration of each of the respective browsers in order to provide targeted advertising and generate ad revenue for the adware developers and distributors, much to chagrin of their unfortunate victims.
Because it’s a fairly well researched piece of malware, we will not go further in-depth here. For more information on Genieo, please see: http://www.thesafemac.com/genieo-adware-downloaded-through-fake-flash-updates .
Buying a .om domain
As detailed above, the majority of .om domains for top Internet sites are probably unregistered, and only a small number appear to be controlled by the legitimate brand. In investigating the .om ccTLD, we found conflicting information about authorized usage of the .om ccTLD. Some sources indicate that this ccTLD is used by “Omani Government and official parties,” while other sources indicate that .om is open for all to register and has no auxiliary requirements. Obviously some very questionable .om domains are in the wild. We decided to register a domain and see what would happen.
We identified several websites that claimed to sell .om domains. We chose one, which offered a domain for $269 per year. We registered with obviously bogus information (similar to “John Smith”, “123 1st St”, “(111)-111-1111”) and made the purchase. The only identity verification requirement was clicking a verification link sent to a legitimate email address, which had no relation to the domain being acquired. We were informed that we now owned the domain, but were subject to a two month waiting period. It was not specified what would occur during this two month period. But wait! The website went on to offer what seemed to be an expedited process for an additional $335. The same company even offered to assist with establishing a “new official business” in Oman.
We chose to initially register without any add-ons and reach out later to request the expedited process. Within an hour of requesting expedited service, a representative from the registrar contacted us. At this point, the representative asked us for proof that we were associated with the brand in question. He was extremely helpful and willing to support us, but with our information being so obviously bogus, we hit a snag. It did appear that there was some concern towards proving that we’re real, at least in this case. As a test, we registered a second .om domain with legitimate looking contact details and asked to expedite it at the time of initial purchase. As of this writing, we have not received any inquiries but the second expedited purchase remains in process. We don’t know why we haven’t received the same questions about documentation but assume that it’s because on the surface the information looks much more legitimate.
This leaves some open questions. We did experience a verification step in the expedited process. We do not know whether the same verification would have been requested during the two month waiting period had we not expedited. As we detailed, hundreds of malicious domains clearly not associated with the targeted brand have recently been registered. It is highly unlikely that purchasers had proof of ownership. Bottom line, we do not know how all of these domains were approved for registration, but .om is clearly not just for official Omani government use. In fact, as we demonstrated, for a reasonable price you too can own a .om domain.
Conclusion
Based on our research, this has much broader implications and relevance for a variety of organizations, not just Netflix. It may not be well known that .om domains are available for purchase. The vast majority of .om registered domains are malicious, according to our research, and they are receiving a non-trivial amount of traffic. Equally concerning, many popular sites remain unregistered and therefore vulnerable.
Most large companies already have a typosquatting mitigation strategy. Companies identify domains, register, and control likely domains their customers may accidentally enter. It’s relatively easy to identify and purchase candidate domains using tools such as Domain Tools’ Domain Typo Finder. We recommend that companies prioritize adding .om registration to protect their reputation, and block known-malicious .om domains to protect their enterprise.
The effects in this case were relatively mild, with the installation of common adware the worst case scenario for an unfortunate user. But, that does not mean this attack vector should be taken lightly. The malicious actors could have just as easily taken more malicious actions such as installing ransomware, unwittingly including victims in a botnet, or hosting additional malware on victims. Furthermore, typosquatting techniques could be used by more persistent and patient adversaries to gain remote access to targeted victims.
Companies - especially high profile companies - should expand their typosquatting mitigation strategies to additionally focus on TLDs if they aren’t already. As we have seen, the .om typosquatting impacts many high profile companies whose customers are now vulnerable to the same deception that our colleague discovered when attempting to binge watch this season’s House of Cards.
Update 3/16/16: Since the initial publication, a large percentage of the .om websites have been updated to serve only ad content instead of serving adware/malware links to Mac users. The campaign remains concerning, as the identified sites remain active and and could be switched back to serving more malicious content at any time. The reasons for this change are unknown.
Update 3/25/16: Of the 319 malicious .om domains we originally reported on 11 March, 292 have been deleted or had their DNS records removed. Updates to the "whois" server indicate that the domain status was revoked by the registrar due to "Violating the terms of registration as per the registry-registrar agreement". The original, complete list of domains that appeared suspect can be found here. The updated list of domains that still remain active since publishing our research can be found here.
List of 15 .om domains that appear legitimate
nextdirect.om
hotwire.om
vmall.om
tripadvisor.om
hyatt.om
entrepreneur.om
bbc.om
icloud.om
marriott.om
twitter.om
lego.om
panasonic.om
tv.om
papajohns.om
pizzahut.om