I’ve been monitoring placeholder and typo squatting domains for few months now, and I’ve read a write-up on ISC diary on “Is there an epidemic of typo squatting?”. There are a few conclusions that I can make and share:
- Most of typo squatting domains are parked on two /32 network, and by default, they are serving placeholder on the main page
- The page (content) is detected by McAfee as JS/Redirector.ar or JS/Blacole-Redirect
- There are a lot of domains (typo squatting some famous big websites) have been bought/rent, and used in Scam (win an iPad, win a voucher) activities.
- Beside of Scam activities as in No 3, I’ve also seen domains that have been used in serving malicious content/redirection.
- Speaking about item no 4, one interesting point to share is, after serving the malicious content/redirection for some time (mostly 1 or 2 weeks), the domain will be pointed back to the placeholder server and serving the placeholder again
- Item 4, and 5 also applicable for Phishing activities
- In the last couple of days (or week), they’ve started to ‘hide’ themself behind CloudFlare IPs.
- Today (or maybe it happened in the weekend), a few IPs have changed their default interface (of the placeholder) into some plain page with something like “what are you looking for?” message.
Seeing something similar or totally different? Feel free to share your points in the comment section.