In response to ISC Diary’s “an epidemic of typo squatting”

I’ve been monitoring placeholder and typo squatting domains for few months now, and I’ve read a write-up on ISC diary on “Is there an epidemic of typo squatting?”. There are a few conclusions that I can make and share:

  1. Most of typo squatting domains are parked on two /32 network, and by default, they are serving placeholder on the main page
  2. The page (content) is detected by McAfee asĀ JS/Redirector.ar or JS/Blacole-Redirect
  3. There are a lot of domains (typo squatting some famous big websites) have been bought/rent, and used in Scam (win an iPad, win a voucher) activities.
  4. Beside of Scam activities as in No 3, I’ve also seen domains that have been used in serving malicious content/redirection.
  5. Speaking about item no 4, one interesting point to share is, after serving the malicious content/redirection for some time (mostly 1 or 2 weeks), the domain will be pointed back to the placeholder server and serving the placeholder again
  6. Item 4, and 5 also applicable for Phishing activities
  7. In the last couple of days (or week), they’ve started to ‘hide’ themself behind CloudFlare IPs.
  8. Today (or maybe itĀ happened in the weekend), a few IPs have changed their default interface (of the placeholder) into some plain page with something like “what are you looking for?” message.

Seeing something similar or totally different? Feel free to share your points in the comment section.

Thanks

One Response to In response to ISC Diary’s “an epidemic of typo squatting”

  1. With McAfee we also see in the last two month a lot of detections of JS/Redirector.ar where the name of the detected file is a typo squatting of a regulare web page. The detection can be reproduced by visiting the web page with the typo squatting. Unfortunatelly VirusTotal.com doesn’t detect the site as infected. Before the JS/Redirector.ar detections the JS/Blacole-Redirect variants were very popular tha last year.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Go to top