In response to ISC Diary’s “an epidemic of typo squatting”

Posted: May 13th, 2013 | Filed under: IT Related | 1 Comment

I’ve been monitoring placeholder and typo squatting domains for a few months now, and I’ve read a write-up on the ISC diary, “Is there an epidemic of typo squatting?”. There are a few conclusions that I can make and share:

  1. Most of the typo squatting domains are parked on two /24 networks, and by default they serve a placeholder on the main page.
  2. The page (content) is detected by McAfee as JS/Redirector.ar or JS/Blacole-Redirect.
  3. A lot of domains (typo squatting some famous big websites) have been bought/rented and used in scam (win an iPad, win a voucher) activities.
  4. Besides the scam activities in item 3, I’ve also seen domains that have been used to serve malicious content/redirection.
  5. Speaking of item 4, one interesting point to share is that after serving the malicious content/redirection for some time (mostly 1 or 2 weeks), the domain is pointed back to the placeholder server and serves the placeholder again.
  6. Items 4 and 5 are also applicable to phishing activities.
  7. In the last couple of days (or week), they’ve started to ‘hide’ themselves behind CloudFlare IPs.
  8. Today (or maybe it happened over the weekend), a few IPs have changed the default interface (of the placeholder) to a plain page with something like a “what are you looking for?” message.
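The monitoring described above (watching typo variants of a brand and noticing that most of them park on the same two /24 networks) can be reproduced with a small script. The block below is an added example and not code from the original post: it generates simple single-character typo variants of a domain, then clusters resolved addresses by /24 so that a shared parking network stands out. The DNS answers are a constructed dictionary using RFC 5737 documentation addresses, so it runs offline; in practice you would replace `SAMPLE_RESOLUTIONS` with real A-record lookups of the generated variants.

```python
"""Typo-variant generation and /24 clustering for brand monitoring (constructed example)."""
import ipaddress
from collections import defaultdict


def typo_variants(domain):
    """Return single-character omission, duplication and transposition variants of a domain.

    Only the registrable label (left of the last dot) is mutated; the TLD is kept.
    """
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(name)):
        # Omission: drop one character (e.g. exampl.com)
        variants.add(name[:i] + name[i + 1:] + "." + tld)
        # Duplication: repeat one character (e.g. exxample.com)
        variants.add(name[:i] + name[i] * 2 + name[i + 1:] + "." + tld)
        # Transposition: swap two adjacent characters (e.g. exmaple.com)
        if i < len(name) - 1:
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
    variants.discard(domain)
    # Drop degenerate results such as ".com" from one-letter names
    return sorted(v for v in variants if not v.startswith("."))


# Constructed sample: what A-record lookups of the variants might return.
# Addresses are from the RFC 5737 documentation ranges, not real hosting.
SAMPLE_RESOLUTIONS = {
    "exmaple.com": "203.0.113.10",
    "exampl.com": "203.0.113.77",
    "exxample.com": "198.51.100.5",
    "examlpe.com": None,  # NXDOMAIN, unregistered
}


def cluster_by_slash24(resolutions):
    """Group hostnames by the /24 their address falls in.

    resolutions maps hostname -> IPv4 string, or None when the name did not resolve.
    Returns {"a.b.c.0/24": [sorted hostnames]}.
    """
    clusters = defaultdict(list)
    for host, ip in resolutions.items():
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        clusters[str(net)].append(host)
    return {net: sorted(hosts) for net, hosts in clusters.items()}


def parking_candidates(clusters, min_size=2):
    """Networks hosting at least min_size typo variants: likely shared parking/placeholder space."""
    return sorted(net for net, hosts in clusters.items() if len(hosts) >= min_size)


def report(domain, resolutions):
    """Tie the steps together: which generated variants are registered, and where they cluster."""
    variants = typo_variants(domain)
    registered = {v: resolutions.get(v) for v in variants if resolutions.get(v)}
    clusters = cluster_by_slash24(registered)
    return {
        "variants_checked": len(variants),
        "registered": sorted(registered),
        "clusters": clusters,
        "parking_candidates": parking_candidates(clusters),
    }


if __name__ == "__main__":
    for key, value in report("example.com", SAMPLE_RESOLUTIONS).items():
        print(f"{key}: {value}")
```

Once a /24 is flagged as parking space, the same lookup history lets you spot the behaviour in items 4 and 5: a variant whose address leaves the parking network and later returns to it is worth pulling the page content for, since that is the window in which the redirector was served.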

Seeing something similar or totally different? Feel free to share your points in the comment section.

Thanks


One Comment on “In response to ISC Diary’s “an epidemic of typo squatting””

  1. Allyson Odom said at 4:49 PM on May 28th, 2013:

    With McAfee we also see in the last two months a lot of detections of JS/Redirector.ar where the name of the detected file is a typo squatting of a regular web page. The detection can be reproduced by visiting the web page with the typo squatting. Unfortunately VirusTotal.com doesn’t detect the site as infected. Before the JS/Redirector.ar detections the JS/Blacole-Redirect variants were very popular the last year.


Leave a Reply