SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center
Typosquatting: Awareness and Hunting

Published: 2017-05-20
Last Updated: 2017-05-20 06:01:52 UTC
by Xavier Mertens (Version: 1)

Typosquatting has been used for years to lure victims… You receive an email or visit a URL with a domain name that looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting letters to make a domain look like the official one. The problem is that the human brain automatically corrects what you see, so you think that you are visiting the right site. I remember that the oldest example of typosquatting I saw was “”. Be honest, the first time, you read "", right? This domain was registered in 1997 but has since been taken back by Microsoft. The longer your domain name, the more combinations of letters are available to generate fake domains. Sometimes it's difficult to detect rogue domains because of the font used to display them: an “l” looks like a “1”, or a “0” looks like an “O”.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was a classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials; there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let’s put the malware aside and focus on the domain name that was used: (with a double “L”).

A quick check reveals that this domain is fortunately owned by DHL (not “DHL Express” but “Deutsche Post DHL”, which owns the courier company):

Domain Name:
Registry Domain ID: 123181256_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2016-09-23T04:00:10-0700
Creation Date: 2004-06-22T00:00:00-0700
Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (
Domain Status: clientTransferProhibited (
Domain Status: clientDeleteProhibited (
Registry Registrant ID:
Registrant Name: Deutsche Post AG
Registrant Organization: Deutsche Post AG
Registrant Street: Charles-de-Gaulle-Strasse 20
Registrant City: Bonn
Registrant State/Province: -
Registrant Postal Code: 53113
Registrant Country: DE
Registrant Phone: +49.22818296701
Registrant Phone Ext:
Registrant Fax: +49.22818296798
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Deutsche Post AG
Admin Street: Charles-de-Gaulle-Strasse 20
Admin City: Bon
Admin State/Province: -
Admin Postal Code: 53113
Admin Country: DE
Admin Phone: +49.22818296701
Admin Phone Ext:
Admin Fax: +49.22818296798
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name: Technical Administrator
Tech Organization: DHL
Tech Street: 8701 East Hartford Drive
Tech City: Scottsdale
Tech State/Province: AZ
Tech Postal Code: 85255
Tech Country: US
Tech Phone: +1.4089616666
Tech Phone Ext:
Tech Fax: -
Tech Fax Ext:
Tech Email:
Name Server:
Name Server:
DNSSEC: unsigned

The zone "" is also hosted on the DHL name servers. It is good that DHL registered potentially malicious domains, but... if you do this, don’t just park the domain; go further and actually use it! The fact that the domain has been registered by the official company does not prevent bad guys from abusing it to send spoofed emails.

First point: "" and "" do not resolve to an IP address. If you register such domains, create a website, point them to it, and log who visits the “fake” page. You can display an awareness message or simply redirect to the official site. This will also prevent your customers from landing on a potentially malicious site and improve their experience with you.

The second point is related to the MX records. No MX records were defined for the "" domain. As with the web traffic, build a spam trap to collect all messages sent to *. By doing this, you will capture potentially interesting traffic and will be able to detect whether the domain is being used in a campaign (e.g., you will catch all the “non-delivery receipts” in the spam trap).

Finally, add an SPF[2] record for the domain. This will reduce the amount of spam and phishing campaigns. 

To conclude, registering domain names derived from your company's name is the first step, but don't just park them: use them for hunting and awareness!
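The variant generation described above (swapping, replacing, adding, omitting and look-alike letters) together with the three recommendations for registered lookalikes (a web presence that logs visitors, an MX pointing at a spam trap, an SPF record), as an added Python example; it is not code from this diary or from dnstwist. The domain example.com, the DNS snapshot and the IP addresses are constructed sample data, and the QWERTY and homoglyph tables are assumptions that cover only a subset of confusable characters.

```python
"""Typosquatting candidate generation plus a defensive audit of registered
lookalikes.  Added example, not from the ISC diary or from dnstwist.  All
domain names and DNS records below are constructed sample data (example.com
is the reserved documentation domain); nothing here performs a live lookup."""
from typing import Dict, List, Set

# Characters that render similarly in common fonts (the "l"/"1" and "O"/"0"
# confusion mentioned in the diary, plus the classic "rn" for "m").  Subset.
HOMOGLYPHS: Dict[str, List[str]] = {
    "l": ["1", "i"], "i": ["l", "1"], "1": ["l", "i"],
    "o": ["0"], "0": ["o"], "m": ["rn"], "rn": ["m"],
}

# Physically adjacent keys on a QWERTY layout (assumed table); a slip of the
# finger replaces or inserts one of these.
QWERTY: Dict[str, str] = {
    "q": "wa", "w": "qesa", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def generate_variants(domain: str) -> Dict[str, Set[str]]:
    """Return candidate lookalikes of `domain`, grouped by the fuzzing
    technique that produced them (the same categories dnstwist reports)."""
    name, tld = domain.lower().rsplit(".", 1)
    out: Dict[str, Set[str]] = {k: set() for k in (
        "omission", "repetition", "transposition", "replacement",
        "insertion", "homoglyph", "hyphenation", "bitsquatting")}
    for i, ch in enumerate(name):
        out["omission"].add(name[:i] + name[i + 1:])
        out["repetition"].add(name[:i] + ch + name[i:])
        if i < len(name) - 1:
            out["transposition"].add(name[:i] + name[i + 1] + ch + name[i + 2:])
            out["hyphenation"].add(name[:i + 1] + "-" + name[i + 1:])
        for key in QWERTY.get(ch, ""):
            out["replacement"].add(name[:i] + key + name[i + 1:])
            out["insertion"].add(name[:i] + key + name[i:])          # before the char
            out["insertion"].add(name[:i + 1] + key + name[i + 1:])  # after the char
        for glyph in HOMOGLYPHS.get(ch, []):
            out["homoglyph"].add(name[:i] + glyph + name[i + 1:])
        # Bitsquatting: one flipped bit in memory or on the wire turns a label
        # character into another; keep only results valid in a hostname.
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped.isascii() and (flipped.islower() or flipped.isdigit() or flipped == "-"):
                out["bitsquatting"].add(name[:i] + flipped + name[i + 1:])
    # Two-character homoglyphs ("rn" -> "m") need a substring pass.
    for seq, glyphs in HOMOGLYPHS.items():
        if len(seq) == 2 and seq in name:
            for glyph in glyphs:
                out["homoglyph"].add(name.replace(seq, glyph, 1))
    # Drop empties, the original label and labels with a leading/trailing hyphen.
    for kind, labels in out.items():
        out[kind] = {lab + "." + tld for lab in labels
                     if lab and lab != name and not lab.startswith("-") and not lab.endswith("-")}
    return out


# Constructed DNS snapshot standing in for live lookups: each name maps to the
# record types a resolver would return.  "exarnple.com" is parked like the
# lookalike in the diary (no A, no MX, no SPF); "examp1e.com" follows the
# diary's three recommendations.
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com":  {"A": ["203.0.113.10"], "MX": ["10 mail.example.com."],
                     "TXT": ["v=spf1 mx -all"]},
    "exarnple.com": {},
    "examp1e.com":  {"A": ["203.0.113.10"],               # awareness page / redirect
                     "MX": ["10 spamtrap.example.com."],  # trap catches mail and bounces
                     "TXT": ["v=spf1 -all"]},             # nobody may send mail as this domain
}


def audit_defenses(domain: str, dns: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """List which of the diary's three defenses a registered lookalike lacks."""
    rr = dns.get(domain, {})
    gaps: List[str] = []
    if not rr.get("A"):
        gaps.append("no A record: visitors see an error instead of an awareness page")
    if not rr.get("MX"):
        gaps.append("no MX record: mail (including bounces from a campaign) is not trapped")
    if not any(txt.startswith("v=spf1") for txt in rr.get("TXT", [])):
        gaps.append("no SPF record: the domain can be spoofed in mail unchallenged")
    return gaps


def registered_lookalikes(domain: str, dns: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Variants present in the DNS snapshot, i.e. somebody registered them."""
    seen = set().union(*generate_variants(domain).values())
    return sorted(d for d in seen if d in dns)


if __name__ == "__main__":
    for d in registered_lookalikes("example.com", SAMPLE_DNS):
        print(d, audit_defenses(d, SAMPLE_DNS) or ["all three defenses in place"])
```

In practice the snapshot would be replaced by real A/MX/TXT lookups over the generated list; the audit then tells you which of your own registered lookalikes are merely parked and therefore still usable by someone else for spoofed mail.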

A quick reminder about the tool dnstwist[3], which is helpful for generating lists of rogue domains (from an offensive as well as a defensive point of view). Here is an example based on

# docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip
      _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.01}

Fetching content from: ... 200 OK (396.3 Kbytes)
Processing 56 domain variants ................ 48 hits (85%)

Original* States SSDEEP:100%
Bitsquatting      -
Bitsquatting      -
Bitsquatting States
Bitsquatting States MX:localhost
Bitsquatting Kong
Bitsquatting States
Bitsquatting States
Bitsquatting States
Homoglyph States
Homoglyph States
Homoglyph States
Homoglyph States
Homoglyph States
Homoglyph Islands
Hyphenation States 2400:cb00:2048:1::6818:7c86
Hyphenation States MX:localhost
Insertion States
Insertion     -
Insertion States
Insertion States
Insertion States
Insertion States
Insertion States
Insertion States
Insertion     -
Omission States
Omission States
Repetition Kong
Repetition     -
Repetition States
Replacement States
Replacement States
Replacement States
Replacement      -
Replacement States
Replacement States
Replacement States
Replacement States
Replacement States
Subdomain     -
Subdomain     -
Transposition States
Various States


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
