Going Phishing for CopyCats
If you’re in charge of a domain that others visit on a regular basis, you want to ensure that users continue to trust that domain. After all, your domain is an extension of your brand, which is your business. So you want to keep phishers and attackers from creating fakes and copies of it to lure your customers away or tarnish your brand with false information.
One way this happens is through typo-squatting. This funny-sounding term describes how attackers register domain names that resemble a legitimate one. For example, if an attacker wants to subvert users going to www.google.com, they may try to register a domain name that is (a) similar-looking at first glance or (b) a likely result of a human typing error, so one of the following may be registered:
- gooogle.com
- g00gle.com
- goog1e.com
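To make the categories above concrete, here is a small generator, added here and not part of the original post or of dnstwist, that produces the kinds of look-alike labels a monitoring tool enumerates for a domain you own: an extra repeated character, a dropped character, and a digit-for-letter homoglyph. The homoglyph table is a constructed subset; the output format "type,domain" is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate single-edit look-alikes
# of a domain so you know which registrations to watch for or pre-register.
set -eu

# variants DOMAIN -> lines of "type,lookalike.tld", one edit away from DOMAIN.
variants() {
    name="${1%%.*}"      # label before the first dot, e.g. "google"
    tld="${1#*.}"        # everything after it, e.g. "com" or "co.uk"
    printf '%s\n' "$name" | awk -v tld="$tld" '
    # Constructed homoglyph subset: letters commonly swapped for look-alike digits.
    BEGIN { map["o"] = "0"; map["l"] = "1"; map["i"] = "1"; map["e"] = "3"; map["a"] = "4" }
    {
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            pre = substr($0, 1, i - 1)
            post = substr($0, i + 1)
            print "repetition," pre c c post "." tld        # gooogle.com
            if (n > 1) print "omission," pre post "." tld   # gogle.com
            if (c in map) print "homoglyph," pre map[c] post "." tld  # goog1e.com
        }
    }' | sort -u   # identical results (e.g. doubling either "o") collapse to one line
}

# Usage: variants google.com
```

Each line is one edit away from the original; a name like g00gle.com needs two substitutions, which dnstwist also produces by combining fuzzers, so expect its candidate list to be considerably longer than this one.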
Large companies usually purchase products or services labeled as “brand protection” to review these similar domains and attempt to determine if they are spoofs of their brand, or malicious in nature.
There are, however, more cost-effective solutions that can be automated quickly and produce similar results.
The open source tool we’ll be using here is a GitHub project called dnstwist. You can get to the project here.
There are different methods to install, but I’ve found the most stable one to be using the Docker containerization platform.
You can also try before you buy via the hosted version at https://dnstwist.it.
Putting the pieces together
The way I implement this is to script out the dnstwist command against the domain you want to monitor, redirecting that output to a CSV file. The command can take some time to run, but the file is then passed to a second script that compares the output against a list of known entries I’ve already compiled and checked out.
The results of that comparison are then sent to me via email.
An example of the docker script to scan an example domain:
docker run elceef/dnstwist --format csv -w -b -r example.dom > /tmp/ex.dom.csv
The switch options here are as follows:
- --format csv - Writes the results as CSV rather than the default on-screen table, so the redirected file really is a CSV
- -w - Performs a WHOIS lookup on each domain
- -b - Collects any HTTP/SMTP service banners
- -r - Shows only registered domain names
An example of the comparison operation is as follows:
cat /tmp/*.csv | grep -avf list.txt > /tmp/domcompout.txt
This is a simple set of commands, and there very well may be an easier way to perform these actions, but here is a breakdown of them:
- cat /tmp/*.csv - Read all CSV files in the /tmp directory
- | grep -avf list.txt - Feed the CSV data into grep, where -a ensures the input is processed as text, -v performs an inverse match (print lines that do not match), and -f takes the patterns to match from the list.txt file
- > /tmp/domcompout.txt - Redirect the output of the command to the domcompout.txt file
The last portion of the original script is to email the results of the domcompout.txt file to me, so I can see if there were any new entries:
mailx -s "Domain Check" -a /tmp/domcompout.txt my@emailaddress.dom
This is a standard mail client you can use from the CLI.
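The three steps above (scan, compare against the reviewed list, mail the difference) joined into one script, as an added example that is not from the original post. It assumes the elceef/dnstwist Docker image with its --format csv option, a mailx whose -a flag attaches a file (Heirloom mailx or s-nail; in bsd-mailx, -a adds a header instead), and that the dnstwist CSV header names the domain column "domain". The scan data in demo is constructed for the self-check and is not real dnstwist output.

```shell
#!/bin/sh
# Added example, not from the original post: scan with dnstwist, compare against
# the reviewed list.txt, and mail only what is new.
set -eu

# Step 1: scan one domain with dnstwist in Docker, writing CSV. Not run by demo.
scan_domain() {
    docker run --rm elceef/dnstwist --format csv -w -b -r "$1" > "$2"
}

# Print the "domain" column of a dnstwist CSV, located by its header name
# (assumption: the header names that column "domain").
csv_domains() {
    awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "domain") col = i; next }
             col && $col != "" { print $col }' "$1"
}

# Step 2: domains in the scan that are not in the reviewed list.
# -x matches whole lines and -F takes the list literally, so an entry such as
# ample.dom cannot hide example.dom, a dot cannot act as a regex wildcard, and a
# stray blank line in the list cannot wipe out every result.
new_domains() {
    csv_domains "$1" | sort -u | grep -vxF -f "$2" || true
}

# Step 3: mail the report, but only when something new turned up.
report() {
    [ -s "$1" ] || return 0
    mailx -s "Domain Check" -a "$1" "$2" < /dev/null
}

# Self-check on constructed data: three registered names, two already reviewed,
# and a trailing blank line in the list that must not hide the third.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/scan.csv" <<'EOF'
fuzzer,domain,dns_a,whois_registrar
*original,example.dom,192.0.2.1,Example Registrar
homoglyph,examp1e.dom,192.0.2.2,Some Registrar
omission,exmple.dom,192.0.2.3,Other Registrar
EOF
    printf 'example.dom\nexamp1e.dom\n\n' > "$dir/list.txt"
    new_domains "$dir/scan.csv" "$dir/list.txt"
    rm -rf "$dir"
}

# With real input, from cron:
#   scan_domain example.dom /tmp/ex.dom.csv
#   new_domains /tmp/ex.dom.csv list.txt > /tmp/domcompout.txt
#   report /tmp/domcompout.txt my@emailaddress.dom
```

The one behavioural difference from the original pipeline is the -x and -F flags on grep: with plain grep -vf, each line of list.txt is a regular expression matched as a substring, so an empty line (easy to leave behind when editing the list by hand) matches every line and the report silently goes blank.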
Something that’s not included here is the original work I did to create the “list.txt” file. This was manual, and involved running dnstwist as mentioned above to create the CSV file, and reviewing manually. Any additional results found are also reviewed manually. So how are these results reviewed?
Reviewing Copycat Results
This is fairly simple. First of all, there is no law saying that you can’t register a domain similar to another. In fact, most registrars require proof of phishing or other malicious actions before they will even consider taking a domain down (you’re talking about their customer, and you are no one in particular to them, after all).
So a bit of research is required on your part: manually visit the website and possibly do passive reconnaissance using online tools like Shodan or URLScan. Remember, passive recon is fine, but once you start actively trying to find issues, weaknesses, or vulnerabilities, you could be breaking laws, so keep it passive.
Most of the time your results will be innocuous and you can add the domain to your “list.txt” file, but if you happen to see one that is a direct copy of your site or product, or looks to be another site where phishing or scams may be occurring, contact the registrar at the very least (most list a contact in their WHOIS record that you can reach out to or, better yet, a dedicated abuse contact on their website).