Hunting that evil typosquatter

We are continuing our URL investigations, S1 episode 2. If you missed the first episode, you can go and read the blog post Splunking 1 million URLs first.

One of the well known security problems is typo squatting. What would happen if someone registers www.yahoo.om? Knowing this is one of the most popular website, there is a high chance a small percentage would type this instead of the legitimate www.yahoo.com

.om is the ccTLD for the country of Oman

I encourage you to read a thorough analysis on this problem from Endgame “What does Oman, the House of Cards, and Typosquatting Have in Common? The .om Domain and the Dangers of Typosquatting”. They even published a list on pastebin, which as of today looks like this:

ctrip.om
dangdang.om
directv.om
douban.om
drugstore.om
dubizzle.om
eastmoney.om
enterprise.om
etao.om
fiverr.om
htc.om
huffingtonpost.om
nbc.om
one.om
qqc.om
qvc.om
si.om
sogou.om
tuniu.om
usaa.om
weatherc.om
weiboc.om
y8.om
yatra.om

As a Splunk user, it is great to know the impact of those domains in your network.

While some bash users like to say “Go away or I will replace you with a very small shell script”, at Splunk we like to say “I will find you with a very small Splunk search!”.

First of all, let’s create a CSV from this list. It will look like this:

typodomain, typotype
ctrip.om, typo squatting
...

Then, in Splunk, go to Settings/Lookups to add a Lookup table file. Tune Permissions properly afterwards and lets get started!

We make sure the CSV works properly first:

typolookup

Now we can apply the lookup to our data. We happen to have bluecoat proxy data, to which we apply the URL schema on the fly as seen in the first post:

sourcetype="bluecoat*" | lookup webfaup url

To which we run our subsearch, so matching events will appear:

| inputlookup typosquatting.csv | rename typodomain as url_domain | fields + url_domain

Now we can combine both:

sourcetype="bluecoat*" | lookup webfaup url | search [| inputlookup typosquatting.csv | rename typodomain as url_domain | fields + url_domain]

And we can check if one of the domains did match that request:

searchtypo

 

Voilà, this is how one can catch with no pain, a small Splunk search, from external knowledge intelligence gathered on a pastebin of something you would rather be aware of if this happens in your organization.