Typosquatting. It’s a phrase most of us know in the security realm and think we’ve got our hands and minds firmly wrapped around. For example, my employer’s domain is digitalshadows.com, and a typosquat could be digitashadows.com or even digitalshdows.com. That typosquat could be used for a variety of things, like phishing, brand impersonation, or even reputational damage.
If you want to learn more about typosquatting and domain squatting, check out our in-depth blog post: Domain Squatting: The Phisher-man’s Friend
What about something more malicious? Maybe delivering malware or some shady software to a potential customer who’s just trying to get information about the company and its offerings. The point is, there’s a wide range between what a typosquat actually is and what it can look like.
What’s something else on everyone’s minds at the moment? In the United States, it’s the upcoming presidential election of 2020. As of 20 September, there are 19 Democratic candidates and 4 Republicans, including President Donald Trump. Politics aside, Photon Research Team thought it would be interesting to use this pool of candidates as a backdrop for research into typosquatted domains; following the 2016 presidential election, it was a fair bet we would find some interesting tidbits using our SearchLight™ platform.
Altogether, we detected over 550 typosquats for the 34 candidate- and election-related domains we gathered from open-source research. Not every single one was something interesting; most of the time the typosquatted domain was simply parked and not hosting content. Still, there were some worthwhile areas to dig into deeper.
Alex and I recorded a video as well walking through the findings. Check it out here.
For the purposes of this research, we decided to classify the different types of typosquats we detected into three distinct categories, which are replete with examples:
The following chart shows the breakdown of relevant typosquatted sites we uncovered, by category.
Figure 1: Breakdown of relevant typosquatted sites uncovered by category
The most interesting pieces of this political puzzle we found resided in the domains we classified as redirects, or sites that were redirecting to some other domain that wasn’t originally typed into the address bar. Redirects happen all the time for legitimate reasons (even as a way to combat typosquatting). For instance, faceboo.com redirects to facebook.com. Facebook’s security team likely knows that those quick typists out there trying to see all the latest updates from their friends may make a mistake when putting the URL into the address bar.
But what would happen if faceboo.com redirected to a competitor, like Twitter or TikTok? Or, what if it redirected to a hate site devoted to doxing Facebook employees? These are brand perception nightmares that corporations should be readily prepared for. Redirection can also be used as a way to mask the true nature of the server until it is due to be used. One of the main things we found were typosquats for presidential campaigns redirecting to their political opponent’s websites.
Figure 2: Examples of redirect typosquats detected around the 2020 US Presidential election
The four examples pictured above represent the spread of various instances of typosquatting that we detected. For starters, winrde.com is the mistyped WinRed.com, a technology platform developed mainly for Republican candidate supporters that allows easy donations to specific candidates. Currently, it redirects to ActBlue, the main fundraising site for the Democrats. You can see how a company standing in the same shoes could potentially lose out on an e-commerce purchase or a business deal simply because they typed in the wrong URL address.
Tulsi2020.co and elizibethwarren.com redirect to marianne2020.com and donaldjtrump.com, respectively, and donaldtrump.digital redirects to hillaryclinton.com. Without calling out one candidate or one party over another for these typosquats, it’s clear that the political battles are not taking place just on the debate stage or in the media but expanding to the cyber realm, as well.
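The typo patterns described above (a dropped letter in digitashadows.com, swapped letters in winrde.com, a wrong vowel in elizibethwarren.com, a doubled letter in kamalaharriss[.]info, a digit look-alike in t0msteyer.com, and TLD squats such as donaldtrump.digital) can be generated and matched mechanically, which is how a brand-monitoring team triages a list of newly registered domains. The following is an added example, not Digital Shadows’ SearchLight code; the “legitimate” campaign domains it is fed in the demo are assumptions made up for illustration.

```python
import string

# Letters and hyphen are the only characters used for the ordinary typo classes; digits are
# reserved for the homoglyph class so that t0msteyer is reported as a look-alike, not a substitution.
ALPHABET = string.ascii_lowercase + "-"
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def normalize(domain):
    """Lower-case and refang a domain written in the post's defanged form (kamalaharriss[.]info)."""
    return domain.strip().lower().replace("[.]", ".")


def split_domain(domain):
    """'joebiden.ca' -> ('joebiden', 'ca'); everything after the first dot is treated as the TLD."""
    label, _, tld = normalize(domain).partition(".")
    return label, tld


def typo_labels(label):
    """All single-edit variants of `label`, keyed by the kind of typo that produces them."""
    out = {"omission": set(), "transposition": set(), "substitution": set(),
           "insertion": set(), "homoglyph": set()}
    for i, ch in enumerate(label):
        out["omission"].add(label[:i] + label[i + 1:])                      # digitashadows
        if i + 1 < len(label) and ch != label[i + 1]:
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])  # winrde
        if ch in HOMOGLYPHS:
            out["homoglyph"].add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])  # t0msteyer
        for alt in ALPHABET:
            out["insertion"].add(label[:i] + alt + label[i:])                 # joeobiden
            if alt != ch:
                out["substitution"].add(label[:i] + alt + label[i + 1:])      # elizibethwarren
    for alt in ALPHABET:
        out["insertion"].add(label + alt)                                     # kamalaharriss
    return out


def classify(legit, candidate):
    """Return (typo_class, same_tld) if `candidate` is one edit away from `legit`, else None.
    An identical label under a different TLD is a TLD squat (donaldtrump[.]digital)."""
    l_label, l_tld = split_domain(legit)
    c_label, c_tld = split_domain(candidate)
    same_tld = l_tld == c_tld
    if c_label == l_label:
        return None if same_tld else ("tld-squat", False)
    for kind, variants in typo_labels(l_label).items():
        if c_label in variants:
            return (kind, same_tld)
    return None


def triage(legit, observed):
    """Map each observed (possibly defanged) domain that is a typosquat of `legit` to its verdict."""
    hits = {}
    for dom in observed:
        verdict = classify(legit, dom)
        if verdict:
            hits[normalize(dom)] = verdict
    return hits


if __name__ == "__main__":
    # Constructed input: an assumed legitimate campaign domain and a few registrations seen in the post.
    for dom, verdict in triage("joebiden.com", ["joeobiden[.]com", "joebiden[.]ca",
                                                "joebinden[.]info", "actbue[.]com"]).items():
        print(dom, verdict)
```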
Redirection can come in all different kinds of flavors, including the shady kind. We detected six typosquatted domains around the 2020 U.S. election redirecting to various “file converter” or “secure browsing” Google Chrome extensions:
Figure 3: Examples of typosquatted domains redirecting to “file converter” or “secure browsing” Google Chrome extensions
The permissions these extensions request seem unreasonably high for what they claim to do. Using the free Google Chrome extension analyzer CRXcavator, we took a deeper look into these five items. Three of the five extensions were given access to the chrome.cookies API, which lets the extensions do exactly what it sounds like: read your browser’s cookies. If an attacker had access to your browser’s cookies, they could conduct a session hijacking attack, using the unique session identifiers stored in those cookies to impersonate the browser and, in turn, you.
Additionally, two of them could access web traffic within the browser in real time via the chrome.webRequest API. Readers should take this chance to recognize how much access some Chrome extensions have to their browser data. Malware has frequently been found in the Chrome Web Store, so if nothing else, make sure you’re only using extensions you actually need.
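The manifest review that CRXcavator performs on the cookies and webRequest permissions can be reproduced on a downloaded extension’s manifest.json. The following is an added example, not CRXcavator’s or the post’s code; the risk table and the sample manifests are constructed for illustration, and the MV2/MV3 split (host patterns inside `permissions` in MV2, in `host_permissions` in MV3) is standard Chrome manifest layout.

```python
import json

# Why a reviewer cares about each API permission: the two the post calls out plus close relatives.
# Constructed table for this example, not an official Chrome risk ranking.
RISKY_API = {
    "cookies": "reads and rewrites site cookies, which enables session hijacking",
    "webRequest": "observes every request the browser makes in real time",
    "webRequestBlocking": "intercepts and modifies requests before they are sent",
    "history": "reads the full browsing history",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    return entry == "<all_urls>" or "://" in entry


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) for either manifest version.
    MV2 mixes host match patterns into `permissions`; MV3 moves them to `host_permissions`."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    apis = [p for p in perms if not is_host_pattern(p)]
    hosts = [p for p in perms if is_host_pattern(p)]
    if manifest.get("manifest_version", 2) >= 3:
        hosts += list(manifest.get("host_permissions", []))
    return apis, hosts


def review_manifest(manifest_json):
    """Flag the permissions a reviewer should question; returns a list of (permission, reason)."""
    manifest = json.loads(manifest_json)
    apis, hosts = split_permissions(manifest)
    findings = [(p, RISKY_API[p]) for p in apis if p in RISKY_API]
    findings += [(h, "runs against every site the user visits") for h in hosts if h in BROAD_HOSTS]
    return findings


# Constructed sample manifests (not taken from any real extension).
CONVERTER_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Convert PDF Now (constructed sample)",
    "permissions": ["cookies", "webRequest", "tabs", "<all_urls>"],
})
BENIGN_MV3_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Benign sample",
    "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
})

if __name__ == "__main__":
    for perm, reason in review_manifest(CONVERTER_MANIFEST):
        print(f"{perm}: {reason}")
```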
In researching redirects, we came across an interesting site, dailytravelposh[.]info. The site is simply hosting a login page that wasn’t all that exciting but redirected to two of our suspected typosquat domains: kamalaharriss[.]info and berniesanderst[.]info. Since there were only two instances, this discovery was more of an outlier, similar to the Chrome Extensions, but we investigated further.
In total, 66 domains were being hosted on 50.63.164.243, all registered under the privacy protection service WhoisGuard, Inc. with a Panama address (a point we’ll explore later on). As of October 3rd, the domains being hosted on that IP address (listed in full at the end of this post) weren’t hosting any content and only redirecting to the .info TLD. The following are some of the more political-sounding domains, all registered within the past 40 days (since 3 Oct 2019).
Earlier this year, dailytravelposh[.]com (note the different top-level domain (TLD)) was being hosted on an IP address that was hosting several typosquatted pages for technology-related domains. If we look to the past to tell us about the future, we can reasonably conclude that it’s possible these domains could begin hosting typosquatted content at some point in the future.
This conclusion is based on previous activity of other domains hosted on dailytravelposh[.]com’s IP address, and a similar situation being presented by dailytravelposh[.]info. Although we can’t say for certain that typosquats will start to be hosted on these domains (nothing in the threat intelligence field is for certain), voters in the 2020 US presidential election could be duped by one of these sites in the coming months.
We detected four typosquatted domains that weren’t really doing much, from what we saw. The first two (pictured below on the left) are easy to spot as “misconfigured” sites: they expose a bare directory index. Typically, you don’t want your website to show a directory index page because a) nobody will know what to do with it and b) it can unintentionally reveal the asset files (public or hidden) stored on the site.
The two domains pictured on the right are actually hosting some content. Now, these could be legitimate sites but we’re inclined to think otherwise. Berniesandersofficial[.]com is filled with placeholder text that almost certainly wasn’t set up by Bernie Sanders’ official tech team. The “Donate” and social media links on the site redirected to the actual donation pages and social media pages for the candidate, as well, so really this just looks like a project that never got finished.
The same goes for betoorourke[.]me―though it doesn’t appear to be something owned and operated by Beto O’Rourke’s campaign, it doesn’t look to be malicious in nature, either. If we had to guess, this is owned by a fan of the candidate looking to spread his message by selling some buttons―Go Democracy!
Figure 4: Four typosquatted domains (non-malicious) around the 2020 U.S. Presidential election
Now we’re going to get into something a little more along the lines of brand damage; these typosquats fall into the non-malicious category. The more egregious of the sites we saw were hosting content directly making fun of the respective candidates (see the figure below). Regardless of what your politics are, acknowledge the parallels in these websites with what a company could face: Replace Donald Trump or Bill de Blasio with any company CEO or high-ranking executive and you’ve got something affecting your brand and potentially costing you money.
Figure 5: Brand damaging typosquat examples in the 2020 U.S. Presidential election
We know that people can register websites and host content that isn’t favorable to a CEO (or presidential candidate, in this example), but there’s also a kinder side to typosquats. One typosquat (or TLD squat, if we want to be specific) was for a site pertaining to candidate Kamala Harris (kamalaharris[.]fr). The .fr TLD is typically used for French websites, but in this case, it was being used to advocate for Kamala Harris. It almost certainly isn’t official and run by Harris’s campaign, but it’s not harming the brand (as of now).
Figure 6: Typosquat detected example (non-malicious)
If you want more evidence that the Internet is sometimes an okay place, a typosquat detected with Elizabeth Warren’s name (eliabethwarren[.]com) actually tells the visitor that they made a typo in their address bar AND shares a picture of a kitty!
Figure 7: Typosquat detected example (non-malicious)
The site also alluded to future sharing of political opinions―whether they would be for or against Warren, we don’t know. The potential is there for the person that runs the website to speak out against the candidate or for her. Regardless, if every typosquat resulted in the picture of a cat, the Internet world would be a much better place.
A natural step during our research was to try to determine any patterns or links among the owners of these domains, the IP addresses they’re being hosted on, registration dates, etc. Even just a few years ago, WHOIS records were an essential tool in the online investigator’s toolbox. However, a lot can change in a couple years, with the biggest delta being the introduction of the EU’s General Data Protection Regulation (GDPR).
Before GDPR was firmly in place, and while discussions around the regulation were still swirling, websites began updating their data and privacy policies to be compliant when that day came. This included ICANN, the regulatory arm responsible for coordinating domain name and IP address allocations, essentially overseeing Internet domain registrations and WHOIS data at large. Many discussions took place before May 2018: would there be a new system to access WHOIS data? Who would be able to get access? After all, law-enforcement bodies, brand-enforcement officials, and consumer protection agencies have legitimate needs for that data in their normal daily work.
Then May 2018 came and no real resolutions were in place, as highlighted in the article “The End of the Road: ICANN, Whois, and Regulation”. The resulting process has been one of requesting specific information from the individual registrars, which has proved challenging, to say the least. According to the article, statistics from June 2018 to June 2019 indicate that brand-protection providers have had only 4% to 14% of requests actioned successfully.
Furthermore, one of the providers had lawfully submitted information requests ignored (no response or action) at a rate of almost 50%. It would seem GDPR has forced registrars to take on more responsibility that they don’t seem to be handling very efficiently or effectively.
I know what you’re thinking: “Photon team, this blog started as an election piece and now you’re talking about GDPR, ICANN, WHOIS data…where ya goin’ with this?” Well, dear reader, if you’ve been following us for any period of time now, you’ll know we like to provide you with some concrete advice on the issues we present.
Understanding the challenges that providers and vendors face can help internal teams plan for potential issues that might arise. Because, as those stats above show, even if you submit a takedown request, even if you can see phishing or some other fraud activity taking place on a typosquatted domain, registrars simply may not pay attention to your request.
The cyber security community needs to come together to combat this issue. We need to continue facilitating discussions between ICANN, domain registrars, law-enforcement and brand protection agencies, and anyone trying to fight the good fight against typosquatted domains.
What can we do right now, though?
We’ve also got several more options in our Practical Guide to Digital Risk, created specifically with the busy security practitioner in mind.
For regular Internet users or voters, it can be extremely difficult to tell the difference between a well-crafted phishing page and a legitimate one. If you think a website looks phishy, don’t be afraid to ask your spouse, friend, or coworker whether it seems legitimate before you make a donation or sign up for a newsletter; a second set of eyes can be an easy way to spot telltale signs you may have missed!
Corroborate the legitimacy of the page by looking at the candidate’s social media networks. Typically, candidates will share their official domains in their biography sections or highlighted within their feed―if you’re looking to make a donation to one of the campaigns, try looking there first for information. We don’t recommend visiting linked websites sent via unsolicited emails, as this is a common tactic of threat actors employing phishing pages.
To learn more about typosquat and phishing protection, check out our Phishing Protection resources center page here.
Whoever your candidate is, go vote in 2020 and be safe when browsing online.
This research was brought to you by the Photon Research Team and Digital Shadows approves this message.
Misconfigured or illegitimate
tulsy2020[.]com
tulsie2020[.]com
berniesnaders[.]com
betoorourke[.]me
Non-malicious
Redirects
Other suspicious domains
Dailytravelposh[.]info
Convertfilenow[.]com
Convertpdftoword[.]co
Thesilentsearch[.]com
Thesecuredweb[.]com
Convertpdfpro[.]com
Domains hosted on 50.63.164.243
CRXcavator links
https://crxcavator.io/report/opahibnipmkjincplepgjiiinbfmppmh/1.0.5
https://crxcavator.io/report/bicecdnkmdjpaiccohmpdbjjinpoldij/1.0.1
https://crxcavator.io/report/leanandmnjclkgmddjpdofhlophihaol/1.0.0.2
https://crxcavator.io/report/chbpnonhcgdbcpicacolalkgjlcjkbbd/1.0.4
https://crxcavator.io/report/lbeekfefglldjjenkaekhnogoplpmfin/1.0.0