Spotting suspicious domain names with dnstwist
After seeing DNSTwist mentioned in
a twitter thread recently I’ve been having far more fun than appropriate
using it to investigate domain name typo squatting. Typo squatting is
when you mistype a domain name or URL and someone has registered a very
similar domain in order to capture that traffic and often do
unpleasant things with it. A benign example of this is
GutHib, a common typo for GitHub that just helps
people along with a subtle indication of the error. If you’re going to
delve into this dnstwist is an awesome command line tool that accepts
a domain name and permutes it in a number of ways, replacing characters
with Unicode equivalents, transposing letters to mimic common typos,
adding dots, or just replacing letters in ways that would fool a
casual glance and then reporting which of them exist in the wilds of
the internet.
I started testing the tool against a few of my own domain names. Despite my content being rehosted in an annoying number of places (according to some Google searches) it came as no surprise that my domains are too low value to typo squat so the results were underwhelming:
$ docker run elceef/dnstwist unixdaemon.net
... snip ...
Processing 6734 permutations ·······
2 hits (0%) The only hit other than the original one is a valid site with a similar name. In a way it’s a nice problem not to have. After a running this against a few other domains I own I experimented with some of the other options, including running the given domain name, with no permutations, against a large number of top level domains (TLDs).
$ docker run elceef/dnstwist --tld dictionaries/common_tlds.dict unixdaemon.net
... snip ...
Processing 7099 permutations ···· 8 hitsHappy in the knowledge my personal sites were not impacted by typo squatting or alternative TLD fakery I decided to run the tool against an old employers ecommerce domain and the answers got a little more interesting. Without listing the domain name there were a lot more hits. Most of them seemingly brand protection overreach that eventually points back to a “Corporate Domain Name Management for Brands” company. There were however a few that looked less defensive and more fraudulent. After looking at a few in a cheap VPS I decided to see if I could make the output light up like a Christmas tree by checking against a high value target.
$ docker run elceef/dnstwist ${payment_provider}.com
... snip ...
Processing 1523 permutations ····· 221 hits (14%)
... snip ...
replacement pagpal.com ...SNIPPED...
replacement paypwl.com ...SNIPPED...
replacement pzypal.com ...SNIPPED...
replacement paspal.com ...SNIPPED...
replacement paylal.com ...SNIPPED...
replacement payoal.com ...SNIPPED...
replacement pa7pal.com ...SNIPPED...
replacement paypzl.com ...SNIPPED...
replacement paypyl.com ...SNIPPED...
replacement maypal.com ...SNIPPED...
replacement paapal.com ...SNIPPED...
replacement patpal.com ...SNIPPED...
replacement paypak.com ...SNIPPED...
replacement paupal.com ...SNIPPED...
replacement laypal.com ...SNIPPED...
replacement paypap.com ...SNIPPED...
replacement paymal.com ...SNIPPED...
replacement psypal.com ...SNIPPED...
replacement pwypal.com ...SNIPPED...
replacement paypao.com ...SNIPPED...
replacement p2ypal.com ...SNIPPED...
replacement pa6pal.com ...SNIPPED...
replacement paypsl.com ...SNIPPED...
... snip ...I’m sure some of those are amazing sites with no relation to a well
known payment provider but you can sympathise with how many people must
typo their way to them by accident. To help whittle down the false
positives dnstwist also provides the --ssdeep option. This fetches
the original page and downloads and compares each further result against
it in a fuzzy way, outputting a percentage match score based on how
similar the HTML is to the original site. The higher the score the more
worth a humans time the domain name is.
docker run elceef/dnstwist https://www.${domainname}.com/signin --ssdeep --registered --format json
... snip ...
{
"dns-a": [
"xx.xx.xx.xx"
],
"domain-name": "${domainname}",
"fuzzer": "transposition",
"ssdeep-score": 70
}
... snip ...I managed to kill more time than I’d expected looking in this area and
trying a few example domain name so it was remarkably easy to pull and
run the fully self contained docker image. If you just want to have a
cursory look, and that’s how we all start this kind of investigation,
you can use the online dnstwist phishing domain
scanner