Cisco Umbrella

Enterprise network security

Threats

Attack Prediction: Malicious gTLD Squatting May Be The Next Big Threat

By OpenDNS Security Research

Late last year, ICANN began expanding the generic Top-Level Domains (gTLDs). In addition to the standard .COM, .ORG, and .NET TLDs, over 1,300 new names could become available in the next few years. These new  gTLDs and internationalized domain names (IDNs) are awesome ideas if you think about the creativity sparked around the names one can possibly register.

Some examples include .SINGLES (2013-08-28) and .SEXY (2013-09-11). Right before last holiday season, .CHRISTMAS (11-21-2013) was made available for use. We are seeing more interesting ones coming out such as .RICH (2013-11-21) and .MEME (01-30-2014). .WTF became available on 03-07-2014.  The full effective list and registration can be found at ICANN or Mozilla Public Suffix list.

204 new gTLD names were released between Oct 23, 2013 and April 04, 2014. DomainTools provides some excellent charts on the proliferation of the gTLDs.

Daily Growth of New gTLD registrations

Security concerns and other risks around these new gTLDs have been extensively discussed as the new gTLD act rolls out. Unfortunately, the primary concern has focussed on traditional domain squatting for monetization purposes – and not on gTLD squatting for malicious purposes. According to a February 27, 2014 article published in Forbes by Daniel Fisher:

[Domain squatters] might profit by snapping up domain names that happen to belong to well-known consumer brands. With the cost of dislodging a cybersquatter starting at a few hundred dollars and quickly escalating past $10,000 – with no possibility of imposing those costs back on the loser without engaging in even more expensive litigation — brand owners might find it easier to pay them to go away.

With so many new gTLDs, perhaps it’s a good time to do a bit of data extraction and analysis here at OpenDNS. Using an hour time slice, on two different days, across all of OpenDNS’ 22 data centers we discovered some interesting usage statistics.

Security Risk #1. Name Collisions

Internal network entities are often named with a set of unofficial gTLDs that are not yet available for registration in the public domain name space, such as .CORP, .HOME, .SITE, .GLOBAL, .LOCALHOST, or .LOCAL. Attackers may register hostnames that purposefully collide with these internal names in an effort to see the traffic that is only supposed to be visible on the internal network. A good practice against such attacks is to use internal DNS resolvers and declare them as authoritative for internal TLDs.

.LOCAL, among a number of other gTLDs, are in the ICANN reserved gTLD and are immune to the collision problem.  The following is the list of reserved gTLDs:

AFRINIC  IANA-SERVERS  NRO   ALAC  ICANN  RFC-EDITOR   APNIC  IESG  RIPE  ARIN
IETF  ROOT-SERVERS  ASO  INTERNIC  RSSAC  CCNSO  INVALID  SSAC  EXAMPLE  IRTF
TEST  GAC  ISTF  TLD  GNSO  LACNIC  WHOIS  GTLD-SERVERS  LOCAL  WWW  IAB
LOCALHOST  IANA  NIC

.CORP, .HOME, .SITE aren’t yet in the public gTLD pool. However, .NETWORK is a different story. We’re seeing hundreds of thousands requests to .HOME.NETWORK,  largely due to routers’ WIFI lookup queries. None of the 3000 hostnames on .NETWORK are currently resolving, but we’ll probably see name collisions as soon as the attackers figure out how useful squatting on this particular gTLD can be.

 Some examples of the .HOME.NETWORK gTLDs that we are currently seeing include:
  • tracker.openbittorrent.com.home.network
  • localhost.home.network
  • internalcheck.apple.com.home.network
  • us.launcher.battle.net.home.network
  • api.openweathermap.org.home.network
  • us.patch.battle.net.home.network
  • tracker.istole.it.home.network
  • windows.home.network
  • newuser.home.network
  • desktop.home.network
  • isatap.home.network
  • master.home.network
  • http.home.network
  • nas.home.network

As you can see, it would be quite easy for an attacker to register a number of commonly (and actively used) hostnames that a user’s computer might try to access outside of its home network. In fact, this ‘leakage’ is happening all over the world. Based on a quick query of yet-to-be-public gTLDs on April 5, 2014 we discovered 1,808 unique hosts leaking gTLD hostnames. A geographic distribution of these hosts can be seen below.

The following chart shows the top 30 new gTLDs ranked by the number of unique hostnames queried.

Security Risk #2. Phishing, Spamming, Typosquatting

Phishing, spamming and typo squatting can take advantage of the much larger name space. In addition, some of these gTLDs like .BUSINESS, .ENTERPRISE or .WORK delivering a trustworthy business name will allow free or much cheaper name association compared to registering on .COM or .NET. For instance, facebookgame.directory is seen on the same IP (184.168.221.96) as  www.coresfacebook.net, which is a known spam site.

Some of other example names (not necessarily malicious) seen in OpenDNS traffic are:

 api.facebook.com.blue.
 api.facebook.com.business.
 api.facebook.com.life.
 b-api.facebook.com.internet.blue.
 graph.facebook.com.business.
 graph.facebook.com.casa.
 orcart.facebook.com.business.
 orcart.facebook.com.casa.
 orcart.facebook.com.life.
 puntlandpost.facebook.com.home.network.
 vh89cm7thwnvq1qc.www.facebook.com.network.
 www.facebook.com.hi.link.

Another interesting domain that we found was: api.opendns.com.work.

Security Risk #3: Are Designated Registrars for New gTLDs Easier to Compromise?

There used to be only a handful root servers managing gTLDs and, historically speaking, these servers have been fairly secure and reliable. The new registrants of these gTLDs, however, could potentially be more easily compromised than their well-established peers. The same can be said of any new online service provider rushing to get operational too quickly. The gTLD names we’re seeing are allocated across roughly 200 registrars and the following chart shows the top 10, ranked by the number of unique names served.

Security Risk #4. Too Little Information

Generic Whois databases are not yet giving whois information on these domains and Google is not yet indexing these domains. The names appear to be in a huge Internet ‘fog’ that the world cannot yet peer into – a great scenario that attackers can take advantage of.  There is nothing we can find around these names except the traffic patterns we’re seeing at OpenDNS and the IP addresses some of them resolve to. Roughly 12% of names on the new gTLD now resolving a valid IPs.

When evaluating the IP addresses we’re seeing, there are a good number associated with known malicious sites. One example of this is where fruit.directory is hosted – 72.52.4.90. We have observed this IP address hosting more than 170 malicious domains over the past week.

OpenDNS Labs will continue to monitor and report on the usage of these new DNS names. Some final notes to consider:

  • The defenders have yet to catch up with deriving methods for evaluating the security risks of these new TLDs,
  • Many reputation based system are rendered useless with so little known about them. For example, we have established reputation indicators around existing TLDs such as .RU, .KZ. Those TLDs have a statistically larger ratio of bad domains vs. benign ones.
  • Algorithmic detection methods need to pick up an entirely new spectrum of heuristics and indicators to correctly classify them.
  • Samples from these new name spaces must be collected and analyzed before they can be used to derive machine learning models to classify the names in the new TLD space.

That’s all for now. Look for future research on the proliferation of these in-the-wild gTLDs including how OpenDNS classifies the domains and has observed their use.

Photo Credit: Skley via Compfight cc