Blocking Future Attacks
In this post I'd like to show you how you can harness the power of the website dnstwister.report to proactively block websites that might become malicious in the future. This would be another good exercise for college students learning about IT Security.
A recently shared article covered a malicious actor who used lookalike domains to perform a Man-In-The-Middle attack against two organizations by spoofing each of their domains and sending/replying to emails respectively. According to the article there was a million dollar loss.
The article highlighted the necessity of knowing your partner company domains. I would think that most companies are not going to spend much time on this; they're probably paying for "web filtering" software or a service that does it for them. But how accurate are they, and how do you find lookalike domains for your partners?
I needed an example, and while watching TV recently a Xarelto commercial came on. I thought to myself, now there's a domain that's going to be misspelled. It's the perfect example for this post.
So what's the real Xarelto.com website? I Googled it and found this site that looked promising.
Interestingly enough, when clicked, it redirected me to www.xarelto-us.com.
Has anyone purchased www.xarelto-usa.com?
Nope, ...$12.99, but I digress.
So what is DNSTwister.Report? It's a site that takes a domain, works out how many similar domains there are to it, then tells you whether any of those similar domains resolve. As you can see below, xarelto.com has 258 similar domains and 13 of them resolve.
The first one that piqued my interest was xarlto.com - very similar in that it's just missing an "e". Off to find out what's there...
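To show what "similar domains" means in practice, here is an added example that is not dnstwister's code: a small lookalike generator in the same spirit, which builds omission, repetition, transposition, homoglyph, adjacent-key and hyphenated-suffix variants of a domain and then reports which ones currently resolve. The homoglyph and keyboard-neighbour tables are constructed subsets, not a complete list, and the resolver is injectable so the check can be run offline against a fixed set of "known" names (make_static_resolver) or against real DNS (the default, socket.gethostbyname). The resolving list is what you would review against your web filter's categories or feed into a block list.

```python
"""Generate lookalike variants of a domain and report which ones resolve in DNS."""
import socket

# Constructed subset of homoglyph substitutions seen in lookalike domains (not exhaustive).
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"],
    "s": ["5"], "t": ["7"], "m": ["rn"], "w": ["vv"],
}

# Constructed subset of US-QWERTY keyboard neighbours for fat-finger typos.
ADJACENT = {
    "a": "qwsz", "e": "wrsd", "l": "kop", "o": "ipkl", "r": "etdf",
    "t": "ryfg", "x": "zsdc",
}

# Suffixes that brands commonly append to their own domains (the post's own
# example is xarelto-us.com), so squatters register the neighbours.
SUFFIXES = ("-us", "-usa")


def split_domain(domain):
    """Split 'xarelto.com' into ('xarelto', 'com'); everything after the first dot is the TLD."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def permutations(domain):
    """Return a sorted list of candidate lookalike domains for `domain` (the original excluded)."""
    label, tld = split_domain(domain)
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])               # omission:      xarlto
        out.add(label[:i] + label[i] + label[i:])        # repetition:    xarellto
        for repl in HOMOGLYPHS.get(label[i], []):
            out.add(label[:i] + repl + label[i + 1:])    # homoglyph:     xare1to
        for repl in ADJACENT.get(label[i], ""):
            out.add(label[:i] + repl + label[i + 1:])    # adjacent key:  xsrelto
        if i + 1 < n:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: xraelto
    for suffix in SUFFIXES:
        out.add(label + suffix)                          # suffix:        xarelto-usa
    out.discard(label)
    # Drop empty labels and labels that would start or end with a hyphen (invalid in DNS).
    return sorted(f"{c}.{tld}" for c in out if c and "-" not in (c[0], c[-1]))


def make_static_resolver(known):
    """Build an offline resolver that 'resolves' only the names in `known` (for tests/dry runs)."""
    def resolver(name):
        if name in known:
            return "192.0.2.1"          # RFC 5737 documentation address, constructed
        raise OSError(f"{name}: not found")
    return resolver


def resolves(domain, resolver=socket.gethostbyname):
    """True if `resolver` returns an address for `domain`; socket.gaierror is an OSError subclass."""
    try:
        resolver(domain)
        return True
    except OSError:
        return False


def find_resolving_lookalikes(domain, resolver=socket.gethostbyname):
    """Return the lookalike candidates of `domain` that currently resolve."""
    return [d for d in permutations(domain) if resolves(d, resolver)]


if __name__ == "__main__":
    # Real DNS lookups when run as a script; review these against your filter's categories.
    for name in find_resolving_lookalikes("xarelto.com"):
        print(name)
```

Running it as a script performs live lookups for each candidate, so expect it to take a few seconds per domain; for a vendor review you would loop over your partner domain list and diff today's resolving set against yesterday's to spot newly activated lookalikes.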
Ok, so it's a "Parked Domain", and as the "ribbon" states, you can "click here" to "buy now".
So what? Well for starters, organizations that block domains categorized as "Newly Registered" won't be blocking this domain, because it's been registered for a while.
Then there's the problem of it being mis-categorized. Below you can see that Palo Alto's filters categorize this site as "Society"; you may not be blocking that category.
Webroot BrightCloud categorized the site as "Legal".
And Norton "Safe Web" categorized it as "Untested", although that one might be blocked.
There were others like Cisco and McAfee that got it right.
So what's the takeaway? Reviewing your top vendor/partner domains and making sure your filtering software has them categorized correctly might save you down the road. I'd rather have to unblock a site that was incorrectly or previously categorized as "Parked Domain" than have to deal with cleaning up a mess from a site that was incorrectly categorized as "Legal" and turned out to be "Malicious".
I'm always interested in your thoughts, please leave comments.