How do you monitor your DNS servers for hijacking and detect typosquatting?


by webmestre

The Domain Name System (DNS) is one of the foundations of the internet: it is a directory that maps names to IP addresses. Most people outside of networking probably don’t realize they use it every day to do their jobs, check their email or access their web banking system.

However, this system can be the target of attacks: typosquatting leading to spear phishing, hijacking leading to man-in-the-middle attacks, and misconfigurations leading to denial of service. Even the hijacking of entire DNS servers, as seen recently in campaigns such as DNSpionage, is an indirect way of attacking your assets.

Excellium offers a comprehensive service for monitoring the Deep Web for your domains or any given keyword. This service is called EyeDeep and is operated by the CSIRT of Excellium Services.

This service:

• Monitors the DNS domains owned by the client;
• Watches for the creation of typosquatted DNS domains;
• Validates the security and configuration of the external DNS.

Why EyeTLD?

EyeTLD is a service created to address two issues. The first is the management and monitoring of owned DNS domains. In many organizations, several domains are created or deleted, some are created only for marketing purposes, and a few others are heavily used and therefore vital for the organization.

After years, our experience shows that misconfigurations appear in many organizations: some domains are not maintained or not renewed, and mistakes occur.

EyeTLD gives you a continuous overview and tangible reporting of the configuration of your own external domains. The second goal is the defense against phishing, for both your clients and your users. It is important to understand that the news regularly shows examples of attacks using the mail vector.

For an attacker, there are three steps to a phishing attack on an organization: find victims, send emails with a malicious payload or link, and find some trick to convince the victim to execute the payload. Using a lookalike domain is certainly one of the most common tricks used to fool a user and reassure them into clicking a link or entering credentials or banking information. The ruses used to fool users are many. However, by continuously scrubbing for potentially new lookalike domains, EyeTLD may help you find these domains while the attack is still being prepared.


Excellium will perform the following activities:

Continuous scan of legitimate DNS domains:
– Detection of parameter changes:
– Start of Authority (SOA) modification;
– Name server modifications (host or IP).

Active scan for registration of lookalike domains:
– Triage of parking domains;
– Early notification of new clone domains;
– Monthly report of legitimate domains configuration;
– Monthly report of duplicate domains.

Server takedown of offending domains:
– Only after manual verification and approval by the customer.

Activity Details

Scan of legitimate domains

Based on the list of domains provided by the client, the Excellium EyeTLD engine scans DNS records to detect any modification. With this monitoring, Excellium notifies the client so that any illegitimate change to a domain they manage can be detected. This can detect, for example, the takeover of an un-renewed domain.
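The record-change detection described here and in the activity list above boils down to comparing a stored baseline of each domain's SOA and NS data with a fresh lookup. The following Python is an added illustration of that comparison, not Excellium's EyeTLD engine; the two snapshots are constructed inline (using documentation IP ranges and a hypothetical `example.com` zone) so it runs offline, and in a real deployment the `Snapshot` values would be filled from resolver queries:

```python
"""Detect changes to a monitored domain's authoritative DNS configuration.

Added example, not Excellium's EyeTLD code. A baseline snapshot of each
domain's SOA and NS records is stored; each run takes a fresh snapshot and
reports every security-relevant difference as an alert. The snapshots
below are constructed inline so the example runs offline; in production
they would be filled from an actual resolver query (e.g. with dnspython).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class SOA:
    mname: str   # primary master name server
    rname: str   # responsible person's mailbox
    serial: int  # zone serial; bumps on every legitimate edit


@dataclass
class Snapshot:
    soa: Optional[SOA]
    ns: FrozenSet[str]                      # NS hostnames
    ns_ips: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # NS host -> A records


def diff_snapshots(domain: str, baseline: Snapshot, current: Snapshot) -> List[str]:
    """Return human-readable alerts for every security-relevant change."""
    alerts: List[str] = []
    if current.soa is None:
        alerts.append(f"{domain}: SOA missing (zone removed or domain lapsed?)")
    elif baseline.soa is not None:
        # A serial bump alone is routine; a new MNAME or RNAME is not.
        if current.soa.mname != baseline.soa.mname:
            alerts.append(f"{domain}: SOA MNAME changed {baseline.soa.mname} -> {current.soa.mname}")
        if current.soa.rname != baseline.soa.rname:
            alerts.append(f"{domain}: SOA RNAME changed {baseline.soa.rname} -> {current.soa.rname}")
    for host in sorted(current.ns - baseline.ns):
        alerts.append(f"{domain}: NS added {host}")
    for host in sorted(baseline.ns - current.ns):
        alerts.append(f"{domain}: NS removed {host}")
    # Name servers kept in both snapshots: compare the addresses they resolve to.
    for host in sorted(baseline.ns & current.ns):
        old_ips = baseline.ns_ips.get(host, frozenset())
        new_ips = current.ns_ips.get(host, frozenset())
        if old_ips != new_ips:
            alerts.append(f"{domain}: NS {host} addresses changed {sorted(old_ips)} -> {sorted(new_ips)}")
    return alerts


# Constructed baseline (what the client's zone looked like when onboarded).
BASELINE = Snapshot(
    soa=SOA("ns1.example.com.", "hostmaster.example.com.", 2024010101),
    ns=frozenset({"ns1.example.com.", "ns2.example.com."}),
    ns_ips={"ns1.example.com.": frozenset({"192.0.2.1"}),
            "ns2.example.com.": frozenset({"192.0.2.2"})},
)

# Constructed "current" snapshot: one name server was swapped for a host
# outside the organisation, the pattern an un-renewed-domain takeover or a
# registrar-account compromise would produce.
CURRENT = Snapshot(
    soa=SOA("ns1.parking-example.net.", "hostmaster.example.com.", 2024010102),
    ns=frozenset({"ns1.parking-example.net.", "ns2.example.com."}),
    ns_ips={"ns1.parking-example.net.": frozenset({"198.51.100.7"}),
            "ns2.example.com.": frozenset({"192.0.2.2"})},
)


def run_check() -> List[str]:
    """Compare the constructed snapshots and return the resulting alerts."""
    return diff_snapshots("example.com", BASELINE, CURRENT)


if __name__ == "__main__":
    for line in run_check():
        print("ALERT", line)
```

Only MNAME and RNAME of the SOA are compared, because the serial legitimately changes on every zone edit and would otherwise drown the monitoring in noise; a missing SOA is reported separately since it is the signature of a zone that has disappeared or lapsed.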

Active scan for lookalike domains

Based on the list of domains provided by the client, Excellium uses a wide range of efficient fuzzing algorithms to generate a list of more than 1,000 lookalike domains for each domain. The following table presents some examples of generated domains from “excellium-services.com”.

In the last line, the technique used replaces a Latin character with a lookalike Cyrillic one. Here the letter “e” is the Cyrillic letter “Ye”. As shown, it can be difficult to distinguish a normal character from a homographic equivalent. Such DNS domains could easily be used by an attacker to create a phishing page. The ASCII encoding used to represent these Unicode domain names is called “punycode”. It has been allowed in domain names by RFC 5891 since March 2003.
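To make the fuzzing and homoglyph discussion concrete, here is an added Python example (not Excellium's engine, and not the table the text refers to) covering three of the candidate-generation techniques described (character omission, adjacent transposition, Latin-to-Cyrillic homoglyph substitution), the punycode form such a candidate takes on the wire via Python's built-in `idna` codec, and the defensive counterpart: mapping an observed registration back to a Latin "skeleton" so it can be matched against a protected brand. The homoglyph table is a small constructed subset, and `example` names such as `watchlist` are this example's own:

```python
"""Lookalike-domain candidates, punycode form, and homoglyph matching.

Added example, not Excellium's EyeTLD engine. The HOMOGLYPHS table is a
deliberately small constructed subset of Latin -> Cyrillic confusables;
a production engine uses far larger tables and combines techniques.
"""
from typing import Iterator, List, Set

# Latin letter -> visually confusable Cyrillic letter (constructed subset).
HOMOGLYPHS = {
    "a": "\u0430",  # CYRILLIC SMALL LETTER A
    "c": "\u0441",  # CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # CYRILLIC SMALL LETTER IE ("Ye" in the text above)
    "o": "\u043e",  # CYRILLIC SMALL LETTER O
    "p": "\u0440",  # CYRILLIC SMALL LETTER ER
    "s": "\u0455",  # CYRILLIC SMALL LETTER DZE
    "x": "\u0445",  # CYRILLIC SMALL LETTER HA
}
# Reverse table: confusable -> Latin, used to build the skeleton.
TO_LATIN = {cyr: lat for lat, cyr in HOMOGLYPHS.items()}


def split_domain(domain: str):
    """Split 'label.tld' at the first dot (single-label brands assumed)."""
    label, _, tld = domain.partition(".")
    return label, tld


def omissions(label: str) -> Iterator[str]:
    """Drop one character at a time: 'excellium' -> 'xcellium', ..."""
    for i in range(len(label)):
        yield label[:i] + label[i + 1:]


def transpositions(label: str) -> Iterator[str]:
    """Swap each pair of adjacent, distinct characters."""
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            yield label[:i] + label[i + 1] + label[i] + label[i + 2:]


def homoglyphs(label: str) -> Iterator[str]:
    """Replace one Latin letter per position with its Cyrillic lookalike."""
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            yield label[:i] + HOMOGLYPHS[ch] + label[i + 1:]


def candidates(domain: str) -> List[str]:
    """Deduplicated lookalike candidates (Unicode form) for one domain."""
    label, tld = split_domain(domain)
    out: Set[str] = set()
    for gen in (omissions, transpositions, homoglyphs):
        for variant in gen(label):
            if variant and variant != label:
                out.add(f"{variant}.{tld}")
    return sorted(out)


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form, as the name appears in zone files and registries."""
    return domain.encode("idna").decode("ascii")


def watchlist(domain: str) -> List[str]:
    """Punycode-encoded candidates, ready to compare against new registrations."""
    return [to_punycode(c) for c in candidates(domain)]


def skeleton(domain: str) -> str:
    """Decode any xn-- labels, then map confusable characters back to Latin."""
    if domain.isascii() and "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    return "".join(TO_LATIN.get(ch, ch) for ch in domain.lower())


def is_homoglyph_lookalike(observed: str, brand: str) -> bool:
    """True if `observed` differs from `brand` only by confusable characters."""
    return observed != brand and skeleton(observed) == brand.lower()


if __name__ == "__main__":
    for name in watchlist("excellium-services.com")[:10]:
        print(name)
```

`skeleton` is the piece a monitoring pipeline applies to every newly observed registration: a name whose skeleton equals a protected brand but whose raw form does not is exactly the "e that is really a Cyrillic Ye" case the text describes, whichever of its Unicode or `xn--` spellings shows up in the feed.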

Excellium will continuously scan these domains to detect and prevent phishing campaigns and brandjacking by typosquatters. Newly registered domains or modifications will be detected and the client will be notified by email.


Excellium will provide monthly reporting. This reporting includes:

• A report of the existing domains’ configuration and status;
• A report of active lookalike domains.

Excellium will provide alerts through email on newly created domains. These domains will be manually reviewed in order to confirm that they are potentially harmful; this step avoids false positives. These emails are sent 24/7.