Take care when typing a domain name into a browser address bar, because it’s far too easy to fat-finger a key and wind up somewhere you don’t want to go. For example, if you try to visit some of the most popular destinations on the Web but omit the “o” in .com (and type .cm instead), there’s a good chance your browser will be bombarded with malware alerts and other misleading messages — potentially even causing your computer to lock up completely. As it happens, many of these domains appear tied to a marketing company whose CEO is a convicted felon and once self-proclaimed “Spam King.”
Matthew Chambers is a security professional and researcher in Atlanta. Earlier this month Chambers penned a post on his personal blog detailing what he found after several users he looks after accidentally mistyped different domains — such as espn[dot]cm.
Chambers said the user who visited that domain told him that after typing in espn.com he quickly had his computer screen filled with alerts about malware and countless other pop-ups. Security logs for that user’s system revealed the user had actually typed espn[dot]cm, but when Chambers reviewed the source code at that Web page he found an innocuous placeholder content page instead.
“One thing we notice is that any links generated off these domains tend to only work one time, if you try to revisit it’s a 404,” Chambers wrote, referring to the standard 404 message displayed in the browser when a Web page is not found. “The file is deleted to prevent researchers from trying to grab it, or automatic scanners from downloading it. Also, some of the exploit code on these sites will randomly vaporize, and they will have no code on them, but were just being weaponized in campaigns. It could be the user agent, or some other factor, but they definitely go dormant for periods of time.”
Espn[dot]cm is one of more than a thousand so-called “typosquatting” domains hosted on the same Internet address (85.25.199.30), including aetna[dot]cm, aol[dot]cm, box[dot]cm, chase[dot]cm, citicards[dot]cm, costco[dot]cm, facebook[dot]cm, geico[dot]cm, hulu[dot]cm, itunes[dot]cm, pnc[dot]cm, slate[dot]cm, suntrust[dot]cm, turbotax[dot]cm, and walmart[dot]cm. I’ve compiled a partial list of the most popular typosquatting domains that are part of this network here (PDF).
KrebsOnSecurity sought to dig a bit deeper into Chambers’ findings, researching some of the domain registration records tied to the list of dot-cm typosquatting domains. Helpfully, all of the domains currently redirect visitors to just one of two landing pages — either antistrophebail[dot]com or chillcardiac[dot]com.
For the moment, if one visits either of these domains directly via a desktop Web browser (I’d advise against this) chances are the site will display a message saying, “Sorry, we currently have no promotions available right now.” Browsing some of them with a mobile device sometimes leads to a page urging the visitor to complete a “short survey” in exchange for “a chance to get an gift [sic] cards, coupons and other amazing deals!”
Those antistrophebail and chillcardiac domains — as well as 1,500+ others — were registered to the email address: ryanteraksxe1@yahoo.com. A Web search on that address doesn’t tell us much, but entering it at Yahoo‘s “forgot password” page lists a partially obfuscated address to which Yahoo can send an account key that may be used to reset the password for the account. That address is k*****ng@mediabreakaway[dot]com.
The full email address is kmanning@mediabreakaway[dot]com. According to the “leadership” page at mediabreakaway[dot]com, the email address ryanteraksxe1@yahoo.com almost certainly belongs to one Kacy Manning, who is listed as the “Manager of Special Projects” at Colorado based marketing firm Media Breakaway LLC.
Media Breakaway is headed by Scott Richter, a convicted felon who’s been successfully sued for spamming by some of the biggest media companies over the years.
In 2003, New York’s attorney general sued Richter and his former company OptInRealBig[dot]com after an investigation by Microsoft found his company was the source of hundreds of millions of spam emails daily touting dubious products and services. OptInRealBig later declared bankruptcy in the face of a $500 million judgment against the company. At the time, anti-spam group Spamhaus listed Richter as the world’s third most prolific spammer worldwide. For more on how Richter views his business, check out this hilarious interview that Richter gave to the The Daily Show in 2004.
In 2006, Richter paid $7 million to Microsoft in a settlement arising out of a lawsuit alleging illegal spamming.
In 2007, Richter and Media Breakaway were sued by social networking site MySpace; a year later, an arbitration firm awarded MySpace $6 million in damages and attorneys fees.
In 2013, the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit firm which oversees the domain name registration industry, terminated the registrar agreement for Dynamic Dolphin, a domain name registrar of which Richter was the CEO.
According to the contracts that ICANN requires all registrars to sign, registrars may not have anyone as an officer of the company who has been convicted of a criminal offense involving financial activities. While Richter’s spam offenses all involve civil matters, KrebsOnSecurity discovered several years ago that Richter had actually pleaded guilty in 2003 to a felony grand larceny charge.
Richter, then 32, was busted for conspiring to deal in stolen goods, including a Bobcat, a generator, laptop computers, cigarettes and tools. He later pleaded guilty to one felony count of grand larceny, and was ordered to pay nearly $38,000 in restitution to cover costs linked to the case.
Neither Richter nor Media Breakaway responded to requests for comment on this story.
Chambers said it appears Media Breakaway is selling advertising space to unscrupulous actors who are pushing potentially unwanted programs (PUPs) or adware over the network.
“You end up coming out of the funnel into an advertiser’s payload site, and Media Breakaway is the publisher that routes those ‘parked/typosquatting’ sites as a gateway,” Chambers said. “Research on the IP under VirusTotal Communicating Files shows files like this one (42/66 engines) reporting to the IP address that hosts all these sites, and it goes back to at least March 2015. That file SETUPINST.EXE has detection primarily as LiveSoftAction, GetNow, ElDorado, and Multitoolbar. I think it’s just pushing out [content] for sketchy advertisers.”
It’s remarkable that so many huge corporate brand names aren’t doing more to police their trademarks and to prevent would-be visitors from falling victim to such blatant typosquatting traps.
Under the Uniform Domain-Name Dispute-Resolution Policy (UDRP), trademark holders can lodge typosquatting complaints with the World Intellectual Property Organization (WIPO). The complainant can wrest control over a disputed domain name, but first needs to show that the registered domain name is identical or “confusingly similar” to their trademark, that the registrant has no legitimate interest in the domain name, and that the domain name is being used in bad faith.
Everyone makes typ0s from time to time, which is why it’s a good idea to avoid directly navigating to Web sites you frequent. Instead, bookmark the sites you visit most, particularly those that store your personal and financial information, or that require a login for access.
Oh, and if your security or antivirus software allows you to block all Web sites in a given top-level domain, it might not be a bad idea to block anything coming out of dot-cm (the country code top-level domain for Cameroon): A report published in December 2009 by McAfee found that .cm was the riskiest domain in the world, with 36.7% of the sites posing a security risk to PCs.
Brian,
How did you decipher kmanning@yahoo.com from the obfuscated data?
Did you already know that Media Breakaway was involved, and so just had to follow up with an investigation of their employees?
It wasn’t really that hard to deduce:
http://www.mediabreakaway.com/leadership.php
I think Svaid might have missed this part:
“A Web search on that address doesn’t tell us much, but entering it at Yahoo‘s “forgot password” page lists a partially obfuscated address to which Yahoo can send an account key that may be used to reset the password for the account. That address is k*****ng@mediabreakaway[dot]com.”
That tells us that the person who registered the ryanteraksxe1 address used an email address at mediabreakaway.com as their recovery email for that account. Kacy Manning is listed as an employee on Mediabreakaway’s site, with the address kmanning@yahoo.com
Brian, I had the same question – the paragraph you quoted somehow doesn’t render in the main article text. I have a screen cap if you’re interested in digging in.
I’ve even highlighted the area in the story in this image
https://krebsonsecurity.com/wp-content/uploads/2018/03/missingsentence.png
85.25.199.30/logs/
It’s amazing how many problems a semmingly innocent typographical error can cause. Apparently spamming pays well if this person was sued for that much money and just keeps on rolling. Amazing and baffling!
With uMatrix, you can block ccTLDs – see the first entry here:
https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uMatrix
ABP-compatible syntax is included for other blockers
One area of concern is that the Quad9, the free & secure DNS service (9.9.9.9), is still letting those pass through.
@Brian: can you make them aware of this? They might listen to you!
I’ve found Quad9 DNS to be overrated. When I last checked it didn’t even block the one-letter-over-on-the-keyboard method of typosquatting – youtuve[dot]com.
I’m just starting trying to test the dns phishing and malware blocking services, and my [very preliminary and unscientific; do not rely on] results are disappointing for all. Out of 7 tests of bad sites (still refining the testing code), Opendns blocked 3, Norton and Quad9 blocked 2, Comodo 1, and Greenteam 0.
mikrotik makes blocking TLDs pretty straightforward. using DNS, just direct the banned list to a trap of your choice like 127.0.0.1, and then use regexp to glom the banned TLDs into one neat package:
\.(cm|bg|ne|om|xyz|pw|cf|ml|ga|gdn|xin|win|click|faith|webcam|)$
another poster said s/he implemented it via L7 filtering. not sure how that person’s router handles that, but traffic may be slowed to a crawl if that’s implementing it via packet-filtering. DNS is cleaner and faster.
I think Chambers’ infostruction.com expired this weekend.
Never forget
http://www.cc.com/video-clips/tbb136/the-daily-show-with-jon-stewart-email-trouble
10 years ago all .cm domains used to redirect to ppc ads:
http://money.cnn.com/magazines/business2/business2_archive/2007/06/01/100050989/
Apart from .cm (Cameroon), perhaps it would be wise to be careful with .co (Colombia) and .om (Oman) as well. At least .co is open for anyone to register, while the other two formally requires local presence.
Brian, the UDRP isn’t applicable to .cm. The enforcement process is much more onerous.