.COM.COM Used For Malicious Typo Squatting

Published: 2015-08-10. Last Updated: 2015-08-10 18:47:01 UTC
by Johannes Ullrich (Version: 1)

Today, our reader Jeff noted that domains ending in ".com.com" are being redirected to what looks like malicious content. Back in 2013, a blog post by Whitehat Security pointed out that the famous "com.com" domain name had been sold by CNET to the known typo squatter dsparking.com [1]. Apparently, dsparking.com paid $1.5 million for this particular domain. Currently, the whois information is hidden behind a privacy-protection service, and DNS for the domain is hosted in Amazon's cloud.

All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon. (amazon.com.com is directed to the same IP, but right now it returns more of a "parked" page rather than the fake anti-malware content served for the other domains.)

The content you receive varies. For example, on my first hit from my Mac to facebook.com.com, I received the following page:

And of course the fake scan it runs claims that I have a virus :)

As a "solution", I was offered the well-known scam app "MacKeeper".

It is probably best to block DNS lookups for any .com.com hostname. The IP address is likely going to change soon, but I don't think there is any valid content at any ".com.com" hostname.

The Whitehat article does speak to the danger of e-mail going to these systems. An MX record is configured, but the mail server didn't accept any connections from me (maybe it is overloaded?).

Amazon's EC2 abuse team has been notified.
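To act on the recommendation above (block or at least spot lookups of .com.com names), here is an added example, not part of the original diary, that scans resolver query logs for such names. It assumes a BIND-style "query:" log format (the sample lines are constructed) and matches on DNS labels rather than a substring, so legitimate names like dotcom.com are not flagged; the IP check uses the address quoted in the diary and is only a secondary indicator since that address may change.

```python
import ipaddress
import re

# IP that all .com.com hostnames resolved to when the diary was written.
# Secondary indicator only: the diary notes this address will likely change.
SINKHOLE_IP = ipaddress.ip_address("54.201.82.69")

# Constructed sample lines in a BIND-style "query:" log format (hypothetical;
# adjust QUERY_RE for your own resolver's log format).
SAMPLE_LOG = """\
10-Aug-2015 14:02:11.101 client 192.0.2.10#51234: query: facebook.com.com IN A +
10-Aug-2015 14:02:13.512 client 192.0.2.11#51235: query: www.example.com IN A +
10-Aug-2015 14:02:15.003 client 192.0.2.12#51236: query: AMAZON.COM.COM. IN MX +
10-Aug-2015 14:02:17.777 client 192.0.2.13#51237: query: dotcom.com IN A +
10-Aug-2015 14:02:19.004 client 192.0.2.14#51238: query: mail.cnet.com.com IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\S+)"
)


def is_doubled_com(name: str) -> bool:
    """True if the name's last two labels are both 'com' (i.e. *.com.com).

    Works on labels, not substrings, so names such as dotcom.com or ecom.com
    are not flagged; case and a trailing dot are ignored.
    """
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-2:] == ["com", "com"]


def flag_queries(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, name, rtype) for every query of a *.com.com name."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_doubled_com(m.group("name")):
            hits.append((m.group("client"), m.group("name"), m.group("rtype")))
    return hits


def resolves_to_sinkhole(answers: list[str]) -> bool:
    """True if any A record in an answer set is the IP noted in the diary."""
    return any(ipaddress.ip_address(a) == SINKHOLE_IP for a in answers)


if __name__ == "__main__":
    for client, name, rtype in flag_queries(SAMPLE_LOG):
        print(f"{client} looked up {name} ({rtype})")
```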

[1] https://blog.whitehatsec.com/why-com-com-should-scare-you/

---
Johannes B. Ullrich, Ph.D.

Comments

One way to mitigate this problem on a per-user basis might be to disable the "helpful" feature most browsers have built-in of automatically adding .com to any domain name entered by the user which doesn't resolve as typed. I don't know if any of the Big Four are clever enough to recognize an existing .com TLD (this is one of the first misfeatures I turn off in a new browser install), but if they aren't, they would become part of the problem here.

I understand why the browser makers do this, but it's about as good an idea as Site Finder was. (Remember Site Finder, back in 2003? It's how Network Solutions got themselves on my permanent shit-list.)

A second way, though useful only for someone running their own DNS server or caching resolver, would be to declare that it's authoritative for com.com, and respond to any such internally-originating queries either with localhost or some convenient dead-end system -- or even a monitored honeypot, if you have one handy.

Does anyone know how to disable this feature in Internet Explorer 10 and 11?

I too would be interested in an answer to anon's question, as well as how to control this behavior in Chrome, Safari, Opera, and (if possible, which I doubt) the mobile browsers.

I should note that this setting is deliberately hidden in Firefox, so you need to use about:config to change it. Look for the string "fixup", and change the boolean setting that enables this behavior to "false".

IIRC, Internet Explorer and Chrome (at least) no longer use the autocomplete method to try and expand the server name of a URL.

For IE, the option has been obsolete since IE7 ( https://msdn.microsoft.com/en-us/library/ms536345(v=vs.85).aspx ).
