Air Serbia domain typosquatting - Bezbedan Balkan (https://bezbedanbalkan.net), forum: Phishing / Scam / Spam campaigns (https://bezbedanbalkan.net/forum-16.html), thread: /thread-846.html
Air Serbia domain typosquatting - milos_rs - 09-29-2023

While following issued certificates for my "sneaker scam" (patika scam) project, I ran into a couple of domains such as aairserbia.com and alrserbia.com and saw that they display ads or redirect to some third-party advertising sites. I then did what the attacker probably did: I used a typosquatting generator and made a list of potential domains for airserbia.com, after which I wrote a little script to go through the whole list and output the whois/DNS information of the ones that are registered:

Code:
arserbia.com | Creation Date: Mar 14, 2023 20:30:51 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148

There are also some older ones that have expired and lead to "buy this domain" pages:

Code:
irserbia.com | Creation Date: Aug 29, 2022 07:13:24 | Registrar: Cloud Yuqu LLC | Host DNS A record: 103.120.80.157

It is obvious that the "attacker" is one and the same for all the domains at GoDaddy: the registration dates are very similar for all of them, and so is the IP address they point to. The provider where the web hosting is, privatelayer[.]com, is also interesting: they accept various cryptocurrencies, have no official address or company name on their site, and the IP addresses are registered to an entity in Panama, a well-known offshore destination. By googling further I found that this provider advertises itself as offshore and bulletproof hosting, which in the end did not surprise me, since that was my suspicion from the start. The prices are of course steep, because if you want to hide from the authorities, you have to pay for it. There are various domains that these typosquatted ones redirect to, but I did not go into a deep analysis. uBlock Origin blocks all the domains they redirect to with a warning that they are Badware risks - "For sites documented to put users at risk of installing adware/crapware/malware, having login credentials stolen, etc. The purpose is to at least ensure a user is warned of the risks ahead."
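An added example, not the poster's script, of the two steps described in the post above: build the candidate list the way a typosquatting generator does (omission, transposition, substitution, insertion, addition, double TLD), then keep only the candidates that resolve. Function names are my own; the DNS step needs network access and is only run from main.

```python
# Added example (not the poster's script): generate typo variants of a brand
# domain and check which of them currently resolve to an A record.
import socket
import string
from typing import Dict, Optional, Set

def typo_candidates(domain: str) -> Set[str]:
    """Return common one-edit typo variants of `domain`, plus the double-TLD form."""
    label, _, tld = domain.partition(".")
    letters = string.ascii_lowercase
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:] + "." + tld)                   # omission: arserbia.com
        if i + 1 < len(label):                                            # transposition: iarserbia.com
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
        for c in letters:
            out.add(label[:i] + c + label[i + 1:] + "." + tld)            # substitution: alrserbia.com
            out.add(label[:i] + c + label[i:] + "." + tld)                # insertion: aairserbia.com
    for c in letters:
        out.add(label + c + "." + tld)                                    # addition: airserbias.com
    out.add(domain + "." + tld)                                           # double TLD: airserbia.com.com
    out.discard(domain)                                                   # substitution by the same letter
    return out

def resolves(domain: str) -> Optional[str]:
    """A record for `domain`, or None if it does not resolve (needs network access)."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None

def registered_candidates(domain: str) -> Dict[str, str]:
    """Map each resolving typo variant to its A record; whois lookup would go here."""
    found = {}
    for cand in sorted(typo_candidates(domain)):
        ip = resolves(cand)
        if ip:
            found[cand] = ip
    return found

if __name__ == "__main__":
    for cand, ip in registered_candidates("airserbia.com").items():
        print(f"{cand} | Host DNS A record: {ip}")
```

A parked domain may resolve with a wildcard or a parking IP, so a hit is a lead to check with whois, not proof of a typosquat.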
RE: Air Serbia domain typosquatting - 13k 53c - 09-30-2023

Hi Miloš, I had a similar idea and built a web application that, for similar typosquatting domains, checks their similarity to the original domain and, if the domain is registered, checks the similarity of the HTML content of that typosquatting domain with the HTML content of the original domain. The web application is private on GitHub, but if there are people interested in improving it, I can make it public. By the way, I use Python + Django. Regards.

RE: Air Serbia domain typosquatting - 1van - 09-30-2023

I suggest you publish the script; it will surely be useful.

RE: Air Serbia domain typosquatting - milos_rs - 10-11-2023

Check this out: in my search I ran into airserbia.com.com (yes, com twice) and I cannot believe it. com.com was registered in 1995, probably changed many owners along the way, and at some point was sold, probably for big money, to some malicious marketers or whoever. Literally many well-known domains you can imagine exist in a com.com variant, and in the cases I looked at (such as airserbia) it redirects to some marketing pages or whatever. Look how many there are: https://crt.sh/?q=com.com

By the certificate history this domain has had its current use since around 09-2022, but even before that it served some suspicious purposes. Who should this be reported to, and how can a domain like this even exist and function this way for who knows how long?

I looked a bit closer: DNS leads to MYTRAFFICMANAGEMENT.COM, which leads to https://giantpanda.com/, which offers domain monetization services:

Quote:
We are a middleware service between the domain owner and parking companies such as Parking Crew and Smartname. You point your domains to our NS's, we optimize the keyword settings on them, and forward the traffic on to our parking company partners.

They have a bunch of servers rented from Linode and it seems all of them serve all the sites parked with them:

Code:
com.com has address 45.33.18.44

A great overview of cybersquatting in general: Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers

and this would fall under "Domain Parking":

Quote:
A common and easy way to monetize user traffic is to use a parking service by pointing the squatting domain's IP address or NS record to the parking service's servers to generate profit based on how many users land on the site and click the advertisements. In some cases, parking services also redirect users to scam and phishing pages.

OK, I don't know whether there is anything illegal about domain monetization, probably not. But here they are using someone else's trademark for it with this com.com domain, and I don't believe that is allowed.

RE: Air Serbia domain typosquatting - Aleksandar.Ristić - 10-12-2023

Thanks for this insight! Based on this, it is completely legitimate to block the domain *.com.com, because it looks to me like the whole business model of these guys is precisely typosquatting and similar schemes.

RE: Air Serbia domain typosquatting - milos_rs - 03-09-2024

Making a new sneaker scam update I ran into these...
Code:
airserbiac.com | Creation Date: May 16, 2023 19:27:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbias.com | Creation Date: May 03, 2023 22:54:12 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
auirserbia.com | Creation Date: Apr 06, 2023 20:53:01 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
amrserbia.com | Creation Date: Apr 06, 2023 20:48:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airserbiap.com | Creation Date: Apr 06, 2023 20:45:07 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.198
airyserbia.com | Creation Date: Apr 06, 2023 20:49:38 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
aitserbia.com | Creation Date: Apr 06, 2023 20:47:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
airserbiav.com | Creation Date: Apr 06, 2023 20:56:00 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
akrserbia.com | Creation Date: Apr 06, 2023 20:47:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiaz.com | Creation Date: Apr 04, 2023 20:20:09 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
aairserbia.com | Creation Date: Mar 21, 2023 20:24:04 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiah.com | Creation Date: Mar 21, 2023 20:24:34 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airserbiaq.com | Creation Date: Mar 14, 2023 20:32:16 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
akirserbia.com | Creation Date: Mar 14, 2023 20:30:49 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
aiorserbia.com | Creation Date: Mar 14, 2023 20:31:27 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airserbiao.com | Creation Date: May 08, 2023 19:28:07 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
airserbiai.com | Creation Date: Apr 04, 2023 20:15:46 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
ahrserbia.com | Creation Date: Apr 06, 2023 20:50:08 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiam.com | Creation Date: Apr 06, 2023 20:51:57 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
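An added example, not the poster's script, that parses rows in the format posted in this thread and groups them by registrar and network prefix, which is the reasoning used above (same registrar, close registration dates, same IP range) to infer a single operator. The row format and the sample rows are taken from the thread; the grouping, the prefix parameter and the day-span computation are my own.

```python
# Added example (not the poster's script): parse "domain | Creation Date | Registrar |
# A record" rows and cluster them by registrar and /prefixlen network.
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Sample rows copied from the whois/DNS output posted in this thread.
ROWS = """
arserbia.com | Creation Date: Mar 14, 2023 20:30:51 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
airserbiac.com | Creation Date: May 16, 2023 19:27:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiap.com | Creation Date: Apr 06, 2023 20:45:07 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.198
irserbia.com | Creation Date: Aug 29, 2022 07:13:24 | Registrar: Cloud Yuqu LLC | Host DNS A record: 103.120.80.157
"""

ROW_RE = re.compile(
    r"^(?P<domain>\S+) \| Creation Date: (?P<created>.+?) \| "
    r"Registrar: (?P<registrar>.+?) \| Host DNS A record: (?P<ip>\S+)$"
)

def parse_rows(text, prefixlen=24):
    """Parse one record per line; the A record is reduced to its /prefixlen network."""
    records = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # skip rows with no A record or an unexpected layout
            continue
        records.append({
            "domain": m["domain"],
            "created": datetime.strptime(m["created"], "%b %d, %Y %H:%M:%S"),
            "registrar": m["registrar"],
            "net": str(ipaddress.ip_network(f"{m['ip']}/{prefixlen}", strict=False)),
        })
    return records

def cluster(records):
    """Group by (registrar, network) and report the registration window in days."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["registrar"], r["net"])].append(r)
    summary = {}
    for key, rs in groups.items():
        dates = [r["created"] for r in rs]
        summary[key] = {
            "domains": sorted(r["domain"] for r in rs),
            "span_days": (max(dates) - min(dates)).days,
        }
    return summary

if __name__ == "__main__":
    for (registrar, net), info in cluster(parse_rows(ROWS)).items():
        print(f"{registrar} / {net}: {len(info['domains'])} domains over {info['span_days']} days")
```

Widening the prefix (e.g. prefixlen=16) merges the 81.17.29.x and 81.17.18.x rows into one group, matching the "same hosting provider" reading in the first post.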