Air Serbia domain typosquatting
#1
I ran into this while tracking issued certificates for my "patika scam" (sneaker scam) project: a couple of domains such as aairserbia.com and alrserbia.com were showing ads or redirecting to some third-party advertising sites. So I did what the attacker probably did: I used a typosquatting generator to build a list of potential domains for airserbia.com, then wrote a small script that goes through the whole list and prints the whois/DNS information for the ones that are registered:

Code:
arserbia.com | Creation Date: Mar 14, 2023 20:30:51 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
aiserbia.com | Creation Date: Oct 09, 2017 09:50:09 | Registrar: GoDaddy.com, LLC | Host DNS A record: 212.129.3.5
airsrbia.com | Creation Date: Mar 01, 2021 19:38:04 | Registrar: GoDaddy.com, LLC | Host DNS A record: 77.247.179.86
airsebia.com | Creation Date: Jul 19, 2021 22:01:31 | Registrar: NameCheap, Inc. | Host DNS A record: 103.224.182.244
airserbi.com | Creation Date: May 23, 2023 19:36:17 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
ajrserbia.com | Creation Date: May 03, 2023 22:55:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.195
akrserbia.com | Creation Date: Apr 06, 2023 20:47:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
alrserbia.com | Creation Date: Apr 06, 2023 20:51:58 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
aorserbia.com | Creation Date: Mar 14, 2023 20:32:14 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
aitserbia.com | Creation Date: Apr 06, 2023 20:47:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 192.187.111.222
airderbia.com | Creation Date: Mar 14, 2023 20:32:10 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
airsergia.com | Creation Date: May 08, 2023 19:27:43 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
airservia.com | Creation Date: Apr 06, 2023 20:44:19 | Registrar: GoDaddy.com, LLC | Host DNS A record: 212.32.237.101
airserbka.com | Creation Date: Mar 14, 2023 20:29:32 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
airserbis.com | Creation Date: Mar 14, 2023 20:28:55 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
airserbiw.com | Creation Date: Apr 06, 2023 20:43:41 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
ariserbia.com | Creation Date: Jun 12, 2023 20:06:53 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airesrbia.com | Creation Date: May 08, 2023 19:27:31 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.197
airsebria.com | Creation Date: Apr 06, 2023 20:48:34 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
aairserbia.com | Creation Date: Mar 21, 2023 20:24:04 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.195
aiirserbia.com | Creation Date: Apr 14, 2023 21:01:43 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
airrserbia.com | Creation Date: May 29, 2023 13:35:17 | Registrar: COSMOTOWN, INC. | Host DNS A record: 198.58.118.167
airserrbia.com | Creation Date: Apr 06, 2023 20:44:03 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
airserbbia.com | Creation Date: Apr 06, 2023 20:53:26 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
airserbiia.com | Creation Date: Apr 06, 2023 20:53:25 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
airserbiaa.com | Creation Date: Apr 14, 2023 21:03:07 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
auirserbia.com | Creation Date: Apr 06, 2023 20:53:01 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
aiurserbia.com | Creation Date: Apr 14, 2023 21:01:32 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
akirserbia.com | Creation Date: Mar 14, 2023 20:30:49 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.197
aoirserbia.com | Creation Date: Apr 06, 2023 20:46:29 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
aiorserbia.com | Creation Date: Mar 14, 2023 20:31:27 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
airserdbia.com | Creation Date: Mar 21, 2023 20:23:23 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airsergbia.com | Creation Date: Apr 06, 2023 20:48:57 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airservbia.com | Creation Date: Apr 04, 2023 20:17:39 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbvia.com | Creation Date: Apr 06, 2023 20:50:31 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
airserbija.com | Creation Date: Dec 12, 2016 02:49:57 | Registrar: eNom, LLC | Host DNS A record: 173.239.5.6
airserbkia.com | Creation Date: May 08, 2023 19:27:18 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.197
airserbika.com | Creation Date: Apr 14, 2023 21:01:36 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.198
airserboia.com | Creation Date: Apr 12, 2023 19:37:30 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
airserbiaz.com | Creation Date: Apr 04, 2023 20:20:09 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiax.com | Creation Date: May 03, 2023 22:51:22 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.194
airserbias.com | Creation Date: May 03, 2023 22:54:12 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.197
airserbiaq.com | Creation Date: Mar 14, 2023 20:32:16 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149

There are also some older ones that have expired and lead to "buy this domain" pages:

Code:
irserbia.com | Creation Date: Aug 29, 2022 07:13:24 | Registrar: Cloud Yuqu LLC | Host DNS A record: 103.120.80.157
airserboa.com | Creation Date: Sep 12, 2022 21:27:07 | Registrar: ABOVE.COM PTY LTD. | Host DNS A record: 103.224.182.242
airseriba.com | Creation Date: Aug 29, 2022 09:51:47 | Registrar: Chengdu west dimension digital technology Co., LTD | Host DNS A record: 103.120.80.155


It's obvious that the "attacker" is one and the same for all the domains registered at GoDaddy: the registration dates are very close for all of them, and so are the IP addresses they point to.

The web hosting provider is interesting too, privatelayer[.]com: they accept various cryptocurrencies, have no official address or company name on the site, and the IP addresses are registered to an entity in Panama, a well-known off-shore destination. Googling further, I found that this provider advertises itself as offshore and bulletproof hosting, which in the end didn't surprise me since that was my suspicion from the start. The prices are steep, of course, because if you want to hide from the authorities you have to pay for it.

There are various domains these typosquatted ones redirect to, but I didn't go into a deep analysis. uBlock Origin blocks all the domains they redirect to, with a warning that they are Badware risks - "For sites documented to put users at risk of installing adware/crapware/malware, having login credentials stolen, etc. The purpose is to at least ensure a user is warned of the risks ahead."
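The two steps described in the post above (generate the candidate list, then look at the registered hits together) as an added example in Python; this is not the poster's script. It generates the usual typosquat permutation classes for a label, tags each registered hit with the class it falls in, and clusters the whois/DNS lines by registrar, registration date and hosting block with a small union-find. The sample lines are copied from the list above; treating a /20 as "one hosting block" and linking registrations within 24 hours are assumptions made for the illustration, not facts about the real allocations. In practice the hosting-block test would use the netblock from RIR whois or the BGP prefix instead of a fixed prefix length.

```python
"""Typosquat candidate generation plus clustering of the registered hits.
Added example, not the poster's script. SAMPLE is copied from the post; the /20
"hosting block" and the 24h window are assumptions made for the illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def typo_candidates(label):
    """Map each candidate label to the permutation class that produced it. Classes
    are added in order, so a string reachable two ways keeps the first, more
    specific one (e.g. 'aairserbia' is 'repetition', not 'insertion')."""
    cands = {}

    def add(cand, cls):
        if cand and cand != label:
            cands.setdefault(cand, cls)

    n = len(label)
    for i in range(n):
        add(label[:i] + label[i + 1:], "omission")                    # arserbia
        add(label[:i] + label[i] * 2 + label[i + 1:], "repetition")  # aairserbia
        if i < n - 1:                                                # ariserbia
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(n):
        for ch in LETTERS:
            add(label[:i] + ch + label[i + 1:], "replacement")       # akrserbia
            add(label[:i] + ch + label[i:], "insertion")             # akirserbia
    for ch in LETTERS:
        add(label + ch, "addition")                                  # airserbiaq
    return cands


def classify(domains, label="airserbia", tld="com"):
    """Tag each registered domain with its typo class ('other' if not generated)."""
    cands = typo_candidates(label)
    return {d: cands.get(d.removesuffix("." + tld), "other") for d in domains}


LINE_RE = re.compile(r"^(?P<domain>\S+) \| Creation Date: (?P<created>[^|]+?) \| "
                     r"Registrar: (?P<registrar>[^|]+?) \| Host DNS A record: (?P<ip>\S+)$")


def parse_record(line):
    """Parse one 'domain | Creation Date | Registrar | A record' output line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["created"] = datetime.strptime(rec["created"], "%b %d, %Y %H:%M:%S")
    return rec


def cluster(records, prefix_len=20, window=timedelta(hours=24)):
    """Union-find: link two hits with the same registrar that either sit in the same
    IP block or were registered within `window` of each other. Links are transitive.
    Returns clusters as lists of domains, largest first."""
    parent = list(range(len(records)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def block(rec):  # assumption: a /20 stands in for "same hosting block"
        return ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)

    for i, a in enumerate(records):
        for j in range(i + 1, len(records)):
            b = records[j]
            if a["registrar"] != b["registrar"]:
                continue
            if block(a) == block(b) or abs(a["created"] - b["created"]) <= window:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["domain"])
    return sorted(groups.values(), key=len, reverse=True)


# Constructed input: seven lines copied verbatim from the list in the post above.
SAMPLE = """\
arserbia.com | Creation Date: Mar 14, 2023 20:30:51 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.148
aiserbia.com | Creation Date: Oct 09, 2017 09:50:09 | Registrar: GoDaddy.com, LLC | Host DNS A record: 212.129.3.5
ajrserbia.com | Creation Date: May 03, 2023 22:55:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.195
akrserbia.com | Creation Date: Apr 06, 2023 20:47:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
aairserbia.com | Creation Date: Mar 21, 2023 20:24:04 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.195
airrserbia.com | Creation Date: May 29, 2023 13:35:17 | Registrar: COSMOTOWN, INC. | Host DNS A record: 198.58.118.167
airserbija.com | Creation Date: Dec 12, 2016 02:49:57 | Registrar: eNom, LLC | Host DNS A record: 173.239.5.6
"""


def analyse(text=SAMPLE):
    """Parse the lines, tag each hit's typo class and cluster the hits."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    return classify(r["domain"] for r in records), cluster(records)
```

On the seven sample lines the four GoDaddy hits in 81.17.16.0/20 end up in one cluster, while the 2017 GoDaddy registration on an unrelated address and the COSMOTOWN and eNom domains stay as singletons, which is the same reading the post gives of the full list. The candidate generator deliberately substitutes and inserts every letter rather than only adjacent keys, because the registered hits above include single-letter swaps (amrserbia, ahrserbia) that no keyboard-adjacency model produces.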
#2
Hi Miloš,

I had a similar idea and built a web application that, for similar typosquatting domains, checks their similarity to the original domain and, if the domain is registered, checks the similarity of the typosquatting domain's HTML content to the HTML content of the original domain.

The web application is private on GitHub, but if there are people interested in improving it, I can make it public. I'm using Python + Django.

Regards.
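The HTML-content comparison the post above describes, as an added stdlib-only Python example that is not the Django application the poster mentions. It reduces each page to a tag sequence, its visible text and its form actions, scores structure and text similarity with difflib, and then separates three outcomes a practitioner cares about: a parking/ad page (low similarity), a straight mirror (high similarity, forms still post to the original host) and a clone whose forms post elsewhere, which is the phishing signal. The three HTML documents are constructed for the example and use example.com in place of the real site; the thresholds are assumptions.

```python
"""Content-similarity check between an original page and a lookalike domain's page.
Added example (stdlib only), not the Django application described in the post.
The three HTML documents are constructed; real pages would be fetched from the
lookalike and compared the same way. Thresholds are assumptions."""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit


class Skeleton(HTMLParser):
    """Collect the tag sequence, the visible text and every form action."""

    def __init__(self):
        super().__init__()
        self.tags, self.text, self.forms = [], [], []
        self._skip = 0  # >0 while inside <script>/<style>, whose content is not visible text

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "form":
            self.forms.append(dict(attrs).get("action") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()).lower())


def skeleton(html):
    p = Skeleton()
    p.feed(html)
    p.close()
    return p


def similarity(original, lookalike):
    """Structure and text similarity in [0, 1], plus the form actions on the lookalike."""
    a, b = skeleton(original), skeleton(lookalike)
    return {
        "structure": SequenceMatcher(None, a.tags, b.tags).ratio(),
        "text": SequenceMatcher(None, " ".join(a.text), " ".join(b.text)).ratio(),
        "forms": b.forms,
    }


def foreign_forms(forms, original_host):
    """Form actions that do not post to the original host. A relative action counts
    as foreign too: served from a lookalike, it posts to the lookalike itself."""
    def same_site(action):
        host = urlsplit(action).netloc.split("@")[-1].split(":")[0].lower()
        return host == original_host or host.endswith("." + original_host)
    return [f for f in forms if not same_site(f)]


def verdict(original, lookalike, original_host, structure_min=0.8, text_min=0.6):
    """'unrelated' (parking/ads/redirect target), 'mirror' (copy that still posts to
    the original host) or 'clone' (copy whose forms post elsewhere: phishing signal)."""
    s = similarity(original, lookalike)
    if s["structure"] < structure_min or s["text"] < text_min:
        return "unrelated"
    return "clone" if foreign_forms(s["forms"], original_host) else "mirror"


# Constructed sample pages (example.com stands in for the brand's real site).
ORIGINAL = """<html><head><title>Example Air - Sign in</title><style>body{margin:0}</style></head>
<body><header><nav><a href="/">Home</a><a href="/flights">Flights</a></nav></header>
<main><h1>Sign in to your account</h1>
<form action="https://www.example.com/login" method="post">
<input name="email"><input name="password" type="password"><button>Sign in</button>
</form></main><footer>Example Air</footer></body></html>"""

# Same markup and text, but credentials go to a third-party host (constructed).
CLONE = ORIGINAL.replace("https://www.example.com/login", "https://collect.example.net/login")

# A typical parking page: different skeleton, keyword script, ad links (constructed).
PARKED = """<html><head><title>example.com</title><script>var kw=["flights"];</script></head>
<body><div class="ads"><a href="#">Cheap flights</a><a href="#">Hotels</a></div></body></html>"""
```

Comparing the tag sequence rather than raw bytes makes the score robust to changed asset URLs, inline scripts and tracking snippets, which is what cloners usually modify; the visible-text score catches the opposite case where the markup is rebuilt but the wording is copied. If the original site's own forms use relative actions, resolve them against the original host before calling `foreign_forms`, otherwise a faithful mirror would be reported as a clone.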
#3
I suggest you publish the script, it will surely be useful.
“If you think you are too small to make a difference, try sleeping with a mosquito.” - Dalai Lama XIV
#4
check this out, in a search I ran into airserbia.com.com (yes, com twice)

and I can't believe it, com.com was registered in 1995, it probably changed many owners along the way, and at some point was sold for what was probably big money to some malicious marketers or whoever

Literally many well-known domains you can think of exist in a com.com variant, and in the cases I looked at (e.g. for airserbia) it redirects to some marketing pages or whatever.

See how many there are: https://crt.sh/?q=com.com

Judging by the certificate history, this domain has been used the way it is now since around 09-2022, but before that too it served some suspicious purposes

who should this be reported to, and how can a domain like this even exist and operate this way for who knows how long

I looked a bit closer, DNS leads to MYTRAFFICMANAGEMENT.COM, which leads to https://giantpanda.com/, which offers domain monetization services:

Quote:We are a middleware service between the domain owner and parking companies such as Parking Crew and Smartname. You point your domains to our NS's, we optimize the keyword settings on them, and forward the traffic on to our parking company partners.

They have a bunch of servers rented at Linode and it seems all of them serve all the sites parked with them:

Code:
com.com has address 45.33.18.44
com.com has address 45.56.79.23
com.com has address 45.33.23.183
com.com has address 173.255.194.134
com.com has address 72.14.178.174
com.com has address 45.79.19.196
com.com has address 45.33.2.79
com.com has address 72.14.185.43
com.com has address 198.58.118.167
com.com has address 45.33.20.235
com.com has address 96.126.123.244
com.com has address 45.33.30.197

A great overview of cybersquatting in general: Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers, and this would fall under "Domain Parking":

Quote:A common and easy way to monetize user traffic is to use a parking service by pointing the squatting domain’s IP address or NS record to the parking service’s servers to generate profit based on how many users land on the site and click the advertisements. In some cases, parking services also redirect users to scam and phishing pages.

OK, I don't know whether there's anything illegal about domain monetization, probably not. But here they are using someone else's trademark for it with this com.com domain, and I don't believe that is allowed
#5
Thanks for this insight! Based on this, it's completely legit to block the domain *.com.com, because it looks to me like these guys' whole business model is typosquatting and similar schemes.
--
Leka (web)
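An added Python example covering the two posts above (the com.com parking infrastructure and the suggestion to block *.com.com); it is not tooling from the thread. It inverts a set of A records into an address-to-domain index so you can pivot on shared hosting, flags the parking signals the post describes (delegation to the traffic-management provider, round-robin over many addresses, sharing an address with a parking-hosted domain) and shows the label-boundary check a *.com.com blocklist entry needs so that it does not also catch telecom.com. The com.com and airrserbia.com addresses are copied from the posts; the airserbia.com address is a TEST-NET placeholder, the NS entries are constructed, and com.com's NS is written as the bare domain named in the post because the real NS hostnames are not on the page.

```python
"""Pivoting on shared DNS infrastructure to spot parked lookalike domains.
Added example, not tooling from the thread. A records for com.com and
airrserbia.com are copied from the posts; airserbia.com's address is an RFC 5737
placeholder and all NS values are constructed (the post names only the domain)."""
import ipaddress
from collections import defaultdict

PARKING_NS = {"mytrafficmanagement.com"}  # traffic-management/parking provider named in the thread

A_RECORDS = {
    "com.com": [
        "45.33.18.44", "45.56.79.23", "45.33.23.183", "173.255.194.134",
        "72.14.178.174", "45.79.19.196", "45.33.2.79", "72.14.185.43",
        "198.58.118.167", "45.33.20.235", "96.126.123.244", "45.33.30.197",
    ],
    "airrserbia.com": ["198.58.118.167"],  # from the first post's whois/DNS list
    "airserbia.com": ["203.0.113.10"],     # placeholder (TEST-NET-3), not the real address
}
NS_RECORDS = {
    "com.com": ["mytrafficmanagement.com"],  # bare domain as named in the post (assumption)
    "airrserbia.com": ["ns.example.net"],     # constructed
    "airserbia.com": ["ns.example.org"],      # constructed
}


def ip_index(a_records):
    """Invert domain -> [ip] into ip -> {domains}, normalising the address text."""
    idx = defaultdict(set)
    for domain, ips in a_records.items():
        for ip in ips:
            idx[str(ipaddress.ip_address(ip))].add(domain)
    return idx


def shared_hosts(domain, a_records):
    """Other domains sharing at least one A record with `domain`, keyed by address."""
    idx = ip_index(a_records)
    return {ip: idx[ip] - {domain} for ip in a_records[domain] if idx[ip] - {domain}}


def uses_parking_ns(domain, ns_records, parking_ns=PARKING_NS):
    """True when any NS of `domain` is a known parking provider or a host under one."""
    return any(ns == p or ns.endswith("." + p)
               for ns in ns_records.get(domain, []) for p in parking_ns)


def parking_signals(domain, a_records, ns_records, parking_ns=PARKING_NS, farm_min=8):
    """Heuristics suggesting `domain` is monetised through a parking farm."""
    signals = []
    for p in parking_ns:
        if any(ns == p or ns.endswith("." + p) for ns in ns_records.get(domain, [])):
            signals.append(f"NS delegated to parking provider {p}")
    n_addr = len(a_records.get(domain, []))
    if n_addr >= farm_min:  # farm_min is an arbitrary threshold for this example
        signals.append(f"round-robin over {n_addr} addresses (farm-style hosting)")
    for ip, others in shared_hosts(domain, a_records).items():
        parked = sorted(o for o in others if uses_parking_ns(o, ns_records, parking_ns))
        if parked:
            signals.append(f"shares {ip} with parking-hosted {', '.join(parked)}")
    return signals


def under_apex(host, apex):
    """True when `host` is `apex` or a subdomain of it. Matching on the label
    boundary is what keeps 'telecom.com' from being treated as under 'com.com'."""
    host, apex = host.lower().rstrip("."), apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def blocked(host, blocklist):
    """Blocklist match for entries meant as '*.apex' (the *.com.com suggestion above)."""
    return any(under_apex(host, apex) for apex in blocklist)
```

Pivoting on the index rather than on a single lookup is what makes the cross-link visible: airrserbia.com from the first post's list resolves to 198.58.118.167, which is also one of the com.com addresses above, so it picks up a "shares ... with parking-hosted com.com" signal even though its own NS is not a parking provider. A naive `endswith("com.com")` blocklist would match telecom.com as well; `under_apex` checks the dot boundary, which is also what a DNS RPZ wildcard or a uBlock `||com.com^` rule does.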
#6
While putting together a new patika scam update I ran into these...

Code:
airserbiac.com | Creation Date: May 16, 2023 19:27:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbias.com | Creation Date: May 03, 2023 22:54:12 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
auirserbia.com | Creation Date: Apr 06, 2023 20:53:01 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
amrserbia.com | Creation Date: Apr 06, 2023 20:48:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airserbiap.com | Creation Date: Apr 06, 2023 20:45:07 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.198
airyserbia.com | Creation Date: Apr 06, 2023 20:49:38 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
aitserbia.com | Creation Date: Apr 06, 2023 20:47:45 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
airserbiav.com | Creation Date: Apr 06, 2023 20:56:00 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
akrserbia.com | Creation Date: Apr 06, 2023 20:47:56 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiaz.com | Creation Date: Apr 04, 2023 20:20:09 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
aairserbia.com | Creation Date: Mar 21, 2023 20:24:04 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiah.com | Creation Date: Mar 21, 2023 20:24:34 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airserbiaq.com | Creation Date: Mar 14, 2023 20:32:16 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.18.196
akirserbia.com | Creation Date: Mar 14, 2023 20:30:49 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.146
aiorserbia.com | Creation Date: Mar 14, 2023 20:31:27 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
airserbiao.com | Creation Date: May 08, 2023 19:28:07 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.149
airserbiai.com | Creation Date: Apr 04, 2023 20:15:46 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.147
ahrserbia.com | Creation Date: Apr 06, 2023 20:50:08 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150
airserbiam.com | Creation Date: Apr 06, 2023 20:51:57 | Registrar: GoDaddy.com, LLC | Host DNS A record: 81.17.29.150

