At S4xJapan, we presented a small internal research project on DNS squatting. The topic has been refreshed in my mind because of a recent Cylance report on Japanese critical infrastructure being breached by watering hole attacks (see their SPEAR team report on the topic here).
I really got interested in DNS squatting after this talk by Artem Dinaburg at DEF CON 19. It is a really good presentation, and shows how a person can unintentionally end up at the wrong website because of bit-flip errors (a single corrupted bit in a hostname held in memory or in transit) with no human mistake required.
Of course, most squatting occurs because of typos. Yours truly is notorious for mistyping domains while slamming them into the browser address bar.
There is a nice tool, called dnstwist, which provides a quick and automatic way of generating the lookalike variants of a domain and checking which of them are registered: bitsquats (single bit flips), typos such as transposed or omitted characters, as well as more deliberately malicious squats like homoglyphs (characters that look alike, such as "rn" for "m"), which are commonly used in phishing attacks.
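To make the three squat categories concrete, here is a small generator written for this post. It is an added example, not dnstwist's own code, and it only produces candidates; dnstwist additionally resolves them to see which are registered and serving content. The domain `example.com` and the small homoglyph table are constructed for the example (dnstwist's table is much larger and includes Unicode look-alikes); the bitsquat logic keeps only flips that yield a valid lowercase DNS label character, since a flip to uppercase resolves to the same name.

```python
import string

# Characters allowed in a DNS label (letters, digits, hyphen). Uppercase is
# omitted on purpose: a bit flip from 'a' to 'A' still resolves to the same name.
VALID = set(string.ascii_lowercase + string.digits + "-")

# Constructed, deliberately small homoglyph table (ASCII look-alikes only).
HOMOGLYPHS = {
    "o": ["0"], "0": ["o"],
    "l": ["1", "i"], "i": ["1", "l"], "1": ["l", "i"],
    "m": ["rn"], "rn": ["m"],
    "w": ["vv"], "vv": ["w"],
    "d": ["cl"], "cl": ["d"],
}


def split_domain(domain):
    """Split 'label.tld' into its first label and the rest; only the label is permuted."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def bitsquats(domain):
    """Every domain one bit flip away from the original (Dinaburg-style bitsquats)."""
    label, tld = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped == ch or flipped not in VALID:
                continue
            cand = label[:i] + flipped + label[i + 1:]
            # A label may contain hyphens but may not start or end with one.
            if cand.startswith("-") or cand.endswith("-"):
                continue
            out.add(f"{cand}.{tld}")
    return sorted(out)


def transpositions(domain):
    """Adjacent-character swaps, the classic fat-finger typo."""
    label, tld = split_domain(domain)
    out = set()
    for i in range(len(label) - 1):
        cand = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        if cand != label:
            out.add(f"{cand}.{tld}")
    return sorted(out)


def homoglyphs(domain):
    """One look-alike substitution per candidate, at every position the source string occurs."""
    label, tld = split_domain(domain)
    out = set()
    for src, replacements in HOMOGLYPHS.items():
        start = 0
        while True:
            idx = label.find(src, start)
            if idx == -1:
                break
            for rep in replacements:
                out.add(f"{label[:idx]}{rep}{label[idx + len(src):]}.{tld}")
            start = idx + 1
    return sorted(out)


def all_squats(domain):
    """Union of all categories, minus the original, ready to feed to a resolver."""
    cands = set(bitsquats(domain)) | set(transpositions(domain)) | set(homoglyphs(domain))
    cands.discard(domain.lower())
    return sorted(cands)


if __name__ == "__main__":
    target = "example.com"  # constructed target
    for name, fn in (("bitsquat", bitsquats), ("transposition", transpositions), ("homoglyph", homoglyphs)):
        cands = fn(target)
        print(f"{name:14s} {len(cands):3d}  e.g. {', '.join(cands[:4])}")
    print(f"total unique candidates: {len(all_squats(target))}")
```

Note how many bitsquats a seven-letter label yields (33 for `example`), and that some of them, such as `exa-ple.com` or `examp0e.com`-style digit flips, are not names anyone would type; that is exactly why they are a distinct category from typosquats. In practice the next step is to resolve each candidate and compare what it serves against the legitimate site, which is what dnstwist automates.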
For the S4 talk, we looked at the domains of 11 major ICS vendors. Across them we found over 400 registered squat domains, and more than 20 of those were hosting malicious content.