Spotting suspicious domain names with dnstwist

After seeing dnstwist mentioned in a Twitter thread recently I’ve been having far more fun than is appropriate using it to investigate domain name typo squatting. Typo squatting is when you mistype a domain name or URL and someone has registered a very similar domain in order to capture that traffic, often to do unpleasant things with it. A benign example of this is GutHib, a common typo for GitHub, which just helps people along with a subtle indication of the error. If you’re going to delve into this, dnstwist is an awesome command line tool that accepts a domain name and permutes it in a number of ways: replacing characters with Unicode equivalents, transposing letters to mimic common typos, adding dots, or just replacing letters in ways that would fool a casual glance. It then reports which of those permutations exist in the wilds of the internet.
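To make the permutation step concrete, here is a small Python script I’ve added to this post (it is not dnstwist’s own code, and its key-neighbour and homoglyph tables are constructed stand-ins for the much larger ones the tool ships with). It applies four of the fuzzers described above to a bare registrable name such as example.com and groups the candidates by fuzzer; resolving them against DNS is left to dnstwist.

```python
"""Simplified re-implementation of a few dnstwist permutation strategies.

Added example, not dnstwist's own code. Shows how transposition, omission,
keyboard-neighbour replacement and homoglyph substitution turn one label into
a list of candidate domains. Assumes a bare name like example.com: the first
label is permuted and everything after the first dot is kept as the suffix.
"""
from typing import Dict, Iterator, List, Tuple

# Constructed, far smaller than dnstwist's tables: neighbouring QWERTY keys.
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "a": "qwsz", "e": "wrsd", "l": "kop", "m": "nj", "p": "ol", "x": "zsc",
}
# Constructed homoglyph table: characters that pass for another at a glance.
HOMOGLYPHS: Dict[str, str] = {"l": "1i", "o": "0", "a": "4"}


def permutations(domain: str) -> Iterator[Tuple[str, str]]:
    """Yield (fuzzer, candidate) pairs, skipping the original and duplicates."""
    label, _, suffix = domain.partition(".")
    seen = {domain}

    def emit(fuzzer: str, new_label: str) -> Iterator[Tuple[str, str]]:
        candidate = f"{new_label}.{suffix}"
        if candidate not in seen:
            seen.add(candidate)
            yield fuzzer, candidate

    for i in range(len(label) - 1):  # swap two adjacent letters: example -> exmaple
        yield from emit("transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):  # drop one letter: example -> exmple
        yield from emit("omission", label[:i] + label[i + 1:])
    for i, ch in enumerate(label):  # hit the key next door: example -> exanple
        for key in QWERTY_NEIGHBOURS.get(ch, ""):
            yield from emit("replacement", label[:i] + key + label[i + 1:])
    for i, ch in enumerate(label):  # swap in a lookalike character: example -> examp1e
        for glyph in HOMOGLYPHS.get(ch, ""):
            yield from emit("homoglyph", label[:i] + glyph + label[i + 1:])


def candidates_by_fuzzer(domain: str) -> Dict[str, List[str]]:
    """Group candidate names by the fuzzer that produced them."""
    grouped: Dict[str, List[str]] = {}
    for fuzzer, candidate in permutations(domain):
        grouped.setdefault(fuzzer, []).append(candidate)
    return grouped


if __name__ == "__main__":
    for fuzzer, names in candidates_by_fuzzer("example.com").items():
        print(f"{fuzzer:<14}{len(names):>4}  e.g. {', '.join(names[:3])}")
```

Even with these tiny tables a seven letter label yields dozens of candidates, which is why the real tool reports thousands of permutations per domain.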

I started by testing the tool against a few of my own domain names. Despite my content being rehosted in an annoying number of places (according to some Google searches), it came as no surprise that my domains are too low value to be worth typo squatting, so the results were underwhelming:

$ docker run elceef/dnstwist unixdaemon.net

... snip ...

Processing 6734 permutations ·······
2 hits (0%) 

The only hit other than the original is a valid site with a similar name. In a way it’s a nice problem not to have. After running this against a few other domains I own, I experimented with some of the other options, including checking the given domain name, with no permutations, against a large number of top level domains (TLDs).

$ docker run elceef/dnstwist --tld dictionaries/common_tlds.dict unixdaemon.net
... snip ...
Processing 7099 permutations ···· 8 hits

Happy in the knowledge that my personal sites were not affected by typo squatting or alternative TLD fakery, I decided to run the tool against an old employer’s e-commerce domain, and the answers got a little more interesting. Without listing the domain name, there were a lot more hits. Most of them seemed to be brand protection overreach, eventually pointing back to a “Corporate Domain Name Management for Brands” company. There were, however, a few that looked less defensive and more fraudulent. After looking at a few of them from a cheap VPS, I decided to see if I could make the output light up like a Christmas tree by checking against a high value target.

$ docker run elceef/dnstwist ${payment_provider}.com
... snip ...
Processing 1523 permutations ····· 221 hits (14%)

... snip ...
replacement    pagpal.com    ...SNIPPED...
replacement    paypwl.com    ...SNIPPED...
replacement    pzypal.com    ...SNIPPED...
replacement    paspal.com    ...SNIPPED...
replacement    paylal.com    ...SNIPPED...
replacement    payoal.com    ...SNIPPED...
replacement    pa7pal.com    ...SNIPPED...
replacement    paypzl.com    ...SNIPPED...
replacement    paypyl.com    ...SNIPPED...
replacement    maypal.com    ...SNIPPED...
replacement    paapal.com    ...SNIPPED...
replacement    patpal.com    ...SNIPPED...
replacement    paypak.com    ...SNIPPED...
replacement    paupal.com    ...SNIPPED...
replacement    laypal.com    ...SNIPPED...
replacement    paypap.com    ...SNIPPED...
replacement    paymal.com    ...SNIPPED...
replacement    psypal.com    ...SNIPPED...
replacement    pwypal.com    ...SNIPPED...
replacement    paypao.com    ...SNIPPED...
replacement    p2ypal.com    ...SNIPPED...
replacement    pa6pal.com    ...SNIPPED...
replacement    paypsl.com    ...SNIPPED...
... snip ...

I’m sure some of those are amazing sites with no relation to a well known payment provider, but you can sympathise with how many people must typo their way to them by accident. To help whittle down the false positives dnstwist also provides the --ssdeep option. This fetches the original page, then downloads the page served by each registered permutation and compares it against the original using fuzzy hashing, outputting a percentage match score based on how similar the HTML is to the original site. The higher the score, the more the domain name is worth a human’s time.

$ docker run elceef/dnstwist https://www.${domainname}.com/signin --ssdeep --registered --format json
... snip ...
  {
    "dns-a": [
      "xx.xx.xx.xx"
    ],
    "domain-name": "${domainname}",
    "fuzzer": "transposition",
    "ssdeep-score": 70
  }
... snip ...

I managed to kill more time than I’d expected looking into this area and trying a few example domain names, helped by how remarkably easy it was to pull and run the fully self-contained Docker image. If you just want to have a cursory look, and that’s how we all start this kind of investigation, you can use the online dnstwist phishing domain scanner.