Is this thing on? Hello there. Hi. Good morning, afternoon, or evening, wherever you're at, and welcome to the virtual Recon Village at DEF CON 29. Thanks very much for listening. I'm glad you're here.

I'm going to start off with a disclaimer first. That's most important: my opinions are not my employer's. What you're going to hear are personal opinions. I'm not going to lie to you. All I ask is that you please help me not get fired or sued, because I happen to love my job. I also love not getting sued. Thank you for that.

I want to start off with a quick shout-out, first to DEF CON 402. That's the local Omaha metropolitan area DEF CON group. They heard the beta version of this talk. They didn't throw a lot of stuff at me; very supportive. Thank you for that. I want to say thanks again to the AppSec Village and Skytalks, both of whom took a chance on me as a first-time village speaker at DC 27. And of course, the biggest thank you to Recon Village for accepting this talk and for letting me take part. I really appreciate being part of your tradition.

Traditions are important. Traditional traditions and internet traditions like Wednesdays: they're important, and it's going to be a recurring topic that we talk about here.

But first I want to go back to winter, the winter of 2020 and 2021. It's a bleak, harsh winter, especially harsh if you live in Iowa like I do. It's located conveniently smack dab in the middle of the contiguous United States, and it gets very cold.
Nobody wants to go outside and do anything. For some reason the Red Army Choir sings, but anyway, setting that aside, I'm at work and I'm down in my office in Storage B, and I am taking the pandemic seriously and doing my duty, so I am wearing a mask, and I'm probably listening to my favorite kind of music at the same time too. But anyway, I'm at my computer and I'm doing some of the mission-critical work that my employer requires of me.

So as I'm reading emails, I notice that I get one email that is addressed to me, and it's copying a number of other people. One of the addresses it copies doesn't have the right domain name. Our official domain name ends in .gov; I work at a county government. But in this case the email was also addressed to somebody at the same exact name, except it ended in .org. Easy mistake to make. The question is, though, where does that email go?

I was curious, you know, who got that .org email? It's easy enough to check. I went and looked up MX records. Turns out nobody owned that .org domain, and for about eight dollars I, or anyone else on the internet, could buy that domain name. And you know, suddenly, once you own the domain and you set up the DNS, you can decide where the email goes and where web traffic goes and that sort of thing. You're a hacker now. You can start receiving emails you weren't supposed to be privy to, and that's something we're going to talk about.

So how does somebody type a .org instead of a .gov?
I mean, we're a county government, a government entity. You'd expect .gov is what people think, but that's not always the case, and again, the answer is because of tradition. Because across the United States, local governments, cities and counties, for years and years have used .orgs and .coms and .us domains instead of .govs, and it's only recently that local governments have started to move more into the .gov domain space. I remember a time before the web was invented when .us was actually a pretty big deal for public institutions, and a lot of people were using it. You know, Americans are stubborn. They didn't standardize on it like they did in the UK or in Germany and places like that. Anyway, that means that local government entities are using all sorts of different domains: .coms, .nets, .orgs, .us domains, and that makes it tough to know which is the real deal.

But then there's the .gov top-level domain, a special top-level domain available only to government entities in the United States. How do you get one of these, and why would somebody not use one? Well, to get one you have to apply to the federal government to get your .gov domain, and a couple of years ago I guess it was a little bit too easy to do, because Brian Krebs ran an article. There was a fellow who was able to get a .gov domain, and all he had to do was download the logos from a town in Rhode Island, put them on letterhead, and say "I'm the mayor, give me a .gov," and it worked out. So that wasn't good. I don't recommend that, by the way. I just want to be clear that forging documents and, you know, getting a .gov domain that way, we're not supposed to do that. That's fraud or forgery. That's illegal stuff.
Don't do crime, stay in school, kids. But back then the .gov registry was run by GSA. If you've ever worked for, with, or in the US federal government, you probably had dealings with GSA, and they had a whole bunch of different rules, and they did do work to try to verify those domains, but obviously some slipped through. Nowadays the .gov registry is run under CISA. It was moved over; it was kind of part of the fallout from the 2016 and 2020 elections. And now it's free to get a .gov domain. It's free for local governments to register those. It used to be a $400-a-year fee. That doesn't seem like very much, and it's not if you're in the federal government, but if you were a, you know, town of 500 or a thousand people or something, a $400 expenditure is actually a pretty big expenditure. It's free now. They want you to go to it, in part for election security, but also just to make it clear that you are a government entity.

And so local governments are moving in droves to .gov domains, and there are good reasons for doing that. The .gov domain carries a certain cachet. When you see it, you know it's got to be a government entity, because no one else should be able to get one. It's trusted more, whether that's the right way to do it or not; employees and citizens trust it. And yet there are still a lot of governments out there that use .coms, .nets, .orgs and .us domains. And why do they do that? Again, it's tradition. It's as old as Star Wars-themed weddings. I mean, look at Multnomah County in Oregon. They've been using a .us domain for 20 years, so their citizens and employees know to go there.
That's the place they go to. Syracuse in New York: that city has a .net domain, a little bit unusual, but they've been using it for a number of years as well.

We're going to talk about using look-alike domains, and specifically using impersonations of .gov domains and .us and .org, whatever local governments are using, because it's dangerous and also because, you know, it works. And so those of you who are red teamers for a living, you probably are hearing this and you think this isn't super advanced, and you are right. It's not, but it is effective. And it's a form of typosquatting. So I'm sure everyone knows what typosquatting is: you type Facebook wrong or Gmail wrong, you end up at the wrong site. I hope you don't get, you know, loaded down with malware when that happens. There's a term, cybersquatting, that's used now to cover typosquatting and other types of look-alike domains and things like that. It sounds cooler because it has the word cyber in it. Plus, when you put it in your title it doubles your pay, so that's good.

We're going to talk a little bit about doppelganger domains. And so they're look-alike domains, imposter domains that are missing a dot. Pretty easy to do, an easy mistake for somebody to make. But we can also, you know, that's doppelganger, a German term, we can also go back to Greek, because there are some lovely things you can do to set up look-alike domains using techniques like homophones. Those are words that are spelled differently but sound the same; you can trick users that way. Everyone loves Unicode.
I'm sure you do, and dealing with that, yeah, dealing with that: Unicode offers a whole bunch of different alphabets, and there are alphabets like Cyrillic that have letters that look similar to the Latin ones but aren't the same, and they make lovely, lovely imposter domains. Bitsquatting: this one you may have read, there's a paper out recently on this, and some amazing stuff, and basically every now and again a computer accidentally changes a one to a zero. Apparently it's done by space rays, and possibly aliens are behind it. Whatever it is, it's really, really cool.

We don't need any of that. We have very simple attacks to do, just by substituting .org or .com for .gov. And once you can get something to go to your look-alike domain, you control what their experience is. You control what website they go to, for real, and you control where email goes. So that's all we need. All we need to do is rely on human nature, and human nature says that somebody who's been used to typing .org for 20 years is going to keep typing .org even when a government switches to .gov.

Why do I care about this? Why am I talking to you about this today? Well, I've worked in county government for about 20 years, and you know, when I started I actually had a lot more hair and probably a little bit more sanity, and I'm still going strong, but I care about the security of our local governments. And I started out in our county's IT department. I spent 15 years there. During the last eight years, by day I was a mild-mannered IT professional, and by night I fought crime as a reserve deputy in our sheriff's office, and I started doing digital forensics that way.

And I guess I don't really have a CV slide, but my favorite accomplishment is that I think I am federally considered a porn expert, because I was at a federal trial once, testifying, and the defense attorney came up and was ready to examine me, and in his line of questioning he started off, "Deputy Kava, you're an expert in pornography." And there was this pause, and it was empty, and so I just said, "Thank you," and the stenographer typed it down, it went into the transcript, and now I think federally I am recognized as a porn expert. So there's that.

I've been on our state's Internet Crimes Against Children task force since 2009, and so when I explain it to students I tell them that, you know, we go after bad guys on the internet who go after kids. So we're the good guys, Marty, for those of you of a certain age. I am a hacker and I carry a badge, and I don't think those things are mutually exclusive. In fact, I think we need more of that. I think we need more people who subscribe to the hacker ethos, who believe in transparency, who believe in privacy, who believe in, you know, judging people by who they are, not by who their parents were, where they came from, what they look like. And we need more of that in law enforcement. And I want to, just so you've got some hopeful message to come out of this, I want to let you know that there are literally dozens of us out there, and we are infiltrating law enforcement all over the United States and elsewhere. So I'm hoping that we can effect some sort of change.

But my job, and I work in a sheriff's office, is investigating cybercrime, and that can mean, you know, looking into Facebook accounts. That means doing forensic examination. So I also, you know, will dump cell phones.
I look at computers, that sort of thing. I do all those, and then I also have a cybersecurity role, and I've had that kind of role ever since my days in IT. We have at the local government level the same kind of challenges that you have at any organization. We have a domain to protect, and we want to do that, and that also means looking out for, you know, actual domain names.

So I work for a place called Pottawattamie County. There'll be a spelling test later on, so don't worry about it for now. But nobody, our citizens can hardly spell it, and so we don't use that name spelled out. We for years and years, almost 20 years, used pottcounty.com, with two T's, as our domain name. When I was in IT, I registered the one-T variant just to make sure that nobody could grab that away from us. Before it was cool, before it was free, we switched over to a .gov domain, and back then I didn't think to register the .com or .org that go along with that. So I missed out on an opportunity there.

Which brings me back to this email, this email that's going nowhere. It's going to a .org that doesn't exist. I started looking into it, and then I thought, well, I wonder where else in the state of Iowa this could be happening, because I, you know, work with other counties and so on. There are 98 other counties in the state of Iowa, and it turns out a lot of them had this potential vulnerability. They had domains available that were very similar to their real domain. And as I looked at those, you know, I got to thinking: the state of Iowa is not very big. It's not a very populous place. There have got to be bigger fish in the sea. There have got to be, you know, bigger targets out there, and where do you find them? Well, thankfully the sum total of human knowledge is now out on the internet under wikipedia.org, so you can find them there.
There's a list of cities and counties listed by their populations, and so if you want to find the most populous ones, the biggest targets to look at, that's one way to do it. And that led to an experiment; that led to some research. I decided I want to find out what other counties are out there, what other cities are out there that could fall victim to this sort of thing, and what can we do about it.

Like all of life's hardest problems, this one was solved with Perl. And I wrote some Perl code to go out to Wikipedia, scrape that list of most populous counties and cities, and then go a level deeper and find the websites for them out of the individual articles. There's probably an API for it, but I was too lazy to learn it, so I just did it with regexes. Put that into a database, did some DNS queries, did some WHOIS queries, figured out which of those domains are available, made a nice list of targets. And I didn't do anything super fancy. There's no, you know, rays from space involved here. If they had a .gov, I looked at the .com and .org that were similar; if they had a .us, same thing.

And as I was doing this, I thought, why limit ourselves to the United States? I mean, every other country has governments too, and what about the UK? We've got our special relationship with them. They should like us. They haven't invaded us in 207 years; things were going really well. I thought it was about time to shake things up. So I looked at gov.uk to see what else was available for them. That's their equivalent to our .gov domain. Yada yada yada, I ended up with 42 look-alike domains that looked like local governments from here and abroad, and basically if they had a .gov I looked for the similar .coms or .orgs, and if they had a .us I looked for doppelganger opportunities. We in my county, and this is how you spell it, have one of these official co.countyname.state.us domains, and those are ripe for doppelganger attacks: drop that dot out of there.
So, look at some of those. And gov.uk, as I mentioned, is their equivalent to our .gov, and people will miss that last dot before the gov, and so I registered a couple of those. And this isn't something limited just to, you know, the UK and the US. There are domains that are parked or domains that are available for countries all over the world. And one interesting thing that came out of this was I found out that the UK actually has a safety net in place to prevent this sort of thing from happening, something we don't have in the US. They have a registrar with regulations that say that you cannot register a domain if you're going to use it for phishing or illegal stuff. I mean, it's a good idea, and they didn't actually let me register the domain at first. They said this looks hinky, and they sent me an astrogram by email and asked what that guy was up to. I told them I'm doing some research, I promise I'm not doing anything bad, and if you can't give me the domain, no big deal. The appeal went up, I assumed at the highest levels of government, and it went through. I was able to actually register the domains I wanted. So somehow I got away with it, just barely, and so no international incident there. Good thing.

Let's get back to the experiment. So, the goal of the experiment: we're going to do something good. We're going to try to take some of these domains out of circulation so that an attacker can't use them. We're also going to try to increase awareness. That's actually part of what this talk is about. I've got these 42 look-alike domains ready to go, so I set them up to redirect their web traffic to the real site that they look like, to the actual government sites, just as a 302. It doesn't say that, you know, our look-alike is the actual site; we just redirect to the real one. I also started bouncing emails.
So I set up MX records, and anybody who emails one of these look-alike domains immediately gets a bounce message back. So we're looking at the email for research purposes, to figure out, you know, how bad this problem could be, but we're also telling them this is not the right address, and usually after the second or third try they figure that out. At no point did we do anything to try to entice people to use these look-alike domains. So at no point was I taking a domain and putting it out there on Google or whatever and saying this is the official one. Anything that came in was unsolicited. And I decided to take, you know, I used the Prime Directive and decided not to interfere with anything that happened here. Obviously, if I saw an email that said, you know, somebody was in immediate danger, I would have taken action right away, but that never came up, thankfully. So no problem.

This sounds kind of sleazy: people, you know, registering domains that look like someone else's domain. There ought to be a law, right? And it turns out there is, since 1999. There's the Anticybersquatting Consumer Protection Act, and it's not criminal. You're not going to go to jail for it. But it gives companies a way to sue if somebody tries to water down their trademark by registering something, or just, you know, squats on one of their names. We're not going to run afoul of that, because we are not going after, first off, anything in the private sector, you know, private industry, but second, our motivations are good. We're not doing anything wrong. Here's the intent.
We want to deny the best real estate to the baddies. We want to bounce emails to make it obvious to anyone who sends an email that they got the wrong address, so they fix their stuff. And then we want to, at the end of this, and this is actually in progress now, give these domains away to the potential victims that could use them. So if, you know, there was a county somewhere and one of their domains is one of these 42 where there's a look-alike, I wanted to give them the domain, and I've done that now with seven or eight counties so far.

The beauty of this kind of attack, of these look-alike domains: there's a lot going for it. First off, it's difficult to detect. There are companies you can pay to go look for these things, or you can buy feeds, you know, newly registered domains, but it's kind of tricky, and you've got to remember that there are 3,000 counties in the United States, you know, give or take, and some of them don't even have IT departments. They've got an auditor's clerk or whatever that's doing their stuff, and so they aren't going to be able to keep an eye out for this. It can be very silent. If you're just passively accepting email and accepting web traffic, nobody may even, you know, see that this is happening. You can also do meddling with the traffic. You can do a man-in-the-middle attack: if somebody is visiting the wrong website, you can proxy them to the right one, inject some JavaScript, or whatever you want to do. There's dangerous stuff that can happen.

There's a ton of intel that you can get on this if you're a red teamer or an actual attacker. If you are watching the email traffic, if you end up in one of these email chains where you're CC'd, you can jump right into it. You could reply, and it's going to have the right thread ID; it's going to look right. Or you can sit back and just collect the data. You can build a beautiful dossier on somebody that you are after, a target, because you're going to see their actual email signature.
You can get phone numbers. You're going to know who they're talking to, what business they're doing. I mean, there's tons of intel there, and you can use all that for phishing. And you'll even know, you know, what the best topics are, and you may know what a banner is going to look like if you're going to hit one of those external email banners. The lifespan on this thing could be indefinite, because if you're not outright breaking the law, or it can't be proven that you are, then you can just sit there silently with that domain for years and years, and there may not be anything somebody can do.

So, 42 domains, they're set up. First few days, already there were results, and I want to share those with you. Instant results: one of the very first emails that I saw come across was from a lawyer, and it had a disclaimer at the end that said "email is not secure." A little bit of an understatement. And then there were the secure emails. So you've seen the Zix emails and Office 365 and Virtru; those were coming in, and how do you authenticate yourself? You click the link and say "I own this email." They send you a code and you're in the email. So, not very secure in that case. Then there were the Zoom invites. Zoom invite after Zoom invite; there were just so many of them. I know everybody is Zoomed out after 2020 and 2021 here, but anyway, there were a ton of those. If you wanted to bomb a meeting, it wouldn't be too hard to do. Invoices, financial information: sometimes there's financial information on the documents that were coming across. Sometimes it's just a useful invoice. Again, if you wanted to send a false invoice to someone, you know exactly what it should look like and who it should go to. People, citizens, are sending in their paperwork. They're sending in their vehicle registration and stuff like that, trying to get to the Department of Motor Vehicles. And some of them were just weird, off-the-wall stuff you wouldn't have expected, like notifications about new toxicology reports from autopsies that just started pouring in because they were automated. Oh, and a coupon for Subway. So there's that.

Is anybody doing this? It's a question that comes up. If you're looking at this stuff, you're thinking, wow, an attacker could actually do this. Who's actually doing this? Well, I've got an example, and I don't have to go very far, because it's actually our county seat. Council Bluffs, Iowa is the seat of Pottawattamie County. It's where I live, it's where I work, and they have a website. It's a .gov. They've been on a .gov for a number of years, but somebody else has the .com. Who has the .com, and why do they have it? What are they doing with it? Well, if you look it up, I looked up the name servers, and you can see the real one uses a company called CivicPlus. That makes sense. The fake one, the .com, uses Keystone Pack dot com, and the servers are bernie and hillary, which is an interesting pairing too. But what does that mean? Well, if you look up Keystone Pack dot com, you'll find out that it resolves to the same IP address.
They both have MX records, so they can receive mail. They must be the same company. If you look up that IP, you'll find that it's hosted out in New York, and if you go to the websites, you just get this placeholder parked-domain kind of thing. It just says "this is" whatever the domain name is. Keystone Pack dot com, however, is very similar to Keystone Pack dot org, which is a real political website. So it sounds like they're parking domains, look-alike domains for political or government agencies. Dig a little deeper, make an SMTP connection, and you can get another domain out: Big Vision dot com. You dig into that and it turns out to be a remailer in the Netherlands. It's been operating since the '90s. So a little bit of a rabbit hole there, and that's as far as we'll go down it. But somebody is using that .com, and they could be receiving email, because they've got MX records going. I noticed at the time, when I was looking into that, that nobody had the .org, so I did register that and did hand it over to the City of Council Bluffs so that they can hang on to it for safekeeping. They may never get that .com back, but at least they've got the .org.

What about states? Our state, the State of Iowa: iowa.gov is their official domain. They have lots of subdomains in there, including for counties. Who has iowa.com? It's parked. Somebody wants $50,000 for it. At any point they could put up MX records and start receiving emails from people who type .com instead of .gov. Who has the .org? This guy named Yawn. He's had it since the '90s. In fact, his website doesn't seem to have changed too much since the '90s, which is cool. But anyway, if he wanted to, he could start publishing MX records and stealing emails the same way anyone else could. Scary stuff.

So we're getting emails. We're getting hits to these look-alike websites. What are the results? Is there anything useful?
Well, I told you a little bit about things seen in the first three days, but there were even weirder and more cringe-worthy things coming after that. After a while I started seeing what looked like a driver's license every day or two; people are sending in pictures of their driver's license. There were all those invoices again, and bills and quotes and all sorts of lovely financial information, good for fraud use. Over 200 PDF documents attached to emails came in. There were over 170 photos that were sent in, including those driver's licenses. Just here's a quick chart on DNS, but basically there were over 4,000 queries against these 42 domains every day. Web traffic: over 1,300 hits every day. A lot of those are automated, but some are people that hit the wrong domain, and you can control where they go. Ended up, over an almost four-month period, getting 2,500 emails. That's over 23 a day to these 42 domains. You've got mail.

And what if I told you there was some really scary stuff in there? You'd believe it, I mean, I assume, from what you've seen so far. There was one email that came in that had the trifecta: not just a driver's license, but also a Social Security card and a certificate of birth, all in one email. So that was good. There's a large-ish city in California that has a credit card form they use for permitting, and they said, go ahead and email it to us, with your CVV2 and everything. So that was cool. Ended up getting automated notifications like this one: whenever there's a city that was buying water from a neighbor, every time that they did that, their ICS system or whatever would trigger this, and you would get a receipt. So that was kind of interesting to read. Or this wire transfer notice coming from a pretty big city in the Midwest. Every time they did a wire transfer, I was getting information about it. Thankfully, not everything was so scary.
In fact, I think the majority of the emails were people trying to get out of jury service, which makes some sense. There was a little bit of police intelligence involved, because a cop at some time had gotten signed up on a listserv with the wrong address, and now for years, even though the email wasn't going anywhere until the domain was registered, they were getting bulletins with all the latest, you know, criminal information in there. So, passwords: people signing up their colleagues or their workers for different websites. They put the wrong address in, and you get their initial password. Also some two-factor action: we're seeing codes coming in when people are trying to log into their, you know, Google accounts or Apple accounts.

Too long, didn't read summary here: this attack is cheap, it's simple, it's hard to stop once it starts, and it works. It works, and it doesn't require a lot in terms of, you know, capabilities.

How do we help with this? Well, like I said, registering the domains is good. Getting the word out there and getting awareness up is good too. And so I gave a talk to Iowa counties and told them about this. I put some other things out to the national counties group, and I set up a website. I made this website called imposter.domains, and if you go there, you can do a search for any domain name you want. And you can go do this now, and it will give you just a couple of hints as to what some similar domain names might look like and tell you whether they're taken or not. And there's a frequently asked questions page that explains how all this stuff works, so if somebody's not familiar with how domains work, there's all that. There's even a nerd mode you can turn on, and you can see a little bit of DNS information for these domains too, if you want to. So feel free to check it out: imposter.domains. If you spell it with an "er" by mistake, that also works, because it's a look-alike domain, right?
Anyway, the results of this: the concept's confirmed. This attack works. Everybody knew you could do it. It's not a surprise, it's nothing new, but I'm just telling you that from a proof-of-concept standpoint, it's feasible, it works. The awareness has expanded. Between talks and that site, we're trying to get the word out, so that all these local governments that are now moving to .govs make sure that they protect themselves. And we're transferring domains, getting them out to the individuals who could use them, so that we make sure they never go back into circulation.

And that is it. That's all the information I had to share with you. Now you know, and that's half the battle. Thanks so much for listening. If you've got questions, there's going to be Q&A on DEF CON's Discord; the link's down there if you need to get in there. You're probably already logged in. Thank you for that. And that is it. If you want to reach out, my website with my contact info is forensic.coffee, and I really appreciate you listening, and thanks so much, Recon Village, for giving me a chance to take part.
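The talk describes two things a defender can reproduce for their own domain: enumerate the look-alike names that the speaker's Perl tool looked for (swapping .gov for .com/.org/.net/.us, and dropping a dot out of co.county.state.us or name.gov.uk), then check which ones are still unregistered so the government can register them before someone else does. The block below is an added example in Python; it is not the speaker's Perl code and not the imposter.domains site. The domain names in it (example.gov, co.example.ia.us, example.gov.uk) are constructed placeholders, and the `resolves` check is a deliberately weak stand-in that uses only the standard library.

```python
"""Enumerate look-alike variants of a local-government domain and sort them
into taken vs. open, so a defender can register the open ones first.

Added example (not the talk's Perl tooling). Domain names are placeholders.
"""
import socket
import sys
from typing import Callable, Dict, List

# TLDs the talk says local governments actually use and citizens mix up.
SWAP_TLDS = ("gov", "com", "org", "net", "us")


def lookalike_candidates(domain: str) -> List[str]:
    """Return the look-alike names for one official domain.

    Rules follow the talk:
      * for a plain second-level name (example.gov), swap the TLD among
        .gov/.com/.org/.net/.us;
      * for any multi-label name, drop one interior dot at a time
        (co.example.ia.us -> coexample.ia.us, example.gov.uk -> examplegov.uk).
        The final dot is never dropped, so every result keeps a real TLD.
    """
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    found: List[str] = []

    def add(name: str) -> None:
        if name != domain and name not in found:
            found.append(name)

    # Rule 1: TLD swap, only for two-label names (swapping the TLD of
    # co.example.ia.us would give nonsense like co.example.ia.gov).
    if len(labels) == 2 and labels[-1] in SWAP_TLDS:
        for tld in SWAP_TLDS:
            add(f"{labels[0]}.{tld}")

    # Rule 2: dropped-dot doppelgangers; merge label i with label i+1,
    # for every dot except the last one.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        add(".".join(merged))

    return found


def resolves(name: str) -> bool:
    """Weak registration check using only the standard library: True if the
    name has an address record. A parked domain that publishes only NS or MX
    records is missed here; a real audit would query NS and MX with a DNS
    library, since the talk's point is that MX records are what let a
    squatter receive the misdirected mail."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def audit(domain: str, is_taken: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Split the look-alikes of `domain` into 'taken' (someone already holds
    it: worth monitoring, and worth checking whether it has MX records) and
    'open' (unregistered: the government can register it itself)."""
    report: Dict[str, List[str]] = {"taken": [], "open": []}
    for name in lookalike_candidates(domain):
        report["taken" if is_taken(name) else "open"].append(name)
    return report


if __name__ == "__main__":
    # Pass your own official domain(s) on the command line; the defaults are
    # constructed placeholders that exercise each rule.
    for official in sys.argv[1:] or ["example.gov", "co.example.ia.us", "example.gov.uk"]:
        result = audit(official)
        print(f"{official}:")
        print(f"  taken: {result['taken']}")
        print(f"  open:  {result['open']}")
```

Running it with a real .gov or .us domain as the argument lists the names the talk says get typed by mistake; anything in the open list is what the speaker was buying for eight dollars and handing back to counties, and anything in the taken list deserves a look at who holds it and whether it publishes MX records.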