[dns-operations] Typo in fox.com and an Akamai squatter
Robert Edmonds
edmonds at mycre.ws
Mon Feb 1 18:12:50 UTC 2016
I checked for .dnsmadeeasy.co. in NSDNAMEs in DNSDB; it looks like this
kind of typo is fairly common, and it has been exploited since January 6,
when it was registered.
If you're a DNS hoster and concerned about this sort of typosquatting,
please contact me offline (edmonds at fsi.io); I'm going to take a
systematic look at this problem.
16/29.113.195.12.in-addr.arpa. IN NS ns0.dnsmadeeasy[dot]co[dot]
bl.cr. IN NS ns2.dnsmadeeasy[dot]co[dot]
cassanova.com. IN NS ns12.dnsmadeeasy[dot]co[dot]
cassanova.com. IN NS ns13.dnsmadeeasy[dot]co[dot]
cassanova.com. IN NS ns14.dnsmadeeasy[dot]co[dot]
cassanova.com. IN NS ns15.dnsmadeeasy[dot]co[dot]
clarksag.com. IN NS ns3.dnsmadeeasy[dot]co[dot]
delawareentity.com. IN NS ns13.dnsmadeeasy[dot]co[dot]
editage.co.kr. IN NS ns11.dnsmadeeasy[dot]co[dot]
funrise.com.hk. IN NS ns12.dnsmadeeasy[dot]co[dot]
general-auto.com. IN NS ns15.dnsmadeeasy[dot]co[dot]
gerhardtlaw.com. IN NS ns11.dnsmadeeasy[dot]co[dot]
honeycreekvillage.com. IN NS ns15.dnsmadeeasy[dot]co[dot]
macleodconsulting.ca. IN NS ns3.dnsmadeeasy[dot]co[dot]
macleodconsulting.ca. IN NS ns4.dnsmadeeasy[dot]co[dot]
myparisienhome.com.au. IN NS ns0.dnsmadeeasy[dot]co[dot]
orthodonticsbrookline.com. IN NS ns4.dnsmadeeasy[dot]co[dot]
pilot.us. IN NS ns13.dnsmadeeasy[dot]co[dot]
realtorroatan.com. IN NS ns2.dnsmadeeasy[dot]co[dot]
richrecipesplugin.com. IN NS ns2.dnsmadeeasy[dot]co[dot]
richrecipesplugin.com. IN NS ns3.dnsmadeeasy[dot]co[dot]
richrecipesplugin.com. IN NS ns4.dnsmadeeasy[dot]co[dot]
rickyrubio9.es. IN NS ns11.dnsmadeeasy[dot]co[dot]
rockettriprewards.com. IN NS ns13.dnsmadeeasy[dot]co[dot]
stagnom.net. IN NS ns10.dnsmadeeasy[dot]co[dot]
stagnom.net. IN NS ns11.dnsmadeeasy[dot]co[dot]
stagnom.net. IN NS ns12.dnsmadeeasy[dot]co[dot]
stagnom.net. IN NS ns13.dnsmadeeasy[dot]co[dot]
stagnom.net. IN NS ns14.dnsmadeeasy[dot]co[dot]
stagnom.org. IN NS ns10.dnsmadeeasy[dot]co[dot]
stagnom.org. IN NS ns11.dnsmadeeasy[dot]co[dot]
stagnom.org. IN NS ns12.dnsmadeeasy[dot]co[dot]
stagnom.org. IN NS ns13.dnsmadeeasy[dot]co[dot]
stagnom.org. IN NS ns14.dnsmadeeasy[dot]co[dot]
vintagetitletx.com. IN NS ns12.dnsmadeeasy[dot]co[dot]
winnowtags.net. IN NS ns11.dnsmadeeasy[dot]co[dot]
xmatchdev.com. IN NS ns0.dnsmadeeasy[dot]co[dot]
yourfuturestudents.com.au. IN NS ns11.dnsmadeeasy[dot]co[dot]
yourfuturestudents.com.au. IN NS ns12.dnsmadeeasy[dot]co[dot]
yourfuturestudents.com.au. IN NS ns13.dnsmadeeasy[dot]co[dot]
yourfuturestudents.com.au. IN NS ns15.dnsmadeeasy[dot]co[dot]
Wessels, Duane wrote:
> A very similar incident from last month was reported here:
>
> https://www.reddit.com/r/dns/comments/40skim/xpostnetsec_strange_dns_propagation_issue_6_days/
>
> But that time with dnsmadeeasy.co
>
> DW
>
>
> > On Jan 31, 2016, at 1:47 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> >
> > On Fri, Jan 29, 2016 at 06:06:59PM -0500,
> > Robert Edmonds <edmonds at mycre.ws> wrote
> > a message of 38 lines which said:
> >
> >> I only see a few other domains with NSDNAMEs in
> >> *.akamaitechnologies.co. in DNSDB, dating back to December,
> >
> > akamaitechnologies.co was registered on December 31 (by someone
> > unrelated to Akamai and hosted in a tax haven) so, apparently,
> > someone else noticed...
> >
> > Their name servers do reply for fox.com and send you somewhere in
> > Romania:
> >
> > % dig @185.45.13.88 A fox.com
> >
> > ; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> @185.45.13.88 A fox.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6515
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 512
> > ;; QUESTION SECTION:
> > ;fox.com. IN A
> >
> > ;; ANSWER SECTION:
> > fox.com. 600 IN A 185.45.13.88
> >
> > ;; Query time: 66 msec
> > ;; SERVER: 185.45.13.88#53(185.45.13.88)
> > ;; WHEN: Sun Jan 31 10:42:34 CET 2016
> > ;; MSG SIZE rcvd: 52
> >
> > The records for fox.com in DNSDB show that some people were indeed
> > redirected:
> >
> > fox.com. IN A 185.45.13.88
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
--
Robert Edmonds
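As an added example (not code from the thread, from DNSDB or from any of the posters), a small Python check in the spirit of the NSDNAME search above: it reads records in the "owner IN NS nsdname" layout quoted in the post and flags name servers whose registrable domain is one edit away from a known hoster's apex without being that apex. The KNOWN_HOSTERS list and the sample records are assumptions constructed for the example.

```python
"""Flag NS delegations whose name servers sit under a one-edit typo of a known
DNS hoster's apex (dnsmadeeasy.co standing in for dnsmadeeasy.com, etc.)."""

# Assumed list of legitimate hoster apex domains; not taken from the thread.
KNOWN_HOSTERS = ("dnsmadeeasy.com", "akamaitechnologies.com")

# Constructed sample in the post's layout, [dot]-defanged like it; not real DNSDB output.
SAMPLE_RECORDS = """\
example.net. IN NS ns1.dnsmadeeasy.com.
example.org. IN NS ns0.dnsmadeeasy[dot]co[dot]
example.com. IN NS a1-67.akamaitechnologies.co.
example.info. IN NS ns1.cloudflare.com.
"""

def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def registrable(nsdname):
    """Undefang, lowercase and keep the last two labels. Assumes hoster apexes
    are two labels long: true for KNOWN_HOSTERS, not under e.g. co.uk."""
    labels = nsdname.replace("[dot]", ".").rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def suspicious_delegations(text, hosters=KNOWN_HOSTERS):
    """Return (owner, nsdname, hoster) for every 'owner IN NS nsdname' line
    whose registrable domain is one edit from a known hoster but is not it."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 4 or f[1:3] != ["IN", "NS"]:
            continue                       # skip anything that is not an NS record
        owner, ns = f[0], f[3]
        dom = registrable(ns)
        if dom in hosters:
            continue                       # exact match: the real hoster
        for hoster in hosters:
            if edit_distance(dom, hoster) <= 1:
                findings.append((owner, ns, hoster))
                break
    return findings
```

Run against a zone transfer or a DNSDB export of your own delegations, the two .co entries in the sample are reported and the genuine dnsmadeeasy.com and cloudflare.com delegations are not.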