Home / Industry

WhoisXML API Detects Hundreds of Microsoft-Inspired Typo Domains

Microsoft is among the top technology companies globally and so is in critical need of brand protection. The company name already figured in many phishing campaigns, including Microsoft Office 365 that has been abused several times in business email compromise (BEC) scams. Threat actors use domain names that contain the word "Microsoft" to make their emails and websites believable.

As such, it's not only Microsoft that needs protection, but also other organizations whose employees could easily fall victim to Microsoft-themed typosquatting domains.

Typo Domain Detection: Microsoft Lookalike Domains

Monitoring Microsoft-themed domain name registrations using the Typosquatting Data Feed, we found 285 newly registered domains (NRDs) from 3 October 2019 to 4 May 2020. These domains were detected as soon as they appeared in the Domain Name System, although eight were reported in bulk on X-Force Early Warning on 29 April 2020. Some of the detected squatting domains are shown in the screenshot below.

Most of these domain names bear the marks of typosquatting, as they either:

  • Misspell the word "Microsoft"
  • Use phrases that contain the company name
  • Use a different top-level domain (TLD)

However, Typosquatting Data Feed also detected less noticeable variations of typosquatting. Let us explain. Domain names can take the form of Punycode, which can be used in homograph attacks. Punycode is a standard representation of internationalized domain names (IDNs), which enables the use of non-Latin or Unicode characters.

But since the Domain Name System (DNS) can only support the American Standard Code for Information Interchange (ASCII), Punycode converts domain names with Unicode characters to those with the prefix "xn--" so that computer servers can understand. However, users would see the Unicode characters, some of which are very similar to the English alphabet.

In the case of Microsoft, below are the Punycode domain names that the Typosquatting Data Feed should soon be able to detect, along with their conversions.

  • microsôft[.]com (xn--microsft-93a[.]com)
  • ṃicrosoft[.]com (xn--icrosoft-g89c[.]com)
  • microsofṭ[.]com (xn--microsof-hk0d[.]com)
  • ʍicrosoft[.]com (xn--icrosoft-93d[.]com)
  • micrọsoft[.]com (xn--micrsoft-180d[.]com)
  • microsofţ[.]com (xn--microsof-vxb[.]com)
  • mıcrosoft[.]net (xn--mcrosoft-tkb[.]net)
  • microsofț[.]com (xn--microsof-69c[.]com)
  • microsöft[.]com (xn--microsft-s4a[.]com)
  • 丨microsoft[.]com (xn--microsoft-9j6n[.]co)
  • mĩcrosoft[.]com (xn--mcrosoft-rib[.]com)
  • microsȯft[.]com (xn--microsft-9fd[.]com)
  • microsofŧ[.]com (xn--microsof-wyb[.]com)

As you can see, these domains can easily mislead people into thinking they are legitimate Microsoft domains.

Examining the Domain Infrastructure of the Typosquatting Domains

Domain intelligence can give security teams more in-depth insights into the typosquatting domains. For instance, running the domains through Bulk WHOIS Lookup would reveal that most of their registrants are from the U.S. (137 domain names). Three of those registered in the U.S. are under Microsoft Corporation and have the same WHOIS registration details as the legitimate microsoft[.]com.

On the other hand, some Microsoft-inspired domains are registered in China, Canada, Morocco, Russia, Lithuania, France, and Slovakia. The rest of the domain name registration countries were redacted for privacy or left blank.

Since IBM X-Force Exchange reported that the IP address and Autonomous System Number (ASN) of the detected domains are located in Russia, we focused on a domain registered in the said country — microsoft-windows[.]online.

IP Address Associations

Using DNS Lookup, we found that the domain resolved to the IP address 194[.]58[.]112[.]174 and used the nameserver ns1[.]reg[.]ru. Now, security teams can dive deeper using these details. Running the IP address on Reverse IP/DNS Lookup would help them decide whether to enforce IP-level or URL blocking. More than 300 domain names use the same IP address, which indicates it's shared and other domains on the address might end up being victim of overblocking.

Nameserver Associations

Running the nameserver on Reverse NS API returned 3,817 domain names that share the same nameserver.

Organizations can keep monitoring the nameserver and associated domains for the utmost security. They can also track their nameservers using Reverse NS API to avoid DNS-based attacks.


Typosquatting is one of these threats affecting big brands like Microsoft. With the help of Reverse IP/DNS Lookup and Reverse NS API, the domains detected by the Typosquatting Data Feed can be given more context including Punycode domains that are particularly tricky to identify.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

Whois

Sponsored byWhoisXML API

DNS Security

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign