Typosquatting generator

From Wikipedia: “Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).”

This C# code allow you to create a list of typos starting from a string.

using System;
using System.Collections.Generic;
using System.Linq;

namespace TypoSample
{
    class Program
    {
        static void Main(string[] args)
        {
            List<string> strings = new Typo().GetList("emiliano");

            foreach (string s in strings)
            {
                Console.WriteLine(s);
            }
        }
    }

    internal class Typo
    {
        private static List<Character> characters = new List<Character>()
        {
            new Character() { Value = 'a', Similar = new List<char>() { '4' } },
            new Character() { Value = 'b', Similar = new List<char>() { } },
            new Character() { Value = 'c', Similar = new List<char>() {  } },
            new Character() { Value = 'd', Similar = new List<char>() {  } },
            new Character() { Value = 'e', Similar = new List<char>() { '3' } },
            new Character() { Value = 'f', Similar = new List<char>() {  } },
            new Character() { Value = 'g', Similar = new List<char>() { '6' } },
            new Character() { Value = 'h', Similar = new List<char>() { } },
            new Character() { Value = 'i', Similar = new List<char>() { '1', 'l' } },
            new Character() { Value = 'j', Similar = new List<char>() { } },
            new Character() { Value = 'k', Similar = new List<char>() { } },
            new Character() { Value = 'l', Similar = new List<char>() { '1', 'i' } },
            new Character() { Value = 'm', Similar = new List<char>() { 'n' } },
            new Character() { Value = 'n', Similar = new List<char>() { 'm' } },
            new Character() { Value = 'o', Similar = new List<char>() { '0' } },
            new Character() { Value = 'p', Similar = new List<char>() { 'q' } },
            new Character() { Value = 'q', Similar = new List<char>() { 'p' } },
            new Character() { Value = 'r', Similar = new List<char>() {  } },
            new Character() { Value = 's', Similar = new List<char>() { '5' } },
            new Character() { Value = 't', Similar = new List<char>() { 'f' } },
            new Character() { Value = 'u', Similar = new List<char>() { 'v' } },
            new Character() { Value = 'v', Similar = new List<char>() { 'u' } },
            new Character() { Value = 'w', Similar = new List<char>() {  } },
            new Character() { Value = 'x', Similar = new List<char>() {  } },
            new Character() { Value = 'y', Similar = new List<char>() {  } },
            new Character() { Value = 'z', Similar = new List<char>() { 's' } },
            new Character() { Value = '0', Similar = new List<char>() { 'o' } },
            new Character() { Value = '1', Similar = new List<char>() { 'i', 'l' } },
            new Character() { Value = '2', Similar = new List<char>() {  } },
            new Character() { Value = '3', Similar = new List<char>() { 'e' } },
            new Character() { Value = '4', Similar = new List<char>() { 'a' } },
            new Character() { Value = '5', Similar = new List<char>() { 's' } },
            new Character() { Value = '6', Similar = new List<char>() {  } },
            new Character() { Value = '7', Similar = new List<char>() {  } },
            new Character() { Value = '8', Similar = new List<char>() {  } },
            new Character() { Value = '9', Similar = new List<char>() {  } },
        };

        private List<string> calculated = new List<string>();

        private void Process(string s, string original)
        {
            char[] ca = s.ToCharArray();

            foreach (char c in ca)
            {
                Character cs = characters.Where(x => x.Value == c).FirstOrDefault();

                foreach (char ch in cs.Similar)
                {
                    string f = s.Replace(c, ch);

                    if (!calculated.Contains(f) && f != original)
                    {
                        calculated.Add(f);

                        Process(f, original);
                    }

                }
            }
        }

        internal List<string> GetList(string text)
        {
            Process(text.ToLower(), text.ToLower());

            return this.calculated;
        }
    }

    internal class Character
    {
        internal Character()
        {
            this.Similar = new List<char>();
        }

        internal char Value { get; set; }
        internal List<char> Similar { get; set; }
    }
}

Executing this program with the string “emiliano” you get this list of output strings

3miliano
3niliano
eniliano
emiliamo
3miliamo
3m1l1amo
em1l1amo
en1l1ano
3n1l1ano
3nlllano
enlllano
emlllamo
3mlllamo
3m111amo
em111amo
en111ano
3n111ano
3niiiano
eniiiano
emiiiamo
3miiiamo
3miii4mo
emiii4mo
eniii4no
3niii4no
3n1114no
en1114no
em1114mo
3m1114mo
3mlll4mo
emlll4mo
enlll4no
3nlll4no
3nlll4n0
enlll4n0
emlll4m0
3mlll4m0
3m1114m0
em1114m0
en1114n0
3n1114n0
3niii4n0
eniii4n0
emiii4m0
3miii4m0
3miiiam0
emiiiam0
eniiian0
3niiian0
3n111an0
en111an0
em111am0
3m111am0
3mlllam0
emlllam0
enlllan0
3nlllan0
3n1i1ano
en1i1ano
em1i1amo
3m1i1amo
3mlilamo
emlilamo
enlilano
3nlilano
3nl1lano
enl1lano
eml1lamo
3ml1lamo
3mi1iamo
emi1iamo
eni1iano
3ni1iano
3ni1i4no
eni1i4no
emi1i4mo
3mi1i4mo
3ml1l4mo
eml1l4mo
enl1l4no
3nl1l4no
3nlil4no
enlil4no
emlil4mo
3mlil4mo
3m1i14mo
em1i14mo
en1i14no
3n1i14no
3n1l14no
en1l14no
em1l14mo
3m1l14mo
3mili4mo
emili4mo
enili4no
3nili4no
3nili4n0
enili4n0
emili4m0
3mili4m0
3m1l14m0
em1l14m0
en1l14n0
3n1l14n0
3n1i14n0
en1i14n0
em1i14m0
3m1i14m0
3mlil4m0
emlil4m0
enlil4n0
3nlil4n0
3nl1l4n0
enl1l4n0
eml1l4m0
3ml1l4m0
3mi1i4m0
emi1i4m0
eni1i4n0
3ni1i4n0
3ni1ian0
eni1ian0
emi1iam0
3mi1iam0
3ml1lam0
eml1lam0
enl1lan0
3nl1lan0
3nlilan0
enlilan0
emlilam0
3mlilam0
3m1i1am0
em1i1am0
en1i1an0
3n1i1an0
3n1l1an0
en1l1an0
em1l1am0
3m1l1am0
3miliam0
emiliam0
enilian0
3nilian0
3m1l1ano
em1l1ano
emlllano
3mlllano
3m111ano
em111ano
emiiiano
3miiiano
3miii4no
emiii4no
em1114no
3m1114no
3mlll4no
emlll4no
emlll4n0
3mlll4n0
3m1114n0
em1114n0
emiii4n0
3miii4n0
3miiian0
emiiian0
em111an0
3m111an0
3mlllan0
emlllan0
em1i1ano
3m1i1ano
3mlilano
emlilano
eml1lano
3ml1lano
3mi1iano
emi1iano
emi1i4no
3mi1i4no
3ml1l4no
eml1l4no
emlil4no
3mlil4no
3m1i14no
em1i14no
em1l14no
3m1l14no
3mili4no
emili4no
emili4n0
3mili4n0
3m1l14n0
em1l14n0
em1i14n0
3m1i14n0
3mlil4n0
emlil4n0
eml1l4n0
3ml1l4n0
3mi1i4n0
emi1i4n0
emi1ian0
3mi1ian0
3ml1lan0
eml1lan0
emlilan0
3mlilan0
3m1i1an0
em1i1an0
em1l1an0
3m1l1an0
3milian0
emilian0

To modify the behavior of the program you can easily modify the “characters” list

The Smith Project

The project

The project starts from the desire to monitor the Internet in search of threats but also in search of situations that are not correlated with each other but which, with time or with support, may be at the basis of larger and currently unpredictable phenomena.

The first phase of the project deals with timely monitoring: the solution monitors the domains that are registered, collects information on registrations and hosting and checks the contents of the sites. This step allows you to quickly identify the different types of cyber threats. The collected data can be used for investigations and analyzes.

When a threat (present or probable) is identified, this is reported to security companies who send it to the specific blacklist and then a tweet is produced which is published on my profile: https://twitter.com/ecarlesi

The analysis of the data collected during this phase can be used as a history to identify patterns that allow forecasts on future scenarios.

The second phase of the project aims to produce evidence of phenomena deriving them from patterns discovered by the analysis performed by the components operating in phase one.

Currently, approximately 250000-300000 second-level domains are registered every day. Many of these domains are used to carry out cyber threats: spam, phishing, c2c, etc.

The information that can be acquired through the WHOIS service is not really useful in most cases. In fact, due to the anonymization options, the data are too generic and do not allow to be traced back to the real owner of the domain.

The only fact that is currently taken into account by the solution is the company that registered.

Not all providers have the same reputation. Users who make massive registrations, for example, tend to use cheaper providers who therefore see their reputation lower than others and consequently we attribute a lower initial score to registrations made with these companies.

Another indicator that is taken into consideration by the solution is that linked to the SSL certificate, its issuer and its duration.

This first information collected contributes to the production of a score that is associated with each domain. This score is added to that produced by the subsequent phases and thus contributes to the overall evaluation of the domain.

The main analysis phase is the one where the contents of the website are analyzed. The contents are downloaded and analyzed to verify that there is clearly dangerous or potentially dangerous content. The verification of the contents is based on a database of signatures which is enriched daily and which in the future will be able to learn from the analysis history.

The solution is based on several underlying systems which interacting allow to implement the required logic. The following paragraphs describe the main systems and their roles.

Zefiro

The Zefiro project was born from the idea of having active monitoring of the domains that are registered. This monitoring allows you to “see what happens in the world” before this actually happens (the purchase of the Internet domain, in fact, turns out to be one of the first activities that are carried out when starting a project). The project fulfills this requirement: to receive notification of domains that are registered in a short time, on average a few (10-16) hours.

This component was developed using .NET Framework 4.7 and runs on Windows 2019 using a SQL Server 2019 database. The evolution of this project will be in its rewrite using .NET Core.

Currently the component writes its logs into files. In the future, these files will have to flow into a logs management platform to allow more immediate monitoring and the creation of alerts in the face of logged events.

Miniluv

This project uses information related to the domain (domain name, WHOIS, HTTPS certificate and more) to associate a risk score to each domain name. This score is used later to alter the normal monitoring mode. The domains with a score below a certain threshold are sent via a notification to the subscribers of a specific mailing list.

This component was developed using .NET Framework 4.7 and runs on Windows 2019 using a SQL Server 2019 database. The evolution of this project will be in its rewrite using .NET Core.

Smith

The Smith project implements the logic of monitoring and orchestrates the agents who perform the scans. Each scan produces a report which is saved by Smith and used for statistics and future model training.

The sending of reports to companies in the sector concludes the processing phase in the event that a threat (current or probable) is found. The report is then converted into a tweet and posted to my Twitter account.

The Server component was developed using ASP.NET Core and runs on Linux machines using a SQL Server 2019 database. We currently have three instances in three virtual machines managed by the same physical host. In the future, these services will need to be on physical hardware to improve performance.

The Agent component was developed using .NET Core and runs on Linux machines. Communication with servers takes place via HTTPS calls. We currently have nine instances each on a dedicated virtual machine. The machines are spread across two providers on four continents. The current load on these machines is 90% and to stay below this threshold it was necessary to limit some components, penalizing overall performance.

IP addresses analysis

This video shows how to use the web console to quickly analyze an IP address and configure a monitor that periodically checks the status of the TCP ports that you want to monitor.

Domain monitoring

This video shows how easy it is to receive notifications about registrations of new internet domains and newly created domain sites that display downloadable content. Finding phishing sites is a joke!