URLCrazy: is someone spying on your company?

by admin Email

Introduction.

This post was inspired after reading this article in PC World.  I wanted to find a way to discover if anyone was spying on a company by abusing the fact someone might send a mail to a company while making a typo in the domain name. Luckily for me Andrew Horton @ MorningStar Security has written a tool that we can (ab-)use for this.

 

The tool is URLCrazy. This tool will generate a number of domain names that are typos for a base domain name. For each of these generated typo domain names the tool will try to find the A record and the MX records.

 

Using the tool.

I used the 0.4 version of the tool. My test machine was an Ubuntu 11.04 with Ruby 1.8.7 installed.

 

When using the tool to investigate the domain 'example.com' the tool comes up with these results:

URLCrazy

 

Investigating the results.

The first column "Typo Type" shows what kind of alteration was performed on the base domain name. For the purpose of discovering spies we can disregard this column.

The second column "Typo" is the domain name with the typo.

The third column "Pop" shows how popular this domain name is using google. For the purpose of discovering spies we can disregard this column.

The fourth column "DNS-A" shows the IP address of the domain (if it has one).

The fifth column "DNS-MX" shows the name of any mail servers found serving that domain.

The sixth column "Extn" shows the top level domain for this domain (in some cases the second level is also present such as .co.nz).

 

We are interested not in squatters sitting on a domain that looks like ours but rather in domains spying on us by catching email meant for us. In order for this to happen the typo domain should have at least an IP address, after all domains without an IP address cannot receive any emails. This means we can disregard any domains without an IP from the output. Some squatters actually have IP addresses for their squatted domains so for all other entries we need to weed them out.

 

There are two ways of doing this:

  • surf to the domain and look at it, if it is from a squatter then this will be indicated on the website (usually mentioning the domain is for sale)
  • use the WHOIS service (either through a website or using the command line) to see who registered the domain, in some cases this is not visible but the output will direct you to a website where this data can be requested

 

Of course it is possible that the typo domain is an actual website used by a honorable person/company. This we can also investigate by surfing to the website and having a look around. Now things are getting more difficult. It is possible that a spy sets up a valid looking domain with a nice website.

 

There are some things we can investigate:

  • look through the whois data for the registrant
  • google the registrant
  • if the website is suppoed to be from a company, look in official databases for the data for that company (e.g. the TVA number, accounting records)
  • if the company publishes an address then you can have a look using googlemaps or if you know anyone living close by, have them go and take a look

 

Basically you want to go through the steps detailed in the "information gathering" phase of a penetration test.

So far all the investigation and the data gathered was obtained legally and ethically. If you are convinced a certain domain is used for spying you should take the data gathered so far to an official instance and file some kind of complaint.

 

Further reading.

Trackback address for this post

Trackback URL (right click and copy shortcut/link location)

2 comments

Comment from: Andrew Horton [Visitor]
Andrew HortonHi,

Nice write up about URLCrazy :)
22/09/11 @ 00:36
Comment from: Seb [Visitor] Email
SebNice one dude ;)
10/10/11 @ 15:42

This post has 5171 feedbacks awaiting moderation...