Twist & Shout: Ferris Bueller's Guide to Abuse Domain Permutations

Presentation from Sqr00t 2019 explores the ins and outs of domain abuse, and how to prevent it.

Presentation by Kelly Albrink and Rob Ragan at Sqr00t 2019

Internet scammers move pretty fast. If you don’t stop and look around once in a while, you could miss it.

Just as Ferris Bueller always had another trick up his sleeve to dupe Principle Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domains permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or for corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans.

The question isn’t what are we going to do about it. The question is what aren’t we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real-time, the blue team doesn’t have to trust domain permutations any further than they can throw them.

This presentation covers:

  • Types of Abuse Domain Permutations
  • Why Domain Abuse Happens
  • Monitoring & Defense Techniques

Rob ragan

About the author, Rob Ragan

Principal Researcher

Rob Ragan is a Principal Researcher at Bishop Fox. Rob focuses on pragmatic solutions for clients and technology. He oversees strategy for continuous security automation. Rob has presented at Black Hat, DEF CON, and RSA. He is also a contributing author to Hacking Exposed Web Applications 3rd Edition. His writing has appeared in Dark Reading and he has been quoted in publications such as Wired.

Rob has more than a decade of security experience and once worked as a Software Engineer at Hewlett-Packard's Application Security Center. Rob was also with SPI Dynamics where he was a software engineer on the dynamic analysis engine for WebInspect and the static analysis engine for DevInspect.

More by Rob

Kelly albrink

About the author, Kelly Albrink

Application Security Practice Director

Kelly Albrink (CCNA CyberOps, GCIH, GSEC, OSCP, GWAPT, Sec+) is the Application Security Practice Director at Bishop Fox. In this role, she focuses on application security, red teaming, network penetration testing, and hardware security.

Kelly has presented at a number of Bay Area events including Okta's inaugural security conference, Okta Rex, Day of Shecurity, and the DeadDrop San Francisco Meetup. She is a recipient of the SANS CyberTalent Immersion Academy scholarship, and is an active CTF participant. Kelly has competed in the NetWars Tournament of Champions, a national invite-only competition that admits only those who have placed highly in regional CTFs. In addition, she volunteers with her local hackerspace, Noisebridge, where she organizes Infosec Lab Nights and mentors aspiring penetration testers.

More by Kelly

Extend Your Knowledge

Check out these related resources.

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.