Chrome Site Whitelist Extension


Tuesday 7th March 2017

Please see the associated project page for download and installation instructions. All code, version history and further information can be found on the GitHub repository.

-The project is early in development so some features are not yet working properly or tested thoroughly.-

I recently starting developing a browser extension for Google Chrome. It allows the user to set a list of whitelisted sites that will then be highlighted in Google Search results. The extension icon also changes to green when you are currently browsing a whitelisted site.

It is designed to be an anti-typosquatting tool and to highlight known trusted sites.

What is typosquatting?

Typosquatting is a form of phishing, and refers to the malicious registration of domain names that are similar to those of popular websites, with the intent to deceive users into visiting them.

Typosquatting relies on either one of two things: a user incorrectly typing a URL into the address bar, or a user only glancing at a URL before clicking it.

Below are a few examples. At first glance they look like legitimate names, but when you look more closely you'll realise that they are phishing names. Use the find tool (Ctrl+F) to determine the true identity of the characters used in the names.

googIe
arnazon
paypaI
lndiegogo
steamcomrnunity
MlCROSOFT

As you can see, there are many common combinations of letters that make for a good typosquat, such as replacing an "m" with "rn" or "nn", or replacing an "I" with a "l". Using a fixed-width font is a great way to counter this.

Another form of phishing domain is when subdomains are used. For example:

www.google.com.example.com
www.amazon.com.example.com
steamcommunity.com.example.com

To a less experienced user, these may look like the official sites. Instead, they are simply subdomains of a potentially malicious domain.

Phishing sites may attempt to be a complete clone of the official site, or simply collect account details. A false login form will be presented on the phishing site, the user enters their details, the site logs the entered details but also posts them to the official login form before redirecting the user to the official site. This is a perfect attack, since the phishing site has collected the user account details without raising any sort of suspicion from the user, and they are now browsing the official site like normal.

Generating Phishing Domains

A particularly interesting tool that I found on GitHub a while ago is dnstwist by elceef.

It takes your domain name and generates potential phishing domains, then checks whether they are registered or not. This is useful to help find any existing phishing domains that exist for your site, as well as to find domains to register to protect against typosquatting and phishing.

Example output (results condensed to 4 per type):

jamie@box:~$ ./dnstwist.py jamieweb.net
     _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.04b}

Processing 264 domain variants ..33%.65%.98% 3 hits (1%)

Original*      jamieweb.net      89.34.99.41
Addition       jamieweba.net     -
Addition       jamiewebb.net     -
Addition       jamiewebc.net     -
Addition       jamiewebd.net     -
Bitsquatting   kamieweb.net      -
Bitsquatting   hamieweb.net      -
Bitsquatting   namieweb.net      -
Bitsquatting   bamieweb.net      -
Homoglyph      jannieweb.net     -
Homoglyph      jamiêweb.net      -
Homoglyph      jarnieweb.net     -
Homoglyph      jamiеweb.net      -
Hyphenation    j-amieweb.net     -
Hyphenation    ja-mieweb.net     -
Hyphenation    jam-ieweb.net     -
Hyphenation    jami-eweb.net     -
Insertion      jami4eweb.net     -
Insertion      jamiewe3b.net     -
Insertion      jamizeweb.net     -
Insertion      jaqmieweb.net     -
Omission       jaieweb.net       -
Omission       jamieeb.net       -
Omission       jamiewb.net       -
Omission       jameweb.net       -
Repetition     jaamieweb.net     -
Repetition     jamiieweb.net     -
Repetition     jammieweb.net     -
Repetition     jjamieweb.net     -
Replacement    jajieweb.net      -
Replacement    jamiewrb.net      -
Replacement    japieweb.net      -
Replacement    j1mieweb.net      -
Subdomain      j.amieweb.net     -
Subdomain      ja.mieweb.net     -
Subdomain      jam.ieweb.net     -
Subdomain      jami.eweb.net     -
Transposition  ajmieweb.net      -
Transposition  jmaieweb.net      -
Transposition  jaimeweb.net      -
Transposition  jameiweb.net      -
Vowel-swap     jameeweb.net      -
Vowel-swap     jamiewib.net      -
Vowel-swap     jumieweb.net      -
Vowel-swap     jamiewob.net      -
Various        wwjamieweb.net    -
Various        wwwjamieweb.net   -
Various        www-jamieweb.net  -
Various        jamiewebnet.net   -

Examples

A real-world example of typosquatting is ARNAZON.com. When displayed in lower case (arnazon.com), it looks very similar to the official site name and would likely fool a user should they only glance at it. Arnazon.com is actually owned by Amazon and will simply redirect you to the official Amazon.com site should you visit it.

I personally do not like it when company-owned typosquat domains simply redirect transparently to the official website. I think that a better approach would be to redirect the user to an informational page informing them of their mistake and the dangers of typosquatting.

How does the extension work?

A content script is run whenever you load a Google search page. Only google.com and google.co.uk are available by default, however you can easily edit the manifest.json file to add your own prefered Google site. The content script fetches every anchor (hyperlink) tag (<a>) on the page and checks each one individually using a for loop.

Quite conveniently, the anchor tags for Google search result links are the only anchors on the page that have a defined href AND no defined class. This makes it easy to filter out everything else, leaving only the Google search result links. The script matches the hostnames of the links to the whitelisted hostnames from the user configuration. If there is a match, the associated search result will be highlighted in green by changing it's CSS properties.

An additional content script runs on every single page. This simply checks whether the current site that you are browsing is on the whitelist. If it is, the extension icon for the tab is changed to green.

Why did I create the extension?

I created the extension to help raise user confidence when searching on Google. Even though Google is usually pretty good at filtering out malicious websites and correcting typing errors, bad stuff still gets through. Now there is no need to manually verify every Google search result link clicked, as your manually whitelisted sites will show up in green!