He also found that 193 of the 433 domain names had a mail exchange (MX) record configured, which means that they were able to receive email.
Of those 193 domains, 22 accepted email for any user, even if the recipient addresses didn't exist. This means that, at least in principle, their owners could intercept private email sent to the real ICS vendor.
In one case, Wightman received a phishing email from slemens.com (SLEMENS.COM) a few months after he tested sending email to a made-up email address under that domain. At some point, the same domain hosted malware.
Another domain, siemsns.com, was found hosting, at different times, a tech support scam leading to a remote access Trojan installer, adware in the form of a browser extension and a rogue survey.
In fact, Wightman found 254 live hosts configured on the 433 squat domains. Almost half of them hosted advertising or for-sale pages, but 28 of them performed suspicious redirects and 10 hosted malware.
The researcher didn't find any malicious programs that specifically targeted industrial control systems, but he found malware for Windows and OS X, including a previously unknown OS X threat that had zero detection rate among antivirus products.
"Someone is going to get nasty with this" and specifically target ICS owners, Wightman said.
Attackers could, for example, register a squat domain and mimic the deep linking structure for a firmware update from a real vendor's website. If such a link is then distributed to users it could make the domain name mismatch harder to spot, he said.
Legally, it can be hard and costly for companies to deal with domain squatting once it happens, because they need to file a complaint and prove trademark infringement, or buy the squat domain from its existing owner for a substantial amount of money. In fact, many squatters register such domains in order to later sell them to brand owners for a significant profit.
It's much easier and cheaper for companies to register potential squat domains early on and protect their brands from potential abuse. There are tools such as dnstwist that companies can use to identify potential squat domains that could affect them.
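The following is an added example, not code from the article and not dnstwist's own code, showing the two checks the article describes: generating lookalike names for a brand domain (omission, transposition, single-letter replacement and homoglyph swaps, the same families of permutations dnstwist produces) and then filtering them to the ones that carry an MX record and so can receive mail. The brand domain `siemens.com` is assumed as sample input, inferred from the squat names quoted above; the MX resolver is injected as a callable so the script runs offline against a constructed stub, and a dnspython call is noted in a comment for live use.

```python
"""Typosquat candidate generation plus MX filtering (added example)."""
import string
from typing import Callable, Dict, List, Set

# Small, hypothetical table of visually confusable characters.
HOMOGLYPHS = {
    "i": ["l", "1"],
    "l": ["i", "1"],
    "o": ["0"],
    "e": ["3"],
    "m": ["rn", "n"],
    "s": ["5"],
}


def squat_candidates(domain: str) -> Set[str]:
    """Return lookalike domains derived from `domain`.

    Only the label left of the TLD is mutated; the TLD is kept as-is.
    Techniques: character omission, adjacent transposition, single-letter
    replacement, and homoglyph substitution.
    """
    label, _, tld = domain.rpartition(".")
    out: Set[str] = set()
    # omission: drop one character (siemens -> siemns)
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])
    # transposition: swap two adjacent characters (siemens -> simeens)
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # replacement: change one character to any other letter (siemens -> siemsns)
    for i in range(len(label)):
        for ch in string.ascii_lowercase:
            if ch != label[i]:
                out.add(label[:i] + ch + label[i + 1:])
    # homoglyph: visually similar substitutions (siemens -> slemens)
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    out.discard(label)
    out.discard("")
    return {f"{cand}.{tld}" for cand in out}


def mailable_squats(domain: str,
                    lookup_mx: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each candidate that has an MX record to its MX hosts.

    `lookup_mx` returns a list of MX hostnames for a name, or an empty list
    (or raises) when there is none. For live use, a dnspython resolver such as
    `[str(r.exchange) for r in dns.resolver.resolve(name, "MX")]` fits this
    signature; here a stub is injected so the example runs offline.
    """
    found: Dict[str, List[str]] = {}
    for cand in sorted(squat_candidates(domain)):
        try:
            hosts = lookup_mx(cand)
        except Exception:  # NXDOMAIN, timeout, etc.: treat as no MX
            hosts = []
        if hosts:
            found[cand] = hosts
    return found


# Constructed stub standing in for DNS: only two lookalikes "have" MX records.
FAKE_MX = {
    "slemens.com": ["mx.squatter-example.net"],
    "siemsns.com": ["mail.squatter-example.org"],
}


def fake_lookup_mx(name: str) -> List[str]:
    return FAKE_MX.get(name, [])


if __name__ == "__main__":
    brand = "siemens.com"  # assumed brand domain
    cands = squat_candidates(brand)
    print(f"{len(cands)} candidate squat names for {brand}")
    for name, hosts in mailable_squats(brand, fake_lookup_mx).items():
        print(f"  {name}: MX -> {', '.join(hosts)}")
```

The permutation set is deliberately the conservative subset that can be reasoned about by hand; the point for a defender is that the names which turn up with an MX record are the ones worth registering first or adding to a mail-gateway block list, since those are the ones that could swallow misaddressed mail.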