Of Typosquatting Domain Names

Of Typosquatting Domain Names

The Long “Taile” of Typosquatting Domain Names Janos Szurdi, Carnegie Mellon University; Balazs Kocso and Gabor Cseh, Budapest University of Technology and Economics; Jonathan Spring, Carnegie Mellon University; Mark Felegyhazi, Budapest University of Technology and Economics; Chris Kanich, University of Illinois at Chicago https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/szurdi This paper is included in the Proceedings of the 23rd USENIX Security Symposium. August 20–22, 2014 • San Diego, CA ISBN 978-1-931971-15-7 Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX The Long “Taile” of Typosquatting Domain Names Janos Szurdi Balazs Kocso∗ Gabor Cseh∗ † Jonathan Spring Mark Felegyhazi∗ Chris Kanich Carnegie Mellon University ∗Budapest University of Technology and Economics †University of Illinois at Chicago Abstract words (possibly used in spam [17]), contain keywords of highly-visible recent events (ex. hillaryclingon.com Typosquatting is a speculative behavior that leverages for political phishing in 2008 [28]) or are similar to other, Internet naming and governance practices to extract profit typically well-known, domain names (ex. twtter.com from users’ misspellings and typing errors. Simple and [27, 32]). Domain purchasers use this final technique, of- inexpensive domain registration motivates speculators ten called “typosquatting,” to capitalize on other domain to register domain names in bulk to profit from display names’ popularity and user mistakes to drive traffic to advertisements, to redirect traffic to third party pages, their websites. to deploy phishing sites, or to serve malware. While Many old and new domain names alike do not ever previous research has focused on typosquatting domains show up in search engines, spam traps, or malicious URL which target popular websites, speculators also appear blacklists, yet still maintain a web server hosting some to be typosquatting on the “long tail” of the popularity form of content. However, maintaining the domain reg- distribution: millions of registered domain names appear istration, DNS, and web server expends resources, even to be potential typos of other site names, and only 6.8% if these domain registrations do not serve an obvious pur- target the 10,000 most popular .com domains. pose. Investigating the purpose of domain registrations Investigating the entire distribution can give a more in the “long tail” of the popularity distribution can help complete understanding of the typosquatting phenomenon. us better understand these enterprises and their relation- In this paper, we perform a comprehensive study of ty- ship to speculative and malicious online activities. In posquatting domain registrations within the .com TLD. this paper, we specifically consider the hypothesis that Our methodology helps us to significantly improve upon typosquatting is a reason for many of these registrations, existing solutions in identifying typosquatting domains and scrutinize different methods for committing malice and their monetization strategies, especially for less pop- or monetizing this behavior. ular targets. We find that about half of the possible typo In the Internet economy, monetizing on user intent domains identified by lexical analysis are truly typo do- has been a very profitable business strategy: search dis- mains. From our zone file analysis, we estimate that 20% play advertising is effective because relevant ads can be of the total number of .com domain registrations are true shown based on user search queries. DNS is similar, typo domains and their number is increasing with the ex- as domain registrations provide ample opportunities for pansion of the .com domain space. This large number of monetization through direct user navigation rather than typo registrations motivates us to review intervention at- search. Domain name front running, domain tasting and tempts and implement efficient user-side mitigation tools typosquatting domain names can all monetize this phe- to diminish the financial benefit of typosquatting to mis- nomenon. 1 [12] According to [22], domain tasting was creants. nearly eliminated in the generic TLDs by the 2009 pol- icy changes by ICANN. In addition, [12] reports that the 1 Introduction 1Domain name front running is when registrars register domains that users have been looking for in order to monetize on their registration Thousands of new domain names are registered daily that potential. Domain tasting is speculative behavior abusing the five-day at first glance do not have completely legitimate uses: grace period after domain registrations in some TLDs. This liberal registration policy gave refunds within a few days if the registrant some contain random characters (possibly used by mis- wanted, however this policy resulted in short domain registrations en creants [23]), are a composite of two completely unrelated masse. ICANN has since changed policy, limiting the behavior [12, 22]. USENIX Association 23rd USENIX Security Symposium 191 anecdotes about domain name front running by major reg- 4.9% of all lexicographically similar name registrations istrars do not seem to hold. But typosquatting, the most target these popular domains. While typos for the most prevalent speculative domain name registration behavior popular domains likely account for a significant amount to date, continues apace. of typo traffic, it is unclear whether the long tail also Typosquatting wastes users’ time and no doubt annoys supports a significant amount of typo traffic. them as well. As we show in Section 4.5, less than two Here we present a systematic study of domain name reg- percent of all domains we identify as “typo domains” redi- istrations focusing on typosquatting perpetrated against rect the user to the targeted domain, and the lion’s share the long tail of the popularity distribution. We design a set instead serve advertisements which previous research has of algorithms that can effectively identify typosquatting shown to be profitable. [16, 26] These ad-filled pages give domains and categorize the monetization method of its no clear indication to the user that they have typed the owner. We also design and implement tools to improve domain incorrectly; without a descriptive error, the user user experience by allowing them to reach their intended may abandon their task rather than double check their destination. Although various user tools exist in the wild, spelling. By monetizing these pages with advertisements, most are inaccurate and focus only on a limited set of the typosquatter does a disservice both to the user and the targeted domains. Our typo identification algorithms com- victim web site. Protecting users from typosquatters can bined with the user protection tools provide improved lessen the damage as well as disincentivize typosquatting protection against being misled by typosquatting, even by decreasing the squatters’ profits. when it is perpetrated against less popular sites. If a typosquatter hosts a site that impersonates the le- Section 2 provides background on typosquatting and gitimate brandholder it is certainly malicious and in some the most common tricks used by typosquatters. Section 3 jurisdictions illegal. Such overt violations have been mit- presents our data collection methodology and describes igated via legislation in the US and policy by ICANN our typo categorization framework. Section 4 presents a [15, 21, 30]. For example, Facebook recently extracted characterization of the extent, purpose, trends, and malice a $2.8 million judgement against typosquatters imper- involved in the perpetration of typosquatting. We present sonating their website; this successful litigation should mitigation tools and intervention options in Section 5. serve as a strong deterrent against this form of malicious Section 6 concludes. typosquatting against entities with the resources to liti- gate [18]. Several reports by commercial security teams 2 Background have cited typosquatting domains’ use in malicious cam- paigns for quiz scams [8], spam survey sites [37], in an Popularity attracts speculation, and typosquatting is a SMS micro-payment scam [14], offering deceptive down- showcase of this observation in the Internet ecosystem. loads or serving adult content [25], or in a bait-and-switch Typosquatting maintains its popularity even in the face scam offering illegal music downloads [29]. However, un- of the continuous effort to diminish its impact. In this til this paper, evidence regarding the extent of malicious section, we present a general overview of typosquatting typosquatting problems has not been available. and discuss efforts to protect legitimate domain owners Typosquatting has been studied in depth in related work. from speculation. In his first paper, Edelman points to the typosquatting phenomenon and discusses possible incentives for both 2.1 Typo techniques and monetization squatters and defenders [15]. Wang et al. include a typo- patrol service in their Strider security framework that Typosquatters register domain names that are similar to focuses on generating typo domains for popular domains those used by other websites in hope of attracting traffic and protect visitors from offending content [35]. Moore due to user mistakes. The most frequent occurrences of and Edelman revisit the problem in [26] pursuing a more mistyping are those that involve a one-character distance, thorough study of the original thesis of Edelman. They also called the Damerau-Levenshtein (DL) distance

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us