Tag Archives: typosquatting

Criminals Increasingly Using “Combosquatting” To Deceive Internet Users

Criminals online are increasingly using “combosquatting” to deceive internet users. The practice takes advantage of internet users being increasingly encouraged to check the domain name in an internet address before clicking on links. Combosquatters take advantage of this, using domain names with a familiar trademarks, but including additional words resulting in being taken to a website selling counterfeit goods, harvesting personal and financial information or installing malware.

Researchers from Georgia Tech and Stony Brook University in the U.S. conducted what is believed to be the first large-scale, empirical study of combosquatting. The work was supported by U.S. Department of Defense agencies, the National Science Foundation and the U.S. Department of Commerce.

The researchers explained that attackers might register familiarbankname-security.com or security-familiarbankname.com. Unwary users see the familiar bank name in the URL or web address, but the additional hyphenated word means the destination is very different from what was expected. The result could be counterfeit merchandise, stolen credentials, a malware infection – or another computer conscripted into a botnet attack.

The attack strategy, known as combosquatting, is a growing threat, with millions of such domains set up for malicious purposes, according to a new study presented in late October at the 2017 ACM Conference on Computer and Communications Security (CCS).

“This is a tactic that the adversaries are using more and more because they have seen that it works,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This attack is hiding in plain sight, but many people aren’t computer-savvy enough to notice the difference in the URLs containing familiar trademarked names.”

Combosquatting differs from its better-known relative, typosquatting, in which adversaries register variations of URLs that users are likely to type incorrectly. Combosquatting domains don’t depend on victims making typing errors, but instead provide malicious links embedded in emails, web advertising or the results of web searches. Combosquatting attackers often combine the trademarked name with a term designed to convey a sense of urgency to encourage victims to click on what appears at first glance to be a legitimate link.

“We have seen combosquatting used in virtually every kind of cyberattack that we know of, from drive-by downloads to phishing attacks by nation-states,” said Panagiotis Kintis, a Georgia Tech graduate research assistant who is the first author of the study. “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”

For their study, the researchers began with the 500 most popular trademarked domain names in the United States, and excluded certain combinations made up of common words. They separated the domains into 20 categories, then added two additional domains: one for politics – the study was done before the 2016 election – and another for energy.

With the resulting 268 trademark-containing URLs, they set out to find domain names that incorporated the trademarked name with additional words added at the start or end. They searched through six years of active and passive domain name system (DNS) requests – more than 468 billion records – provided by one of the largest internet service providers in North America.

“The result was mind-blowing,” said Kintis. “We found orders of magnitude more combosquatting domains than typosquatting domains, for instance. The space for combosquatting is almost infinite because attackers can register as many domains as they want with any variation that they want. In some cases, registering a domain can cost less than a dollar.”

In the six-year data set, the researchers found 2.7 million combosquatting domains for the 268 popular trademarks alone, and the combosquatting domains were 100 times more prevalent than typosquatting domains. The combosquatting attacks appear to be challenging to combat, with nearly 60 percent of the abusive domains in operation for more than 1,000 days – almost three years. And the number of combosquatting domains registered grew every year between 2011 and 2016.

Among the malicious domains, the researchers discovered some that had previously been registered by legitimate companies which had combined words with their trademarks. For some reason, those companies permitted the registrations to lapse, allowing the trademark-containing domain names – which once led to legitimate sites – to be taken over by combosquatting attackers.

In many cases, malicious domains were re-registered multiple times after they had expired, suggesting an improvement in “internet hygiene” may be needed to address this threat.

“Imagine what happens in a city when the garbage isn’t picked up regularly,” Antonakakis said. “The garbage builds up and you have diseases develop. Nobody collects the garbage domains on the internet, because it’s nobody’s job. But there should be an organization that would collect these malicious domains so they cannot be reused to infect people.”

More stringent anti-fraud screening of persons registering domains would also help, he added. “We don’t want to prevent legitimate users from getting onto the internet, but there are warning signs of potential fraud that registrars could detect.”

Longitudinal Typosquatting Study Finds Most Trademark Owners Do Little To Protect Their Domains

Trademark owners do little to protect their brands from typosquatters is one of the key findings of the first content-based, longitudinal studies of typosquatting undertaken by a Belgian and American university team.In the study, data about the typosquatting domains of the 500 most popular websites was collected every day for seven months. The team looked at whether previously discovered typosquatting trends still hold today, and looked for new results and insights in the typosquatting landscape.The research team at the Belgian University of Leuven and Stony Brook University in the US trawled through 900 GB of data from 3,389,137 web pages and 424,278 distinct WHOIS records gathered over a period of seven months and also found that even though 95 percent of the popular domains investigated are actively targeted by typosquatters, only a few trademark owners protect themselves against this practice by proactively registering their own typosquatting domains.The researchers also found typosquatting domains change hands from typosquatters to legitimate owners and vice versa, and that typosquatters vary their monetisation strategy by hosting different types of pages over time. Typosquatters are also on the look-out for expiring registrations of popular domain names. The researchers found that 50 percent of all typosquatting domains can be traced back to just four typosquatting page hosters and that certain TLDs are much more prone to typosquatting than others.When looking at the 500 most popular websites, they found that 477 of the domains for these sites had at least one malicious typosquatting domain. Additionally, only 156 of the authoritative domains in the list have defensive domain registrations, meaning that 344 domains (representing 68.8% of the 500 most popular websites) have no defensive registrations whatsoever.Of the top three of the top 500 with the most defensive registrations, huffingtonpost.com had the most with 57 defensive domains, americanexpress.com with 42 domains and bloomberg.com with 39 domains. The top three of authoritative domains with the most malicious typosquatting domains were adultfriendfinder.com with 132 typosquatting domains, constantcontact.com with 103 typosquatting domains and odnoklassniki.ru with 97 such domains. Alarmingly, out of the three banks in our top 500 list (bankofamerica.com, hdfcbank.com and icicibank.com), only bankofamerica.com has defensive registrations.The researchers also found, contrary to earlier research, that the longer the domain the greater likelihood of typosquatting. With a longer domain name, the number of possible typosquatting domains following the character substitution model rises very quickly. This change has come about in the last six years.To download the results of the study in full, go to:

NCC Group Launching Domain Assured To Provide Domain Abuse Monitoring

NCC Group logo[news release] Global information assurance firm NCC Group is launching Domain Assured, a new service which monitors the abuse, health and reputation of internet domains.

The service is aimed at domain name registrars and new gTLD owners, and provides continual monitoring of the major domain abuse types such as spam, typosquatting, hosting of malicious code and phishing. These can all damage the reputation of an internet domain, resulting in lost revenues and trust as confidence from end users disappears.

Built on top of technology from NCC Group’s advanced research group, Domain Assured will use expert threat intelligence capabilities to deliver a complete, real-time picture of a domain’s threat landscape, enabling registrars and registries to take a proactive approach to seeking out abuse.

Rob Cotton, CEO at NCC Group said: “We are passionate about making the internet a safer place. Domain Assured will make a big impact in protecting organisations and their customers and ease the transition as the new gTLDs are rolled out.”

ICANN has decreed that registry operators have to adhere to a minimum level of technical analysis regarding threats to their TLDs. Domain Assured ensures this standard is met and exceeded by delivering a complete picture of a domain’s threat landscape.

The scalable cloud-based solution can monitor millions of domains while providing rapid notifications of abuse. It makes use of NCC Group’s own algorithms to predict issues before they arise. Abuse thresholds can be configured to filter out potential false positives through the user-friendly customer portal, which is available 24/7.

Domain Assured will be a tiered offering, with additional services available on top of the comprehensive monitoring. These add-ons include an additional proactive component, where any flagged issues are dealt with immediately by NCC Group’s security testing and website performance teams.

Rob continued: “Our global reach and size means we can provide this service on a massive scale. We have legal and technical teams in house dedicated to monitoring and solving each case of abuse.

“Domain abuse can damage the reputation of registries and registrars, as well as harming end users. Domain Assured uses our threat intelligence capabilities to ensure customers have a detailed dashboard of their domain environments.”

Domain Assured is the latest initiative from NCC Group in the domain space. Last year ICANN approved its escrow division as a gTLD escrow agent, while the Group has also acquired .trust from Deutsche Post, as part of its mission to create a secure and trusted internet environment through new gTLDs.

CitizenHawk Tool Automates UDRP Filings

CitizenHawk has announced the launch of a cloud-based software tool that automates the process of filing a UDRP (Uniform Domain-Name Dispute Resolution Policy) – thus enabling companies to recover domains from typosquatters and other domain infringers at a fraction of the cost of traditional methods.

The tool is called HawkUDRP and collects relevant evidence, generates the necessary UDRP documentation and completes the entire process quickly and cost effectively. HawkUDRP can generate filing packages compliant with National Arbitration Forum (NAF), World Intellectual Property Organization (WIPO), Alternative Dispute Resolution (ADR), and Dispute Resolution Services (DRS) procedures. Moreover, the new tool boasts the ability to “clump” multiple offending sites sharing common (though often hidden) ownership, enabling brands to recover numerous domains in a single filing.

“The practice, which is growing an estimated 30 percent a year, is costing brands hundreds of millions of dollars annually. Companies can now fight back without having to engage higher priced legal counsel.”

CitizenHawk has been extraordinarily effective in UDRP proceedings, winning more than 99 percent of cases filed, and HawkUDRP gives users access to the same automated processes and technology that CitizenHawk itself uses to pursue infringing domains. The company is offering HawkUDRP as a complementary product to its core HawkDiscovery online brand protection platform. Like CitizenHawk’s other brand protection tools, HawkUDRP is seamlessly integrated into HawkDiscovery’s workflow and case management system, which tracks and records every action and permits sharing with as many authorized individuals as desired.

FICORA intervenes in case of exceptionally large numbers of misspelled FI-domain names

FICORA dot FI logo[news release] The Finnish Communications Regulatory Authority (FICORA) is examining hundreds of deliberately misspelled fi-domain names of Finnish companies and services. A total of 886 fi-domain names are being examined. They were applied for via a Maltese registrar but registered under a Finnish holder.

FICORA has contacted the Finnish holder and the Maltese registrar and continues to investigate the case. The Maltese registrar’s right to apply for new fi-domain names has been denied until further notice.

Spelling mistake leads to advertisement site

It is typical of the misspelled domain names that the difference between them and a business name, trademark or similar protected by the Domain Name Act is hardly noticeable, which is when the internet user ends up on a false site due to e.g. a spelling mistake. For example, http://www-mol.fi/ is such a misspelled address.

Typically, a website utilising a misspelled address contains advertisement links to various services. If the user, who has entered the site by accident, clicks on the advertisement link, the site maintainer gets paid by the advertiser. The phenomenon is called ‘typosquatting’ in English.

This FICORA news release was sourced from:

Europe Registry logoTo register your .FI domain name, check out Europe Registry here.

Conflicts between Trademarks and Domain Names: A Critical Analysis by Snehlata Singh

Abstract: The essay discusses the issue of conflicts between trademarks and domain names. It discusses in detail the causes and kinds of the disputes and what the current legal system has to offer to this situation. Conflicts such as cybersquatting, typosquatting, reverse domain name hijacking are discussed in length with the help of relevant case laws.The proposed solutions such as ICANN and UDRP have been analysed in detail. As the essay proceeds, it is made apparent that the current legal system is incapable of handling these issues effectively. The essay concludes with the same remark and suggestions that might help in settling these disputes.To download this paper in full, see:

Doppelganger Domains Highlighted As New Case Of Domain Name Fraud Used For Data Theft

A study into the impact of Doppelganger Domains has revealed that of the Fortune 500 companies, 151 companies (or 30%) were susceptible to attacks.Doppelganger Domains are a new type of typosquatting that takes advantage of an omission instead of a misspelling. They occur when the domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.In their study, the Godai Group outlines two types of email based attacks that are possible with a Doppelganger Domain. These are where:

  • the first attack vector is completely passive. Once the attacker purchases the Doppelganger Domain, they will configure an email server to receive all email addressed to that domain, regardless of the user it was destined to. This type of configuration is also known as a catch-all email account. As email is a high-volume, primary communication mechanism for many corporations, a small percentage of those emails will be sent to the wrong destination because of user error (a typo by the email’s sender). The attacker relies on this fact and will start collecting emails from both internal and external users.
  • the second attack vector involves social engineering and is likely to be only used on specific individuals. As a Doppelganger Domain can be very similar to the legitimate email domain, an attacker will impersonate a person and attempt to obtain sensitive information via social engineering.

The Godai Group conducted a six month study where over 120,000 individual emails (or 20 gigabytes of data) were collected which included trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc. Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination.The most popular keywords used, with over 400 counts for each one, were “investigation”, “credit card”, “password”, “login” and “contract”.Examples of a Doppelganger Domain are where a company may have an email address of name@us.company.com or name@ru.bank.com. The attacker may use email addresses such as name@uscompany.com or name@rubank.com.Using the above scenario, which outlined diagrammatically in the report, an attacker could purchase both uscompany.com and rubank.com allowing them to capture the mistyped email domains. When an email is mis sent from us.company.com to rubank.com, the email arrives instead in the attacker’s mailbox. The attacker creates a script to auto‐forward those emails from his uscompany.com address to the legitimate ru.bank.com address.Most likely, the recipient at the ru.bank.com address will be unaware that the email sourced from a Doppelganger Domain. The ru.bank.com user will then reply to the Doppelganger Domain email address, with the pertinent information we requested.The ru.bank.com user then replies to the wrong email address, instead sending it to the uscompany.com address. When that response comes in to the attacker’s uscompany.com mailserver, the attacker again creates a script to auto‐forward that email out of our rubank.com email address to the valid us.company.com. If both parties are unaware of the mistyped address, the attacker now has a full Man‐in‐the‐MailBox scenario.The study outlines the issue in more detail, and also gives some “mitigation strategies” to defend against Doppelganger Domains and the two email-based attacks that stem from them, as well as offering to provide services to prevent the problem themselves.The mitigation strategies offered are:

  • purchase and register the Doppelganger Domains. On the external DNS, configure those domains to not resolve anywhere so that the sender would receive a bounced email notification.
  • Identify if attackers are already using a Doppelganger Domain against your company, and file a Uniform Domain Dispute Resolution Policy (UDRP) if they are.
  • Internally configure the DNS to not resolve any Doppelganger Domains, even if your company does not own them. This will protect internal only email from being accidentally sent to a Doppelganger Domain.
  • An alternative to configuring the internal DNS for Doppelganger Domains is to configure the mail server to not allow any outbound email destinations to Doppelganger Domains.
  • Communicate the attack vector to your internal users, customers, and business partners. The more awareness they have on social engineering attacks, the less susceptible they will be.

To download and read the full report from the Godai Group, go to files.godaigroup.net/doppelganger/Doppelganger.Domains.pdf or see godaigroup.net for more information in general about the Godai Group.

Facebook, Google Most Popular Type-In Domain Names

Most people may use a search engine to go to their website of choice, but there are still some internet users who go to at least some of their websites by typing in the domain name, and the most popular type-in is Facebook.com followed by Google.com.And if you want to typosquat a domain name, the best domain name to have is Faceboook.com.These are the findings from six months of data collected and analysed by Chris Finke from his Firefox browser add-on URL Fixer. URL Fixer corrects typos in URLs that you enter in the address bar. For example, if you type google.con, it will correct it to google.com (asking first, if you enable confirmation).Finke analysed more than 7.5 million URL bar entries and he found that facebook.com is by far the most typed in domain name, three times more popular than the second most popular typed in domain – google.com, although google.com is still the most popular website.The reason for this is many people get to Google via the search or address bar in their browser rather than going to the Google website. Likewise, Yahoo is the seventh most popular address but is a top five domain.The top ten type-in domain names are facebook.com (with 9% of all type-ins) followed by google.com (3.3%), youtube.com (3.3%), gmail.com (1.1%), twitter.com (1.1%), mail.google.com (0.6%), yahoo.com (0.6%), hotmail.com (0.6%), amazon.com (0.5%) and reddit.com (0.5%).The most commonly mistyped domain names after faceboook.com are googe.com and goole.com. However as a proportion of typed-in domain names, very few end up at scam websites with only one type-in ending up at a scam site once for every 7,390 times the correct Facebook address is typed in.And .COM domains make up 63 per cent of all typed in top level domains followed by .ORG (4%), .NET (4%)and .DE (4%), reflecting both on some of the more popular TLDs and where Finke’s add-on is popular. Rounding out the top nine are .RU (2%) then .HU, .FR, co.uk and .BR (all 1%).The top 17 TLD typos are all variations of .com. In order of frequency, they are .com, .ocm, .con, .cmo, .copm, .xom, “.com,”, .vom, .comn, .com’, “.co,”, .comj, .coim, .cpm, .colm, .conm, and .coom.The most popular non-.com/.net/.org domains: google.de, vkontakte.ru (a Russian social network), and google.fr.Facebook and Google dominated worldwide according to Finke’s analysis with the only locales where neither Google nor Facebook control the most popular domain are ru-RU (Russia – vkontakte.ru), fi-FI (Finland – aapeli.com, a gaming website), ko-KR (Korea – fomos.kr, an e-sports website), and zh-CN (China – baidu.com).And finally in his analysis Finke notes that none of the domains with more than a 0.0005 per cent share are unregistered, indicating that this kind of usage data would not be very useful to a scammer or phisher looking for new domain names.The full analysis by Chris Finke is available at www.chrisfinke.com/2011/07/25/what-do-people-type-in-the-address-bar.

Typosquatting Takes Advantage of Social Networking

Typosquattng is moving into a new phase with the popular use of social networking sites such as Facebook and Twitter.By registering domain names such as facebok.com and twitr.com, unscrupulous typosquatters are using the sites to “display advertisements or fraudulent promotional offers … in the [hope] that misspellings will draw traffic – and victims,” according to a report published on MSNBC.These sites draw “millions of people who visit Facebook and Twitter each day by offering ‘gifts’ of iPads or other ‘exclusive prizes.'”The report then notes that when a user goes to facebok.com, they find the following message:
“Dear Visitor, You’ve been selected to take part in our anonymous survey. Complete this 30 second questionnaire, and to say ‘thank you,’ we’ll offer you a few exclusive prizes. This offer is available today only.”A similar message comes up at Twitr.com, and to win these exclusive prizes, the user has part with their personal information, which then becomes the property of the cybercriminal.The full story on MSNBC is available at www.msnbc.msn.com/id/40538986

Typosquatting May Earn Google $500 million per year

Researchers at Harvard University have discovered that Google may be making around half a billion dollars per year via typosquatting, says a NewScientist report.”Moore and Edelman started by using common spelling mistakes to create a list of possible typo domains for the 3264 most popular .com websites, as determined by Alexa.com rankings,” says the report. “They estimate that each of the 3264 top sites is targeted by around 280 typo domains.”The report says researchers analysed revenue sources from 285,000 of the 900,000 typo domains found by Tyler Moore and Benjamin Edelman, the Harvard researchers, and found around 80 per cent were supported by pay-per-click ads, and Google ads were by far the most prevalent.”If the top 100,000 websites suffer the same typosquatting rate as the sites Moore and Edelman studied, up to 68 million people a day could visit a typo site, they say. They estimate that almost 60 per cent of typo sites could have adverts supplied by Google.”Google says they remove advertising from typosquatted domain names only if the original trademark holder files a complaint.To read this NewScientist report in full, see: