ABSTRACT
Domain squatting is a common adversarial practice in which attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first large-scale, empirical study of combosquatting by analyzing more than 468 billion DNS records, collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days and, even worse, we observe increased combosquatting activity year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse, including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.
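The abstract defines combosquatting as a trademark embedded in a registered name together with extra phrases, which is a different pattern from typosquatting. The following is an added example, not code from the paper, showing how an analyst could triage a list of observed domains (defanged indicators included) into brand-owned, combosquatting, and typosquatting candidates. The tiny public-suffix stand-in, the analyst-supplied trademark list, the classification order (exact match, then substring, then edit distance), and the sample domains are all assumptions made for this example.

```python
"""
Combosquatting candidate classifier.

Added example for this page; it is not the paper's code. Assumptions
that are not in the abstract: the tiny public-suffix stand-in, the
analyst-supplied trademark list, and the rule that a trademark appearing
inside the effective 2LD with extra characters counts as a candidate.
"""

# Stand-in for the Public Suffix List (assumption; use the full PSL in practice).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Analyst-supplied trademarks (constructed sample input).
TRADEMARKS = ["facebook", "youtube", "paypal", "google"]


def refang(domain: str) -> str:
    """Normalise a possibly defanged indicator ('youtube-live[.]com') to a plain name."""
    return domain.lower().strip().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def e2ld(domain: str) -> str:
    """Effective second-level label: 'youtube-live' for 'www.youtube-live.com',
    'paypal' for 'login.paypal.co.uk'."""
    labels = refang(domain).split(".")
    for n in (2, 1):  # longest known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[-n - 1]
    return labels[-2] if len(labels) > 1 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used only to tell typosquats apart from combosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, trademarks=TRADEMARKS, max_typo_distance: int = 1):
    """Return (category, trademark) for a domain:
       'trademark'  the e2LD is exactly a trademark (the brand's own domain)
       'combosquat' a trademark appears inside the e2LD with extra characters
       'typosquat'  the e2LD is within max_typo_distance edits of a trademark
       'none'       no trademark involvement
    Order matters: exact match, then substring, then edit distance (assumption)."""
    label = e2ld(domain)
    for tm in trademarks:
        if label == tm:
            return ("trademark", tm)
    for tm in trademarks:
        if tm in label:
            return ("combosquat", tm)
    for tm in trademarks:
        if edit_distance(label, tm) <= max_typo_distance:
            return ("typosquat", tm)
    return ("none", None)


def combo_phrases(domain: str, trademark: str):
    """The non-trademark pieces of a combosquatting label, separators stripped:
       'betterfacebook.com' -> ['better'], 'youtube-live.com' -> ['live']."""
    parts = [p.strip("-_") for p in e2ld(domain).split(trademark)]
    return [p for p in parts if p]


def triage(domains, trademarks=TRADEMARKS):
    """Bucket a list of observed domains (e.g. from passive DNS) by category."""
    buckets = {}
    for d in domains:
        cat, tm = classify(d, trademarks)
        buckets.setdefault(cat, []).append((refang(d), tm))
    return buckets


if __name__ == "__main__":
    # Constructed sample input, not data from the paper.
    sample = ["betterfacebook[.]com", "youtube-live[.]com", "www.facebook.com",
              "facebok.com", "login.paypal.co.uk", "example.org"]
    for cat, hits in triage(sample).items():
        print(cat, hits)
```

Two caveats a practitioner should keep in mind: plain substring matching over-fires on short trademarks that are also ordinary words or word fragments (a dictionary check on the surrounding label is the usual remedy), and a real deployment must use the full Public Suffix List rather than the five-entry stand-in above, otherwise names under suffixes such as `co.jp` or `github.io` will be mislabelled.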
Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse