Hiding in plain Sight: A longitudinal study of combosquatting abuse

Panagiotis Kintis; Najmeh Miramirkhani; Charles Lever; Yizheng Chen; Roza Romero-Gómez; Nikolaos Pitropakis; Nick Nikiforakis; Manos Antonakakis

doi:10.1145/3133956.3134002

Hiding in plain Sight: A longitudinal study of combosquatting abuse

Panagiotis Kintis
, Najmeh Miramirkhani
, Charles Lever
, Yizheng Chen
, Roza Romero-Gómez
, Nikolaos Pitropakis
, Nick Nikiforakis
, Manos Antonakakis

Computer Science

Institute of Technology
Stony Brook University
London South Bank University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

145 Scopus citations

Abstract

Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.] com, youtube-live[.]com). We perform the first largescale, empirical study of combosquatting by analyzing more than 468 billion DNS records-collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.

Original language	English
Title of host publication	CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	569-586
Number of pages	18
ISBN (Electronic)	9781450349468
DOIs	https://doi.org/10.1145/3133956.3134002
State	Published - Oct 30 2017
Event	24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States Duration: Oct 30 2017 → Nov 3 2017

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Country/Territory	United States
City	Dallas
Period	10/30/17 → 11/3/17

Keywords

Combosquatting
Domain Name System
Domain Squatting
Network Security

Access to Document

10.1145/3133956.3134002

Cite this

Kintis, P., Miramirkhani, N., Lever, C., Chen, Y., Romero-Gómez, R., Pitropakis, N., Nikiforakis, N., & Antonakakis, M. (2017). Hiding in plain Sight: A longitudinal study of combosquatting abuse. In CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 569-586). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3133956.3134002

@inproceedings{2663cd2b3ef54965bb59d4847c5cf44f,

title = "Hiding in plain Sight: A longitudinal study of combosquatting abuse",

abstract = "Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called {"}combosquatting,{"} in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.] com, youtube-live[.]com). We perform the first largescale, empirical study of combosquatting by analyzing more than 468 billion DNS records-collected from passive and active DNS data sources over almost six years. We find that almost 60\% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.",

keywords = "Combosquatting, Domain Name System, Domain Squatting, Network Security",

author = "Panagiotis Kintis and Najmeh Miramirkhani and Charles Lever and Yizheng Chen and Roza Romero-G{\'o}mez and Nikolaos Pitropakis and Nick Nikiforakis and Manos Antonakakis",

note = "Publisher Copyright: {\textcopyright} 2017 author(s).; 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

year = "2017",

month = oct,

day = "30",

doi = "10.1145/3133956.3134002",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "569--586",

booktitle = "CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security",

}

Kintis, P, Miramirkhani, N, Lever, C, Chen, Y, Romero-Gómez, R, Pitropakis, N, Nikiforakis, N & Antonakakis, M 2017, Hiding in plain Sight: A longitudinal study of combosquatting abuse. in CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 569-586, 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, United States, 10/30/17. https://doi.org/10.1145/3133956.3134002

Hiding in plain Sight: A longitudinal study of combosquatting abuse. / Kintis, Panagiotis; Miramirkhani, Najmeh; Lever, Charles et al.
CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2017. p. 569-586 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Hiding in plain Sight

T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017

AU - Kintis, Panagiotis

AU - Miramirkhani, Najmeh

AU - Lever, Charles

AU - Chen, Yizheng

AU - Romero-Gómez, Roza

AU - Pitropakis, Nikolaos

AU - Nikiforakis, Nick

AU - Antonakakis, Manos

PY - 2017/10/30

Y1 - 2017/10/30

N2 - Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.] com, youtube-live[.]com). We perform the first largescale, empirical study of combosquatting by analyzing more than 468 billion DNS records-collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.

AB - Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.] com, youtube-live[.]com). We perform the first largescale, empirical study of combosquatting by analyzing more than 468 billion DNS records-collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.

KW - Combosquatting

KW - Domain Name System

KW - Domain Squatting

KW - Network Security

UR - https://www.scopus.com/pages/publications/85041445188

U2 - 10.1145/3133956.3134002

DO - 10.1145/3133956.3134002

M3 - Conference contribution

AN - SCOPUS:85041445188

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 569

EP - 586

BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 30 October 2017 through 3 November 2017

ER -

Kintis P, Miramirkhani N, Lever C, Chen Y, Romero-Gómez R, Pitropakis N et al. Hiding in plain Sight: A longitudinal study of combosquatting abuse. In CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2017. p. 569-586. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3133956.3134002

Hiding in plain Sight: A longitudinal study of combosquatting abuse

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this