Title | Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Kintis, Panagiotis, Miramirkhani, Najmeh, Lever, Charles, Chen, Yizheng, Romero-Gómez, Rosa, Pitropakis, Nikolaos, Nikiforakis, Nick, Antonakakis, Manos |
Conference Name | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-4946-8 |
Keywords | combosquatting, composability, domain name system, domain squatting, Metrics, Network security, Networked Control Systems Security, pubcrawl, resilience, Resiliency |
Abstract | Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first large-scale, empirical study of combosquatting by analyzing more than 468 billion DNS records - collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community. |
URL | http://doi.acm.org/10.1145/3133956.3134002 |
DOI | 10.1145/3133956.3134002 |
Citation Key | kintis_hiding_2017 |