Criminals online are increasingly using “combosquatting” to deceive internet users. The practice exploits the fact that internet users are increasingly encouraged to check the domain name in a web address before clicking on a link. Combosquatters register domain names that contain a familiar trademark together with additional words, so that a link which looks legitimate at a glance instead leads to a website selling counterfeit goods, harvesting personal and financial information or installing malware.
Researchers from Georgia Tech and Stony Brook University in the U.S. conducted what is believed to be the first large-scale, empirical study of combosquatting. The work was supported by U.S. Department of Defense agencies, the National Science Foundation and the U.S. Department of Commerce.
The researchers explained that attackers might register familiarbankname-security.com or security-familiarbankname.com. Unwary users see the familiar bank name in the URL or web address, but the additional hyphenated word means the destination is very different from what was expected. The result could be counterfeit merchandise, stolen credentials, a malware infection – or another computer conscripted into a botnet attack.
The attack strategy, known as combosquatting, is a growing threat, with millions of such domains set up for malicious purposes, according to a new study presented in late October at the 2017 ACM Conference on Computer and Communications Security (CCS).
“This is a tactic that the adversaries are using more and more because they have seen that it works,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This attack is hiding in plain sight, but many people aren’t computer-savvy enough to notice the difference in the URLs containing familiar trademarked names.”
Combosquatting differs from its better-known relative, typosquatting, in which adversaries register variations of URLs that users are likely to type incorrectly. Combosquatting domains don’t depend on victims making typing errors, but instead provide malicious links embedded in emails, web advertising or the results of web searches. Combosquatting attackers often combine the trademarked name with a term designed to convey a sense of urgency to encourage victims to click on what appears at first glance to be a legitimate link.
“We have seen combosquatting used in virtually every kind of cyberattack that we know of, from drive-by downloads to phishing attacks by nation-states,” said Panagiotis Kintis, a Georgia Tech graduate research assistant who is the first author of the study. “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
For their study, the researchers began with the 500 most popular trademarked domain names in the United States, and excluded certain combinations made up of common words. They separated the domains into 20 categories, then added two additional categories: one for politics – the study was done before the 2016 election – and another for energy.
With the resulting 268 trademark-containing URLs, they set out to find domain names that incorporated the trademarked name with additional words added at the start or end. They searched through six years of active and passive domain name system (DNS) requests – more than 468 billion records – provided by one of the largest internet service providers in North America.
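To make that search concrete, the following is an added example written for this article in Python; it is not the study's code, trademark list or data set. It takes a list of observed domain names and labels each one as legitimate (the registrable label is exactly the trademark), combosquatting (the trademark appears with extra words added at the start or end, as in the hyphenated examples above), typosquatting (within two character edits of the trademark, the distinction drawn earlier in the article) or unrelated. The trademark names, the common-word exclusion set, the urgency-word list used to flag lures, the two-label public-suffix set and the sample domains are all constructed assumptions for illustration; a real deployment would use a proper public-suffix list and the organisation's own brand list.

```python
"""Label observed domain names against a trademark list as legitimate,
combosquatting, typosquatting or unrelated (added illustration, not the
study's own tooling)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed trademark list (placeholders, not real brands).
TRADEMARKS = ["familiarbank", "megashop", "orbit"]
# Trademarks that are also ordinary words. The study excluded combinations
# made up of common words; here such trademarks must appear as a whole
# hyphen-delimited token, so "exorbitant.com" is not flagged for "orbit".
COMMON_WORD_TRADEMARKS = {"orbit"}
# Words that convey urgency or trust and are often bolted onto a trademark.
URGENCY_WORDS = {"secure", "security", "login", "verify", "update",
                 "alert", "account", "support"}
# Tiny stand-in for a public-suffix list (assumption; use a real one).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
TYPO_MAX_DISTANCE = 2


@dataclass
class Verdict:
    domain: str
    kind: str  # "legitimate" | "combosquatting" | "typosquatting" | "unrelated"
    trademark: Optional[str] = None
    extra_tokens: List[str] = field(default_factory=list)
    urgency: bool = False


def registrable_label(domain: str) -> str:
    """Return the label just left of the public suffix, e.g. 'familiarbank'
    for 'www.familiarbank.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to separate typosquatting from combosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(label: str) -> List[str]:
    """Split a label into word-ish tokens on hyphens/underscores and on
    letter-digit boundaries."""
    return [t for t in re.split(r"[-_]+|(?<=\D)(?=\d)|(?<=\d)(?=\D)", label) if t]


def classify(domain: str) -> Verdict:
    label = registrable_label(domain)
    label_tokens = tokens(label)
    for tm in TRADEMARKS:
        if label == tm:
            return Verdict(domain, "legitimate", tm)
        hit = tm in label_tokens if tm in COMMON_WORD_TRADEMARKS else tm in label
        if hit:
            # Cut the trademark out; whatever remains are the added words.
            extra = tokens(label.replace(tm, "-"))
            return Verdict(domain, "combosquatting", tm, extra,
                           any(t in URGENCY_WORDS for t in extra))
    # No trademark embedded: look for a near-miss spelling instead.
    for tm in TRADEMARKS:
        if levenshtein(label, tm) <= TYPO_MAX_DISTANCE:
            return Verdict(domain, "typosquatting", tm)
    return Verdict(domain, "unrelated")


def scan(domains: List[str]) -> Dict[str, int]:
    """Tally verdict kinds over a batch of observed names (e.g. from DNS logs)."""
    counts: Dict[str, int] = {}
    for d in domains:
        kind = classify(d).kind
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of observed domain names.
    sample = ["familiarbank.com", "familiarbank-security.com",
              "www.login-familiarbank.co.uk", "familiarbnak.com",
              "exorbitant.com", "orbit-alert.net", "news-site.org"]
    for d in sample:
        print(classify(d))
    print(scan(sample))
```

Because the check works on the registrable label rather than the full hostname, a subdomain such as `www.` does not hide the embedded trademark, and the urgency flag gives analysts a quick way to rank which hits to look at first.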
“The result was mind-blowing,” said Kintis. “We found orders of magnitude more combosquatting domains than typosquatting domains, for instance. The space for combosquatting is almost infinite because attackers can register as many domains as they want with any variation that they want. In some cases, registering a domain can cost less than a dollar.”
In the six-year data set, the researchers found 2.7 million combosquatting domains for the 268 popular trademarks alone, and the combosquatting domains were 100 times more prevalent than typosquatting domains. The combosquatting attacks appear to be challenging to combat, with nearly 60 percent of the abusive domains in operation for more than 1,000 days – almost three years. And the number of combosquatting domains registered grew every year between 2011 and 2016.
Among the malicious domains, the researchers discovered some that had previously been registered by legitimate companies which had combined words with their trademarks. For some reason, those companies permitted the registrations to lapse, allowing the trademark-containing domain names – which once led to legitimate sites – to be taken over by combosquatting attackers.
In many cases, malicious domains were re-registered multiple times after they had expired, suggesting an improvement in “internet hygiene” may be needed to address this threat.
“Imagine what happens in a city when the garbage isn’t picked up regularly,” Antonakakis said. “The garbage builds up and you have diseases develop. Nobody collects the garbage domains on the internet, because it’s nobody’s job. But there should be an organization that would collect these malicious domains so they cannot be reused to infect people.”
More stringent anti-fraud screening of persons registering domains would also help, he added. “We don’t want to prevent legitimate users from getting onto the internet, but there are warning signs of potential fraud that registrars could detect.”