Email Typosquatting - Janos Szurdi and Nicolas Christin - PowerPoint PPT Presentation

SLIDE 1

Email Typosquatting

Janos Szurdi and Nicolas Christin

SLIDE 2

Dictionary.com

SLIDE 3

Youtube.com

SLIDE 4

Fourteen Years of Typosquatting Research

WEB

Timeline years: 2003, 2006, 2008, 2009, 2010, 2011, 2014, 2015, 2017

  • Edelman: first case study on one typosquatter
  • Wang et al.: detection
  • Banerjee et al.: detection
  • Chen et al.: detection
  • Banerjee et al.: detection
  • Moore and Edelman: monetization
  • Szurdi et al.: large scale study
  • Agten et al.: longitudinal study
  • Miramirkhani et al.: technical support scam
  • Khan et al.: quantifying harm to users

SLIDE 5

Other Applications Using DNS

  • Email:
  • SSH:
  • FTP:
  • Godai group 2011: white paper on email typosquatting
  • Vissers et al. 2017: name server typosquatting

SLIDE 6

Agenda

  • 1. Email Typo Mistakes
      • What are the email typo mistakes users can make?
  • 2. In the shoes of typosquatters
      • Do users make email typo mistakes frequently?
  • 3. Typosquatting in the wild
      • Can typosquatters collect emails on a large scale?
      • How many emails do typosquatting domains in the wild receive?
  • 4. In the shoes of the victims
      • Do typosquatters actually collect emails?

SLIDE 7

Email Typo Mistakes

SLIDE 8

Receiver Typo

mom@gmail.com

SLIDE 9

Reflection Typo

typo@gmail.com

SLIDE 10

When Reflection Typos Are Really Bad

someone@zohomil.com: we received several

  • job applications
  • with CVs containing personal information

Several job advertisements were copy-pasted with the same mistyped address

When a mistake affects other users!

SLIDE 11

SMTP Typo

smtp.gmail.com

SLIDE 12

In The Shoes of Typosquatters

SLIDE 13

Collection Ethics

IRB approved

  • Took measures beyond IRB requirement

Registering typosquatting domains

  • Potential trademark infringement
  • Surrender domains on request

Collecting personal emails

  • Protect personal information
  • Keep on secure server
  • Encrypt emails
  • Protect privacy
  • Remove sensitive data
  • Minimize the number of emails viewed

SLIDE 14

Collection Infrastructure

[Diagram labels: Registered domains (outlo0k.com, gmaiql.com, ho6mail.com, smtpverizon.net); DNS “Forwarding”; Virtual Private Servers; SMTP Forwarding; Main Collection Server]

SLIDE 15

Spam Filtering

Filtering stages shown in the diagram (input: Emails; output: Filtered emails):

  • Frequency-based filtering
  • Header Based Filtering
  • SpamAssassin
  • Collaborative Spam Filtering
  • Reflection Typo Detection

Receiver Typo Emails Collected

[Chart annotation: Infrastructure Down]

SLIDE 17

SMTP Typo Emails Collected

SLIDE 18

Not All Typosquatting Domains Are Equal

75%

SLIDE 19

Typosquatting Domain Quality

Domain          # Emails    Is Fat Finger?
ohtlook.com     1320        TRUE
outlo0k.com     1170        TRUE
outmook.com     324         FALSE
ouulook.com     137         FALSE
oetlook.com     84          FALSE
ouvlook.com     25          FALSE
o7tlook.com     20          TRUE
ou6look.com     7           TRUE
hovmail.com     1095        FALSE
ho6mail.com     147         TRUE

Factors of profitability

  • Popularity of target domain is the most important
  • Keyboard distance
  • Conspicuousness
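
The “Is Fat Finger?” column can be reproduced with a keyboard-adjacency test; the sketch below is an added example, not the authors' code. It assumes a fat-finger typo is a single substitution or insertion involving a QWERTY-adjacent key; the key geometry, the function names and the pairing of each typo domain with a target are assumptions.

```python
# QWERTY rows with the usual horizontal stagger, in key widths
# (assumed geometry; the slides do not specify a layout).
ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5),
        ("asdfghjkl", 0.75), ("zxcvbnm", 1.25)]
POS = {ch: (row, col + shift)
       for row, (keys, shift) in enumerate(ROWS)
       for col, ch in enumerate(keys)}


def adjacent(a, b):
    """True when two distinct keys touch: <= 1 row and <= 1 key width apart."""
    if a == b or a not in POS or b not in POS:
        return False
    (ra, xa), (rb, xb) = POS[a], POS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0


def classify(target, typo):
    """Return (edit_kind, is_fat_finger) for a one-character typo of target."""
    t, _, t_rest = target.lower().partition(".")
    s, _, s_rest = typo.lower().partition(".")
    if t_rest != s_rest:
        return ("other", False)
    if len(s) == len(t):
        diff = [i for i in range(len(t)) if t[i] != s[i]]
        if len(diff) == 1:
            i = diff[0]
            return ("substitution", adjacent(t[i], s[i]))
    elif len(s) == len(t) + 1:
        for i in range(len(s)):
            if s[:i] + s[i + 1:] == t:
                # Inserted key counts if it sits next to a neighbouring letter.
                near = s[max(i - 1, 0):i] + s[i + 1:i + 2]
                return ("insertion", any(adjacent(s[i], c) for c in near))
    return ("other", False)


# (target, typo) pairs; the typo domains appear in the slides, the pairing
# with a target is inferred here.
SAMPLES = [("hotmail.com", "hovmail.com"), ("hotmail.com", "ho6mail.com"),
           ("gmail.com", "gmaiql.com")]

if __name__ == "__main__":
    for target, typo in SAMPLES:
        print(typo, classify(target, typo))
```

A mail-domain owner can run the same check over look-alike registrations of its own domain to decide which ones to monitor or register defensively first.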

SLIDE 20

Typosquatting In The Wild

SLIDE 21

Infrastructure Concentration: Registrants

[Chart labels: 1%, 45%, 1%]

One registrant: 10% of domains

SLIDE 22

Infrastructure Concentration: Mail Server Records

[Chart labels: 75%, 1%]

One Mail Server Record: 14% of domains

SLIDE 23

Email Typosquatting Eco-system

High SMTP support

  • Millions of typosquatting domains
  • 2/3 of typo domains can receive emails

Infrastructure serving typosquatting

  • Average name servers: 4% typosquatting
  • Bad name servers: up to 89% typosquatting

Targeting email protocols

  • 41 SMTP typos of Alexa top 10k
  • smtpgmail.com
  • smtphotmail.com

Both privacy protected and typosquatting

SLIDE 24

Extrapolation

Model

  • Based on our previous observations
  • Features: Popularity, conspicuousness and keyboard distance

Extrapolate to

  • 1211 typosquatting domains
  • Targeting: gmail.com, hotmail.com, outlook.com, comcast.com, verizon.com

Estimate:

  • 850,000 emails/year received

One email costs one penny to collect

  • Ideal for spear phishing or scam campaigns

SLIDE 25

In The Shoes of The Victims

SLIDE 26

Honey Email with Honey Token

SLIDE 27

Honey Email with Honey Account

SLIDE 28

Large Scale Test

Tested

  • 50,000 typosquatting domains

Domains accepting our emails

Domain registration type    Percent accepted our emails
All                         14 %
Public registration         4 %
Private registration        27 %

Sensitive targets

  • disvover.com, bankofamericqa.com, nuaghtyamerica.com and comcacst.com

Emails read

  • 19 based on our logs

SLIDE 29

Sensitive Information Test

Tested

  • 7269 domains that previously accepted our email

Emails read

  • 15 based on our logs

Sensitive information accessed

  • Tax document accessed from Caracas, Venezuela
  • Shell account access attempt from Poland

SLIDE 30

Summary

  • Users sent us emails with sensitive data
  • Typosquatting domains’ profitability depends on
      • Popularity
      • Conspicuousness
      • Keyboard distance
  • Typosquatters have infrastructure in place to collect emails
  • One email costs one penny to collect
  • Exploitation of email typosquatting is not confirmed

jszurdi@andrew.cmu.edu