HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE - PowerPoint PPT Presentation

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE P . K I N T I S , N . M I R A M I R K H A N I , C . L E V E R , Y . C H E N , R . R O M E R O - G ó M E Z , N . P I T R O P A K I S , N . N I K I F O R A K I S , M . A N T O N A K A K I S O C T O B E R 3 1 , 2 0 1 7

A BRIEF STORY… • …it was about a year ago • Visited nikeshoppings.com • Bought a pair of shoes for 80€ • Shoes never appeared • nikeshoppings.com disappeared (!) 2

IS IT THAT EASY? Oct 5, 2015 – Aug 19, 2016 455B RRs (30.5TB) Jan 1, 2011 – Oct 14, 2015 13B RRs (18TB) 3

discountnikeshopping.com. nikewear.co.uk. nikebrockosweilerjerseys.com. flynike.com. senikeairmaxrea.se. nikedemarcuswarejerseys.com. ilovenike.com. wwwfashionnike.blogspot.com. nikefoot.com. lanike.com. 1-800-806-nike.com. nikefreerun2016.se. lanikekobe.fr. chaussurenikedunks.com. nikeirelandonline.net. nike1000.com. chaussurenikeoutletsoldes.com. nikejerseycheapest.com. nikeairxmaxuk.com. cheapnikeairmaxkx.com. nikejerseysbigsale.com. nikeapps.de. cybermondaynikeshoes.com. nikekd8shoes.com. nikecortez.org. enjoynikeruningtrainersuk.com. nikekobev.com. niketrainer1.com. nikecowboyjerseys.com. forbiddenluv-nike.blogspot.com. nikens.com. niketravels.com. nikeelastico.com. jp.msn.com.office.nike-poc.myshn.net. nikerunningshoe.com. nikevipmall.com. nikees.com. nike-promo-code.com. nikesbchronicles.com. nikewrites.com. nikefreerun2016.fr. nike5666.com. nikesbs.com. pickyanike.com. nikefreerunpaschere.org. nike712.net. nikesize-chart.com. nikediscountshoesonlinebuy.com. nikefreerunshoes5.com. nikeairmax90ous.us. nikestore.taipei. nikehyperdunk.org. nikelava.com. nikeespana.trade. nikestorenl.net. nikelaufschuhesaleonline.de.com. nikelebronsoldier10.net. nikefree2017.se. nikesystems.com. nikelivefabregas.com. nikenbahmarkets.com. nikefree50.fr. nikeuktrainersshop.com. nikeplusbook.com. nikenergy.com. chinanike.cn. sycoairmaxnike.us.com. nikenew.fr. mujer2016nikeairmax.top. nikefreeog.com. nikeoutletclearancestore.com. nike3333.com. nikefreerunpascherhomme2014.fr. nikes4wholesale.com. nikeaina.com. nikefreerunstore.com.tw. nikeschoenenkopennl.nl. nikeairjoredan3.site. nikefreerunweb.com. nikestory.com. nikeairmax2016shoesfr.top. nikemyadventurecamper.com. niketnrequins.com. nikeairmax90-shop.co.uk. nikeplusapp.com. niketopanky.net. nikeboing.org. nikesairjordanheels.com. 4

COMBOSQUATTING DEFINITION Before we continue… ^[a-zA-Z0-9-]* [a-zA-Z0-9-]* • Must contain the trademark intact • Must not be typosquatting 5

TRADEMARKS • 268 trademarks • 22 categories 6

COMBOSQUATTING DOMAINS Passive DNS Active DNS • Combosquatting domains in different business categories • Thousands of combosquatting domains for many trademarks 7

COMBOSQUATTING DOMAINS Existing Domains Typosquatting Upper Bound Domains Used Passive DNS Active DNS • Active combosquatting domain names over almost six years • Static number of domain names resolved • Increasing trend in domain name registrations over time 8

COMBOSQUATTING DNS DATASETS • 9,283 Jan 2011 – Oct 2016 Malware • 6,886 1.1B • 3,750 Dec 2012 – Sep 2016 Passive PBL • 2,321,914 • 4,787 610M • 2,296 Jul 2009 – Sep 2016 Active Spam • 1,022,083 • 6,400 966K • 59 Oct 2008 – Nov 2016 APT 22K • 56 9

PHISHING ATTACKS bankofamerica -com-login-sys-update-online.com 10

SOCIAL ENGINEERING ATTACKS airbnb forbeginners.com 11

TIP OF THE ICEBERG • activatemycrbankofamerica.com • activatemycrebankofamerica.com • activatemycredbankofamerica.com • activatemycredibankofamerica.com • activatemycreditbankofamerica.com • activatemycreditcabankofamerica.com • activatemycreditcarbankofamerica.com • activatemycreditcardbankofamerica.com 12

COMBOSQUATTING DOMAIN RESOLUTION Collection Errors Domain name resolutions by clients in North America 13

14

PERSISTENCE 15

IN X.509 WE TRUST • 691,182 TLS certificates • 107,572 combosquatting FQDNs 41.5% 16

17

LEXICAL CHARACTERISTICS 18

WORD DISTRIBUTION Financial Sector Comcast Chevron Social Networks 19

20

COMBOSQUATTING ANALYSIS Init Affiliate Abuse Phishing Processing • Start with 1.3M • Redirection • Found 40K • Selected the combosquatting through domains with most popular domains from affiliates login forms domains the Active DNS • 2,573 domains • Manually • Created clusters dataset identified 174 and labeled 8.7K unique phishing domains pages Unrelated 11.23% Unknown 86.6% Suspicious 88.77% Phishing 0.9% Social Engineering 13.62% Malicious 13.39% Affiliate Abuse 15.56% Trademark Abuse 69.9% 21

The Chevron Case 22

CAN WE SOLVE THE PROBLEM? • Registrants Defensive registrations (very hard) • Do not use your trademark in new domains for campaigns (paypal-prepaid[.]com) • • Registrars Flag domains that contain popular trademarks • Request verification and hand-verify the registration request • • Third Parties Domain analysis systems should take combosquatting into consideration • 23

REGISTRARS TAKING ACTION 24

25

THE EQUIFAX CASE Aug 22 equifax security2017.com equifax .com securityequifax2017.com Sep 8 26

The Chevron Case bit.ly/combosquatting-john-oliver: equifax fraudprevention.com 27

Thank you THANK YOU! PANAGIOTIS KINTIS KINTIS@GATECH.EDU