HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE - - PowerPoint PPT Presentation

▶

Feb 12, 2023 213 likes •498 views

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE P . K I N T I S , N . M I R A M I R K H A N I , C . L E V E R , Y . C H E N , R . R O M E R O - G M E Z , N . P I T R O P A K I S , N . N I K I F O R A K I S , M

SLIDE 1

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE

P . K I N T I S , N . M I R A M I R K H A N I , C . L E V E R , Y . C H E N , R . R O M E R O - G ó M E Z , N . P I T R O P A K I S , N . N I K I F O R A K I S , M . A N T O N A K A K I S O C T O B E R 3 1 , 2 0 1 7

SLIDE 2

…it was about a year ago
Visited nikeshoppings.com
Bought a pair of shoes for 80€
Shoes never appeared
nikeshoppings.com disappeared (!)

A BRIEF STORY…

SLIDE 3

Oct 5, 2015 – Aug 19, 2016 455B RRs (30.5TB) Jan 1, 2011 – Oct 14, 2015 13B RRs (18TB)

IS IT THAT EASY?

SLIDE 4

discountnikeshopping.com. flynike.com. ilovenike.com. lanike.com. lanikekobe.fr. nike1000.com. nikeairxmaxuk.com. nikeapps.de. nikecortez.org. nikecowboyjerseys.com. nikeelastico.com. nikees.com. nikefreerun2016.fr. nikefreerunpaschere.org. nikefreerunshoes5.com. nikelava.com. nikelebronsoldier10.net. nikenbahmarkets.com. nikenergy.com. nikenew.fr. nikeoutletclearancestore.com. nikes4wholesale.com. nikeschoenenkopennl.nl. nikestory.com. niketnrequins.com. niketopanky.net. nikebrockosweilerjerseys.com. nikedemarcuswarejerseys.com. nikefoot.com. nikefreerun2016.se. nikeirelandonline.net. nikejerseycheapest.com. nikejerseysbigsale.com. nikekd8shoes.com. nikekobev.com. nikens.com. nikerunningshoe.com. nikesbchronicles.com. nikesbs.com. nikesize-chart.com. nikestore.taipei. nikestorenl.net. nikesystems.com. nikeuktrainersshop.com. sycoairmaxnike.us.com. nikefreeog.com. nikefreerunpascherhomme2014.fr. nikefreerunstore.com.tw. nikefreerunweb.com. nikemyadventurecamper.com. nikeplusapp.com. nikesairjordanheels.com. nikewear.co.uk. senikeairmaxrea.se. wwwfashionnike.blogspot.com. 1-800-806-nike.com. chaussurenikedunks.com. chaussurenikeoutletsoldes.com. cheapnikeairmaxkx.com. cybermondaynikeshoes.com. enjoynikeruningtrainersuk.com. forbiddenluv-nike.blogspot.com. jp.msn.com.office.nike-poc.myshn.net. nike-promo-code.com. nike5666.com. nike712.net. nikeairmax90ous.us. nikeespana.trade. nikefree2017.se. nikefree50.fr. chinanike.cn. mujer2016nikeairmax.top. nike3333.com. nikeaina.com. nikeairjoredan3.site. nikeairmax2016shoesfr.top. nikeairmax90-shop.co.uk. nikeboing.org. niketrainer1.com. niketravels.com. nikevipmall.com. nikewrites.com. pickyanike.com. nikediscountshoesonlinebuy.com. nikehyperdunk.org. nikelaufschuhesaleonline.de.com. nikelivefabregas.com. nikeplusbook.com.

SLIDE 5

COMBOSQUATTING DEFINITION

Before we continue…

^[a-zA-Z0-9-]* [a-zA-Z0-9-]*

Must contain the trademark intact
Must not be typosquatting

SLIDE 6

TRADEMARKS

268 trademarks
22 categories

SLIDE 7

COMBOSQUATTING DOMAINS

Passive DNS Active DNS

Combosquatting domains in different business categories
Thousands of combosquatting domains for many trademarks

SLIDE 8

Passive DNS Active DNS

Domains Used Existing Domains

COMBOSQUATTING DOMAINS

Active combosquatting domain names over almost six years
Static number of domain names resolved
Increasing trend in domain name registrations over time

Typosquatting Upper Bound

SLIDE 9

Dec 2012 – Sep 2016 610M Jul 2009 – Sep 2016 966K Oct 2008 – Nov 2016 22K Jan 2011 – Oct 2016 1.1B

9,283
6,886

Malware

3,750
4,787

PBL

2,296
6,400

Spam

APT

2,321,914

Passive

1,022,083

Active

COMBOSQUATTING DNS DATASETS

SLIDE 10

bankofamerica-com-login-sys-update-online.com PHISHING ATTACKS

SLIDE 11

airbnbforbeginners.com SOCIAL ENGINEERING ATTACKS

SLIDE 12

activatemycrbankofamerica.com
activatemycrebankofamerica.com
activatemycredbankofamerica.com
activatemycredibankofamerica.com
activatemycreditbankofamerica.com
activatemycreditcabankofamerica.com
activatemycreditcarbankofamerica.com
activatemycreditcardbankofamerica.com

TIP OF THE ICEBERG

SLIDE 13

Domain name resolutions by clients in North America

Collection Errors

COMBOSQUATTING DOMAIN RESOLUTION

SLIDE 14

SLIDE 15

PERSISTENCE

SLIDE 16

691,182 TLS certificates
107,572 combosquatting FQDNs

41.5%

IN X.509 WE TRUST

SLIDE 17

SLIDE 18

LEXICAL CHARACTERISTICS

SLIDE 19

Financial Sector Social Networks Comcast Chevron

WORD DISTRIBUTION

SLIDE 20

SLIDE 21

Init

Start with 1.3M

combosquatting domains from the Active DNS dataset Affiliate Abuse

Redirection

through affiliates

2,573 domains

Phishing

Found 40K

domains with login forms

Manually

identified 174 unique phishing pages Processing

Selected the

The Chevron Case

SLIDE 23

Registrants
Defensive registrations (very hard)
Do not use your trademark in new domains for campaigns (paypal-prepaid[.]com)
Registrars
Flag domains that contain popular trademarks
Request verification and hand-verify the registration request
Third Parties
Domain analysis systems should take combosquatting into consideration

CAN WE SOLVE THE PROBLEM?

SLIDE 24

REGISTRARS TAKING ACTION

SLIDE 25

SLIDE 26

equifax security2017.com .com

Aug 22

securityequifax2017.com equifax

Sep 8

THE EQUIFAX CASE

SLIDE 27

The Chevron Case

bit.ly/combosquatting-john-oliver: equifaxfraudprevention.com

SLIDE 28

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE - - PowerPoint PPT Presentation

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE

Oct 5, 2015 – Aug 19, 2016 455B RRs (30.5TB) Jan 1, 2011 – Oct 14, 2015 13B RRs (18TB)

Before we continue…

Passive

Active

41.5%

The Chevron Case

equifax security2017.com .com

securityequifax2017.com equifax

The Chevron Case

Thank you

THANK YOU!

PANAGIOTIS KINTIS

KINTIS@GATECH.EDU