
TL;DR Hazard: A Comprehensive Study of Levelsquatting Scams

  • Conference paper

Abstract

In this paper, we present a large-scale analysis of an emerging type of domain-name fraud, which we call levelsquatting. Unlike existing frauds that impersonate well-known brand names (like google.com) by registering similar second-level domain names, adversaries here embed the brand name in the subdomain section, deceiving users, especially mobile users, who do not pay attention to the entire domain name.

First, we develop a detection system, LDS, based on passive DNS data and webpage content. Using LDS, we successfully detect 817,681 levelsquatting domains. Second, we perform a detailed characterization of levelsquatting scams. Existing blacklists are less effective against levelsquatting domains: only around 4% of the domains are reported by VirusTotal and by PhishTank, respectively. In particular, we find a number of levelsquatting domains that impersonate well-known search engines. So far, the Baidu security team has acknowledged our findings and removed these domains from its search results. Finally, we analyze how levelsquatting domain names are displayed in different browsers. We find 2 mobile browsers (Firefox and UC) and 1 desktop browser (Internet Explorer) that can confuse users when showing levelsquatting domain names in the address bar.

In summary, our study sheds light on the emerging levelsquatting fraud, and we believe new approaches are needed to mitigate this type of fraud.
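The abstract defines levelsquatting structurally: the brand sits in the subdomain labels while the registrable domain (the e2LD, matched against the public suffix list per note 4) belongs to someone else. The following Python is an added illustration of that definition and is not the paper's LDS system; the public-suffix subset, the brand list and the sample hostnames are constructed for the example, and the substring brand match is a deliberate simplification.

```python
"""Added example (not the paper's LDS code): a minimal levelsquatting check
that follows the definition in the abstract, where a brand name is embedded in
the subdomain labels while the registrable domain (e2LD) belongs to someone
else. The suffix list and brand list are constructed subsets for illustration.
"""

# Constructed subset of the Public Suffix List (https://publicsuffix.org/), the
# list note 4 uses to match eTLDs. A real tool loads the full list and also
# honours its "*." wildcard and "!" exception rules, which are omitted here.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "uk", "co.uk"}

# Constructed brand list (assumption); the paper derives brands from Alexa data.
BRANDS = ["google", "baidu", "paypal", "apple"]


def split_public_suffix(host):
    """Return (leading_labels, public_suffix) using longest-match on PUBLIC_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    # Trying i = 0 first tests the longest candidate, so "com.cn" wins over "cn".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return labels[:i], candidate
    # Unknown TLD: fall back to treating the last label as the suffix.
    return labels[:-1], labels[-1]


def parse_domain(host):
    """Split host into (subdomain, e2ld, public_suffix); e2ld is the registrable name."""
    leading, suffix = split_public_suffix(host)
    if not leading:
        return "", "", suffix          # the host is itself a public suffix
    e2ld = leading[-1] + "." + suffix
    subdomain = ".".join(leading[:-1])
    return subdomain, e2ld, suffix


def find_brand(text):
    """Crude substring match; a production system would tokenise labels instead."""
    for brand in BRANDS:
        if brand in text:
            return brand
    return None


def is_levelsquatting(host):
    """Return the brand a host impersonates via its subdomain, or None.

    A host is flagged when a brand appears in the subdomain part but the
    registrable label of the e2LD does not carry that brand, so
    mail.google.com is legitimate while www.google.com.login-secure.net is not.
    """
    subdomain, e2ld, _ = parse_domain(host)
    if not subdomain:
        return None
    brand = find_brand(subdomain)
    if brand is None:
        return None
    registrable_label = e2ld.split(".")[0]
    if brand in registrable_label:
        return None                    # brand-owned host, e.g. accounts.google.com
    return brand


def scan_hosts(hosts):
    """Map each flagged host to the brand it impersonates."""
    flagged = {}
    for host in hosts:
        brand = is_levelsquatting(host)
        if brand is not None:
            flagged[host] = brand
    return flagged


# Constructed sample hostnames (not from the paper's dataset).
SAMPLE_HOSTS = [
    "www.google.com.login-secure.net",
    "baidu.com.example.com.cn",
    "paypal-secure.example.org",
    "mail.google.com",
    "accounts.google.co.uk",
    "google.com",
]

if __name__ == "__main__":
    for host, brand in scan_hosts(SAMPLE_HOSTS).items():
        sub, e2ld, _ = parse_domain(host)
        print(f"{host}: brand '{brand}' in subdomain '{sub}', registrable domain {e2ld}")
```

The check is purely lexical, which is why the paper pairs passive DNS with webpage content: a hostname like `paypal-secure.example.org` may be a harmless internal name, and a blocklist built from this rule alone will produce false positives on legitimate resellers or CDN hostnames. Feeding only the registrable e2LD, not the full hostname, to a reputation lookup is the usual way such hosts slip past blacklists, which is consistent with the low VirusTotal and PhishTank coverage reported above.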


Notes

  1. https://www.phishtank.com/.
  2. https://www.virustotal.com/.
  3. https://www.godaddy.com/.
  4. We use the public suffix list provided by https://publicsuffix.org/ to match eTLDs.
  5. https://www.dnsdb.info/.
  6. https://www.passivedns.cn/.
  7. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip.
  8. https://www.alexa.com/topsites/category.
  9. We are not able to obtain WHOIS records for all e2LDs within \(Dom_{Sus}\) because they had already expired when we queried.
  10. https://github.com/TeamHG-Memex/page-compare.
  11. https://www.seleniumhq.org/.
  12. https://scikit-image.org/.
  13. The “query” mode retrieves the prior scanning result of a URL that has been submitted to VirusTotal by another user.
  14. https://github.com/shuque/pydig.
  15. https://github.com/zmap/zmap.
  16. http://www.ucweb.com/.
  17. https://liulanqi.baidu.com/.
  18. http://se.360.cn/.


Acknowledgments

We thank anonymous reviewers for their insightful comments. This work is supported in part by the National Natural Science Foundation of China (U1836213, U1636204) and the BNRist Network and Software Security Research Program (Grant No. BNR2019TD01004).

Author information


Corresponding author

Correspondence to Haixin Duan.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Du, K. et al. (2019). TL;DR Hazard: A Comprehensive Study of Levelsquatting Scams. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_1


  • DOI: https://doi.org/10.1007/978-3-030-37231-6_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37230-9

  • Online ISBN: 978-3-030-37231-6

  • eBook Packages: Computer Science (R0)
