Abstract
In this paper, we present a large-scale analysis of an emerging type of domain-name fraud, which we call levelsquatting. Unlike existing frauds that impersonate well-known brand names (like google.com) by registering similar second-level domain names, adversaries here embed the brand name in the subdomain section of a domain they control, deceiving users, especially mobile users, who do not pay attention to the entire domain name.
First, we develop a detection system, LDS, based on passive DNS data and webpage content. Using LDS, we successfully detect 817,681 levelsquatting domains. Second, we perform a detailed characterization of levelsquatting scams. Existing blacklists are less effective against levelsquatting domains: only around 4% of the domains are reported by VirusTotal and PhishTank respectively. In particular, we find a number of levelsquatting domains impersonating well-known search engines. So far, the Baidu security team has acknowledged our findings and removed these domains from its search results. Finally, we analyze how levelsquatting domain names are displayed in different browsers. We find 2 mobile browsers (Firefox and UC) and 1 desktop browser (Internet Explorer) that can confuse users when showing levelsquatting domain names in the address bar.
In summary, our study sheds light on the emerging levelsquatting fraud, and we believe new approaches are needed to mitigate this type of fraud.
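The following is an added illustration, not the paper's LDS system, of the structural pattern the abstract describes: a brand name placed in the subdomain labels of an unrelated registered domain. It splits a hostname into subdomain, e2LD and eTLD using a constructed subset of the public suffix list and a constructed brand list (both are assumptions for the example).

```python
# Added example: detect the levelsquatting pattern (brand in subdomain labels,
# not in the registered domain). Constructed data, not the paper's own code.

# Constructed subset of the public suffix list (https://publicsuffix.org/).
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "co.uk", "github.io"}

# Constructed brand list; a real deployment would use a list of popular sites.
BRANDS = {"google", "baidu", "paypal", "apple"}


def split_domain(hostname):
    """Split a hostname into (subdomain, e2LD, eTLD) using the longest
    matching public suffix. Returns None if no suffix matches or the
    hostname is itself a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walking from the left tries the longest candidate suffix first,
    # so "com.cn" is matched before "cn".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:]), suffix
    return None


def brands_in_labels(labels_str):
    """Brand names appearing as a whole label or as a hyphen-separated
    token inside a label (e.g. 'paypal-login')."""
    found = set()
    if not labels_str:
        return found
    for label in labels_str.split("."):
        found.update(tok for tok in label.split("-") if tok in BRANDS)
    return found


def is_levelsquatting(hostname):
    """Return (flag, brands) where flag is True when the subdomain section
    carries a brand name that the registered label does not."""
    parts = split_domain(hostname)
    if parts is None:
        return False, set()
    subdomain, e2ld, _ = parts
    registered_label = e2ld.split(".")[0]
    # mail.google.com is the brand's own domain, so exclude brands that the
    # registered label already contains (that case would be combosquatting).
    hits = {b for b in brands_in_labels(subdomain) if b not in registered_label}
    return bool(hits), hits
```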
Notes
- 4. We use the public suffix list provided by https://publicsuffix.org/ to match eTLD.
- 9. We are not able to obtain WHOIS records for all e2LDs within \(Dom_{Sus}\) because they had already expired when we queried.
- 13. The “query” mode retrieves the prior scanning result of a URL that has been submitted to VirusTotal by another user.
Acknowledgments
We thank the anonymous reviewers for their insightful comments. This work is supported in part by the National Natural Science Foundation of China (U1836213, U1636204) and the BNRist Network and Software Security Research Program (Grant No. BNR2019TD01004).
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Du, K. et al. (2019). TL;DR Hazard: A Comprehensive Study of Levelsquatting Scams. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_1
DOI: https://doi.org/10.1007/978-3-030-37231-6_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37230-9
Online ISBN: 978-3-030-37231-6