Skip to main content
SpringerLink
Log in

Winding Path: Characterizing the Malicious Redirection in Squatting Domain Names

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2021)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 12671))

Included in the following conference series:

Abstract

An increasing number of adversaries tend to cover up their malicious sites by leveraging the elaborate redirection chains. Prior works mostly focused on the specific attacks that users suffered, and seldom considered how users were exposed to such attacks. In this paper, we conduct a comprehensive measurement study on the malicious redirections that leverage squatting domain names as the start point. To this end, we collected 101,186 resolved squatting domain names that targeted 2,302 top brands from the ISP-level DNS traffic. After dynamically crawling these squatting domain names, we pioneered the application of performance log to mine the redirection chains they involved. Afterward, we analyzed the nodes that acted as intermediaries in malicious redirections and found that adversaries preferred to conduct URL redirection via imported JavaScript codes and iframes. Our further investigation indicates that such intermediaries have obvious aggregation, both in the domain name and the Internet infrastructure supporting them.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Alexa Top 1M Sites. https://www.alexa.com/topsites

  2. Alexa Top 1M Sites Archive. https://toplists.net.in.tum.de/archive/alexa/

  3. Alexa Top Category Sites. https://www.alexa.com/topsites/category

  4. CN Top Sites. http://www.alexa.cn/siterank/

  5. Selenium. https://www.selenium.dev/

  6. University of Oregon Route Views Archive Project. http://archive.routeviews.org/

  7. Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS 2015). Internet Society (2015)

    Google Scholar 

  8. Alrwais, S., Yuan, K., Alowaisheq, E., Li, Z., Wang, X.: Understanding the dark side of domain parking. In: 23rd \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2014), pp. 207–222 (2014)

    Google Scholar 

  9. Asghari, H.: pyasn. https://github.com/hadiasghari/pyasn

  10. Du, K., et al.: TL;DR hazard: a comprehensive study of levelsquatting scams. In: Chen, S., Choo, K.-K.R., Fu, X., Lou, W., Mohaisen, A. (eds.) SecureComm 2019. LNICST, vol. 305, pp. 3–25. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-37231-6_1

    Chapter  Google Scholar 

  11. Holgers, T., Watson, D.E., Gribble, S.D.: Cutting through the confusion: a measurement study of homograph attacks. In: USENIX Annual Technical Conference, General Track, pp. 261–266 (2006)

    Google Scholar 

  12. Huang, L.S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.: Clickjacking: attacks and defenses. In: Presented as part of the 21st \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2012), pp. 413–428 (2012)

    Google Scholar 

  13. Invernizzi, L., Thomas, K., Kapravelos, A., Comanescu, O., Picod, J.M., Bursztein, E.: Cloak of visibility: detecting when machines browse a different web. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 743–758. IEEE (2016)

    Google Scholar 

  14. Khan, M.T., Huo, X., Li, Z., Kanich, C.: Every second counts: quantifying the negative externalities of cybercrime via typosquatting. In: 2015 IEEE Symposium on Security and Privacy, pp. 135–150. IEEE (2015)

    Google Scholar 

  15. Kintis, P., et al.: Hiding in plain sight: a longitudinal study of combosquatting abuse. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 569–586 (2017)

    Google Scholar 

  16. Li, Z., Alrwais, S., Wang, X., Alowaisheq, E.: Hunting the red fox online: understanding and detection of mass redirect-script injections. In: 2014 IEEE Symposium on Security and Privacy, pp. 3–18. IEEE (2014)

    Google Scholar 

  17. Mavrommatis, N.P.P., Monrose, M.: All your iframes point to us. In: USENIX Security Symposium, pp. 1–16. USENIX Association (2008)

    Google Scholar 

  18. Mekky, H., Torres, R., Zhang, Z.L., Saha, S., Nucci, A.: Detecting malicious http redirections using trees of user browsing activity. In: IEEE INFOCOM 2014-IEEE Conference on Computer Communications, pp. 1159–1167. IEEE (2014)

    Google Scholar 

  19. Nikiforakis, N., et al.: You are what you include: large-scale evaluation of remote javascript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 736–747 (2012)

    Google Scholar 

  20. Nikiforakis, N., Van Acker, S., Meert, W., Desmet, L., Piessens, F., Joosen, W.: Bitsquatting: exploiting bit-flips for fun, or profit? In: Proceedings of the 22nd International Conference on World Wide Web, pp. 989–998 (2013)

    Google Scholar 

  21. Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: Proceedings of the Internet Measurement Conference 2018, pp. 478–493 (2018)

    Google Scholar 

  22. Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., Kanich, C.: The long “taile” of typosquatting domain names. In: 23rd \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2014), pp. 191–206 (2014)

    Google Scholar 

  23. Tian, K., Jan, S.T., Hu, H., Yao, D., Wang, G.: Needle in a haystack: tracking down elite phishing domains in the wild. In: Proceedings of the Internet Measurement Conference 2018, pp. 429–442 (2018)

    Google Scholar 

  24. Vissers, T., Joosen, W., Nikiforakis, N.: Parking sensors: analyzing and detecting parked domains. In: Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS 2015), pp. 53–53. Internet Society (2015)

    Google Scholar 

  25. Wang, D.Y., Savage, S., Voelker, G.M.: Cloak and dagger: dynamics of web search cloaking. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 477–490 (2011)

    Google Scholar 

  26. Yang, G., Huang, J., Gu, G.: Iframes/popups are dangerous in mobile webview: studying and mitigating differential context vulnerabilities. In: 28th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2019), pp. 977–994 (2019)

    Google Scholar 

  27. Zeng, Y., Zang, T., Zhang, Y., Chen, X., Wang, Y.: A comprehensive measurement study of domain-squatting abuse. In: ICC 2019–2019 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2019)

    Google Scholar 

  28. Zhou, Y., Evans, D.: Understanding and monitoring embedded web scripts. In: 2015 IEEE Symposium on Security and Privacy, pp. 850–865. IEEE (2015)

    Google Scholar 

Download references

Acknowledgment

We thank the anonymous reviewers for their comments on this paper. We would also like to thank Ignacio Castro for shepherding this paper. This work was partially supported by the National Key Research and Development Program of China under grant No. 2016QY05X1002 and the Strategic Priority Research Program of Chinese Academy of Sciences under grant No. XDC02030100.

Author information

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Yuwei Zeng, Xunxun Chen & Tianning Zang

  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Yuwei Zeng & Tianning Zang

  3. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China

    Xunxun Chen

  4. Jilin University, Changchun, China

    Haiwei Tsang

Authors
  1. Yuwei Zeng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Xunxun Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tianning Zang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Haiwei Tsang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tianning Zang .

Editor information

Editors and Affiliations

  1. Brandenburg University of Technology (BTU), Cottbus, Germany

    Oliver Hohlfeld

  2. Telefonica Research, Barcelona, Spain

    Andra Lutu

  3. Iribe Center, University of Maryland, College Park, MD, USA

    Dave Levin

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zeng, Y., Chen, X., Zang, T., Tsang, H. (2021). Winding Path: Characterizing the Malicious Redirection in Squatting Domain Names. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science(), vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-72582-2_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation