Abstract
Attackers use various techniques to lure victims to malicious domains. A typical approach is to generate domains which look similar to well-known ones so that a confused victim is tricked into visiting the domain. An important attack technique in practice is the impersonation of domains in the lower DNS hierarchy as subdomains of otherwise unsuspicious-looking domains, such as paypal.com.foo.example.com.
In this paper, we present an in-depth, empirical measurement study of low-level domain impersonations to understand their prevalence and provide a basis for the development of corresponding countermeasures. We introduce a generic measurement approach to find and analyze such domains in phishing feeds from three large anti-phishing vendors (PhishLabs, Phishtank, and OpenPhish) covering multiple years and a data set consisting of one and a half years of certificate transparency logs (CTL). In our measurement study, we discovered more than 122,000 cases of domain impersonations detected during the last seven years in PhishLabs, almost 3,000 in Phishtank, and a couple of hundred instances in OpenPhish. Additionally, we compared the usage of low-level domain impersonation with other well-known domain squatting techniques and found that low-level domain impersonation is among the most popular squatting techniques in the wild.
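A defender-side check for the pattern the abstract describes (a well-known domain embedded as subdomain labels of an unrelated registrable domain), added here as an illustration and not the paper's measurement code; the public-suffix list, the set of well-known domains and the feed entries are constructed samples, and a real deployment would use the full public suffix list.

```python
"""Flag low-level domain impersonation such as paypal.com.foo.example.com.

Added example, not the paper's code. Suffix, brand and feed data are constructed.
"""
from urllib.parse import urlsplit

# Constructed, shortened stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br"}

# Constructed sample of well-known domains whose impersonation we look for.
KNOWN_DOMAINS = {"paypal.com", "google.com", "bankofamerica.com"}

# Constructed feed entries in the mixed URL/hostname shape phishing feeds and CT logs use.
SAMPLE_FEED = [
    "http://www.paypal.com.login-verify.example.net/index.php",
    "https://login.paypal.com/signin",               # legitimate subdomain
    "*.google.com.cdn.example.org",                  # CT wildcard entry
    "http://secure-bankofamerica.com.example.com/",  # hyphenated, not label-level
    "example.com",
]


def split_registrable(fqdn: str):
    """Return (subdomain_labels, registrable_domain) using the longest suffix match."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":  # strip the wildcard label of CT log entries
        labels = labels[1:]
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i >= 1:
            return labels[: i - 1], ".".join(labels[i - 1:])
    return [], fqdn


def find_impersonation(fqdn: str):
    """Return the known domain whose labels appear contiguously in the subdomain
    part, else None. The registrable domain itself is never flagged, so both
    paypal.com and login.paypal.com are treated as legitimate."""
    sub, reg = split_registrable(fqdn)
    if reg in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        k = known.split(".")
        for i in range(len(sub) - len(k) + 1):
            if sub[i: i + len(k)] == k:
                return known
    return None


def scan_feed(entries):
    """Map each feed hostname that embeds a known domain to the domain it impersonates."""
    hits = {}
    for entry in entries:
        host = urlsplit(entry if "://" in entry else "//" + entry).hostname
        known = find_impersonation(host) if host else None
        if known:
            hits[host] = known
    return hits
```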
© 2021 Springer Nature Switzerland AG
Cite this paper
Quinkert, F., Tatang, D., Holz, T. (2021). Digging Deeper: An Analysis of Domain Impersonation in the Lower DNS Hierarchy. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_4
DOI: https://doi.org/10.1007/978-3-030-80825-9_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80824-2
Online ISBN: 978-3-030-80825-9
eBook Packages: Computer Science (R0)