Digging Deeper: An Analysis of Domain Impersonation in the Lower DNS Hierarchy

  • Conference paper
  • Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2021)

Abstract

Attackers use various techniques to lure victims to malicious domains. A typical approach is to generate domains that look similar to well-known ones so that a confused victim is tricked into visiting the domain. An important attack technique in practice is the impersonation of domains in the lower DNS hierarchy: the well-known domain appears as a subdomain of an otherwise unsuspicious-looking domain, such as paypal.com.foo.example.com.

In this paper, we present an in-depth, empirical measurement study of low-level domain impersonations to understand their prevalence and provide a basis for the development of corresponding countermeasures. We introduce a generic measurement approach to find and analyze such domains in phishing feeds from three large anti-phishing vendors (PhishLabs, Phishtank, and OpenPhish) covering multiple years and in a data set consisting of one and a half years of certificate transparency logs (CTL). In our measurement study, we discovered more than 122,000 cases of domain impersonation detected during the last seven years in PhishLabs, almost 3,000 in Phishtank, and a couple of hundred instances in OpenPhish. Additionally, we compared the usage of low-level domain impersonation with other well-known domain squatting techniques and found that low-level domain impersonation is among the most popular squatting techniques in the wild.
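As an added illustration (not code from the paper or its authors), the following Python sketches the core check behind the measurement approach described above: split a hostname into its registrable domain and its subdomain labels, then flag hostnames whose subdomain labels contain a well-known domain as a contiguous label sequence. The public-suffix set, the target list and the feed entries are small constructed stand-ins; a real deployment would substitute the Public Suffix List, a top-sites ranking and the actual phishing-feed or CT-log hostnames.

```python
"""Detect lower-DNS-hierarchy impersonation: a well-known domain embedded as
subdomain labels of an unrelated registrable domain, e.g. paypal.com.foo.example.com."""
from urllib.parse import urlsplit

# Constructed, minimal stand-ins (assumption): a real pipeline would load the
# Public Suffix List and a top-sites ranking into these two sets.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}
TARGET_DOMAINS = {"paypal.com", "google.com", "apple.com", "amazon.co.uk"}


def registrable_domain(host):
    """Split host into (subdomain_labels, registrable_domain) using the longest
    matching public suffix. Returns ([], host) when no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):          # longest suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):])
    return [], host.lower()


def find_impersonation(host):
    """Return the impersonated target if the subdomain labels of host contain a
    target domain as a contiguous label sequence, else None. Hostnames whose
    registrable domain *is* a target (www.paypal.com) are legitimate, not hits."""
    sub, reg = registrable_domain(host)
    if reg in TARGET_DOMAINS:
        return None
    for i in range(len(sub)):
        for j in range(i + 1, len(sub) + 1):
            candidate = ".".join(sub[i:j])
            if candidate in TARGET_DOMAINS:
                return candidate
    return None


def scan_feed(urls):
    """Map each feed URL to the target it impersonates (URLs without a hit are omitted)."""
    hits = {}
    for url in urls:
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        target = find_impersonation(host)
        if target:
            hits[url] = target
    return hits


SAMPLE_FEED = [  # constructed sample entries, not taken from the paper's data sets
    "http://paypal.com.foo.example.com/login",
    "https://secure.apple.com.verify-id.example.net/",
    "https://www.paypal.com/signin",                    # legitimate, no hit
    "http://amazon.co.uk.account.example.co.uk/",
    "http://paypa1.com/",                               # typosquat, a different technique
]
```

Typosquatting or homograph variants (the last feed entry) deliberately fall outside this check; they are the other squatting techniques the paper compares against.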



Author information

Correspondence to Florian Quinkert.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Quinkert, F., Tatang, D., Holz, T. (2021). Digging Deeper: An Analysis of Domain Impersonation in the Lower DNS Hierarchy. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_4

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9