
Be the Phisher -- Understanding Users' Perception of Malicious Domains

Published: 05 October 2020

Abstract

Attackers use various domain squatting techniques to convince users that their services are legitimate. Previous work has shown that methods like typosquatting, where single characters are removed or duplicated, can successfully deceive users.
In this paper, we present a study that evaluates how well participants distinguish malicious from benign domains before and after they have learned and applied domain squatting techniques themselves. In a multi-part survey, 288 participants create 2,880 malicious domains based on common domain squatting techniques and rate both domains created by other participants and real-world phishing domains in terms of how convincing they are. Our key results show that participants have difficulty identifying legitimate domains as benign if these include unusual top-level domains, additional terms, or subdomains. Moreover, participants rated domains created by other participants higher than real-world phishing domains. Overall, we find that participants are more sceptical of domains, and flag more benign domains as malicious, if the domains contain domain squatting characteristics, once they have gained practical experience creating phishing domains themselves. In particular, the proportion of falsely classified domains that were actually benign increased from 33.7% to 46.6% after our training. Our results show that training users to act as an adversary can help to increase the effectiveness of security training. In addition, we recommend that online services do not create domains that make use of common domain squatting techniques, to reduce confusion for users.
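As an added example (not code from the paper), the following Python heuristic flags the squatting characteristics the abstract names for a candidate domain relative to a known brand: one character removed or duplicated, an unusual TLD, an additional term next to the brand, or the brand placed in a subdomain of another registered domain. The brand name, its TLD and the sample domains are constructed, and the TLD split takes only the last label and ignores the public-suffix list, which is an assumption made for brevity.

```python
# Added example, not code from the paper. Brand, TLD and sample domains are
# constructed; the TLD split takes only the last label and ignores the
# public-suffix list (an assumption made for brevity).

def typo_variants(name: str) -> set:
    """Names with one character removed or one character duplicated."""
    deletions = {name[:i] + name[i + 1:] for i in range(len(name))}
    duplications = {name[:i] + name[i] + name[i:] for i in range(len(name))}
    return deletions | duplications

def squatting_features(domain: str, brand: str, brand_tld: str) -> list:
    """Squatting characteristics `domain` shows relative to `brand`.

    Categories follow the abstract: a typo (one char removed/duplicated),
    an unusual TLD, an additional term next to the brand, and the brand
    used as a subdomain label of a different registered domain.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return ["malformed"]
    tld, registered, subdomains = labels[-1], labels[-2], labels[:-2]
    features = []
    if registered in typo_variants(brand):
        features.append("typo")
    elif registered == brand:
        if tld != brand_tld:
            features.append("unusual-tld")
    elif brand in registered:
        features.append("additional-term")
    if registered != brand and any(brand in s for s in subdomains):
        features.append("brand-in-subdomain")
    return features

# Constructed sample domains with the characteristic each should trigger.
SAMPLES = {
    "examplebank.com": [],
    "www.examplebank.com": [],
    "exampebank.com": ["typo"],
    "exampleebank.com": ["typo"],
    "examplebank.xyz": ["unusual-tld"],
    "examplebank-login.com": ["additional-term"],
    "examplebank.com.account-verify.net": ["brand-in-subdomain"],
}

if __name__ == "__main__":
    for domain, expected in SAMPLES.items():
        assert squatting_features(domain, "examplebank", "com") == expected
```

As the paper's false-positive figures show, a legitimate service may exhibit these same characteristics, so the output is an awareness cue for a user or analyst rather than a verdict.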

Published In

ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
October 2020
957 pages
ISBN:9781450367509
DOI:10.1145/3320269

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. domains
  2. phishing
  3. user-study

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
