Cybersecurity“Combosquatting” attacks, hiding in plain sight, trick computer users

Published 6 November 2017

To guard against unknowingly visiting malicious websites, computer users have been taught to double-check website URLs before they click on a link. But attackers are now taking advantage of that practice to trick users into visiting website domains that contain familiar trademarks — but with additional words that change the destination to an attack site. The attack strategy, known as combosquatting, is a growing threat, with millions of such domains set up for malicious purposes.

To guard against unknowingly visiting malicious websites, computer users have been taught to double-check website URLs before they click on a link. But attackers are now taking advantage of that practice to trick users into visiting website domains that contain familiar trademarks — but with additional words that change the destination to an attack site.

For example, attackers might register www.familiarbankname-security[.]com or www.security-familiarbankname[.]com. Unwary users see the familiar bank name in the URL, but the additional hyphenated word means the destination is very different from what was expected. The result could be counterfeit merchandise, stolen credentials, a malware infection – or another computer conscripted into a botnet attack.

The attack strategy, known as combosquatting, is a growing threat, with millions of such domains set up for malicious purposes, according to a new study presented 31 October at the 2017 ACM Conference on Computer and Communications Security (CCS). 

“This is a tactic that the adversaries are using more and more because they have seen that it works,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This attack is hiding in plain sight, but many people aren’t computer-savvy enough to notice the difference in the URLs containing familiar trademarked names.”

Georgia Tech says that researchers from Georgia Tech and Stony Brook University conducted the study, which is believed to be the first large-scale, empirical study of combosquatting. The work was supported by U.S. Department of Defense agencies, the National Science Foundation and the U.S. Department of Commerce.

Combosquatting differs from its better-known relative, typosquatting, in which adversaries register variations of URLs that users are likely to type incorrectly. Combosquatting domains don’t depend on victims making typing errors, but instead provide malicious links embedded in emails, web advertising or the results of web searches. Combosquatting attackers often combine the trademarked name with a term designed to convey a sense of urgency to encourage victims to click on what appears at first glance to be a legitimate link.

“We have seen combosquatting used in virtually every kind of cyberattack that we know of, from drive-by downloads to phishing attacks by nation-states,” said Panagiotis Kintis, a Georgia Tech graduate research assistant who is the first author of the study. “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false