“Combosquatting” attacks, hiding in plain sight, trick computer users

sense of comfort with it.”

For their study, the researchers began with the 500 most popular trademarked domain names in the United States, and excluded certain combinations made up of common words. They separated the domains into 20 categories, then added two additional domains: one for politics – the study was done before the 2016 election – and another for energy. 

With the resulting 268 trademark-containing URLs, they set out to find domain names that incorporated the trademarked name with additional words added at the start or end. They searched through six years of active and passive domain name system (DNS) requests – more than 468 billion records – provided by one of the largest internet service providers in North America.

“The result was mind-blowing,” said Kintis. “We found orders of magnitude more combosquatting domains than typosquatting domains, for instance. The space for combosquatting is almost infinite because attackers can register as many domains as they want with any variation that they want. In some cases, registering a domain can cost less than a dollar.”

In the six-year data set, the researchers found 2.7 million combosquatting domains for the 268 popular trademarks alone, and the combosquatting domains were 100 times more prevalent than typosquatting domains. The combosquatting attacks appear to be challenging to combat, with nearly 60 percent of the abusive domains in operation for more than 1,000 days – almost three years. And the number of combosquatting domains registered grew every year between 2011 and 2016.

Among the malicious domains, the researchers discovered some that had previously been registered by legitimate companies which had combined words with their trademarks. For some reason, those companies permitted the registrations to lapse, allowing the trademark-containing domain names – which once led to legitimate sites – to be taken over by combosquatting attackers. 

In many cases, malicious domains were re-registered multiple times after they had expired, suggesting an improvement in “internet hygiene” may be needed to address this threat.

“Imagine what happens in a city when the garbage isn’t picked up regularly,” Antonakakis said. “The garbage builds up and you have diseases develop. Nobody collects the garbage domains on the internet, because it’s nobody’s job. But there should be an organization that would collect these malicious domains so they cannot be reused to infect people.”

More stringent anti-fraud screening of persons registering domains would also help, he added. “We don’t want to prevent legitimate users from getting onto the internet, but there are warning signs of potential fraud that registrars could detect.”

What can be done by ordinary computer users and the organizations where they work? 

“Users unfortunately have to be better educated than they are now,” Antonakakis said. “Organizations can provide training in the on-boarding process that takes place for new employees, and they can protect their network perimeters to prevent users from being exposed to known combosquatting domains. More needs to be done to address this growing cybersecurity problem.”

In addition to those already mentioned, the research included Najmeh Miramirkhani and Nick Nikiforakis from Stony Brook University; Charles Lever, Yizheng Chen and Rosa Romero-Gómez from Georgia Tech, and Nikolaos Pitropakis from London South Bank University.

— Read more in Panagiotis Kintis et al., “Hiding in Plain Sight:A Longitudinal Study of Combosquatting Abuse” (paper presented at the 2017 ACM Conference on Computer and Communications Security [CCS], 31 October 2017); and the accompanying presentation slides