“Combosquatting”, while not new, is becoming one of the latest tools of the trade for criminals seeking to deceive internet users. The practice, identified around a decade ago, exploits the fact that internet users are increasingly encouraged to check the domain name in a web address before clicking on a link. Criminals register domain names that contain familiar trademarks combined with additional words; the unsuspecting user clicks a link, often in a phishing email, and is taken to a website that sells counterfeit goods, harvests personal and financial information or installs malware.
In what is believed to be the first large-scale, empirical study of combosquatting, researchers from Georgia Tech and Stony Brook University in the U.S., supported by U.S. Department of Defense agencies, the National Science Foundation and the U.S. Department of Commerce, explained how attackers might register domain names such as familiarbankname-security.com or security-familiarbankname.com. Unwary users see the familiar bank name in the URL or web address, but the additional hyphenated word means the destination is very different from what was expected. The result could be a website selling counterfeit merchandise, stealing credentials, infecting the user’s computer with malware or conscripting that computer into a botnet.
The attack strategy, known as combosquatting, is a growing threat, with millions of such domains set up for malicious purposes, according to a new study presented in late October at the 2017 ACM Conference on Computer and Communications Security (CCS).
“This is a tactic that the adversaries are using more and more because they have seen that it works,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This attack is hiding in plain sight, but many people aren’t computer-savvy enough to notice the difference in the URLs containing familiar trademarked names.”
Combosquatting differs from its better-known relative, typosquatting, in which adversaries register variations of URLs that users are likely to type incorrectly. Combosquatting domains don’t depend on victims making typing errors, but instead provide malicious links embedded in emails, web advertising or the results of web searches. Combosquatting attackers often combine the trademarked name with a term designed to convey a sense of urgency to encourage victims to click on what appears at first glance to be a legitimate link.
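As an added illustration, not code from the study or from this article, the following Python classifier applies the distinction drawn above: a domain whose registrable label contains an intact trademark plus extra characters is flagged as combosquatting, while a label one edit away from the trademark is treated as typosquatting. The trademark list and sample domains are constructed, and the two-part public-suffix handling is a simplifying assumption in place of a full public-suffix list.

```python
# Constructed trademark list and sample domains (hypothetical, not the study's data).
TRADEMARKS = ["examplebank", "shopmart"]

SAMPLE_DOMAINS = [
    "examplebank.com",            # the genuine domain
    "examplebank-security.com",   # trademark + extra word (combosquatting)
    "security-examplebank.com",   # extra word + trademark (combosquatting)
    "login.examplebank.co.uk",    # subdomain of a genuine registrable domain
    "exanplebank.com",            # one-character error (typosquatting)
    "weather.example",            # unrelated
]

def edit_distance(a, b):
    """Levenshtein distance, used to separate typosquatting from combosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label of a domain. Assumption: two-part suffixes such as
    co.uk are recognised by a small fixed set rather than a public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    two_part = {"co", "com", "net", "org", "ac", "gov"}
    if len(labels) >= 3 and labels[-2] in two_part and len(labels[-1]) == 2:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify(domain, trademarks=TRADEMARKS):
    """Return (verdict, matched trademark or None) for one domain."""
    label = registrable_label(domain)
    for tm in trademarks:
        if label == tm:
            return ("legitimate", tm)
        if tm in label:
            # Trademark intact but combined with other characters: the
            # combosquatting pattern (trademark-security, securitytrademark, ...).
            return ("combosquatting", tm)
        if edit_distance(label, tm) == 1:
            # Trademark altered by a single edit: typosquatting instead.
            return ("typosquatting", tm)
    return ("unrelated", None)

def scan(domains=SAMPLE_DOMAINS, trademarks=TRADEMARKS):
    """Classify a batch of observed domains, e.g. from passive DNS or mail logs."""
    return {d: classify(d, trademarks) for d in domains}
```

Substring matching on very short trademarks will produce false positives (a three-letter mark occurs inside many ordinary words), so in practice the list is restricted to distinctive marks or the match is required to start or end on a hyphen or label boundary.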
In the six-year data set, the researchers found 2.7 million combosquatting domains for the 268 popular trademarks alone, and the combosquatting domains were 100 times more prevalent than typosquatting domains. The combosquatting attacks appear to be challenging to combat, with nearly 60 percent of the abusive domains in operation for more than 1,000 days – almost three years. And the number of combosquatting domains registered grew every year between 2011 and 2016.
Among the malicious domains, the researchers discovered some that had previously been registered by legitimate companies which had combined words with their trademarks. For some reason, those companies permitted the registrations to lapse, allowing the trademark-containing domain names – which once led to legitimate sites – to be taken over by combosquatting attackers.
In many cases, malicious domains were re-registered multiple times after they had expired, suggesting an improvement in “internet hygiene” may be needed to address this threat.