Panning for gold.com: Understanding the Dynamics of Domain Dropcatching

An event that is rarely considered by technical users and laymen alike is that of a domain name expiration. The massive growth in the registration of domain names is matched by massive numbers of domain expirations, after which domains are made available for registration again. While the vast majority of expiring domains are of no value, among the hundreds of thousands of daily expirations, there exist domains that are clearly valuable, either because of their lexical composition, or because of their residual trust. In this paper, we investigate the dynamics of domain dropcatching, where companies, on behalf of users, compete to register the most desirable domains as soon as they are made available and then auction them off to the highest bidder. Using a data-driven approach, we monitor the expiration of 28 million domains over the period of nine months, collecting domain features, WHOIS records, and crawling the registered domains on a regular basis to uncover the purpose for which they were re-registered (caught). Among other findings, we observe that, on average, only 10% of the expired (dropped) domains are caught, with the vast majority of the re-registrations happening on the day they are released. We investigate the features that make some domains more likely to be caught than others and discover that a domain that was malicious at the time of its expiration is twice as likely to be caught as the average domain. Moreover, previously-malicious domains are significantly more likely to be reused for malicious purposes than previously benign domains. We identify three types of users who are interested in purchasing dropped domains, ranging from freelancers who purchase one or two domains to professionals who invest more than $115K purchasing dropped domains in only three months. Finally, we observe that less than 11% were used to host web content, with the remaining domains used either by speculators or by malicious actors.
