Ten years of attacks on companies using visual impersonation of domain names

We identify over a quarter of a million domains used by medium and large companies within the .com registry. We find that for around 7% of these companies, very similar domain names have been registered with character changes that are intended to be indistinguishable at a casual glance. These domains would be suitable for use in Business Email Compromise frauds. Using historical registration and name server data, we identify the timing, rate, and movement of these look-alike domains over a ten-year period. This allows us to identify clusters of registrations that are quite clearly malicious and to show how the criminals have moved their activity over time in response to countermeasures. Although the malicious activity peaked in 2016, there is still sufficient ongoing activity to cause concern.
