Kromtech Security Cybersquatting and Typosquatting Research
Cybersquatting and typosquatting both pose serious risks to your organization and may affect your organization's reputation, income, intellectual property, trade secrets, and security.
Cybersquatting is generally defined as registering a domain using a trademark in bad faith, usually with the intent to make a profit from either ad revenue, the intent of selling the domain to the trademark owner, or possibly more malicious intent.
Typosquatting is a form of cybersquatting where someone has registered a domain that they know will be a common typo. Typosquatting is always done with malicious intent and usually for Phishing.
Why did we do this?
This is definitely not a new subject. So in considering this and the fact that there has been so much discussion on it from so many various sources throughout the years, our team at Kromtech Security decided to see just how many organizations are taking this old threat seriously. What we found came as a real surprise to us, it is still not taken seriously by the majority.
How was the research conducted?
We employed custom scripts along with DNSTwist, a readily available Python script for the purpose of generating permutations of popular domain names, to gather our results. For the data we used lists of popular domains, sites, and social networks from Moz500, Fortune 1000 (2012), Quantcast Top 50 (US), and Majestic Million (Top 10k). Then we filtered and visualized the results.
These similar domains (here using facebook.com as an example) were tested using our scripts along with DNSTwist and fuzzers (generators) for the following variations:
We found similar domains in all these variations throughout our research using each of the data lists.
Figure 1. This figure shows the percentage of each variation of the similar domains found using the Moz500 list.
It was interesting to see which variations were the largest slices of the pie. While all variations need to be considered, these variations should receive the primary focus when your organization is registering similar domains.
Figure 2. Total quantity of scanned domains.
As you can see, we scanned a lot of domains.
Next, we filtered the results to classify the percentage of these similar domains that were legitimate domains, the percentage that were registered but down, the percentage that were mostly parked domains, domains for sale, or domains full of advertisements (which we labeled in total as Other), and the percentage of “potentially malicious” domains.
Figure 3. This figure shows the percentage of each classification using the Moz500 list.
Focusing on the “Potentially Malicious” section, we'd like to note that this section consists of registered domains where we could not find a link to the original domain and the registered domain contained at least one phishing hit from VirusTotal. While this does not guarantee that it is malicious, we consider it a fairly good indicator that it may be.
Now 3.6% looks small in the chart above, but please remember that this is just one list, it is a very large quantity when combined with the total volume of domains that we scanned using all of the data lists and variations. We were amazed to find this, we were also very surprised to find the gray are labeled “Other” to be so large, after all, this is not a new topic, there should not be this many.
So we dug deeper, we wanted to find out next just how many similar domains to existing domains that were still available for anyone to register and use to host ads, phishing sites, or anything that someone can think of to profit off an existing trademark. We found quite a number of these similar domains still available.
Figure 4. Quantity of generated similar domains per original domain
So given such a large number of generated similar domain names, we wondered how many domain owners, if any, were actually taking this old threat seriously. We did find that some are, but they are definitely in the minority.
Figure 5. This chart shows similar domains registered by the original domain owner (top 30)
All we did here was test to see if the similar domain registered by the original domain owner redirected to the original domain, we did not test to see if it was to protect against typosquatting or for Black Hat SEO. You can see from this chart that the drop just in the top 30 is quite significant, especially considering that we scanned hundreds of thousands of similar domain names.
What did we learn?
We found ourselves completely shocked. So many organizations are not taking this old threat seriously. There have been countless research papers and articles on this very subject spanning years. It has been made very clear that this type of activity exists. It's been repeatedly demonstrated how someone can use this type of attack to steal logins and passwords through typosquatted redirects, trick users into sending sensitive documents via phishing, profit off the good name of an existing trademark, steal customers, perform social engineering, and compromise systems. So why is this still not taken seriously by so many? Is it ignorance or apathy? We don't have the answer to this, but we do hope that this research shows the extent of the still existing threat and sheds even more light on the risk organizations are taking by ignoring it.
What can you do about it?
How to help protect your employees from falling prey to phishing via typosquatting:
In the US, you can file a lawsuit against a cybersquatter under the Anticybersquatting Consumer Protection Act (ACPA), found at 15 U.S.C. § 1125(d). The ACPA allows you to file in federal court to obtain a court order forcing the squatter to transfer the domain name to you. You may even be able to get additional damages awarded (up to $100,000).
In order to prevail, you must present proof that the squatter had a bad faith intent to profit from your business, that your registered trademark was distinctive at the at the time the squatter registered it, and that it is either identical or similar enough to be confusing.
Use the international arbitration system created by the Internet Corporation of Assigned Names and Numbers (ICANN) titled Uniform Domain-Name Dispute-Resolution Policy.
If you can show through proper arbitration that the domain name is identical or similar enough to be confusing to your registered trademark or service mark, that the current domain owner does not have any rights or legitimate interests in that domain name, and that it is being used in bad faith, the domain name will be canceled or transferred to you. However, ICANN does not have a process to provide additional remedies, such as damages awarded.
How can Kromtech Security help?
First, we hope our research here helps the most and awakens those who have been sleeping through this threat. Beyond that, we do provide consulting for specific companies and you can also download our tools to help secure your organization:
Interesting Cases: Facebook.com, Whatsapp.com, Office.com, Googleusercontent.com, Teamviewer.com
Figure 6. This chart compares facebook.com, whatsapp.com, teamviewer.com, office.com, and googleusercontent.com.
As you can see, Facebook.com is highly targeted, with a fair amount of typosquatted and potentially malicious domains. Teamviewer.com appears to be the most proactive of this group.
Figure 7. Comparing facebook.com to whatsapp.com we can see that both are being highly targeted with potentially malicious similar domains.
Figure 8. This chart shows that Microsoft Office 365 does not take cybersquatting or typosquatting that seriously. We expected a lot more from Microsoft, especially with a flagship product.
Figure 9. googleusercontent.com is Googles cloud service. We expected a little more of a proactive approach from Google.
Figure 10. This chart shows that teamviewer.com, which provides remote desktop access, has taken typosquatting somewhat seriously.
Figure 11. An example of a parked domain
Other reference cases
Credit Karma wins:
Charter Communications loses:
O2 Worldwide Limited loses:
Donald Trump wins:
Tom Cruise wins:
Bruce Springsteen loses:
Kevin Spacey loses:
WIPO UDRP Domain Name Decisions (gTLD) for all years:
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org