Kromtech Security Cybersquatting Research
Kromtech Security Center found that almost 6,800 out of 19,411 active domains squatting on the top 500 most visited domains contain malicious content.
An accidental visit to one of these sites may cause the loss of any personally identifiable information stored in your browser, the interception of your credentials as you type them, the installation of malicious software, silent spying on your Internet activity, and possibly the compromise of your computer, phone, tablet, or other Internet-connected device.
Cybersquatting is a real threat for the Internet's Average Joe.
This research concentrates on users and their risk on the World Wide Web. The patterns described here show the dark side of squatted domains, which cause disruptions, stolen data, malware, unwanted programs, unwanted pop-ups, and more.
We are going to explain here why it's so important for regular users to be aware of the threats related to cybersquatting, showing how vast a threat cybersquatting represents, how to detect it, and how to defend against it as best you currently can. This is our second article about cybersquatting; our first was more corporate-focused, and you can find it here.
Can you spot the differences between these links? Which one looks legitimate to you? Could you pick the right one on your phone? Please don't try to type them into your browser.
Correct answer: none of them are legitimate.
Looking at the links above, you'll probably only see facebook.com as the link name, but the actual embedded hyperlink may contain the cybersquatted domain name, which can forward you to a potentially malicious site. Why didn't you see anything suspicious? Because the font used is confusing.
The example below shows how malicious links which forward to cybersquatted domains might be hidden behind the correct domain name label.
You can see that the link looks like facebook.com, but there is a slight variation in the "c" in the embedded hyperlink. Would you have checked and noticed? How about on your phone or tablet?
From our previous article about cybersquatting, and according to the United States Anticybersquatting Consumer Protection Act, here are the main attributes of a squatted domain:
Our previous article contains a lot of information on how to defend against cybersquatting as a company, but here we're going to talk more about how it affects you as an everyday user of the Internet, since your everyday Internet routine can lead you to scam hyperlinks, which can subject you to attack.
The short answer is no, not easily.
You can fall victim if:
There is major concern about the large number of users that are intercepted by these links. The security community certainly isn't sleeping on this issue: on April 4, 2018, Matthew Chambers released an article on krebsonsecurity.com which gave us some insight into the quantity of mistyped traffic on some “.cm” domains (a common typo for domains that typically end with “.com”).
Matthew's results were gathered from 155 domains, with traffic from search engine robots filtered out. Everyone was shocked to see nearly 12 million visits from people mistyping “.com” during just three months, from January to March 2018. That is almost 50 million visits per year.
This made us wonder how much of this was malicious to us, so we decided to find out. We can't even imagine how much traffic would be captured across the scope of our research, so we'll show it only for particular cases.
Our Cybersquatting Research Scope
We processed and analyzed the latest Moz top 500 most visited websites to determine how many available permutations we could find for similar domain names.
We found quite a number of active similar domains for each. In Figure 1 you can see the count of active similar domains for the Top 500 most visited resources. Each star represents a company and the number of similar domains already registered for them.
Figure 1. Quantity of similar registered domains found per original domain from the Top 500 most visited web pages.
As you can see, there is a wide range of similar domains currently registered, using just a portion of the total data: from just a few to 715 (hospedagemdesites.ws). Since all the data we analyzed is still only a subset of the total domains available, and depending on the length of the original domain, there are far more than this out there.
Figure 2. Cybersquatting Threat Scope 2018.
The left side of Figure 2 represents the results of our automated analysis, obtained using dnstwist along with our Python scripts. The right side of Figure 2 represents the results of our manual analysis of the data.
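The automated pass described above starts from permutations of each original domain. As an added example (not dnstwist's code and not the Kromtech scripts), the Python below generates the kinds of lookalike candidates a brand owner would want to monitor, including the ".cm" TLD typo discussed earlier, and then checks which of them resolve. The domain names and the adjacency and homoglyph tables are constructed for illustration, and the resolver is injectable so the check can run offline.

```python
"""Generate lookalike-domain candidates for a brand domain, in the spirit of
dnstwist, so a defender can check which permutations are already registered.
Added example for this article; it is not dnstwist's code nor the Kromtech
scripts, and the domain names used here are constructed."""
import socket

# QWERTY keyboard-adjacency map for common fat-finger typos (constructed subset).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Visually confusable ASCII substitutions; the "slight variation in the c" in the
# article is the same idea done with non-ASCII glyphs (constructed subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv", "c": "e"}
# TLD typos such as the ".cm" for ".com" case discussed in the article.
TLD_TYPOS = {"com": ["cm", "co", "om", "con", "comm"]}


def permutations(domain):
    """Return a set of lookalike candidates for `domain` (the original excluded)."""
    name, _, tld = domain.rpartition(".")
    out = set()
    # omission: one character dropped
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # transposition: two neighbouring characters swapped
    for i in range(len(name) - 1):
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    # repetition: one character doubled
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i]}{name[i]}{name[i + 1:]}.{tld}")
    # adjacent-key replacement and insertion
    for i, ch in enumerate(name):
        for adj in ADJACENT.get(ch, ""):
            out.add(f"{name[:i]}{adj}{name[i + 1:]}.{tld}")
            out.add(f"{name[:i]}{adj}{name[i:]}.{tld}")
    # single homoglyph substitution
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
    # hyphenation: a hyphen inserted somewhere inside the name
    for i in range(1, len(name)):
        out.add(f"{name[:i]}-{name[i:]}.{tld}")
    # TLD swap
    for t in TLD_TYPOS.get(tld, []):
        out.add(f"{name}.{t}")
    out.discard(domain)
    return out


def registered(candidates, resolver=socket.gethostbyname):
    """Return {candidate: address} for the candidates that resolve.

    A resolver can be injected so the check runs offline. Resolution is only a
    cheap first pass: a registered but parked domain may not resolve, and a live
    one may change its content later, which is why the article's manual review
    looked at final destinations."""
    live = {}
    for c in sorted(candidates):
        try:
            live[c] = resolver(c)
        except OSError:  # socket.gaierror is a subclass of OSError
            pass
    return live


if __name__ == "__main__":
    cands = permutations("facebook.com")
    print(len(cands), "candidates, e.g.", sorted(cands)[:5])
```

The candidate list is deliberately generous; the expensive part of the article's method is the manual classification of where each live candidate finally redirects, which no permutation engine can do for you.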
For our manual analysis we did a few things differently:
As you can see on the right side of Figure 2, which represents our manual analysis, we found that 71.7% were not harmful (well, to us anyway; they are probably stealing revenue from the original domain owner) and 28.3% were potentially malicious to us. That means that nearly 30% of currently active cybersquatted domains are potentially malicious to end users. That is a very large number when scaled!
It's important to note the differences between automated and manual analysis. There is a larger possibility of false positives and/or false negatives with automation; scripts cannot interpret as the human brain does. We also took a further step beyond our automation by sorting by final destinations. So we should expect our automated number to differ from what we get manually, and our manual classification should be a much more accurate representation of the threats.
It's interesting to note here that by aggregating on final destinations, we get a glimpse into the industries involved in the cybersquatting business.
An analysis of the top redirected links shows us who's using cybersquatting to steal users from mistyped or phished URLs. Figure 3 below shows the destinations for the top 35 of them based on their occurrence. We included the parameters within the URLs because without them they may behave differently (i.e. different redirects, attacks, or pages displayed). The behavior may vary depending on time zone, browser, country, and browser extensions or plugins used. We strongly recommend that you DON'T visit them with your web browser. For our manual analysis, we used Chrome and Firefox on Windows 7 and Ubuntu.
Figure 3. The top 35 redirect URLs we encountered through our manual analysis.
The #1 Redirect from active squatted domains is...a Browser Hijacker!
From our results, we find that 64 squatted domains point to searchinquire.com.
Without any parameters, we find that it opens a page which gets nearly 40,000 daily page views.
The first results displayed by Google for searchinquire show articles about removing the searchfusion browser redirect/hijacker virus. Picking one of those results, for example from 2-viruses, we can see that they are well-known for their malware.
What is a browser hijacker?
A browser hijacker is an unwanted form of software that modifies your web browser in any number of the following ways:
Looking even deeper, we can see that searchfusion.com gets almost 250,000 visits a day, most from their browser hijacker.
There are also many posts on Google+ and Facebook with no reasonable content but containing links or redirects to searchinquire and searchfusion, indicating that accounts may have been compromised via hijacked redirects, users had their credentials stolen, and their accounts were used. For additional references: https://plus.google.com/s/searchinquire.com/top
#2 and #4 in our list both lead to very mysterious pages, with redirects from 121 cybersquatted domains:
    http://sl04[.]ru/0ab943029b5d/ (60 redirects in total)
    http://000000000000000000000000000000000[.]com/South32/ (41 redirects in total)
#3 leads to media resource aol.com, 53 redirects from cybersquatted domains.
#5 leads to Shopify.com with the referral parameter “mvm” (apparently bought by 3rd-party services).
    https://www.shopify.com/?ref=mvm (40 redirects in total)
#6 leads to different domain registrars, with 160 redirects, which is 17.9% of the 900 destinations we manually checked.
Most of the domain registrars know about cybersquatting and will try to get the maximum price from the original owners or companies. The most similar domain names will cost the most; the price can vary from $10 to $20,000 per domain.
What we noticed through a more detailed analysis of cybersquatted links:
Here are some articles about the recent phishing campaigns:
We also discovered that the majority of companies that are registering the most similar domains are only doing so to avoid the following risks:
Below, in Figure 4, you can see the distribution of the total number of similar domains registered per domain vs. the similar domains registered by the original domain owner.
Figure 4. Total similar domains registered per company domain vs. similar domains registered by original domain owner.
We used the total number of similar domains registered per company domain vs the similar domains registered by the original domain owner to plot trend lines.
We discovered that the average trendline of registered similar domain names is around 15%, which shows that not many companies are taking this threat seriously. Maybe they cannot afford to do so, are ignoring the threat, or just don't know about it. In fact, most of the companies we analyzed are at the bottom of this chart: they have not registered many similar domain names.
This is a huge threat! The risks of cybersquatting are important for all sites but may be most relevant to news resources, e-commerce, banking, social media, online apps (including email), software download sites, and, frankly, any site that requests personal information or a login and password. Attackers use these cybersquatted domains to lure and entice those who mistype the real domain or were tricked into clicking a link. They are hijacking you, annoying you with popups, stealing your money and your credentials, and/or compromising your computer, phone, or tablet.
Figure 5. Percent of similar domains registered by the original domain owner.
Companies within the Moz Top 500 that appear to care the most about cybersquatted domains, though mainly for their own reasons:
Company | Area of use | Risk related to cybersquatting
Clients loss by redirects to other resources
Clients loss by redirects to other resources
Clients loss by redirects to other resources
Malicious software Phishing
WhatsApp, even being at the bottom of the graph, has somewhat avoided these risks by changing the authentication mechanism of its Web service. Now you can only enter the service by scanning the QR code from web.whatsapp.com, but users should still be properly informed of further risk mitigation:
Phishing pages still exist; here is a WhatsApp phishing page for Iranian users, where it's completely restricted:
This particular phishing page asks for a phone number. Triggering only on Iranian phone numbers, it then asks for an activation code, and finally redirects to a phone input page.
Cybersquatting cases in detail
In Figure 6 below, we have a side-by-side comparison of the current state of similar websites for Facebook and for WhatsApp.
Figure 6. Direct comparison of Facebook and WhatsApp domains.
We analyzed 278 links for Facebook and 132 links for WhatsApp. The pie charts show the classification of the links by these categories:
We found that 33.8% of the links to Facebook and 16.7% of the links to WhatsApp contain malicious content!
Because we analyzed 27,310 cybersquatted links, we've done some bonus infographics. A detailed infographic of all of them would be incomprehensible, so we made a simplified version with a few selected popular companies to give a better sense of the overall threat. See Figure 7 below, and keep in mind that it still represents only a very small minority of the total number of domains out there. Think scale!
Figure 7. Simplified standalone statistics on permutated domain cases.
Blue shows no harm, red indicates threats detected, and grey represents unwanted URLs. We only aggregated this data by:
    VirusTotal, Malicious extensions, Input forms, Mentions of official domain
    Down, Malvertising, Ads
Red and grey in Figure 7 are currently active, potentially malicious cybersquatted domains! It is even more frightening if we aggregate them using the 7 categories analyzed for Facebook and WhatsApp (think scale again):
Figure 8. Detailed standalone statistics on permutated domain cases.
Pink is malvertising, light blue is likely phishing, purple is possibly stealing credentials, red contains malicious code, dark yellow/light orange triggered on VirusTotal, charcoal are sites that are down, and green are safe (registered by the original domain owner to direct to the original domain).
Our GitHub repository with code, initial and generated datasets.
We are always looking for ways to improve our code and reduce false positives, your suggestions are most welcome on our GitHub repository.
Tools to defend yourself against cybersquatting
Cybersquatting is a very serious threat to you. It is used for various nefarious purposes including serving malicious software, phishing, malvertising, stealing your credentials, hijacking your browser, spying on your Internet activity, or more.
We noted in our previous article that companies should protect themselves by registering, at the very least, the most obvious and similar-looking domains, but there isn't much available to protect us regular users.
We must protect ourselves and be aware of this threat:
Even though popular apps or services, Gmail for example, may warn you about suspicious links in the text, you still must remain vigilant: their detection measures may not catch everything, and new vulnerabilities are frequently found.
So, no Google, we should not just be careful with the messages you detected, we should always be careful!
For example, researchers at Avanan disclosed baseStriker on May 8, 2018, a phishing methodology that affects 100M Microsoft Office365 users.
The attack is fairly simple: it gets a malicious link that would ordinarily be blocked by Microsoft past their security filters by splitting the URL into two snippets of HTML, a base tag and a regular href tag. You can check out the full post and video explanation here.
Microsoft fixed the vulnerability after 14 days.
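Both the hidden-hyperlink trick shown earlier (a label that reads facebook.com while the embedded link goes elsewhere, with a lookalike letter in the host) and the base-tag split just described are caught by the same defensive step: resolve each link to the URL the client will actually open, then compare it with what the user sees. The Python below is an added example for this article, not Avanan's, Microsoft's or Kromtech's code; the HTML message is constructed and uses reserved example domains, and the `DOMAIN_LABEL` pattern and the two findings it reports are this example's own design.

```python
"""Resolve the effective target of every hyperlink in an HTML message, honouring
a <base href> tag, and flag two things: a visible label that names one domain
while the link goes to another, and a host containing non-ASCII lookalike
letters (reported in its punycode form). Added example for this article, not
Avanan's, Microsoft's or Kromtech's code; the message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Matches a visible label that is itself a bare domain or URL, e.g. "facebook.com".
DOMAIN_LABEL = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/?$")

# Constructed sample: a relative href that only becomes a full URL through <base>,
# a genuine link, and a host with a Cyrillic "о" (U+043E) in place of the Latin "o".
SAMPLE_MAIL = """<html><head><base href="http://faceb00k.example/"></head><body>
<p>Your account needs attention: <a href="login/index.html">facebook.com</a></p>
<p>Or use <a href="https://www.facebook.com/">facebook.com</a></p>
<p>Lookalike: <a href="https://faceb\u043eok.example/">Facebook</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (label, href as written, effective URL) for each <a> element."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._label = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]      # the first <base> wins
        elif tag == "a":
            self._href, self._label = a.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # urljoin is what the mail client effectively does with <base>, so a
            # filter must inspect this URL rather than the bare href fragment.
            effective = urljoin(self.base_href or "", self._href)
            self.links.append(("".join(self._label).strip(), self._href, effective))
            self._href = None


def effective_links(html):
    """Return [(label, href_as_written, effective_url), ...] for the message."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    return p.links


def findings(links):
    """Return (effective_url, reason) for each link that deserves a closer look."""
    out = []
    for label, _, url in links:
        host = urlsplit(url).hostname or ""
        ascii_host = host.encode("idna").decode("ascii")
        if ascii_host != host:
            out.append((url, f"non-ASCII host, punycode {ascii_host}"))
        m = DOMAIN_LABEL.match(label.lower())
        if m:
            named = m.group(1)
            if not (ascii_host == named or ascii_host.endswith("." + named)):
                out.append((url, f"label says {named} but target host is {ascii_host}"))
    return out


if __name__ == "__main__":
    for url, reason in findings(effective_links(SAMPLE_MAIL)):
        print(f"{reason}: {url}")
```

The second link passes because www.facebook.com is a subdomain of the label's domain; the first is flagged even though its href alone looks harmless, which is exactly why a filter that scans href fragments without applying the base tag misses this class of message.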
There are a vast number of active, malicious links out there right now!
End users are at even more risk than companies. While products exist to help protect you, none can protect against everything. Many of the existing security products have static data sources, either without a rescan or with an inefficient rescan of the link.
You can't completely trust the results of these sites and apps, because yesterday there may have been cute kittens at that link and today you might get a phish or a Trojan from the same link.
Because of this, we cannot currently recommend a usable and simple product to avoid these squatted domains. Your antivirus can block some of them, but if the link changes its content and nobody reports it, you may still fall prey to a new phishing campaign or even catch some malware.
All of this means that it is mainly up to you to protect yourself.
Definitely use the tools currently available, do not follow links from unknown or unexpected sources, and carefully examine any link you receive before visiting it. From our research here you know that the threats you face are immense if you are not careful.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org