Typosquatting for Fun and Profit: Cross-Country Analysis of Pop-Up Scam
DOI:
https://doi.org/10.13052/jcsm2245-1439.924Keywords:
phishing, typosquatting, scam, web securityAbstract
Today, many different types of scams can be found on the internet. Online criminals are always finding new creative ways to trick internet users, be it in the form of lottery scams, downloading scam apps for smartphones or fake gambling websites. This paper presents a large-scale study on one particular delivery method of online scam: pop-up scam on typosquatting domains. Typosquatting describes the concept of registering domains which are very similar to existing ones while deliberately containing common typing errors; these domains are then used to trick online users while under the belief of browsing the intended website. Pop-up scam uses JavaScript alert boxes to present a message which attracts the user’s attention very effectively, as they are a blocking user interface element.
Our study among typosquatting domains derived from the Majestic Million list utilising an Austrian IP address revealed on 1219 distinct typosquatting URLs a total of 2577 pop-up messages, out of which 1538 were malicious. Approximately a third of those distinct URLs (403) were targeted and displayed pop-up messages to one specific HTTP user agent only. Based on our scans, we present an in-depth analysis as well as a detailed classification of different targeting parameters (user agent and language) which triggered varying kinds of pop-up scams. Furthermore, we expound the differences of current pop-up scam characteristics in comparison with a previous scan performed in late 2018 and examine the use of IDN homograph attacks as well as the application of message localisation using additional scans with IP addresses from the United States and Japan.
Downloads
Author Biographies
Tobias Dam, Institute of IT Security Research, St. Pölten University of Applied Sciences, Austria
Tobias Dam received a master’s degree in Information Security from the St. Pölten University of Applied Sciences. He is currently working as an information security researcher at the Institute of IT Security Research, who specialises in privacy, network and web security. He was the lead software & security engineer for the usable privacy project "upribox" as well as a developer of “MiningHunter”, a framework for analysing cryptojacking.
Lukas Daniel Klausner, Institute of IT Security Research, St. Pölten University of Applied Sciences, Austria
Lukas Daniel Klausner is a mathematician and computer scientist working in security, privacy, data science and science and technology studies at the St. Pölten University of Applied Sciences. He graduated sub auspiciis from TU Wien with a doctoral degree in mathematics. His current interests include critical algorithm studies, ethics and biases in algorithms, mathematical foundations of machine learning and the intersection of STEM and HASS.
Sebastian Schrittwieser, Josef Ressel Center TARGET, St. Pölten University of Applied Sciences, Austria
Sebastian Schrittwieser was awarded his doctorate at TU Wien in 2014. His dissertation revolved around the topic of code analysis and obfuscation. Since 2015, Sebastian heads the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks, which explores novel techniques for detecting and mitigating targeted attacks on IT infrastructures. He is a full-time permanent professor (FH) and scientific head of the Institute of IT Security Research at St. Pölten UAS. His main research interests are static code analysis, code obfuscation, malware detection, and digital forensics.
References
Sherly Abraham and InduShobha Chengalur-Smith. An Overview
of Social Engineering Malware: Trends, Tactics, and Implications.
Technol. Soc., 32(3):183–196, 2010.
Alexa Internet, Inc. Alexa Top 1,000,000 Sites. 2019.
Yao-Ping Chou, Shi-Jinn Horng, Hung-Yan Gu, Cheng-Ling Lee, Yuan-
Hsin Chen, and Yi Pan. Detecting Pop-Up Advertisement Browser
Windows Using Support Vector Machines. J. Chin. Inst. Eng.,
(7):1189–1198, 2008.
Tobias Dam, Lukas Daniel Klausner, Damjan Buhov, and Sebastian
Schrittwieser. Large-Scale Analysis of Pop-Up Scam on Typosquatting
URLs. In Proceedings of the 14th International Conference on Availability,
Reliability and Security, ARES ’19, pages 53:1–53:9, New York,
NY, United States, 2019. ACM.
Artem Dinaburg. Bitsquatting: Dns hijacking without exploitation.
(presented at BlackHat Security 2011), 2011.
Benjamin Edelman. Large-Scale Registration of Domains with Typographical
Errors. (unpublished), 2003.
Dara B. Gilwit. The Latest Cybersquatting Trend: Typosquatters, Their
Changing Tactics, and How to Prevent Public Deception and Trademark
Infringement. Wash. U. J. L. & Pol’y, 11:267–294, 2003.
Saul Hansell. As Consumers Revolt, a Rush to Block Pop-Up Online
Ads. The New York Times, page C00001, 19 Jan 2004.
Tobias Holgers, David E. Watson, and Steven D. Gribble. Cutting
Through the Confusion: A Measurement Study of Homograph Attacks.
In Proceedings of the Annual Conference on USENIX ’06 Annual
Technical Conference, Annual Tech ’06, pages 261–266, Berkeley, CA,
United States, 2006. USENIX Association.
Panagiotis Kintis, Najmeh Miramirkhani, Charles Lever, Yizheng Chen,
Rosa Romero-Gómez, Nikolaos Pitropakis, Nick Nikiforakis, and
Manos Antonakakis. Hiding in Plain Sight: A Longitudinal Study of
Combosquatting Abuse. In Proceedings of the 2017 ACM SIGSAC Conference
on Computer and Communications Security, CCS ’17, pages
–586, New York, NY, United States, 2017. ACM.
Baojun Liu, Chaoyi Lu, Zhou Li, Ying Liu, Haixin Duan, Shuang
Hao, and Zaifeng Zhang. A reexamination of internationalized domain
names: The good, the bad and the ugly. In 48th IEEE/IFIP International
Conference on Dependable Systems and Networks, DSN 2018,
pages 654–665, Washington, DC, United States, 2018. IEEE Computer
Society.
Majestic-12 Ltd. Majestic Million. 2019.
Najmeh Miramirkhani, Oleksii Starov, and Nick Nikiforakis. Dial One
for Scam: A Large-Scale Analysis of Technical Support Scams. In
th Network and Distributed System Security Symposium, NDSS 2017,
pages 1–15, Reston, VA, United States, 2016. Internet Society.
Rami M. Mohammad, T. L. McCluskey, and Fadi Abdeljaber Thabtah.
Predicting Phishing Websites Using Neural Network Trained with
Back-Propagation. In Proceedings of the 2013 World Congress in
Computer Science, Computer Engineering, and Applied Computing,
WORLDCOMP’13, pages 682–686, 2013.
Rami M. Mohammad, Fadi Abdeljaber Thabtah, and Lee McCluskey.
Predicting Phishing Websites Based on Self-Structuring Neural Network.
Neural Comput. Appl., 25(2):443–458, 2014.
Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, and
Wouter Joosen. Soundsquatting: Uncovering the Use of Homophones
in Domain Squatting. In Information Security, ISC 2014, Lecture Notes
in Computer Science 8783, pages 291–308, Cham, Switzerland, 2014.
Springer International Publishing.
Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven
Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, and
Giovanni Vigna. You Are What You Include: Large-Scale Evaluation
of Remote JavaScript Inclusions. In Proceedings of the 2012 ACM
Conference on Computer and Communications Security, CCS ’12,
pages 736–747, New York, NY, United States, 2012. ACM.
Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet,
Frank Piessens, and Wouter Joosen. Bitsquatting: Exploiting Bit-Flips
for Fun, or Profit? In Proceedings of the 22nd International Conference
on World Wide Web,WWW’13, pages 989–998, New York, NY, United
States, 2013. ACM.
Tianrui Peng, Ian Harris, and Yuki Sawa. Detecting Phishing Attacks
Using Natural Language Processing and Machine Learning. In 12th
IEEE International Conference on Semantic Computing, ICSC 2018,
pages 300–301, Washington, DC, United States, 2018. IEEE Computer
Society.
Julian Rauchberger, Sebastian Schrittwieser, Tobias Dam, Robert Luh,
Damjan Buhov, Gerhard Pötzelsberger, and Hyoungshick Kim. The
Other Side of the Coin: A Framework for Detecting and Analyzing
Web-Based Cryptocurrency Mining Campaigns. In Proceedings of the
th International Conference on Availability, Reliability and Security,
ARES 2018, pages 18:1–18:10, New York, NY, United States, 2018.
ACM.
Shelly Rodgers and Esther Thorson. The Interactive Advertising Model:
How Users Perceive and Process Online Ads. J. Interact. Advert.,
(1):41–60, 2000.
Mike Schiffman. Farsight Security Global Internationalized Domain
Name Homograph Report Q2/2018. (unpublished), 2018.
David Sharek, Cameron Swofford, and Michael Wogalter. Failure to
Recognize Fake Internet PopupWarning Messages. Proc. Hum. Factors
Ergon. Soc. Annu. Meet., 52(6):557–560, 2008.
