Typosquatting for Fun and Profit: Cross-Country Analysis of Pop-Up Scam

Keywords: phishing, typosquatting, scam, web security


Today, many different types of scams can be found on the internet. Online criminals are always finding new creative ways to trick internet users, be it in the form of lottery scams, downloading scam apps for smartphones or fake gambling websites. This paper presents a large-scale study on one particular delivery method of online scam: pop-up scam on typosquatting domains. Typosquatting describes the concept of registering domains which are very similar to existing ones while deliberately containing common typing errors; these domains are then used to trick online users while under the belief of browsing the intended website. Pop-up scam uses JavaScript alert boxes to present a message which attracts the user’s attention very effectively, as they are a blocking user interface element.

Our study among typosquatting domains derived from the Majestic Million list utilising an Austrian IP address revealed on 1219 distinct typosquatting URLs a total of 2577 pop-up messages, out of which 1538 were malicious. Approximately a third of those distinct URLs (403) were targeted and displayed pop-up messages to one specific HTTP user agent only. Based on our scans, we present an in-depth analysis as well as a detailed classification of different targeting parameters (user agent and language) which triggered varying kinds of pop-up scams. Furthermore, we expound the differences of current pop-up scam characteristics in comparison with a previous scan performed in late 2018 and examine the use of IDN homograph attacks as well as the application of message localisation using additional scans with IP addresses from the United States and Japan.


Download data is not yet available.

Author Biographies

Tobias Dam, Institute of IT Security Research, St. Pölten University of Applied Sciences, Austria


Tobias Dam received a master’s degree in Information Security from the St. Pölten University of Applied Sciences. He is currently working as an information security researcher at the Institute of IT Security Research, who specialises in privacy, network and web security. He was the lead software & security engineer for the usable privacy project "upribox" as well as a developer of “MiningHunter”, a framework for analysing cryptojacking.

Lukas Daniel Klausner, Institute of IT Security Research, St. Pölten University of Applied Sciences, Austria


Lukas Daniel Klausner is a mathematician and computer scientist working in security, privacy, data science and science and technology studies at the St. Pölten University of Applied Sciences. He graduated sub auspiciis from TU Wien with a doctoral degree in mathematics. His current interests include critical algorithm studies, ethics and biases in algorithms, mathematical foundations of machine learning and the intersection of STEM and HASS.

Sebastian Schrittwieser, Josef Ressel Center TARGET, St. Pölten University of Applied Sciences, Austria


Sebastian Schrittwieser was awarded his doctorate at TU Wien in 2014. His dissertation revolved around the topic of code analysis and obfuscation. Since 2015, Sebastian heads the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks, which explores novel techniques for detecting and mitigating targeted attacks on IT infrastructures. He is a full-time permanent professor (FH) and scientific head of the Institute of IT Security Research at St. Pölten UAS. His main research interests are static code analysis, code obfuscation, malware detection, and digital forensics.


Sherly Abraham and InduShobha Chengalur-Smith. An Overview

of Social Engineering Malware: Trends, Tactics, and Implications.

Technol. Soc., 32(3):183–196, 2010.

Alexa Internet, Inc. Alexa Top 1,000,000 Sites. 2019.

Yao-Ping Chou, Shi-Jinn Horng, Hung-Yan Gu, Cheng-Ling Lee, Yuan-

Hsin Chen, and Yi Pan. Detecting Pop-Up Advertisement Browser

Windows Using Support Vector Machines. J. Chin. Inst. Eng.,

(7):1189–1198, 2008.

Tobias Dam, Lukas Daniel Klausner, Damjan Buhov, and Sebastian

Schrittwieser. Large-Scale Analysis of Pop-Up Scam on Typosquatting

URLs. In Proceedings of the 14th International Conference on Availability,

Reliability and Security, ARES ’19, pages 53:1–53:9, New York,

NY, United States, 2019. ACM.

Artem Dinaburg. Bitsquatting: Dns hijacking without exploitation.

(presented at BlackHat Security 2011), 2011.

Benjamin Edelman. Large-Scale Registration of Domains with Typographical

Errors. (unpublished), 2003.

Dara B. Gilwit. The Latest Cybersquatting Trend: Typosquatters, Their

Changing Tactics, and How to Prevent Public Deception and Trademark

Infringement. Wash. U. J. L. & Pol’y, 11:267–294, 2003.

Saul Hansell. As Consumers Revolt, a Rush to Block Pop-Up Online

Ads. The New York Times, page C00001, 19 Jan 2004.

Tobias Holgers, David E. Watson, and Steven D. Gribble. Cutting

Through the Confusion: A Measurement Study of Homograph Attacks.

In Proceedings of the Annual Conference on USENIX ’06 Annual

Technical Conference, Annual Tech ’06, pages 261–266, Berkeley, CA,

United States, 2006. USENIX Association.

Panagiotis Kintis, Najmeh Miramirkhani, Charles Lever, Yizheng Chen,

Rosa Romero-Gómez, Nikolaos Pitropakis, Nick Nikiforakis, and

Manos Antonakakis. Hiding in Plain Sight: A Longitudinal Study of

Combosquatting Abuse. In Proceedings of the 2017 ACM SIGSAC Conference

on Computer and Communications Security, CCS ’17, pages

–586, New York, NY, United States, 2017. ACM.

Baojun Liu, Chaoyi Lu, Zhou Li, Ying Liu, Haixin Duan, Shuang

Hao, and Zaifeng Zhang. A reexamination of internationalized domain

names: The good, the bad and the ugly. In 48th IEEE/IFIP International

Conference on Dependable Systems and Networks, DSN 2018,

pages 654–665, Washington, DC, United States, 2018. IEEE Computer


Majestic-12 Ltd. Majestic Million. 2019.

Najmeh Miramirkhani, Oleksii Starov, and Nick Nikiforakis. Dial One

for Scam: A Large-Scale Analysis of Technical Support Scams. In

th Network and Distributed System Security Symposium, NDSS 2017,

pages 1–15, Reston, VA, United States, 2016. Internet Society.

Rami M. Mohammad, T. L. McCluskey, and Fadi Abdeljaber Thabtah.

Predicting Phishing Websites Using Neural Network Trained with

Back-Propagation. In Proceedings of the 2013 World Congress in

Computer Science, Computer Engineering, and Applied Computing,

WORLDCOMP’13, pages 682–686, 2013.

Rami M. Mohammad, Fadi Abdeljaber Thabtah, and Lee McCluskey.

Predicting Phishing Websites Based on Self-Structuring Neural Network.

Neural Comput. Appl., 25(2):443–458, 2014.

Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, and

Wouter Joosen. Soundsquatting: Uncovering the Use of Homophones

in Domain Squatting. In Information Security, ISC 2014, Lecture Notes

in Computer Science 8783, pages 291–308, Cham, Switzerland, 2014.

Springer International Publishing.

Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven

Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, and

Giovanni Vigna. You Are What You Include: Large-Scale Evaluation

of Remote JavaScript Inclusions. In Proceedings of the 2012 ACM

Conference on Computer and Communications Security, CCS ’12,

pages 736–747, New York, NY, United States, 2012. ACM.

Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet,

Frank Piessens, and Wouter Joosen. Bitsquatting: Exploiting Bit-Flips

for Fun, or Profit? In Proceedings of the 22nd International Conference

on World Wide Web,WWW’13, pages 989–998, New York, NY, United

States, 2013. ACM.

Tianrui Peng, Ian Harris, and Yuki Sawa. Detecting Phishing Attacks

Using Natural Language Processing and Machine Learning. In 12th

IEEE International Conference on Semantic Computing, ICSC 2018,

pages 300–301, Washington, DC, United States, 2018. IEEE Computer


Julian Rauchberger, Sebastian Schrittwieser, Tobias Dam, Robert Luh,

Damjan Buhov, Gerhard Pötzelsberger, and Hyoungshick Kim. The

Other Side of the Coin: A Framework for Detecting and Analyzing

Web-Based Cryptocurrency Mining Campaigns. In Proceedings of the

th International Conference on Availability, Reliability and Security,

ARES 2018, pages 18:1–18:10, New York, NY, United States, 2018.


Shelly Rodgers and Esther Thorson. The Interactive Advertising Model:

How Users Perceive and Process Online Ads. J. Interact. Advert.,

(1):41–60, 2000.

Mike Schiffman. Farsight Security Global Internationalized Domain

Name Homograph Report Q2/2018. (unpublished), 2018.

David Sharek, Cameron Swofford, and Michael Wogalter. Failure to

Recognize Fake Internet PopupWarning Messages. Proc. Hum. Factors

Ergon. Soc. Annu. Meet., 52(6):557–560, 2008.

ARES 2019 workshops