5 research outputs found
Large-Scale Analysis of Pop-Up Scam on Typosquatting URLs
Today, many different types of scams can be found on the internet. Online
criminals are always finding new creative ways to trick internet users, be it
in the form of lottery scams, downloading scam apps for smartphones or fake
gambling websites. This paper presents a large-scale study on one particular
delivery method of online scam: pop-up scam on typosquatting domains.
Typosquatting describes the concept of registering domains which are very
similar to existing ones while deliberately containing common typing errors;
these domains are then used to trick online users while under the belief of
browsing the intended website. Pop-up scam uses JavaScript alert boxes to
present a message which attracts the user's attention very effectively, as they
are a blocking user interface element.
Our study among typosquatting domains derived from the Alexa Top 1 Million
list revealed on 8255 distinct typosquatting URLs a total of 9857 pop-up
messages, out of which 8828 were malicious. The vast majority of those distinct
URLs (7176) were targeted and displayed pop-up messages to one specific HTTP
user agent only. Based on our scans, we present an in-depth analysis as well as
a detailed classification of different targeting parameters (user agent and
language) which triggered varying kinds of pop-up scams.Comment: 9 pages, 11 figure
PhishReplicant: A Language Model-based Approach to Detect Generated Squatting Domain Names
Domain squatting is a technique used by attackers to create domain names for
phishing sites. In recent phishing attempts, we have observed many domain names
that use multiple techniques to evade existing methods for domain squatting.
These domain names, which we call generated squatting domains (GSDs), are quite
different in appearance from legitimate domain names and do not contain brand
names, making them difficult to associate with phishing. In this paper, we
propose a system called PhishReplicant that detects GSDs by focusing on the
linguistic similarity of domain names. We analyzed newly registered and
observed domain names extracted from certificate transparency logs, passive
DNS, and DNS zone files. We detected 3,498 domain names acquired by attackers
in a four-week experiment, of which 2,821 were used for phishing sites within a
month of detection. We also confirmed that our proposed system outperformed
existing systems in both detection accuracy and number of domain names
detected. As an in-depth analysis, we examined 205k GSDs collected over 150
days and found that phishing using GSDs was distributed globally. However,
attackers intensively targeted brands in specific regions and industries. By
analyzing GSDs in real time, we can block phishing sites before or immediately
after they appear.Comment: Accepted at ACSAC 202