Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse
Domain squatting is a common adversarial practice where attackers register
domain names that are purposefully similar to popular domains. In this work, we
study a specific type of domain squatting called "combosquatting," in which
attackers register domains that combine a popular trademark with one or more
phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first
large-scale, empirical study of combosquatting by analyzing more than 468
billion DNS records---collected from passive and active DNS data sources over
almost six years. We find that almost 60% of abusive combosquatting domains
live for more than 1,000 days, and even worse, we observe increased activity
associated with combosquatting year over year. Moreover, we show that
combosquatting is used to perform a spectrum of different types of abuse
including phishing, social engineering, affiliate abuse, trademark abuse, and
even advanced persistent threats. Our results suggest that combosquatting is a
real problem that requires increased scrutiny by the security community.
Comment: ACM CCS 1
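The abstract above defines a combosquat as a registrable label that carries a trademark verbatim plus one or more extra phrases, distinct from the brand's own label and from typosquats, and reports that most abusive ones survive for over 1,000 days. The following is an added example written for this page, not code from the paper: a heuristic classifier over passive-DNS-style records that separates trademark labels, combosquats and other domains, then keeps combosquats whose first-seen/last-seen span exceeds a lifetime threshold. The trademark watch-list, the toy suffix table, the record format and the sample records are all assumptions made for the illustration; production code would use the Public Suffix List and an allow-list of the brand's legitimate domains.

```python
"""Combosquatting candidate detection and lifetime check over passive-DNS-style records.

Added example, not code from the paper. The trademark list, suffix table,
record format and sample records are assumptions made for this illustration.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed watch-list; a tuple so iteration order (and results) are deterministic.
TRADEMARKS = ("facebook", "youtube", "paypal")

# Assumed toy suffix table; production code should use the Public Suffix List.
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "info", "io")


def registrable_label(domain: str) -> str:
    """Return the label directly under the public suffix, e.g. 'youtube-live'.

    Accepts defanged input ('[.]'), upper case, subdomains and a trailing dot.
    """
    d = domain.lower().replace("[.]", ".").strip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suffix):
            return d[: -len(suffix) - 1].rsplit(".", 1)[-1]
    parts = d.split(".")
    return parts[-2] if len(parts) >= 2 else d


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Classify as ('trademark', tm), ('combosquat', tm) or ('other', None).

    'trademark': the registrable label is exactly a watched trademark (the
    brand's own domain, or the same label under another suffix).
    'combosquat': the trademark appears verbatim with at least one extra
    alphanumeric character around it (betterfacebook, youtube-live).
    Typo variants such as faceb00k do not contain the trademark and fall
    through to 'other'; they are typosquats, not combosquats.
    """
    label = registrable_label(domain)
    for tm in TRADEMARKS:
        if label == tm:
            return "trademark", tm
        if tm in label and re.search(r"[a-z0-9]", label.replace(tm, "", 1)):
            return "combosquat", tm
    return "other", None


def lifetime_days(first_seen: str, last_seen: str) -> int:
    """Days between two ISO dates taken from passive DNS first/last-seen fields."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def long_lived_combosquats(records: List[Dict[str, str]],
                           threshold: int = 1000) -> List[Tuple[str, str, int]]:
    """Return (domain, trademark, lifetime_days) for combosquats seen longer than threshold."""
    hits = []
    for rec in records:
        kind, tm = classify(rec["domain"])
        if kind != "combosquat":
            continue
        days = lifetime_days(rec["first_seen"], rec["last_seen"])
        if days > threshold:
            hits.append((rec["domain"], tm, days))
    return hits


# Constructed sample records in a passive-DNS-like shape (not real data).
SAMPLE_RECORDS = [
    {"domain": "betterfacebook.com", "first_seen": "2012-03-01", "last_seen": "2016-09-15"},
    {"domain": "youtube-live.com", "first_seen": "2017-01-10", "last_seen": "2017-06-10"},
    {"domain": "faceb00k.com", "first_seen": "2015-01-01", "last_seen": "2019-01-01"},
    {"domain": "www.facebook.com", "first_seen": "2010-01-01", "last_seen": "2019-01-01"},
    {"domain": "secure-paypal.co.uk", "first_seen": "2013-05-05", "last_seen": "2016-05-05"},
    {"domain": "example.org", "first_seen": "2010-01-01", "last_seen": "2019-01-01"},
]

if __name__ == "__main__":
    for domain, tm, days in long_lived_combosquats(SAMPLE_RECORDS):
        print(f"{domain}: combosquat on '{tm}', observed for {days} days")
```

The substring test is deliberately loose: it also catches legitimate brand-owned domains such as a support or mail subdomain registered under a different label, so in practice the candidate list is filtered against the brand's known registrations before anyone acts on it.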
Evaluating the resilience and security of boundaryless, evolving socio-technical Systems of Systems
Assessing the Privacy Benefits of Domain Name Encryption
As Internet users have become more savvy about the potential for their
Internet communication to be observed, the use of network traffic encryption
technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is
enabled, users leak information about the domains they visit via DNS queries
and via the Server Name Indication (SNI) extension of TLS. Two recent proposals
to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI
(ESNI). In this paper we aim to assess the privacy benefits of these proposals
by considering the relationship between hostnames and IP addresses, the latter
of which are still exposed. We perform DNS queries from nine vantage points
around the globe to characterize this relationship. We quantify the privacy
gain offered by ESNI for different hosting and CDN providers using two
different metrics, the k-anonymity degree due to co-hosting and the dynamics of
IP address changes. We find that 20% of the domains studied will not gain any
privacy benefit since they have a one-to-one mapping between their hostname and
IP address. On the other hand, 30% will gain a significant privacy benefit with
a k value greater than 100, since these domains are co-hosted with more than
100 other domains. Domains whose visitors' privacy will meaningfully improve
are far less popular, while for popular domains the benefit is not significant.
Analyzing the dynamics of IP addresses of long-lived domains, we find that only
7.7% of them change their hosting IP addresses on a daily basis. We conclude by
discussing potential approaches for website owners and hosting/CDN providers
for maximizing the privacy benefits of ESNI.
Comment: In Proceedings of the 15th ACM Asia Conference on Computer and
Communications Security (ASIA CCS '20), October 5-9, 2020, Taipei, Taiwa
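The two metrics in the abstract above are simple to compute once hostname-to-IP observations are in hand. The following is an added example written for this page, not code from the paper: from per-day hostname to IP-set observations it derives each hostname's co-hosting degree k (the number of hostnames an observer who sees only the destination IP cannot tell apart), lists the one-to-one hostname/IP mappings that gain nothing from ESNI, and measures how often a hostname's IP set changes from one day to the next. The sample data, the rule of taking the minimum k over a multi-homed hostname's IPs, and the function names are assumptions made for the illustration.

```python
"""Co-hosting k-anonymity and IP-change dynamics over constructed DNS observations.

Added example, not code from the paper. The sample data, the min-over-IPs rule
for multi-homed hostnames and the function names are assumptions.
"""
from collections import defaultdict
from typing import Dict, Set

DayMap = Dict[str, Set[str]]  # hostname -> set of IPs observed on that day

# Constructed sample: three days of A-record observations using RFC 5737 test
# addresses. Four hosts share 198.51.100.5; cdn-site.example moves to a fresh
# IP every day; bigshop.example sits alone on one static IP.
RESOLUTIONS: Dict[str, DayMap] = {
    "2020-01-01": {
        "bigshop.example": {"203.0.113.10"},
        "blog.example": {"198.51.100.5"},
        "shop2.example": {"198.51.100.5"},
        "forum.example": {"198.51.100.5"},
        "dual.example": {"198.51.100.5", "203.0.113.77"},
        "cdn-site.example": {"192.0.2.1"},
    },
    "2020-01-02": {
        "bigshop.example": {"203.0.113.10"},
        "blog.example": {"198.51.100.5"},
        "shop2.example": {"198.51.100.5"},
        "forum.example": {"198.51.100.5"},
        "dual.example": {"198.51.100.5", "203.0.113.77"},
        "cdn-site.example": {"192.0.2.2"},
    },
    "2020-01-03": {
        "bigshop.example": {"203.0.113.10"},
        "blog.example": {"198.51.100.5"},
        "shop2.example": {"198.51.100.5"},
        "forum.example": {"198.51.100.5"},
        "dual.example": {"198.51.100.5", "203.0.113.77"},
        "cdn-site.example": {"192.0.2.3"},
    },
}


def cohosting_k(day: DayMap) -> Dict[str, int]:
    """k for each hostname: number of hostnames sharing its least-shared IP.

    A multi-homed hostname is only as hidden as the IP on which it is most
    exposed, so the minimum over its IPs is taken (assumed conservative rule).
    """
    hosts_on_ip: Dict[str, Set[str]] = defaultdict(set)
    for host, ips in day.items():
        for ip in ips:
            hosts_on_ip[ip].add(host)
    return {host: min((len(hosts_on_ip[ip]) for ip in ips), default=0)
            for host, ips in day.items()}


def one_to_one(day: DayMap) -> Set[str]:
    """Hostnames with a single IP used by no other hostname: ESNI hides nothing here."""
    k = cohosting_k(day)
    return {host for host, ips in day.items() if len(ips) == 1 and k[host] == 1}


def daily_change_rate(resolutions: Dict[str, DayMap], host: str) -> float:
    """Fraction of consecutive observation days on which the hostname's IP set changed."""
    days = sorted(resolutions)
    pairs = list(zip(days, days[1:]))
    if not pairs:
        return 0.0
    changed = sum(1 for a, b in pairs
                  if resolutions[a].get(host) != resolutions[b].get(host))
    return changed / len(pairs)


def summarize(resolutions: Dict[str, DayMap]) -> Dict[str, Dict[str, float]]:
    """Per-hostname k on the latest observation day plus its daily IP-change rate."""
    latest = resolutions[max(resolutions)]
    k = cohosting_k(latest)
    return {host: {"k": k[host], "change_rate": daily_change_rate(resolutions, host)}
            for host in latest}


if __name__ == "__main__":
    for host, stats in sorted(summarize(RESOLUTIONS).items()):
        print(f"{host:18s} k={stats['k']:2d}  daily IP change rate={stats['change_rate']:.2f}")
```

In the sample, cdn-site.example has k = 1 on every day, so by the co-hosting metric alone it is fully exposed; only the second metric, its daily IP change, gives an observer who correlates over time any difficulty. The two measures are therefore reported separately rather than folded into one score.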
Adversarial behaviours knowledge area
The technological advancements witnessed by our society in recent decades have brought
improvements in our quality of life, but they have also created a number of opportunities for
attackers to cause harm. Before the Internet revolution, most crime and malicious activity
generally required a victim and a perpetrator to come into physical contact, and this limited
the reach that malicious parties had. Technology has removed the need for physical contact
to perform many types of crime, and now attackers can reach victims anywhere in the world, as
long as they are connected to the Internet. This has revolutionised the characteristics of crime
and warfare, allowing operations that would not have been possible before. In this document, we
provide an overview of the malicious operations that are happening on the Internet today. We
first provide a taxonomy of malicious activities based on the attacker's motivations and
capabilities, and then move on to the technological and human elements that adversaries require
to run a successful operation. We then discuss a number of frameworks that have been proposed to
model malicious operations. Since adversarial behaviours are not a purely technical topic, we
draw from research in a number of fields (computer science, criminology, war studies). While
doing this, we discuss how these frameworks can be used by researchers and practitioners to
develop effective mitigations against malicious online operations.
Published versio