Inexpensive and simple domain name registrations foster a wide variety of abuse. One of the most common abusive registration practices is typosquatting, where typosquatters register misspelled variants of existing domain names to profit from users' typing mistakes. Making matters worse, typosquatters frequently rely on advertisement networks to monetize user traffic, often exposing users to malicious and illicit content. Leveraging multifaceted large-scale measurement infrastructures, we demonstrate in this dissertation that typosquatting is a widespread issue that plays an important role, in concert with other illicit traffic sources, in exposing users to malice. Based on our measurement studies, we show how we can develop detection tools and leverage registration policies to reduce typosquatting and other abusive domain registrations.
Supporting our assertions about the extent and abuse of typosquatting, we design and implement three measurement infrastructures that lead to novel findings about typosquatting and related malicious domain registrations. First, to understand the extent of typosquatting, we study typosquatters who target less popular domain names. We find millions of typosquatting domains missed by previous research. Building on our findings, we create a classifier which can decide if a potentially typosquatting domain name is truly typosquatting or if it is just accidentally close to a target domain.
Second, we study how typosquatters send users to advertisement networks for profit. To gain a deeper understanding of the advertisement infrastructure redirecting users to malicious landing pages, we build a system that can emulate different types of users, can understand cloaking and blocking behavior and can reconstruct redirection chains. We find that typosquatters often share monetization strategies with ad-based URL shortening services and illicit movie streaming sites by redirecting users to the same malevolent landing pages. We also observe that miscreants differentiate users based on the device used and that using too few IP addresses can significantly decrease the number of abusive pages discovered. We develop a classifier, not specific to typosquatting and based only on features related to the redirection chain traversed by users, that can be leveraged to show warnings to users when a redirection is likely dangerous.
Furthermore, as DNS abuse is not specific to the HTTP protocol, we study how users' private emails are exposed to typosquatters. We find that 1,211 typosquatting domains receive in the vicinity of 800,000 emails per year and that millions of registered typosquatting domains have MX records pointing to only a handful of mail servers, potentially enabling the collection of emails on a larger scale.
Finally, we develop a policy analysis framework based on the domain registration ecosystem, finding that domain registration policies could have an essential role in complementing current detection-based approaches to fight typosquatting and malicious domain registrations.
|Committee:||Antonakakis, Manos, Bauer, Lujo, Sekar, Vyas|
|School:||Carnegie Mellon University|
|Department:||Electrical and Computer Engineering|
|School Location:||United States -- Pennsylvania|
|Source:||DAI-B 82/2(E), Dissertation Abstracts International|
|Subjects:||Computer Engineering, Computer science, Information Technology|
|Keywords:||Computer Security, DNS, Domain Names, Squatting, Typosquatting|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved