Internet users are increasingly at risk of credential theft, malware infection and more, as cyber criminals have adopted a new way of creating fake versions of real websites.
Rather than the tried-and-tested method of registering domains of known brands with common spelling errors or swapped characters (typosquatting), this technique, dubbed ‘combosquatting’, sees criminals register domains that combine a popular trademark with one or more additional words.
For example, attackers might register the name of a well-known bank with ‘-security.com’ added on the end and send out links in a phishing email, hoping to fool unwary customers.
Users see the familiar bank name in the URL, are convinced it is legitimate and click through; the result can be phished credentials, a malware infection or their computer being recruited into a botnet.
The malicious domains even included some that had previously been registered by the companies themselves, combining words with their own trademarks. For reasons unknown, the registrations of these legitimate sites were allowed to expire, allowing attackers to take them over in a combosquatting attack.
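The distinction the article draws, a trademark embedded intact in a longer label (combosquatting) versus a near-miss spelling of it (typosquatting), is something a defender can check for in resolver logs. The following is an added illustration, not code from the Georgia Tech study or the article: it classifies queried names against a watch list of brand domains, and carries an allowlist for the brand's own combo registrations, since, as the text notes, companies register such names themselves. The brand names, the allowlist, the sample log lines, the tiny public-suffix table and the edit-distance threshold are all constructed assumptions for the example.

```python
import re

# Watch list of brand domains to protect (constructed examples, not from the study).
BRANDS = ("examplebank.com", "acmemail.co.uk")

# Brand-owned combo registrations that are known to be legitimate (constructed allowlist).
# The article notes that brands register such names themselves and sometimes let them lapse.
ALLOWLIST = {"examplebank-online.com"}

# Minimal public-suffix table so that "acmemail.co.uk" splits as ("acmemail", "co.uk").
# A real deployment would load the full Public Suffix List instead of this stub.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Assumed log format: "... qname=<name> ..." (constructed, not a real resolver's format).
QNAME_RE = re.compile(r"qname=(\S+)")


def registrable_parts(name):
    """Split an FQDN into (second-level label, public suffix), ignoring subdomains."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def levenshtein(a, b):
    """Edit distance; a small distance to a brand label is the typosquatting signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, brands=BRANDS, allowlist=ALLOWLIST, max_typo_distance=2):
    """Label a queried name as legitimate, combosquat, typosquat, review, or unrelated."""
    sld, suffix = registrable_parts(name)
    registrable = f"{sld}.{suffix}" if suffix else sld
    if registrable in allowlist:
        return "legitimate"
    for brand in brands:
        brand_sld, brand_suffix = registrable_parts(brand)
        if sld == brand_sld:
            # Exact label under the brand's own suffix: the real site or one of its subdomains.
            # The same label under another suffix is a different kind of squat, not covered
            # by the article, so it is only flagged for analyst review.
            return "legitimate" if suffix == brand_suffix else "review"
        # Combosquatting: the trademark appears intact inside a longer label,
        # e.g. "examplebank-security" or "secure-acmemail".
        if brand_sld in sld:
            return "combosquat"
        # Typosquatting: a near-miss spelling of the trademark label.
        if levenshtein(sld, brand_sld) <= max_typo_distance:
            return "typosquat"
    return "unrelated"


def scan_dns_log(lines):
    """Return {qname: label} for every name in the log lines that is not unrelated."""
    hits = {}
    for line in lines:
        m = QNAME_RE.search(line)
        if not m:
            continue
        label = classify(m.group(1))
        if label != "unrelated":
            hits[m.group(1)] = label
    return hits


# Constructed sample resolver log, not real traffic.
SAMPLE_LOG = [
    "2016-03-01T10:00:01Z client=10.0.0.5 qname=login.examplebank.com qtype=A",
    "2016-03-01T10:00:02Z client=10.0.0.5 qname=examplebank-security.com qtype=A",
    "2016-03-01T10:00:03Z client=10.0.0.7 qname=secure-acmemail.co.uk qtype=A",
    "2016-03-01T10:00:04Z client=10.0.0.9 qname=exampelbank.com qtype=A",
    "2016-03-01T10:00:05Z client=10.0.0.9 qname=examplebank-online.com qtype=A",
    "2016-03-01T10:00:06Z client=10.0.0.9 qname=news.example.org qtype=A",
]

if __name__ == "__main__":
    for qname, label in scan_dns_log(SAMPLE_LOG).items():
        print(f"{label:11} {qname}")
```

A substring match is only a candidate, not proof of abuse: a name like examplebank-online.com may be the brand's own registration, which is why the allowlist is checked first, and why a hit should feed a blocklist or analyst queue rather than an automatic verdict. The edit-distance threshold is a tuning knob; raising it catches more typosquats but starts matching unrelated short labels.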
In a study of 468 billion DNS requests using a six-year data set, researchers at the Georgia Institute of Technology found 2.7 million combosquatting attack domains centred around 268 of the most popular trademark domain names.
The study, Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse has been presented at the ACM Conference on Computer and Communications Security in Dallas, Texas.
It might seem like a very simple attack, but it is apparently successful for cyber criminals.
“This is a tactic that the adversaries are using more and more because they have seen that it works,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology.
“This attack is hiding in plain sight, but many people aren’t computer-savvy enough to notice the difference in the URLs containing familiar trademarked names.”
The study found that combosquatting is around one hundred times more common than typosquatting – where attackers register domains of brands, but with spelling errors.
“The result was mind-blowing. We found orders of magnitude more combosquatting domains than typosquatting domains, for instance,” said Panagiotis Kintis, a Georgia Tech graduate research assistant and an author of the study.
He warns that the nature of the attack gives malicious actors almost an infinite number of options when registering domains – especially as it can be so cheap.
“The space for combosquatting is almost infinite because attackers can register as many domains as they want with any variation that they want. In some cases, registering a domain can cost less than a dollar.”
While many phishing sites go offline as quickly as they go online, researchers found that combosquatting domains appear to be left active for far longer, with nearly 60 percent of the abusive domains examined in operation for almost three years.
Meanwhile, the number of combosquatting domains registered grew every year between 2011 and 2016, indicating attackers are very aware of the success they can have using this technique.
“Users unfortunately have to be better educated than they are now,” said Antonakakis.
“Organizations can provide training in the on-boarding process that takes place for new employees, and they can protect their network perimeters to prevent users from being exposed to known combosquatting domains. More needs to be done to address this growing cybersecurity problem.”
The study was conducted by researchers at Georgia Tech and Stony Brook University with the support of U.S. Department of Defense agencies, the National Science Foundation and the U.S. Department of Commerce.