Detecting Typo-squatting Domains

Mishari Almishari

http://www.ics.uci.edu/~malmisha

Problem Definition & Goals

Typo-squatting is the act of intentionally registering domain names that are typographical errors of other well-known domain names in order to hijack their traffic, whether for traffic monetization, malicious purposes, etc.

Goals:    Develop a methodology for automatically identifying typo squatting domains Quantify the amount of traffic hijacked by typo-squatters Develop a system that reduces access to typo-squatting domains

Detection Methodology

For a domain to be a typo-squatting domain, it must satisfy two criteria:

- Typo of a well-known target domain
  - Edit distance function
  - More than 50% are false positives
- Hijacking intention
  - Dominant hijacking indicator is ads-listing (parked domain 88.5%)
  - Developed a machine learning classifier to identify parked domains (accuracy 96%)
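The first criterion above as an added example (not code from the original slides): it flags queried names within a small edit distance of a well-known target. The distance variant (optimal string alignment), the threshold of 1, the `www.` normalization and the sample domain lists are assumptions constructed for illustration; hits are only candidates, since the slides report that more than 50% of such matches are false positives and the hijacking-intention check still has to follow.

```python
"""Added example: typo candidates via edit distance (first criterion only)."""

# Constructed sample data (assumptions, not from the slides).
TARGETS = ["example.com", "wikipedia.org"]
QUERIES = ["www.example.com.", "exmaple.com", "exampl.com",
           "wikipedla.org", "examples.com", "unrelated.net"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1,               # deletion
                         cur[j - 1] + 1,            # insertion
                         prev[j - 1] + (ca != cb))  # substitution or match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def normalize(name: str) -> str:
    """Lower-case, drop the trailing root dot and a leading 'www.' label."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def typo_candidates(queried, targets, max_dist=1):
    """Map each queried name to the target it is a near-miss of.
    Exact matches of a target are legitimate lookups and are skipped."""
    targets = sorted({normalize(t) for t in targets})
    found = {}
    for q in map(normalize, queried):
        if q in targets:
            continue
        for t in targets:
            # Length gap is a lower bound on distance; skip hopeless pairs.
            if abs(len(q) - len(t)) <= max_dist and osa_distance(q, t) <= max_dist:
                found[q] = t
                break
    return found


if __name__ == "__main__":
    for typo, target in typo_candidates(QUERIES, TARGETS).items():
        print(f"{typo} -> candidate typo of {target}")
```

In the sample, `examples.com` is flagged alongside the obvious misspellings even though a name like it could be an unrelated registration, which is the kind of false positive the second criterion is meant to filter out.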

Measurements

- Used 8 months of DNS traces from the UCI name resolvers to measure hijacked traffic
- Given 500 well-known popular domains, we found 1,786 typo-squatting domains
- Total hits to those domains: 23,989
- 15% (12%) of squatting domains were not detected by the Google (Yahoo) typo correctors

System Implementation

- Integrated with Mozilla Firefox 2.0.0.9 as an add-on extension
- Typo-squatting domains are detected on the fly
- Overhead is small
  - For 100 typo domains, the average is 53 ms
  - For 100 typo domains that are not squatting domains, the average is 79 ms