Figure - uploaded by Nikolaos Pitropakis
a list of combosquatting domain names related to Advanced Persistent Threats (APT). These domains were found


Source publication
Article
Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtu...

Similar publications

Preprint
The domain name system (DNS) is a crucial backbone of the Internet and millions of new domains are created on a daily basis. While the vast majority of these domains are legitimate, adversaries also register new hostnames to carry out nefarious purposes, such as scams, phishing, or other types of attacks. In this paper, we present insights on the g...

Citations

... We note that our keyword matching technique involves concepts related to combosquatting [5], which refers to domain squatting involving combinations of trademarks and other terms. While combosquatting employs dictionary words, our approach can be characterized as a dictionary technique combined with mangling rules for generating keyword variations, focusing on a wider set of keywords associated with major global events, such as city name, year, and terms like "tickets" and "olympics" for the Olympic Games. ...
Article
In this study, we conducted a comprehensive longitudinal measurement study of domain names associated with major global events. We aimed to understand the registrants' motives, usage, and abuse of these domain names. We specifically focused on the Olympic Games since they attract sustained attention from when the venue is announced to the event's conclusion. Our study focused on the Tokyo, Beijing, and Paris Olympics. Our three-year investigation revealed that the number of Olympic-related domain name (ODN) registrations increased concurrently with the postponement of the 2020 Tokyo Olympics and the diplomatic boycott of the 2022 Beijing Olympics. Furthermore, we discovered a substantial increase in the number of ODNs used for malicious websites just before the games. Many ODNs related to the regional nature of each game were acquired, and several ODNs required close attention from a security perspective.
... These tools are commanded with their command and control (C2) servers for data exfiltration and other predefined objectives. Threat actors conceal their C2 domains by combosquatting the domains of popular trades (Kintis et al. 2017) or by typosquatting of popular domain names (Szurdi et al. 2014). ...
Article
In today's cyber warfare realm, every stakeholder in cyberspace is becoming more potent by developing advanced cyber weapons. They are equipped with the most advanced malware and maintain hidden attribution. The precocious cyber weapons, targeted and motivated by some specific intention, are called Advanced Persistent Threats (APT). Developing defense mechanisms and performing attribution analysis of such advanced attacks are extremely difficult due to the intricate design of the attack vector and the sophisticated malware employed, with high stealth and evasive techniques. These attacks also include advanced zero-day and negative-day exploits and payloads. This paper provides a comprehensive survey on the evolution of advanced malware design paradigms, the APT attack vector and its anatomy, APT attack Tactics, Techniques, and Procedures (TTP), and specific case studies on open-ended APT attacks. The survey covers a detailed discussion of APT attack phases and a comparative study of threat life-cycle specifications by various organizations. This work also addresses APT attack attribution and countermeasures against these attacks, from classical signature- and heuristic-based detection to modern machine learning and genetics-based detection mechanisms, along with countermeasures against sophisticated zero-day and negative-day malware by various techniques such as monitoring of network traffic and DNS logs, moving-target-based defense, and attack-graph-based defenses. Furthermore, the survey addresses various research scopes in the domain of APT cyber-attacks.
... The anatomy and ecosystem of evolving phishing campaigns have been extensively studied, including (1) varying evasion techniques [25,31,41,54,60] used to avoid detection, (2) phishing kits [7,10,23,33,45,69,70] that support effective scams, and (3) communication channels used to exfiltrate user credentials [10,23,49]. In response to the ever-growing volume of phishing attacks worldwide, the Anti-Phishing Working Group (APWG) [2] has been established to aggregate known phishing domains and URLs from varying organizations. ...
... Ecosystem and Techniques of Phishing Campaigns. The phishing attack ecosystem has been well understood [25,31,41,46,54,60], including (1) phishing techniques to circumvent the current phishing detection systems and to lure more victims to phishing campaigns, and (2) new phishing detection mechanisms to effectively identify them. Particularly, Oest et al. [46] measured the end-to-end life cycle of a phishing campaign. ...
Article
The ever-increasing phishing campaigns around the globe have been one of the main threats in cyber security. In response, the global anti-phishing entity (e.g., APWG) collectively maintains an up-to-date blacklist database (e.g., eCrimeX) against phishing campaigns, and so do modern browsers (e.g., Google Safe Browsing). However, our finding reveals that such a mutual assistance system has remained a blind spot when detecting geolocation-based phishing campaigns. In this paper, we focus on phishing campaigns against the web portal service with the largest number of users (42 million) in South Korea. We harvest 1,558 phishing URLs from varying resources in the span of a full year, of which only a small fraction (3.8%) have been detected by eCrimeX despite a wide spectrum of active fraudulence cases. We demystify three pervasive types of phishing campaigns in South Korea: i) sophisticated phishing campaigns with varying adversarial tactics such as a proxy configuration, ii) phishing campaigns against a second-hand online market, and iii) phishing campaigns against a non-specific target. Aligned with previous findings, a phishing kit that supports automating the whole phishing campaign is prevalent. Besides, we frequently observe a hit-and-run scam where a phishing campaign is immediately inaccessible right after victimization is complete, each of which is tailored to a single potential victim over a new channel like a messenger. As part of mitigation efforts, we promptly provide regional phishing information to APWG, and immediately lock down a victim's account to prevent further damage.
... However, such data is not as rich in information as proxy/HTTP DNS logs, which not only contain individual DNS queries and responses, but also timing information. Despite these limitations, we are able to extract important data and characteristics as described in Section 3. Previous research utilizes this data feed to uncover the behavior of domains in the wild and also detect malicious domains [44,45]. In this work, we use the following three record types from pDNS: ...
... Squatting. Some phishing domains are also known to use squatting techniques [45,69] to trick more victims by mimicking legitimate domains by embedding known popular "brand" names such as paypal or apple in the domain name. To understand the relevance of squatting techniques in our datasets, we use squatphish [78] to detect squatting domains in our datasets. ...
... • Combosquatting designates the attempt to borrow the characteristics of a brand domain name by combining new words with the brand name. Combosquatting does not imply a spelling deviation of the original brand; on the contrary, it requires that the original domain name remains intact [10]. Example: "westernunionsucks.com" ...
Conference Paper
In 2019, a study conducted by Palo Alto Networks revealed 20 domain names that are largely cybersquatted by attackers. However, media never stopped reporting phishing and identity theft attacks held by third-party entities that rely on domain names to mislead Internet users. Domain names are listed in public lists based on their behavior. These lists objectively evaluate the reputation of a domain name. Black lists contain domain names that have previously committed suspicious acts, whereas white lists include the most popular and trustworthy domain names. For a long time, this listing technique has been used as a reactive approach that has the major limitation of responding late to attacks. Nowadays, techniques tend to be much more proactive: they operate before any attack occurs. In this paper, we give a literature review of proactive malicious domain name detection techniques that use only lexical features of domain names. These features are available, privacy preserving, and they highly improve detection results. This review covers twelve recent works that report very good performance, classified according to a new taxonomy of malicious domain name detection methods. Moreover, it introduces a new criterion for comparing performance based on targeted maliciousness and discusses limitations of existing work and new emerging research directions.
... The Passive DNS dataset could be also utilized to roughly estimate domain activities [30,39], including their popularity (query volume) and lifetime (intervals between the first and last occurrence). ...
... As the unique resource identifier in DNS, it raises the security threats of visual phishing. Although previous studies have analyzed the visual phishing attacks of IDN [1,9,22,30,39,46,56,57], the threat has not been well investigated with emoji domains. Below, we provide a quantitative analysis to evaluate the feasibility of emoji domain phishing. ...
... Continuous expansion of domain space led to the security risk of domain squatting [20,46,59]. Besides homograph IDNs, deceptive domains could be constructed by typos [1,43,57], flipping a bit [46], using a hyphen to connect related keywords [30], sound similarity [45], or even the long length of a domain name [9]. Previous studies demonstrated that newly released TLDs may be exploited to create look-alike domain names of popular brands [5,17,19,20,33]. ...
Chapter
Emoji domains, such as (xn--i-7iq.ws), are distinctive and attractive to registrants due to their eye-catching visuals. Despite its long history (over 20 years), little has been done to understand its development status and security issues. In this paper, we identify 54,403 emoji domains from 1,366 TLD zone files and a large-scale passive DNS dataset. And then, we correlate them with auxiliary data sources like domain WHOIS records. It allowed us to conduct by far the most systematic study to characterize the ecosystem, and retrieve multiple valuable insights. On one hand, the scale of emoji domains is constantly expanding in the wild, with dozens of ccTLD registries actively promoting registering domains with emoji characters and domain owners configuring emoji characters in sub-level domains. And emoji domains may act as promotional portals, as web requests are usually redirected to other websites. Besides, emoji domains are also leveraged to provide disposable email services, pornography or gambling pages, and even the distribution of malware. On the other hand, the concern is that the community still lacks best security practices in supporting and parsing emoji domains. Through empirical studies, we demonstrate that inconsistencies in rendering emoji characters can be exploited to launch visual phishing domain scams. Meanwhile, mainstream implementations may incorrectly parse or trans-code emoji domains, resulting in the security threat of traffic hijacking. Our study calls for standardization and best security practices for applications to handle emoji domains securely.
... To date, this vulnerability has been considered in the context of dangling DNS and IP use-after-free. Common amongst these vulnerabilities and our considered space is that vulnerabilities are exploited via squatting on the resource, a concept that has received ongoing attention in the security community (e.g., combo squatting [31], typo squatting [32], file squatting [33], and skill squatting [34], among others). Motivated by the generality between these topics, we name this superset attack space cloud squatting. ...
Preprint
Public clouds provide scalable and cost-efficient computing through resource sharing. However, moving from traditional on-premises service management to clouds introduces new challenges; failure to correctly provision, maintain, or decommission elastic services can lead to functional failure and vulnerability to attack. In this paper, we explore a broad class of attacks on clouds which we refer to as cloud squatting. In a cloud squatting attack, an adversary allocates resources in the cloud (e.g., IP addresses) and thereafter leverages latent configuration to exploit prior tenants. To measure and categorize cloud squatting we deployed a custom Internet telescope within the Amazon Web Services us-east-1 region. Using this apparatus, we deployed over 3 million servers receiving 1.5 million unique IP addresses (56% of the available pool) over 101 days beginning in March of 2021. We identified 4 classes of cloud services, 7 classes of third-party services, and DNS as sources of exploitable latent configurations. We discovered that exploitable configurations were both common and in many cases extremely dangerous; we received over 5 million cloud messages, many containing sensitive data such as financial transactions, GPS location, and PII. Within the 7 classes of third-party services, we identified dozens of exploitable software systems spanning hundreds of servers (e.g., databases, caches, mobile applications, and web services). Lastly, we identified 5446 exploitable domains spanning 231 eTLDs, including 105 in the top 10,000 and 23 in the top 1000 popular domains. Through tenant disclosures we have identified several root causes, including (a) a lack of organizational controls, (b) poor service hygiene, and (c) failure to follow best practices. We conclude with a discussion of the space of possible mitigations and describe the mitigations to be deployed by Amazon in response to this study.
... The resources available through the internet are voluminous and tend to be accessed through the use of Uniform Resource Locators (URLs). While this system provides a semantic and recognisable means for users to navigate pages and media on the web, it can also be subverted by malicious actors for nefarious purposes [1]. The rate at which new URLs are generated makes it problematic to rely on any defensive measure which is static in nature and unable to predict the form previously unseen malicious URLs might take. ...
Chapter
Web addresses, or Uniform Resource Locators (URLs), represent a vector by which attackers are able to deliver a multitude of unwanted and potentially harmful effects to users through malicious software. The ability to detect and block access to such URLs has traditionally been enabled through reactive and labour intensive means such as human verification and whitelists and blacklists. Machine Learning has shown great potential to automate this defence and position it as proactive through the implementation of classifier models. Work in this area has produced numerous high-accuracy models, though the algorithms themselves remain fragile to adversarial manipulation if implemented without consideration being given to their security. Our work aims to investigate the robustness of several classifiers for malicious URL detection by randomly perturbing samples in the training data. It is shown that without a measure of defence to adversarial influence, highly accurate malicious URL detection can be significantly and adversely affected at even low degrees of training data perturbation.
... A combosquatting domain consists of a well-known domain with added suitable terms so that the resulting domain still looks believable, e.g., bankofamerica-security.com or secure-paypal.com [23]. A domain can contain not only Latin letters but also letters from other alphabets, such as Cyrillic. ...
Chapter
Phishing is in practice one of the most common attack vectors threatening digital assets. An attacker sends a legitimate-looking e-mail to a victim to lure her on a website with the goal of tricking the victim into revealing credentials. A phishing e-mail can use both technical (e.g., a forged link) and psychological vectors (e.g., an authoritarian tone) to persuade the victim. In this paper, we present an analysis of more than 420,000 phishing e-mails sent over more than 1.5 years by a consulting company offering awareness trainings. Our data set contains detailed information on how users interact with the e-mails, e.g., when they click on links and what psychological vectors are used in the e-mails to convince the recipient of its legitimacy. While previous studies often used lab environments, the e-mails in our data set are sent to real users during their day-to-day work so that we can study their behavior in a genuine setting. Our results indicate a continually decreasing click rate (from 19% to 10%) with progressing awareness training. We also found some psychological vectors, including an authoritative tone and curiosity, to be more effective than others to trick a user into falling for this type of scam e-mails.
... However, the security practices have not been systematically measured and consequently not fully understood. Prior work [34,36,46,51,56] has mainly focused on understanding phishing attackers, not CAs. Particularly, they aimed to fully identify phishing techniques (e.g., squatting domains) and measured usages of the techniques in the wild. ...
... In particular, what insecure practices of CAs can lead to the increase of the attacks. However, unfortunately, the majority of prior work on phishing attacks has mainly focused on understanding the phishing techniques (e.g., squatting domains) [34,36,46,51,56]. Therefore, little is known about how CAs are involved in HTTPS phishing attacks. ...
... We first employ DNSTwist [2] to generate squatting domains through typosquatting, homograph, and other techniques. In addition, we follow the same methodology that Kintis et al. [36] proposed to generate squatting domains using the combosquatting technique. First, we extract all e2LDs from our target top brands (e.g., "paypal" in "paypal.com"). ...
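A defender-side check for the combosquatting pattern the excerpts above describe (the brand's e2LD kept intact, with extra terms attached), written as an added Python example that is not code from any of the cited works; the brand list, the tiny public-suffix table and the sample domains are constructed for illustration, and the real Public Suffix List would replace the table in practice.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed brand list: e2LDs of target trademarks, following the Kintis et al.
# methodology quoted above ("paypal" in "paypal.com"). Other names appear in the excerpts.
BRANDS = ("paypal", "facebook", "bankofamerica", "westernunion")

# Assumption: a minimal stand-in for the Public Suffix List so the example runs offline.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "ws")

# Constructed sample of observed names, e.g. from a passive DNS feed.
SAMPLE_DOMAINS = [
    "paypal.com",                  # legitimate: brand e2LD with nothing added
    "login.paypal.com",            # legitimate subdomain of the brand
    "secure-paypal.com",           # combosquat (hyphenated prefix)
    "bankofamerica-security.com",  # combosquat (hyphenated suffix)
    "westernunionsucks.com",       # combosquat (concatenated suffix)
    "betterfacebook.com",          # combosquat (concatenated prefix)
    "paypa1.com",                  # typosquat: brand not intact, out of scope
    "paypal.evil.com",             # brand only in a subdomain: not combosquatting
]


@dataclass
class Match:
    domain: str
    e2ld: str
    brand: str
    extra_terms: tuple  # non-brand fragments left once the brand is removed


def extract_e2ld(domain: str) -> Optional[str]:
    """Return the label directly under the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return labels[-len(parts) - 1]
    return None


def classify_combosquat(domain: str, brands=BRANDS) -> Optional[Match]:
    """Flag a domain whose e2LD embeds a brand intact plus extra characters.

    The exact brand e2LD is the legitimate domain and returns None; misspelled
    brands (typosquatting) are not matched, per the definition on the page.
    A brand that is an English word (e.g. "apple") needs an allowlist for
    ordinary words containing it; that step is omitted here.
    """
    e2ld = extract_e2ld(domain)
    if e2ld is None:
        return None
    for brand in sorted(brands, key=len, reverse=True):
        if brand in e2ld and e2ld != brand:
            fragments = [f for f in re.split(re.escape(brand), e2ld) if f]
            extra = tuple(f.strip("-") for f in fragments if f.strip("-"))
            return Match(domain, e2ld, brand, extra)
    return None


def scan(domains):
    """Return the Match records for every flagged domain in the input."""
    return [m for m in (classify_combosquat(d) for d in domains) if m]
```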