Hackers are effectively using combosquatting to trick users into visiting malicious websites: Study

Hackers are using a technique known as combosquatting to trick users into visiting malicious websites. The attackers buy a domain name that sounds legitimate but is not related to any trustworthy entity. The malicious domain usually combines a familiar name, such as that of a popular social networking site or a banking service, with an additional hyphenated word. For example, if the legitimate URL is trademark.com, the malicious URL will be trademark-security.com. The technique is similar to, but distinct from, typosquatting, which uses a malicious URL that users are likely to type by mistake, such as trademrak.com.
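The distinction the article draws is something a defender can check mechanically: a combosquat keeps the trademark intact and pads it with extra words, while a typosquat is a near-miss spelling of the trademark. The following Python script is an added illustration, not code from the Georgia Tech study or the article; the brand list, DNS log format and edit-distance threshold are constructed assumptions. It classifies the queried names in a few sample DNS log lines using the two domains the article uses as examples.

```python
"""Flag combosquatting and typosquatting domains in DNS query logs.

Added illustration (not code from the Georgia Tech study). The brand list,
log format and thresholds below are constructed assumptions.
"""

# Hypothetical list of trademarks the defender wants to protect.
PROTECTED_BRANDS = ("trademark", "examplebank")

# Maximum edit distance at which a label is treated as a typo of a brand.
TYPO_DISTANCE = 2

# Constructed DNS log lines: "<timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = """\
2017-11-01T10:23:01Z 10.0.0.5 trademark.com
2017-11-01T10:23:02Z 10.0.0.5 trademark-security.com
2017-11-01T10:23:03Z 10.0.0.9 trademrak.com
2017-11-01T10:23:04Z 10.0.0.9 www.secure-trademark-login.net
2017-11-01T10:23:05Z 10.0.0.7 example.org
2017-11-01T10:23:06Z 10.0.0.7 examplebank.com
"""


def registrable_label(host: str) -> str:
    """Return the label directly left of the TLD.

    Simplification: assumes a single-label public suffix such as .com;
    multi-label suffixes like .co.uk would need a public-suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'legitimate', 'combosquat', 'typosquat' or 'unrelated'."""
    label = registrable_label(host)
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return "legitimate"
        # Combosquatting: the intact trademark plus extra words, usually hyphenated.
        if brand in label:
            return "combosquat"
    for brand in PROTECTED_BRANDS:
        # Typosquatting: a near-miss spelling of the trademark.
        if levenshtein(label, brand) <= TYPO_DISTANCE:
            return "typosquat"
    return "unrelated"


def scan_dns_log(log_text: str):
    """Return (host, verdict) for every query that squats a protected brand."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        host = fields[2]
        verdict = classify(host)
        if verdict in ("combosquat", "typosquat"):
            findings.append((host, verdict))
    return findings


if __name__ == "__main__":
    for host, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{verdict:11s} {host}")
```

The substring test deliberately errs on the side of flagging: a brand's own hyphenated domains (a hypothetical trademark-support.com registered by the trademark owner) would also be reported, so in practice the output is compared against an allowlist of domains the brand actually owns before anyone acts on it. That review step is the point Kintis makes below: the familiar name inside the label is exactly what makes these domains easy to wave through.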


Some of the malicious urls identified by the researchers. Image: Georgia Tech

The malicious website can then be used to recruit another machine into a botnet, sell counterfeit merchandise, steal credentials meant for a legitimate service, or infect computers with malware. The URLs are distributed through spam campaigns and advertisements, or appear in search results. According to a study presented at the 2017 ACM Conference on Computer and Communications Security by researchers from Georgia Tech, combosquatting is a growing attack strategy, with millions of malicious domains set up. The study is believed to be the first large-scale scrutiny of combosquatting.

Panagiotis Kintis, first author of the study, says "We have seen combosquatting used in virtually every kind of cyberattack that we know of, from drive-by downloads to phishing attacks by nation-states. These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it."

The study showed that the practice of combosquatting was more prevalent than the better-known typosquatting. Some of the malicious domains identified by the researchers included websites that were at one point owned by legitimate entities but were allowed to expire. Without an authority to pick up such "garbage" domains, the URLs are up for grabs for malicious attackers.


Published Date: Nov 01, 2017 10:23 am | Updated Date: Nov 01, 2017 10:23 am