Study Reveals Extent to Which Combosquatting is Used by Hackers

The use of combosquatting is on the rise, although until recently, the extent to which combosquatting was being used by cybercriminals was not known. However, a new study that examined more than 468 billion DNS records has revealed the practice is far more common than typosquatting. More than 100 times as common in fact.

What is Combosquatting?

Combosquatting is the use of a trademark in combination with another word in a domain. For example, take the brand Google. A cybercriminal wishing to fool users into thinking a malicious domain was legitimate and owned by Google, could try to register the domain Google-security or Google-updates. Provided those domains had not already been registered and parked by Google, or another combosquatter, those domains could be used in phishing attacks or other email and web-based attack scenarios.

The technique is similar to a better-known form of this type of attack called typosquatting. Typosquatting is the use of trademarked names that contain common typos – googel.com for instance.  Both combosquatting and typosquatting can be used for all manner of nefarious purposes. To phish for credentials for example, or in the case of retailers’ trademarks, to sell counterfeit goods. These malicious domains are commonly used to fool users into downloading malware or ransomware, or the sites are used to host exploit kits that probe for vulnerabilities and exploit them to download malicious files.

More Than 2.7 Million Combosquatting Domains Detected

The research team, comprising researchers from Georgia Tech, London South Bank University, and Stony Brook University, analyzed domains that used combinations of trademarks from 268 brands. They found that over the past six years, 2.7 million combosquatting domains had been registered. Almost 60% of those domains had remained active for more than 1,000 days and had been used for a wide range of nefarious purposes.

In contrast to typosquatting, which can usually be easily be detected if the URL or domain is carefully checked, combosquatting is different. Take a website called amazon-security. Many users may believe that such a domain is actually owned by Amazon. In many cases, these domains are. But all too often, these domains have been registered by scammers – examples provided by the researchers included disneyworldamusement.info and yahoofiles.com.

“These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it,” said study lead author, Panagiotis Kintis from Georgia Tech.

Companies can prevent the use of their brand by combosquatters by purchasing domains that combine their trademarked name with common words such as security, privacy, updates etc., but the number of variations is far too high for all but a small percentage of domains to be purchased and parked. The researchers found that many companies had purchased domains, let them lapse, only for them to be purchased by scammers. When scammers have let the domains go, they were purchased by other scammers.

The researchers suggested some organization should be responsible for preventing these domains from being re-registered by scammers and believe further research is needed and action required to tackle this growing problem.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news