Soundsquatting: Uncovering the Use of Homophones in Domain Squatting

Nick Nikiforakis, Department of Computer Science, Stony Brook University
Marco Balduzzi, Trend Micro Forward-Looking Threat Research Team
Lieven Desmet, Frank Piessens, and Wouter Joosen, DistriNet Research Group, KU Leuven

CONTENTS

Introduction
Soundsquatting
  Terminology
  Differences with Typosquatting
  Generating Soundsquatted Domains
  Results
Soundsquatting Evaluation
  Categorization Method
  Categorization Results
User Characterization
Sound-Dependent Users
Limitations and Future Research
Related Work
Conclusion
References
Appendix
  Ethical Considerations
INTRODUCTION

Due to its critical position, the Domain Name System (DNS) has, over the years, attracted many attacks targeting various parts of the protocol and the DNS infrastructure. These attacks can be grouped into the following target categories:
- Protocol weaknesses (e.g., DNS cache poisoning [14, 25])
- Vulnerable DNS server implementations (e.g., buffer overflows in BIND [20])
- User-DNS interactions

Among these categories, attacks that target user-DNS interactions are the hardest to eliminate, since they involve educating the entire current and future Internet population rather than technically correcting a protocol shortcoming or a software vulnerability. One of the ways users interact with DNS is by typing domain names into their browsers' address bar. Attackers realized early on that users make spelling mistakes when typing the domain name of their desired destination and started registering these "typo-including" domains in order to capitalize on the incoming traffic. This practice was named "typosquatting" [19, 27], and typosquatters use these domains in a wide range of unethical and illegal ways, including showing competitors' paid ads [21] and exfiltrating user credentials through phishing [10]. In addition to typosquatting, other variations of domain squatting have been proposed over time, such as homograph attacks [11, 16], wherein attackers abuse the visual similarity of two characters from different character sets to construct domains that look like a popular authoritative domain but lead to different destinations.

This paper presents soundsquatting, a domain-squatting technique that was uncovered while researching generic cybersquatting. Soundsquatting takes advantage of the similarity of words with regard to sound and of user confusion about which word represents the desired concept. The attack is based on homophones (i.e., sets of words that are pronounced the same but are spelled differently, such as {ate, eight}). Soundsquatting differs from typosquatting in that it does not rely on typing mistakes, and in that not all domains contain homophones, so not all domains can be soundsquatted. To evaluate soundsquatting, an English homophone database was compiled and AutoSoundSquatter (AutoSS), a tool which, given a list of target domains, generates valid soundsquatted domains, was designed. For the Alexa top 10,000 websites, AutoSS was able to generate 8,476 soundsquatted domains, 1,823 (21.5%) of which were already registered. Through a series of automatic and manual experiments, these registered domains were categorized. Even though homophone-based domain squatting has not appeared in the cybersquatting literature, its principles are known and practiced by cybersquatters, albeit less than typosquatting. Using data obtained through crawling, this paper shows that soundsquatting is being used for displaying ads on parked domains, stealing traffic from target domains, performing affiliate scams, conducting phishing attacks, and installing malicious software on unsuspecting visitors' systems. In addition to studying the use of already-registered soundsquatted domains, 30 available ones were registered and the population of users that reached them was studied. A monthly average of 1,718 requests from real users originating from 123 countries was recorded. This shows that users are indeed susceptible to homophone confusion. Finally, six popular software screen readers were examined to show how they can all be abused to perform soundsquatting attacks against sound-dependent users who rely on text-to-speech software. Overall, the findings show that soundsquatting can be abused in exactly the same way as typosquatting and thus should be taken into account by owners of large websites who want to protect their brand names and customers.
In sum, this paper:
- Uncovers a previously unreported domain-squatting attack type based on homophone confusion rather than on typographical mistakes, which has been dubbed "soundsquatting"
- Presents the architecture of a tool capable of automatically generating soundsquatted domains
- Presents the results of a systematic, large-scale analysis of existing soundsquatted domains targeting the Alexa top 10,000 sites, highlighting their abuse
- Actively measures the worldwide population of users who made homophone-related mistakes, confirming the validity and practicality of soundsquatting attacks
- Shows how soundsquatting can be used against sound-dependent users

SOUNDSQUATTING

This section introduces all of the necessary terminology for soundsquatting and describes in detail the workings of AutoSS, a tool specially created to automatically generate soundsquatted domains. It also examines the soundsquatted domains that AutoSS generated for the Alexa top 10,000 sites.

Terminology

Homophones are sets of words that have the same pronunciation. They can be spelled differently but have the same meaning, such as {guarantee, guaranty}, or be spelled differently and have different meanings, such as {whether, weather} and {idle, idol, idyll}. Given this definition of homophones, soundsquatting is defined as the practice of registering domain names that are homophones of authoritative ones. Soundsquatters, meanwhile, are the individuals or organizations involved in soundsquatting. As in generic domain squatting, authoritative domains are those that soundsquatters target. These usually belong to high-traffic websites with millions of visitors: the more legitimate visitors a website has, the more visitors are likely to land on its soundsquatted counterparts. An authoritative domain targeted by a soundsquatting attack has been soundsquatted. For instance, an authoritative weather site, weatherportal.com, can have a soundsquatted counterpart such as whetherportal.com, which captures traffic intended for the authoritative domain whenever users type "whether" instead of "weather". Typing the wrong word and reaching the soundsquatted domain allows the soundsquatter, like generic domain squatters, to monetize visits in a wide range of unethical and illegal ways.

Differences with Typosquatting

Before moving on to the discovery and study of soundsquatted domains, it is important to differentiate soundsquatting from typosquatting. As the term indicates, typosquatting involves "typos" (i.e., misspelled domain names, usually associated with typing mistakes). In 2006, Wang et al. categorized the typos involved in typosquatting into five categories [27]. Using the domain example.com and the intended URL www.example.com, these are:
- Missing-dot typos: the dot following "www" is omitted (i.e., wwwexample.com)
- Character-omission typos: a character is omitted (e.g., www.exmple.com)
- Character-permutation typos: consecutive characters are swapped (e.g., www.examlpe.com)
- Character-replacement typos: characters are replaced by adjacent ones on a specific keyboard layout (e.g., www.ezample.com, where "x" was replaced by the QWERTY-adjacent "z")
- Character-insertion typos: characters are mistakenly typed twice (e.g., www.exaample.com)
Later research on typosquatting shows that, in addition to the classes of typos above, domain squatters are also registering authoritative domains under different, less-popular top-level domains (TLDs) [4].

In all of the cases above, users intend to type a specific URL but accidentally mistype it, initiating a request for the wrong page before realizing they made a mistake. In contrast, in soundsquatting, users type exactly what they intend to, even though their intended destination is different. The mistake occurs at the word level rather than at the character level, and the substituted words are real dictionary words, not mistypes. Confusion between intended and typed words is further amplified when a domain contains a homophone that belongs to a set of same-sounding words with the same meaning. An example is guarantybanking.com, a banking website. As previously mentioned, "guarantee" is a homophone of "guaranty". As of this writing, guaranteebanking.com is parked and available for sale. In such a case, typing the "correct" domain involves memorizing a specific spelling rather than translating a concept into a word. It is also difficult to predict which spelling people who hear of "Guarantee Banking" for the first time will use.
Generating Soundsquatted Domains

Any system built to discover domain-squatting activity requires at least two resources: a set of target authoritative domains, and a list of rules and models that transform authoritative domains into possible squatted domains. In typosquatting's case, these rules may include domains that use the neighboring characters of every key on a specific keyboard layout and those that apply character omission, duplication, and replacement. In soundsquatting, the following resources are required:
- Authoritative domain list: assuming that popular domains are targeted more than less popular ones, a list of the top 10,000 Internet websites according to Alexa was obtained. The number of unique domains contained in this list is given in the Results section.
- Dictionary: also called a "wordlist", this is required for extracting valid words from domain names. For instance, given a sufficiently large dictionary and the domain youtube.com, an algorithm can straightforwardly search for the presence of every dictionary word in the domain, excluding the TLD, and conclude that it comprises the words "you" and "tube".
- Transformation rules: apart from a dictionary, a database of English homophones is also required. A homophone database was compiled by scraping homophone.com, a website dedicated to homophones, along with Wikipedia's list of dialect-independent homophones [28]. The numbers from 1 to 100 along with their word forms (e.g., {9, nine}) were manually added to the homophone database, as were a few common Internet-slang spellings (e.g., {you, u}).
Figure 1: AutoSS's architecture; given a homophone database, a list of target domains, and a dictionary, AutoSS outputs a list of possible soundsquatted domains.

To automatically generate soundsquatted domains, AutoSS, a tool that uses the resources above to generate valid soundsquatted domains, was created. AutoSS loads the homophone database and the dictionary into memory. It then parses each entry in the Alexa list of websites to isolate the main domain from the domain extension and from any subdomains and paths. Dashes in the resulting strings are treated as word separators (e.g., search-results.com is split into "search" and "results" without the aid of a dictionary). Domains without dashes require a string search for the presence of every word in the dictionary. While this is a relatively fast process, the resulting set of candidate words (CWs) requires substantial processing, mainly because of the presence of accidental words. This and other issues, and the techniques used to automatically detect and resolve them, are discussed in more detail below.

Word-in-word removal: Consider the domain linkedin.com and the homophone set {in, inn}. Ideally, the tool should just discover homophones of "linked" and "in". However, a typical dictionary search will discover the words "in", "ink", "inked", "ked", "link", and "linked". The obvious next step would be to delete all words that are contained in others. The issue, however, is that while "in", "ink", "inked", "ked", and "link" are all contained in "linked", removing "in" from the list of CWs is wrong, since it also exists on its own after the word "linked". Doing so would also fail to generate soundsquatted versions such as linkedinn.com. To solve this problem, AutoSS works in the following manner: whenever a pair of words {a, b} is found where a is included in b, b is replaced by another string of equal length in the domain name. Afterward, the domain name is searched again for the presence of a. If a is still found, a is not deleted from the set of CWs. In the example, the pair {in, linked} in linkedin.com is transformed to ______in.com. Since the word "in" is still found in the domain name, it is not removed from the list of CWs. Before proceeding, AutoSS also records the index of the word's location in the transformed domain in the Word Index component, so that when words are replaced by their homophones later, the tool replaces the appropriate "in", avoiding results such as linnkedinn.com, which does not conform to the definition of soundsquatting since "linnked" is neither a valid dictionary word nor a homophone of any other word. At the end of this process, the list of CWs is limited to {linked, in} (i.e., CW' in Figure 1), which is the desired outcome.

Accidental word removal: This module receives the possibly modified set of CWs from the Word-in-Word Removal module and attempts to identify and remove accidental words from the list. Consider the domain leaseweb.com, which belongs to a web-hosting service provider. The ideal word breakdown would be {lease, web}. Using the dictionary and selectively removing words in words, AutoSS discovers the words "lease", "sew", and "web". "Sew" is included because it is a dictionary word that accidentally appears in the domain name, formed by the last two letters of "lease" and the first letter of "web". This problem was partially solved by attempting to exhaustively create permutations of the CWs, including:

This process continues until either a permutation perfectly matches the target domain name (i.e., CW'' in Figure 1) or the computation times out due to the exponential nature of permutations. If time runs out before the module finishes, AutoSS falls back to the CW list obtained after word-in-word removal.

Homophone replacement: In this module, AutoSS uses the set of CWs discovered by the previous modules and generates new domains by replacing one homophone with another. The module queries the homophone database for each CW. For each homophone discovered, the system generates a new soundsquatted domain by replacing the CW with that homophone, taking the word index into account so that the right occurrence is replaced. AutoSS also has a "Level" parameter that specifies the number of concurrent homophone replacements for domain names in which more than one homophone is discovered. Consider the case of thepiratebay.se, a popular torrent tracker. AutoSS discovers the homophones {the, thee} and {bay, bey}. While these can be used to create the soundsquatted domains theepiratebay.se and thepiratebey.se, a third domain can be generated by replacing both at the same time (i.e., theepiratebey.se). For this study, Level 2 was used, limiting AutoSS to a maximum of two homophone replacements at a time even if a domain contains more than two homophones. While a higher level would allow significantly more combinations and generate more soundsquatted domains, three or more homophone mistakes in a single domain name are believed unlikely to occur.
AutoSS limitations: Due to the flexibility of the English language and the freedom it affords with regard to wordplay, AutoSS's techniques for isolating words in domain names are necessarily heuristic-based. A later section estimates the number of false positives AutoSS generates and briefly discusses possible ways to lower this number, which can be pursued in future research.
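The three AutoSS stages above, as an added example that is not the authors' tool: a compact Python re-implementation on constructed stand-ins for the dictionary and the homophone database. The wordlist, the homophone sets, the rule that the registrable label is the first host label (a real tool would use the Public Suffix List) and the `level` parameter name are assumptions of this example. On youtube.com it produces the same three domains the text reports; on fc2.com it shows the fallback to the substring word index when no exact dictionary cover exists.

```python
"""Simplified AutoSS pipeline (added example; not the authors' tool).

Stages, on tiny constructed stand-ins for the paper's resources:
  1. word-in-word removal over a substring word index,
  2. accidental-word removal by finding an exact dictionary cover of the label,
  3. homophone replacement bounded by a 'level' of concurrent replacements.
Assumption: the registrable label is the first host label (no Public Suffix List).
"""
import itertools
from functools import lru_cache

DICTIONARY = frozenset({
    "you", "tube", "linked", "in", "ink", "inked", "ked", "link", "lease", "web",
    "sew", "the", "pirate", "bay", "search", "results", "2", "my", "free", "pay", "site",
})
HOMOPHONE_SETS = [
    {"you", "yew", "ewe", "u"}, {"in", "inn"}, {"the", "thee"}, {"bay", "bey"},
    {"2", "two", "to", "too"}, {"site", "sight", "cite"},
]
HOMOPHONES = {}
for group in HOMOPHONE_SETS:
    for word in group:
        HOMOPHONES.setdefault(word, set()).update(group - {word})


def split_domain(domain):
    """Return (registrable label, suffix) from a URL or hostname."""
    host = domain.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    label, _, suffix = host.partition(".")
    return label, suffix


def substring_words(piece):
    """Word index after word-in-word removal: every dictionary word found in
    `piece` as a substring, kept only where it survives masking each longer
    word containing it (the trailing 'in' of linkedin survives, the 'in'
    inside 'linked' does not)."""
    found = [(w, i) for w in DICTIONARY for i in range(len(piece)) if piece.startswith(w, i)]
    keep = []
    for w, i in found:
        masked = piece
        for other, j in found:
            if other != w and w in other:
                masked = masked[:j] + "_" * len(other) + masked[j + len(other):]
        if masked.startswith(w, i):
            keep.append((w, i))
    return sorted(keep, key=lambda t: t[1])


def exact_covers(piece):
    """All ways to cover `piece` exactly with dictionary words."""
    @lru_cache(maxsize=None)
    def rec(i):
        if i == len(piece):
            return [()]
        return [(piece[i:j],) + rest
                for j in range(i + 1, len(piece) + 1) if piece[i:j] in DICTIONARY
                for rest in rec(j)]
    return rec(0)


def best_segmentation(piece):
    """Accidental-word removal: the exact cover with the fewest words, or None.
    An accidental word such as 'sew' in leaseweb never takes part in a cover."""
    covers = exact_covers(piece)
    return min(covers, key=len) if covers else None


def word_slots(label):
    """(offset, word) pairs for the label; dashes act as separators.
    Falls back to the word index when a piece has no exact cover."""
    slots, pos = [], 0
    for piece in label.split("-"):
        cover = best_segmentation(piece)
        if cover:
            off = pos
            for w in cover:
                slots.append((off, w))
                off += len(w)
        else:
            slots.extend((pos + i, w) for w, i in substring_words(piece))
        pos += len(piece) + 1
    return slots


def soundsquat(domain, level=2):
    """Generate soundsquatted domains with at most `level` concurrent replacements."""
    label, suffix = split_domain(domain)
    slots = sorted((o, w) for o, w in word_slots(label) if w in HOMOPHONES)
    out = set()
    for k in range(1, level + 1):
        for chosen in itertools.combinations(slots, k):
            if any(a[0] + len(a[1]) > b[0] for a, b in zip(chosen, chosen[1:])):
                continue  # overlapping index entries (fallback mode only)
            for alts in itertools.product(*(sorted(HOMOPHONES[w]) for _, w in chosen)):
                new = label
                for (o, w), alt in sorted(zip(chosen, alts), reverse=True):
                    new = new[:o] + alt + new[o + len(w):]  # right to left keeps offsets valid
                out.add(f"{new}.{suffix}")
    return sorted(out)


if __name__ == "__main__":
    for d in ("youtube.com", "linkedin.com", "thepiratebay.se", "fc2.com", "search-results.com"):
        print(d, "->", soundsquat(d))
```

The exact-cover step is what discards accidental words: the word index for leaseweb still lists "sew", but no cover of the label uses it. The index is only consulted for labels such as fc2 that dictionary words cannot cover at all, which mirrors the fallback described for the accidental-word module.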
Results

From the Alexa list of the top 10,000 Internet websites, we extracted 9,926 Public Suffix + 1 domains. Given these domains and the homophone database, which contains 2,913 words in 1,337 homophone sets, AutoSS extracted a total of 6,418 homophones. With the parameter set to Level 2, AutoSS generated 8,476 soundsquatted domains. Interestingly, 67.3% of the domains did not contain any homophone at all. The highest-ranking domain that had homophones was youtube.com, for which AutoSS generated the soundsquatted domains yewtube.com, ewetube.com, and utube.com. The domain with the highest number of homophones was wearehairy.com, ranked 5,663 in the Alexa list. It had 12 different homophones, resulting in 32 different soundsquatted domains. Of the 1,337 homophone sets, 568 (42.48%) were used at least once to generate a soundsquatted domain. Table 1 shows the top 10 homophone sets used by AutoSS on the Alexa list of websites.

Table 1: Homophone Sets AutoSS Used Most on the Alexa Top 10,000 Websites

Homophone set                                        Number of times used
{2, two, to, too}                                    735
{1, one, won}                                        300
{ere, air, aire, are, ayr, ayre, err, eyre, heir}    278
{four, 4, for, fore}                                 250
{bi, buy, by, bye}                                   223
{do, dew, due, doe, dough}                           208
{whirled, whorled, world}                            156
{yew, you, ewe, u}                                   150
{cite, sight, site}                                  134
{0, zero, xero}                                      134

This was an experimental validation of what was intuitively expected: the number of soundsquatted domains an authoritative domain has depends on its owner's choice of words and has nothing to do with its popularity, at least among the top 10,000 Alexa websites. Figure 2 correlates a website's ranking with the number of homophones found in its domain name. The scatter plot reveals no significant relationship between the two, which means that, on average, low-ranking websites are just as vulnerable to soundsquatting as high-ranking ones.
Figure 2: Scatter plot showing the lack of significant correlation between a website's popularity and the number of homophones found in its domain name (r = 0.019).

SOUNDSQUATTING EVALUATION

This section analyzes existing (i.e., already registered) soundsquatted domains obtained through a series of automated and manual experiments, and categorizes them according to purpose.

Categorization Method

As previously mentioned, AutoSS was able to generate 8,476 soundsquatted domains based on the Alexa top 10,000 websites. To find out whether domain squatters are already aware of homophones and the principles of soundsquatting, a two-step process was applied to identify already-registered soundsquatted domains. First, all of the domains were tested to see whether they resolved to IP addresses. A domain that successfully resolves is obviously registered; one that does not resolve may still be registered without having been assigned a valid IP address. Whois lookups were therefore performed on the set of domains that did not resolve to IP addresses, and attempts were also made to register them with a popular domain name registrar. At the end of this process, 1,823 domains (i.e., 21.5% of the total number of domains generated) turned out to already be registered.

To classify the registered domains, a crawler based on PhantomJS [15] visited each domain, waited for 10 seconds (to allow remote content to load), took a screenshot of the page, and recorded the HTML and the final URL for later processing. The final URL was used to detect redirections from soundsquatted domains to different domains. A semiautomatic approach was used to categorize each site. The screenshots of all of the pages were manually skimmed, and pages that looked alike were grouped together. Most of these were parked pages (i.e., pages that show ads) that were somewhat relevant to the domain names and usually advertised that the domains were for sale. Other groups comprised pages with little content, stating that the sites were "under construction"; these may be placeholder pages owned by popular registrars informing their clients how to set up a website on a registered domain. Accessing some pages led to generic errors such as a 404 error. The HTML of a few domains in each group was examined, and generic HTML and JavaScript signatures were created that could automatically categorize the remaining pages in each group. Through this approach, the page-characterizing scripts eventually classified 77.2% of all of the domains crawled automatically. The remaining 417 unclassified domains were manually classified by visiting each website and carefully inspecting its source code, its available Whois information, and any similarity (e.g., visual, content, and audience) with its authoritative counterpart.

Categorization Results

Combining the results of automatic classification and manual investigation resulted in the following categories of registered soundsquatted domains:

Authoritative-owned domains: Out of the 1,823 domains studied, 155 soundsquatted domains belonged to the owners of their authoritative counterparts. In the vast majority of cases, users are automatically redirected to the correct authoritative domain without warning or the appearance of additional dialogs. Redirection almost always happens through a 301/302 HTTP response status code, although users can occasionally be redirected to one or two intermediate hosts, which in turn redirect them to the appropriate domains. In such cases, the intermediate hosts belonged to brand-protection companies that most likely registered the domains so that users who made mistakes when accessing the correct domains were redirected to their intended destinations. In two instances, the owners of the authoritative domains attempted to educate their users about homophone confusion. Myfreepaysight.com, a soundsquatted domain of the adult site myfreepaysite.com, for instance, greets visitors with a message pointing out the difference between the two domains.
Parked/Advertising/For-sale domains: Parked domains have been identified by prior research as domain squatters' preferred means of monetization [21, 27]. As previously mentioned, these domains contain no real content except ads, which are usually constructed on demand by a domain-parking agency based on the words in the domain name and the owner's preferences. This category also includes domains that showed ads even though they are not affiliated with large domain-parking agencies (e.g., net0.net, a soundsquatted version of netzero.net) and those listed "for sale". In sum, ad-driven domains comprise the largest chunk of existing soundsquatted domains (954 cases, or 52.3%).
Affiliate-abusing domains: An examination of the soundsquatted domains that redirected users to their authoritative counterparts revealed that 32 abused affiliate programs. Affiliate programs promise participating domains small commissions for every new customer visit. In affiliate abuse, attackers take advantage of legitimate sites' affiliate programs by appending their own affiliate identifiers to the requests of unsuspecting visitors. Consider the domain mybrowsercache.com, a soundsquatted version of mybrowsercash.com. As of this writing, every time users visit mybrowsercache.com, they are automatically redirected to http://www.mybrowsercash.com/index.php?refid=312044. Notice that a specific referrer identifier is added to the URL. This allows the attackers who registered mybrowsercache.com to earn a commission every time users confuse "cache" with "cash". The owners of mybrowsercash.com, meanwhile, pay a commission on visitors who were looking for them in the first place.
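The redirect-based triage described under Categorization Method and the affiliate pattern above, as an added Python example (not the paper's crawler or its HTML/JavaScript signatures): it takes the final URL and HTML a crawler recorded for a registered soundsquatted domain and sorts the domain into the buckets used in this section. The affiliate parameter names, the parked-page signatures and the two-label registrable-domain rule are assumptions of this example. The sample records reuse domains named in the text; the first two final URLs are the ones quoted, and the remaining URLs and HTML snippets are constructed.

```python
"""Redirect-based triage of crawled soundsquatted domains (added example).

Given what the crawler recorded per domain (final URL after redirects, HTML,
error flag), assign a coarse category. Affiliate parameter names, parked-page
signatures and the two-label registrable-domain rule are assumptions; a
production tool would use the Public Suffix List and curated signatures.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed: query parameters that typically carry an affiliate/referrer identifier.
AFFILIATE_PARAMS = {"refid", "ref", "aff", "affid", "aff_id", "affiliate", "partner"}
# Assumed: HTML fragments typical of parked / for-sale pages.
PARKED_SIGNATURES = ("domain is for sale", "buy this domain", "related searches", "sedoparking")


def registrable(host):
    """Reduce a hostname to its registrable domain.
    Assumption for this example: the last two labels (no Public Suffix List)."""
    host = (host or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def classify(record):
    """Map one crawl record to a category.
    Keys: squat, authoritative, final_url, html, error."""
    if record.get("error"):
        return "offline_or_error"
    squat = registrable(record["squat"])
    auth = registrable(record["authoritative"])
    final = urlsplit(record["final_url"])
    final_dom = registrable(final.hostname)
    if final_dom == auth:
        # Landed on the real site: owner-held unless an affiliate id was injected.
        params = {k.lower() for k in parse_qs(final.query)}
        return "affiliate_abuse" if params & AFFILIATE_PARAMS else "authoritative_owned"
    if final_dom == squat:
        # No cross-domain redirect: fall back to page-content signatures.
        html = (record.get("html") or "").lower()
        if any(sig in html for sig in PARKED_SIGNATURES):
            return "parked"
        return "needs_manual_review"
    return "redirects_elsewhere"  # hit-stealing, scams, promotion: inspect by hand


def summarize(records):
    """Category counts over a batch of crawl records."""
    return dict(Counter(classify(r) for r in records))


# Constructed sample records (domains from the text; first two final URLs as
# quoted above, the rest made up for illustration).
SAMPLE_RECORDS = [
    {"squat": "mybrowsercache.com", "authoritative": "mybrowsercash.com",
     "final_url": "http://www.mybrowsercash.com/index.php?refid=312044", "html": "", "error": False},
    {"squat": "ashemailtube.com", "authoritative": "ashemaletube.com",
     "final_url": "http://trannydates.com/", "html": "", "error": False},
    {"squat": "whetherportal.com", "authoritative": "weatherportal.com",
     "final_url": "https://www.weatherportal.com/", "html": "", "error": False},
    {"squat": "net0.net", "authoritative": "netzero.net",
     "final_url": "http://net0.net/", "html": "<h1>This domain is for sale</h1>", "error": False},
    {"squat": "myfreepaysight.com", "authoritative": "myfreepaysite.com",
     "final_url": "http://myfreepaysight.com/", "html": "<p>Did you mean myfreepaysite.com?</p>", "error": False},
    {"squat": "gnuegg.com", "authoritative": "newegg.com",
     "final_url": "", "html": "", "error": True},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['squat']:22} -> {classify(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

Only the redirect target and its query string are needed to separate owner-held redirects from affiliate abuse; everything that stays on the squatted host still needs the content signatures and, failing those, a manual look, which is the same split the semiautomatic method above ended up with.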
Hit-stealing domains: Analysis revealed 22 cases where attackers used soundsquatting to capture legitimate website traffic and feed it to their own "business-related" domains. In most cases, the authoritative and soundsquatted domains had similar content even though they had different owners. Most of the soundsquatting targets were adult, online shopping, and travel websites, such as:
- Ashemailtube.com is a soundsquatted version of ashemaletube.com, a transvestite-oriented porn website. Visiting the soundsquatted domain redirects users to trannydates.com, a dating website that specifically caters to transvestites.
- Video-1.com, a soundsquatted version of the adult video portal video-one.com, currently hosts an online sex shop.
- Todomains.ru provides domain-registration services and is a soundsquatted version of 2domains.ru, a large Russian domain registrar.
- Gamefive.com is a soundsquatted version of game5.com, an online gaming site. The soundsquatted domain was tagged "for sale" for three years before it was turned into an online gaming site.
- Textsail.ru is a soundsquatted version of textsale.ru. Both websites sell articles and stories on a wide range of topics.
This category also includes soundsquatted domains that profit from the trustworthiness associated with their well-known and popular authoritative counterparts. In such cases, the content of the soundsquatted domain need not match that of its authoritative counterpart. The owners of freemale.hu, for instance, are probably exploiting the popularity of the well-known Hungarian email service provider freemail.hu to promote their web page, in the same way that tvto.no abuses the popularity of the website of the Norwegian channel TV2, tv2.no; that soundsquatted domain redirects users to an online casino website.
Scam-related domains: Soundsquatted domains can also be used for scams. Sixteen cases where soundsquatted domains were used for various scams (e.g., fake lotteries and surveys) were identified. For instance, vhone.com, a soundsquatted version of vh1.com, redirects users to a survey website that promises an opportunity to win high-end electronics in exchange for their participation. Users are then trapped in a series of redirections that constantly promise more and more prizes in exchange for divulging more and more personal information, such as their names, email addresses, and mobile phone numbers.

Domains that promote related domains: This category includes seven soundsquatted domains that promote material related to the content of their authoritative counterparts. Teambeechbody.com is a soundsquatted version of teambeachbody.com, an online fitness club where people can subscribe as "fitness coaches" and earn commissions for successfully coaching users. As of this writing, visiting the soundsquatted domain redirects users to the pages of specific coaches on teambeachbody.com, giving those coaches a better chance of being selected over others on the website. In another case, the soundsquatted domain rednovel.com redirects users to http://www.lvse.com/site/readnovel-com-3550.html, a page about readnovel.com (i.e., the authoritative domain) that contains a safety score, user comments, and a list of similar websites.
Other domains: Analysis revealed that six soundsquatted domains were used for malicious purposes (e.g., to install malware and acquire personal information). Movreel.com, a free movie-streaming service provider, is being soundsquatted by movreal.com. At first glance, movreal.com appears to be another movie-streaming service provider, as it asks users to download a browser plug-in (i.e., AVS_Media_Player.exe) in order to watch videos. The plug-in is, however, malicious and is detected by most security vendors as a Solimba variant (i.e., an installer of other malicious software and adware). Similarly, utube.com, a soundsquatted version of youtube.com, uses videos to social-engineer users into first divulging personal information and then, depending on their browser, installing a browser extension. Mozilla Firefox users then see unwanted search results and pop-up messages, apart from running the risk of having their browsing statistics gathered. Two domains that likely acquire private user information, particularly email credentials, were found. One of these is innbox.lv, a soundsquatted version of the well-known Latvian service provider's domain inbox.lv. Both websites offer free email accounts. Two soundsquatted domains were also involved in phishing campaigns against e-commerce and business-related websites.

Overall, 1,037 (56.88%) of the 1,823 registered soundsquatted domains were tagged "malicious". Of the remaining domains, 155 belonged to their authoritative counterparts' owners, 300 were owned by different legitimate organizations, and 331 were offline, showed HTTP errors, or were under construction when visited.
User Characterization

In the previous sections, the registered soundsquatted domains were categorized according to purpose. This section looks at the users who, due to homophone confusion, landed on soundsquatted domains. As previously mentioned, AutoSS generated 8,476 soundsquatted versions of the Alexa top 10,000 websites. Among them, 1,823 (21.5%) were already registered, leaving 6,653 unregistered. To actively measure the global user population and assess the viability of soundsquatting attacks, we registered our own soundsquatted domains and monitored the requests they received. Due to the lack of prior soundsquatting research, there was no objective or historical way to assess which of the unregistered domains would attract more users than others. As such, the list of available soundsquatted domains was manually examined, and a total of 30 domains covering a wide range of soundsquatting techniques were chosen for further study.
Soundsquatted Domains Studied to Determine User Characteristics (monthly average of human requests; the share of human requests among all requests is given in parentheses)

Authoritative domain     Homophone pair       Soundsquatted domain       Human requests per month
thefreedictionary.com    {the, thee}          theefreedictionary.com     283 (39.86%)
fc2.com                  {2, too}             fctoo.com                  165 (44.84%)
jimdo.com                {do, doe}            jimdoe.com                 150 (38.27%)
turbobit.net             {bit, bitt}          turbobitt.net              132 (36.07%)
leboncoin.fr             {coin, quoin}        lebonquoin.fr              110 (74.32%)
adserverplus.com         {ad, add}            addserverplus.com           98 (60.49%)
profitclicking.com       {profit, prophet}    prophetclicking.com         56 (48.28%)
hostgator.com            {gator, gaiter}      hostgaiter.com              45 (45.92%)
sitesell.com             {sell, cel}          sitecel.com                 44 (40.00%)
discuz.net               {disc, disk}         diskuz.net                  43 (40.19%)
tube8.com                {8, ait}             tubeait.com                 42 (43.30%)
clixsense.com            {sense, scents}      clixscents.com              40 (44.44%)
a8.net                   {8, eight}           aeight.net                  48 (43.24%)
newegg.com               {new, gnu}           gnuegg.com                  37 (36.63%)
redtubelive.com          {red, read}          readtubelive.com            44 (51.76%)
fiverr.com               {err, air}           fivair.com                  33 (37.93%)
exoclick.com             {click, clique}      exoclique.com               32 (45.71%)
theglobeandmail.com      {mail, male}         theglobeandmale.com         35 (38.46%)
pastebin.com             {bin, been}          pastebeen.com               35 (39.77%)
ku6.com                  {6, sics}            kusics.com                  28 (33.33%)
Total (all 30 domains)                                                 1,718

The first three columns of the table above show 20 of the 30 authoritative domains studied, the homophone pairs used, and their soundsquatted versions.
While three of the target domains above could also be associated with typosquatting (e.g., theefreedictionary.com), the rest differ radically from the domains that researchers have, over the years, associated with typosquatting (e.g., prophetclicking.com). Most of the domains were registered in December 2012, while the others were registered in March 2013. To present a uniform view of traffic, the monthly average number of requests received by each domain was computed over the period up to December 11, 2013. All domains, subdomains, and requests for specific file paths resolved to a single blank page, while the details of each request were recorded in a set of Apache log files. Users were not automatically redirected to the authoritative domains they sought, to avoid reinforcing the behavior of typing the wrong domains; they were instead made aware of their mistake. (Ethical considerations regarding the experiment are discussed in the Appendix.) The last column shows the monthly average number of human requests received during the monitoring period, along with the percentage of human requests among all requests.
To assess soundsquatting's impact on human behavior, bot visits had to be separated from human visits. There is no single, generic technique that can perfectly separate bot from human visits; if such a technique existed, attackers would already be using it to evade security researchers by detecting all high-interaction honeypots and never presenting them with malicious code. In this paper, requests with nonstandard user agents were identified during a preliminary manual inspection. Using keywords extracted from these requests, a set of nine generic identifiers that many bots have in common, such as "spider", "bot", and "crawl", was assembled. In addition to these generic identifiers, 707 specific bot signatures were scraped from useragentstring.com. As a result, a request was classified as a "bot request" if its user agent contained any of the 716 bot signatures in the predetermined set. To account for bots that do not identify themselves, each requester's IP address was also checked against the blacklist provided by stopforumspam.com, a database with hundreds of thousands of IP addresses belonging to known forum-spamming bots. Finally, each address was checked against a list of IP addresses used by well-known search engine spiders [1].
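The bot/human separation above, as an added Python example (not the paper's scripts): a parser for Apache logs with a leading virtual-host field, the three filters (user-agent keywords and signatures, a spam-IP blacklist, spider address ranges), and a per-domain tally in the form of the last column of the table. The log format, the keyword and signature lists, the IP lists (TEST-NET addresses) and the log lines are constructed stand-ins for the paper's 716 signatures, the stopforumspam.com blacklist and the spider list.

```python
"""Human/bot separation over Apache access logs (added example, not the paper's
scripts). Log format assumed: Apache combined with a leading %v virtual-host
field, i.e. '%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'.
All signatures, IP lists and log lines below are constructed stand-ins.
"""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$')

# Generic identifiers many bots share (the paper used nine such keywords).
GENERIC_BOT_WORDS = ("bot", "spider", "crawl", "slurp", "fetch", "curl", "wget",
                     "python-requests", "scan")
# Stand-ins for the specific user-agent signatures scraped from useragentstring.com.
SPECIFIC_BOT_SIGNATURES = ("AhrefsBot", "MJ12bot", "SemrushBot", "Baiduspider")
# Stand-in for the stopforumspam.com IP blacklist (documentation-range addresses).
SPAM_IP_BLACKLIST = {"198.51.100.77", "198.51.100.78"}
# Stand-in for the search-engine spider address list.
SPIDER_NETWORKS = [ipaddress.ip_network("192.0.2.192/26")]


def is_bot(ip, user_agent):
    """Apply the three filters in order: UA keywords/signatures, spam IPs, spider ranges."""
    ua = user_agent.lower()
    if any(word in ua for word in GENERIC_BOT_WORDS):
        return True
    if any(sig.lower() in ua for sig in SPECIFIC_BOT_SIGNATURES):
        return True
    if ip in SPAM_IP_BLACKLIST:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client address: never count it as human
    return any(addr in net for net in SPIDER_NETWORKS)


def parse_line(line):
    """Return the log fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def registered_domain(vhost):
    """Fold subdomains such as awesomegrizzlybears.jimdoe.com into jimdoe.com.
    Assumption: two-label registrable domains (no Public Suffix List)."""
    return ".".join(vhost.split(":")[0].lower().split(".")[-2:])


def human_requests(lines):
    """Per soundsquatted domain: (human requests, all requests, human share in %)."""
    counts = defaultdict(lambda: {"human": 0, "bot": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line
        kind = "bot" if is_bot(rec["ip"], rec["ua"]) else "human"
        counts[registered_domain(rec["vhost"])][kind] += 1
    return {dom: (c["human"], c["human"] + c["bot"],
                  round(100.0 * c["human"] / (c["human"] + c["bot"]), 2))
            for dom, c in counts.items()}


# Constructed log lines: two humans and two bots on jimdoe.com (one bot by UA,
# one by blacklisted IP), two humans and one spider-range bot on theefreedictionary.com.
SAMPLE_LOG_LINES = [
    'jimdoe.com 203.0.113.10 - - [12/Mar/2013:10:01:22 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.36"',
    'awesomegrizzlybears.jimdoe.com 203.0.113.11 - - [12/Mar/2013:10:05:09 +0000] "GET /about HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"',
    'jimdoe.com 198.51.100.5 - - [12/Mar/2013:10:07:41 +0000] "GET /rob' 'ots.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    'jimdoe.com 198.51.100.77 - - [12/Mar/2013:10:09:03 +0000] "POST /login HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"',
    'theefreedictionary.com 192.0.2.8 - - [12/Mar/2013:11:00:00 +0000] "GET /word/sample HTTP/1.1" 200 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B141 Safari/8536.25"',
    'theefreedictionary.com 192.0.2.9 - - [12/Mar/2013:11:02:30 +0000] "GET / HTTP/1.1" 200 0 "http://theefreedictionary.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.36"',
    'theefreedictionary.com 192.0.2.200 - - [12/Mar/2013:11:04:12 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.36"',
    'not a log line',
]

if __name__ == "__main__":
    for dom, (human, total, pct) in sorted(human_requests(SAMPLE_LOG_LINES).items()):
        print(f"{dom:26} {human} ({pct}%) of {total}")
```

The ordering of the filters matters only for cost, not for the outcome: every request has to pass all three to be counted as human, which is the conservative direction the text argues for, since a bot that slips through inflates the human column while a misclassified human only deflates it.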
Results show that the 30 soundsquatted domains monitored received an average of 1,718 human requests per month, out of a total of 4,150 monthly requests. The domain that received the highest number of hits, theefreedictionary.com, can also be considered a typosquatting candidate and so naturally attracted more traffic than the domains that were purely soundsquatted. Apart from requests for each website's main page, many requests for subdomains within each domain were also recorded. Consider jimdo.com, a web application that allows users to create their own websites and host them on its subdomains. The jimdoe.com logs contained requests for 176 subdomains associated with personal websites, such as awesomegrizzlybears.jimdoe.com, karatedojo-oppeln.jimdoe.com, and armaniwoe.jimdoe.com, all valid subdomains under jimdo.com. These visits show that even though people can accurately type relatively long and obscure subdomains, they can still confuse homophones. Geolocating the IP addresses of all requests showed that, while the bot requests that crawled the chosen domains came from 42 countries, human requests originated from 123 different countries. This shows that users from all over the world are prone to homophone confusion and thus vulnerable to soundsquatting attacks.

In general, each soundsquatted domain received between two and 283 human requests per month. While these numbers are not incredibly large and are probably smaller than those obtained by popular typosquatted domains, soundsquatting and typosquatting are not competing techniques; they complement each other in domain squatters' arsenal. Since this is the first soundsquatting study, domains with homophone replacements ranging from more likely to less likely were registered. Careful attackers, however, can target domains better and thus acquire more visitors at less cost.

Finally, a significant number of emails (e.g., social networking invitations, product shipment notifications, email-account-creation credential notifications, mobile phone service bills, etc.) were sent to the soundsquatted domains monitored. It was evident in all cases that the emails were meant for accounts belonging to the legitimate domains that were soundsquatted, but were missent due to homophone confusion. Receipt of these emails further shows that businesses and users are indeed vulnerable to soundsquatting attacks.
SOUND-DEPENDENT USERS

This section describes a soundsquatting attack that can victimize people who rely on sound when using computers. According to the World Health Organization, the world currently has 285 million visually impaired people, 39 million of whom are blind [2]. Severely visually impaired people cannot properly interact with computers without the help of assistive technologies. The two most popular assistive technologies for the visually impaired are Braille displays and screen readers [9]. Both assistive technologies convert content otherwise consumed by sight into something that can be consumed by touch or sound instead.

Considering the definition of homophones and their relation to soundsquatting, a new attack type can clearly be seen. Users that depend on screen readers to consume content in emails, Web pages, social media messages, or instant messages are vulnerable to accessing links that point to soundsquatted domains. Soundsquatted domains will be "read" near-identically with authoritative domains, giving the visually impaired no reason not to access the link offered. While Braille displays are not vulnerable to this attack, the fact that around 90% of the visually impaired live in developing countries, combined with the high cost of Braille displays, suggests that, due to limited resources and possible portability issues, screen readers are used more than Braille devices. Apart from the visually impaired, hundreds of thousands of smartphone users use personal assistant software such as Apple's Siri, which has text-to-speech capabilities, when they engage in other activities (e.g., driving or running) that make it hard to operate their smartphones.

To test this theory, an email with two links, one pointing to youtube.com and another to yewtube.com, was sent. Five popular free screen readers (i.e., the built-in screen readers of Windows XP, Windows 7, and Mac OS X; the Linux-based, open source ORCA [23]; and the Thunder screen reader [26]) were used. A text message with the same information was also sent to an Android smartphone with Skyvi [5], a popular Siri-like application used by more than 260,000 people. In all six cases, the two links sounded identical to each other, which means that a sound-dependent person would have no means to tell a legitimate link from a malicious one.

To further exacerbate the issue, soundsquatting attacks can also work with pseudohomophones (i.e., combinations of characters that are not real dictionary words but are purposefully constructed to sound like real words, such as {joke, joak} [24]). Pseudo-soundsquatted domains can be crafted even for target domains that do not contain homophones (such as phacebook.com and phaceboocc.com). Due to the potentially large number of domain variations and the specificity of this attack type, the responsibility of protecting sound-dependent users lies in the hands of text-to-speech software developers. One way of protecting against this threat is for text-to-speech software to switch to "spelling mode" whenever a link is encountered so users know they are accessing the right links and can avoid visiting malicious websites.
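The "spelling mode" mitigation described above, as an added example that is not code from the paper or from any of the screen readers it tested: links are located with a constructed regular expression and their host names are rendered letter by letter, so the youtube.com and yewtube.com links from the experiment no longer sound alike. The link pattern, the spoken-output format and the sample message are assumptions made for this example.

```python
import re

# Constructed pattern for finding links in running text: an optional scheme,
# a dotted host name and an optional path. A real screen reader would rely on
# the link markup of the email or page instead.
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def spell_host(host):
    """Spell a host name letter by letter, announcing dots and hyphens, so the
    labels 'you' and 'yew' are no longer rendered by the same sound."""
    spoken = []
    for ch in host.lower():
        spoken.append({".": "dot", "-": "hyphen"}.get(ch, ch))
    return " ".join(spoken)

def spell_links(text):
    """Render text as a screen reader in 'spelling mode' would: ordinary words
    are left for normal reading, every link's host is spelled out, and the
    scheme and path are announced separately."""
    def render(match):
        url = match.group(0)
        scheme, sep, rest = url.partition("://")
        if not sep:
            scheme, rest = "", url
        host, slash, path = rest.partition("/")
        parts = []
        if scheme:
            parts.append(scheme.lower() + " colon slash slash")
        parts.append("link, spelled: " + spell_host(host))
        if slash:
            parts.append("slash " + path)
        return "[" + ", ".join(parts) + "]"
    return LINK_RE.sub(render, text)

# Constructed message modelled on the paper's experiment: one link to the
# authoritative domain and one to its soundsquatted variant.
MESSAGE = "Watch it on youtube.com or on https://yewtube.com/watch"
```

Read in normal mode both hosts are a single spoken word; in spelling mode the third letter ("u" versus "w") is audible.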
LIMITATIONS AND FUTURE RESEARCH

While AutoSS accounts for many corner cases when attempting to identify words comprising domain names, there is, unfortunately, still room for false positives (i.e., domains that do not conform to the definition of soundsquatting and the concept behind it). For instance, there are many domains in the Alexa top 10,000 websites that do not have English words, such as laredoute.fr, a French e-shop. AutoSS uses an English dictionary and will identify "lare," "do," and "ute" from the domain name. Its accidental word removal module will successfully combine these words to form "laredoute" and use them in the homophone replacement database, resulting in improbable domains such as laredewute.fr. Already-available typosquatting systems do not suffer from such a problem since they operate at the character level [21,27], unlike soundsquatting tools such as AutoSS, which operate at the word level.

To estimate the number of false positives, 424 (5%) of the soundsquatted domains generated were randomly sampled and each homophone replacement was manually examined to ensure that none of the domains are false positives. At the end of this process, 80 false positives out of the 424 domains investigated (i.e., 18.9% with a margin of sampling error of ±4.75%) were identified. While the number of false positives is not negligible, the study's main purpose was to investigate a previously unreported domain-squatting technique and evaluate its practicality and adoption for the Web. Lack of punctuation in domain names makes identifying the language they are written in challenging. One way around this problem is to actually inspect a site's main page, characterize its language, and assume that its domain name contains words in the same language. The researchers will leave the exploration of this and other techniques to reduce false positives to future work.

RELATED WORK

Domain squatting is the first form of cybersquatting that involves registering domains with trademarks that belong to other people or companies before their rightful owners have the chance to do so [6,8,13]. Domain squatting later evolved into typosquatting [8,21,27], or the act of registering domains that are mistypes of popular authoritative domains. Its beginnings can be traced back to 1999 through the Anti-Cybersquatting Consumer Protection Act (ACPA), which mentioned URLs that were "sufficiently similar to a trademark of a person or entity." [3] Apart from typosquatting, other less popular types of domain squatting (e.g., domains that abuse the visual similarity of characters in different character sets [11,16] and capture traffic originating from erroneous bit-flips in user devices [7,22]) also exist. To the best of our knowledge, this paper is the first to uncover the use of homophones to perform domain squatting and systematically study its adoption as well as users' susceptibility to attacks.

CONCLUSION

This paper uncovered a new type of domain squatting using similar-sounding words rather than relying on typographical mistakes. Dubbed "soundsquatting," it described a system that automatically generates soundsquatted domains and showed that attackers are already familiar with the concept of soundsquatting, abusing domains in ways similar to known types of domain squatting. Registering our own soundsquatted domains allowed us to show that it is possible for well-selected soundsquatted domains to attract hundreds of human visitors every month. The relationship between text-to-speech software and soundsquatting was also briefly examined. This paper also showed that attackers could abuse text-to-speech software to trick sound-dependent users into visiting malicious soundsquatting and pseudo-soundsquatted domains. Overall, the paper's findings verify the practicality of soundsquatting and show that homophone confusion should be accounted for by website owners and registrars as well as in cybersquatting countermeasures.

Acknowledgment: The researchers would like to thank anonymous reviewers for their valuable comments. This research was financially aided by the Prevention Against Crime Programme of the European Union (B-CCENTRE); the Research Fund KU Leuven; and the EU FP7 Projects, NESSoS and STREWS.
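The word-level matching that the limitations section describes (and that the conclusion asks website owners and registrars to account for), as an added defensive example that is not AutoSS or any code from the paper: a brand owner checks newly observed registrations against its own domains by segmenting labels into dictionary words and comparing homophone classes. The dictionary, homophone sets, brand list and candidate domains are constructed for the example; it reproduces the laredoute.fr false positive and shows that the pseudohomophone phacebook.com slips past a dictionary-based check.

```python
# Constructed homophone classes modelled on the Wiktionary list of
# dialect-independent homophones [28] the paper used, and a small constructed
# English word list (AutoSS used a full dictionary).
HOMOPHONE_SETS = [{"you", "yew", "ewe"}, {"to", "too", "two"},
                  {"do", "dew", "due"}, {"buy", "by", "bye"}]
DICTIONARY = {"you", "yew", "ewe", "tube", "face", "book", "lare", "do",
              "dew", "due", "ute", "best", "buy", "by", "to", "too", "two"}
# Every word maps to one canonical representative of its homophone class.
CANON = {w: min(group) for group in HOMOPHONE_SETS for w in group}

def segment(label, start=0):
    """Split a domain label into dictionary words, longest match first, with
    backtracking. Returns None if some part of the label is not a word."""
    if start == len(label):
        return []
    for end in range(len(label), start, -1):
        if label[start:end] in DICTIONARY:
            rest = segment(label, end)
            if rest is not None:
                return [label[start:end]] + rest
    return None

def soundsquat_of(candidate, brands):
    """Return the brand domain `candidate` is a homophone variant of, or None.
    Both labels must split into the same number of words, each pair identical
    or homophones, under the same TLD. The comparison is word-level, not
    character-level, which is exactly where the false positives enter."""
    c_label, _, c_tld = candidate.lower().partition(".")
    c_words = segment(c_label)
    if c_words is None:  # no dictionary segmentation: pseudohomophones escape
        return None
    for brand in brands:
        b_label, _, b_tld = brand.lower().partition(".")
        if b_tld != c_tld or b_label == c_label:
            continue
        b_words = segment(b_label)
        if b_words and len(b_words) == len(c_words) and all(
                CANON.get(c, c) == CANON.get(b, b)
                for c, b in zip(c_words, b_words)):
            return brand
    return None

def scan(new_domains, brands):
    """Map each flagged domain to the brand domain it imitates."""
    hits = {d: soundsquat_of(d, brands) for d in new_domains}
    return {d: b for d, b in hits.items() if b}

# Constructed inputs: the brand owner's domains and newly observed registrations.
BRANDS = ["youtube.com", "facebook.com", "laredoute.fr"]
NEW_DOMAINS = ["yewtube.com", "youtube.com", "phacebook.com", "laredewute.fr"]
```

laredewute.fr is flagged only because "lare," "do," and "ute" happen to be dictionary words, which is the false-positive mechanism the text describes; the remedy it proposes, checking the language of the site's main page, would need a network fetch and is not shown here.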
REFERENCES

1. Daniel Kramer. (2011). IP Addresses of Search Engine Spiders. Last accessed September 24, 2014, http://iplists.com/.
2. WHO. (2014). World Health Organization. "Visual Impairment and Blindness." Last accessed September 24, 2014, http://www.who.int/mediacentre/factsheets/fs282/en/.
3. Cybertelecom. (March 5, 2014). CyberTelecom. "Anti-Cybersquatting Consumer Protection Act." Last accessed October 8, 2014, http://www.cybertelecom.org/dns/acpa.htm.
4. A. Banerjee, D. Barman, M. Faloutsos, and L. N. Bhuyan. (2008). Proceedings of IEEE INFOCOM. "Cyberfraud Is One Typo Away."
5. Blue Tornado Inc. (2012). Skyvi. Last accessed September 24, 2014, http://www.skyviapp.com.
6. S. E. Coull, A. M. White, T. F. Yen, F. Monrose, and M. K. Reiter. (2010). IFIP SEC '10. "Understanding Domain Registration Abuses."
7. A. Dinaburg. (July 2011). Proceedings of Black Hat Security. "Bitsquatting: DNS Hijacking Without Exploitation."
8. B. Edelman. (2003). "Large-Scale Registration of Domains with Typographical Errors."
9. Even Grounds Inc. (2007–2013). Even Grounds. "How Do Blind People Use the Computer." Last accessed September 24, 2014, http://www.evengrounds.com/blog/how-do-blind-people-use-the-computer.
10. Rik Ferguson. (May 21, 2009). Countermeasures. "Tvviter Typosquatting Phishing Site." Last accessed September 24, 2014, http://countermeasures.trendmicro.eu/tvviter-typosquatting-phishing-site/.
11. E. Gabrilovich and A. Gontmakher. (February 2002). Communications of the ACM, 45(2):128. "The Homograph Attack."
12. G. Gee and P. Kim. (September 2011). "Doppelganger Domains." Last accessed September 24, 2014, http://www.wired.com/images_blogs/threatlevel/2011/09/Doppelganger.Domains.pdf.
13. J. Golinveaux. (1998–1999). University of San Francisco Law Review, 33 U.S.F. L. Rev. "What's in a Domain Name: Is Cybersquatting Trademark Dilution?"
14. A. Herzberg and H. Shulman. (2013). CNS '13. "Fragmentation Considered Poisonous, or: One-domain-to-rule-them-all.org."
15. A. Hidayat. "PhantomJS: Headless WebKit with JavaScript API."
16. T. Holgers, D. E. Watson, and S. D. Gribble. (2006). Proceedings of USENIX ATC. "Cutting Through the Confusion: A Measurement Study of Homograph Attacks."
17. M. Jakobsson, P. Finn, and N. Johnson. (March–April 2008). Security & Privacy, IEEE, 6(2):66–68. "Why and How to Perform Fraud Experiments."
18. M. Jakobsson and J. Ratkiewicz. (2006). WWW '06. "Designing Ethical Phishing Experiments: A Study of (ROT13) rOnl Query Features."
19. D. Kesmodel. (2008). "The Domain Game: How People Get Rich from Internet Domain Names."
20. R. McMahon. (2000). "BIND 8.2 NXT Remote Buffer Overflow Exploit."
21. T. Moore and B. Edelman. (2010). Financial Cryptography and Data Security, 175–191. "Measuring the Perpetrators and Funders of Typosquatting."
22. N. Nikiforakis, S. V. Acker, W. Meert, L. Desmet, F. Piessens, and W. Joosen. (2013). WWW '13, 989–998. "Bitsquatting: Exploiting Bit-Flips for Fun, or Profit."
23. Orca: A Free, Open Source, Flexible, and Extensible Screen Reader.
24. M. S. Seidenberg, A. Petersen, M. C. MacDonald, and D. C. Plaut. (1996). Journal of Experimental Psychology: Learning, Memory, and Cognition, 22(48–62). "Pseudohomophone Effects and Models of Word Recognition."
25. J. Stewart. (2003). "DNS Cache Poisoning—The Next Generation."
26. ScreenReader.net: Freedom for Blind and Visually Impaired People.
27. Y. M. Wang, D. Beck, J. Wang, C. Verbowski, and B. Daniels. (2006). SRUTI '06. "Strider Typo-Patrol: Discovery and Analysis of Systematic Typosquatting."
28. Wiktionary. (May 24, 2014). "List of Dialect-Independent Homophones." Last accessed September 24, 2014, http://en.wiktionary.org/wiki/Appendix:List_of_dialect-independent_homophones.
APPENDIX

Ethical Considerations

Registering soundsquatted domains and receiving user traffic to them may raise ethical concerns. However, analogous to the real-world experiments conducted by Jakobsson et al. [17,18], we believe that conducting realistic experiments is the only way to reliably estimate the success rate of attacks in the real world. Moreover, we believe that our findings will help websites protect their brands and customers. The data collected for the experiments includes each request's timestamp; the IP address of the host performing the request; domain, path, and GET parameters; and user agents provided by the Apache Web server. This data is collected by every Web server in standard server logs, and many Web developers even share this information with third parties such as Google Analytics for the purpose of gathering usage statistics. The server logs were only accessible to the authors of this paper. Similarly, the emails were all collected in a single, password-protected email account of one of the authors. We did not attempt to extract any information from these emails nor trace their senders. Gee and Kim performed a similar experiment in 2011, capturing emails through typosquatting domains, and released statistics to the research community as a demonstration of the dangers of typosquatting [12].

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

©2014 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
