Tuesday, 24 January 2023

Patterns and trends in domain tasting of the top ten global brands - Part 2: Trends over time (18-month study)

by David Barnett, Jason Hayden and Elliott Champion

Introduction

In the first article of this series[1], we considered short-lived domains with names including the top ten global brand names (or variants), based on a one-month monitoring period. In this second article, we extend the study to consider trends over time, again using the domain monitoring component of CSC's 3D Domain Security and Enforcement[2] technology, based on an 18-month period from 01-May-2021 to 01-Nov-2022 - a time period that is long enough to capture any annual cycles (if present).

This new study considers only those domain names where the brand name appears at the start (so-called 'left-match' domains), as a way of focusing on the results with the highest relevance, and through the exclusion of fuzzy matches, reducing any false positives that may arise in cases where the brand name is relatively short or generic (e.g. 'visa').

In this follow-up, we also consider only those domains that are active for five days or less, with the aim of focusing specifically on 'true' domain tasting events (i.e. where the domain is dropped within the ICANN grace period), in addition to other short-lived domains, such as those that are rapidly taken down following the identification of infringing content. The previous article showed that a lifespan of five days or less actually accounts for the vast majority (1,469 out of 1,753 considered instances, or 84%) of short-lived domains. Furthermore, focusing only on these shortest-lived domains has the effect of localising each result within a short window, so trends over time can be seen more easily. Finally, this methodology allows us to neglect domains that are dropped according to normal registration and lapse processes (such as domains that expire at the end of a standard one-year registration period).

Findings

Overview

Across the top 10 global brands, 9,284 domain tasting events - where the domains were active for five days or less - were identified across the 18-month period. Figure 1 shows the total numbers of events for each brand.

Figure 1: Total numbers of domain tasting events (delay ≤ 5 days; 'left-match' domains only) in an 18-month period, by targeted brand

This analysis broadly shows the same pattern as the previous study, with the rankings of the brands also unchanged (apart from a swap in the positions of 'vuitton' and 'tencent', at the bottom of the list).

Figures 2 and 3 show the trends over time for the top five brands, by numbers of identified tasting events.

Figure 2: Daily total numbers of domain tasting events, by targeted brand

Figure 3: Monthly total numbers of domain tasting events, by targeted brand

Figures 4 and 5 show the total numbers of events, categorised by the delay between registration and drop for the domains in question. The statistics show that for most domain tasting events, the domains are active only for a very short time - with lifespans of one or two days accounting for 62% of all cases - a trend that is consistent across all brands. Across the whole domain tasting dataset, the average domain lifetime was 2.35 days. This figure is, unsurprisingly, somewhat smaller than in our previous study, where tasted domains that were active for longer periods were also included in the analysis.

Figure 4: Total numbers of domain tasting events in an 18-month period, by delay between registration and drop

Figure 5: Total numbers of domain tasting events in an 18-month period, by delay between registration and drop, and by targeted brand

Table 1 shows the top-level domains (TLDs) represented within the dataset. Again, the patterns are similar to those observed in the previous study, with the list dominated by a mixture of legacy gTLDs (generic TLDs) and new gTLDs.

TLD        No. domains   % domains
.com       4,642         50.00%
.shop      968           10.43%
.xyz       494           5.32%
.online    432           4.65%
.net       247           2.66%
.store     229           2.47%
.site      225           2.42%
.co.uk     223           2.40%
.buzz      209           2.25%
.club      168           1.81%
.org       149           1.60%
.info      148           1.59%
.live      129           1.39%
.pro       120           1.29%
.top       107           1.15%

Table 1: Top TLDs within the dataset of tasted domains

Also as seen previously, the dataset incorporates a number of domains with keywords of interest. Of particular concern are those that are frequently associated with phishing activity, with popular keywords including 'verif-' (for 'verify' or 'verification'), appearing in 182 domains, 'secur-' (for 'secure' or 'security'), appearing in 180 domains, and 'login', appearing in 99 domains.

Four stories from the dataset

1. Amazon Japan domains

Overall, the dataset shows a broad decrease in the monthly total numbers of domain tasting events for the ten brands over the 18-month period (Figure 3). However, this overall pattern is dominated by the activity seen for the Amazon brand, with these two trend lines tracking each other fairly closely.

Within the Amazon activity dataset, the dominant feature is what appears to be a single coordinated campaign of tasting events (1,091 over the 18 months) relating to domains containing the brand name 'amazon' together with 'japan' or 'jp' (Figure 6). The number of such events is sufficiently large that it comprises the main driver for the overall pattern of activity for the brand as a whole (as shown by the similarity between Figure 6 and the trend-line for Amazon in Figure 3 - particularly the large peaks in the early part of the dataset).

Figure 6: Monthly total numbers of tasting events for domains containing 'amazon' at the start, together with 'japan' or 'jp'

Within this dataset, numerous sub-groups of closely related domain names can be observed, including:

  • 562 domains with names of the form 'amazon-jpAAAAAA.shop', where 'AAAAAA' is a six-character string (75 domains between 06-May-2021 and 21-May-2021; 94 between 11-Jun-2021 and 18-Jun-2021; 393 between 20-Jul-2021 and 04-Aug-2021)
  • 84 domains with names of the form 'amazon-jpAAAA.pro' or 'amazon-AAAAjp.pro', where 'AAAA' is a 1-4 character string (between 21-May-2021 and 19-Jun-2021)

2. Probable phishing domains

Among the wider dataset, we also see other groups of related domains whose name structure or associated keywords suggest they are intended for use in phishing activity. Some examples include:

  • Several domains with names of the form 'google-site-verificationAAAAAAAA.com', where 'AAAAAAAA' is a long string of apparently random characters. These domains are likely to be spoofing the format of the configuration text used in Google's site verification process[3]. Actually, only three such domains were included in the 'formal' domain-tasting dataset, but we see larger numbers if we also include domains active for longer than five days. Across the 18-month period, 16 domains with names in the above format (including one on the .app TLD) were observed, active for between 1 and 395 days.
  • 16 domains with names of the form 'apple-idXXXX-secure.com' between 16-Jun-2022 and 28-Jun-2022, 66 'apple-supportidXXXX.com' between 10-Mar-2022 and 18-Mar-2022, 295 'apple-caseidXXXX.com' between 14-Dec-2021 and 18-Mar-2022, and 55 'apple-ticketidXXXX.com' between 07-Dec-2021 and 07-Dec-2021, where 'XXXX' is a four-digit string in each case.
  • Numerous Amazon domains with names containing keywords such as 'verify', 'billing', 'serv' and 'ticket', and ending with an apparently random alphanumeric string.

By definition, all domains determined as being associated with tasting events will be inactive at the point of identification. However, significant numbers of the above examples display browser warnings indicating that deceptive content was formerly present.

In general, active domain monitoring combined with timely analysis allows for the identification of active infringements (Figure 7), which is the basis of domain- and brand monitoring. Accordingly, by combining analysis of tasted domains with ongoing domain monitoring, it is possible to identify similar examples while still live, and thereby confirm the nature of their use. This methodology is key to identifying trends in the name structures of malicious domains, which can help to drive brand protection and defensive domain registration initiatives.

Figure 7: Examples of potential fraudulent or malicious sites with names incorporating the Visa (top) and Amazon (bottom) brands, registered (respectively) four and one days prior to analysis
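The filtering and grouping used throughout this article (left-match brand names, lifespans of five days or less, name templates and phishing keyword stems) can be sketched as follows. This is an added example, not CSC's tooling: the record layout, the regular-expression character classes and the sample domains are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import date

BRANDS = ("amazon", "apple", "google", "facebook")   # subset of the ten brands
KEYWORDS = ("verif", "secur", "login")               # stems quoted in the article
MAX_DAYS = 5                                         # lifespan cut-off used in the study

# Name templates taken from the article; the character classes are assumptions.
TEMPLATES = {
    "amazon-jpAAAAAA.shop": r"amazon-jp[a-z0-9]{6}\.shop",
    "amazon-jp*.pro": r"amazon-(jp[a-z0-9]{1,4}|[a-z0-9]{1,4}jp)\.pro",
    "apple-idXXXX-secure.com": r"apple-id\d{4}-secure\.com",
    "apple-*idXXXX.com": r"apple-(support|case|ticket)id\d{4}\.com",
    "google-site-verification*.com": r"google-site-verification[a-z0-9]+\.com",
    "facebookcom*.top": r"facebookcom\d+\.top",
}

def tasting_events(records):
    """Keep left-match brand domains dropped within MAX_DAYS of registration."""
    for domain, registered, dropped in records:
        domain = domain.lower().rstrip(".")
        lifespan = (dropped - registered).days
        if domain.startswith(BRANDS) and 0 <= lifespan <= MAX_DAYS:
            yield domain, lifespan

def summarise(records):
    """Count tasting events per name template and per phishing keyword stem."""
    templates, keywords = Counter(), Counter()
    for domain, _ in tasting_events(records):
        label = next((n for n, rx in TEMPLATES.items() if re.fullmatch(rx, domain)), "other")
        templates[label] += 1
        keywords.update(k for k in KEYWORDS if k in domain)
    return templates, keywords

# Constructed sample records (domain, registration date, drop date); not real data.
SAMPLE = [
    ("amazon-jpk3x9qa.shop", date(2021, 7, 20), date(2021, 7, 22)),
    ("amazon-jpz81mcd.shop", date(2021, 7, 21), date(2021, 7, 22)),
    ("apple-caseid4821.com", date(2021, 12, 14), date(2021, 12, 17)),
    ("apple-id0042-secure.com", date(2022, 6, 16), date(2022, 6, 18)),
    ("google-site-verificationq7f2k9xw.com", date(2022, 1, 3), date(2022, 3, 1)),  # > 5 days
    ("myamazon-login.com", date(2022, 1, 3), date(2022, 1, 4)),                    # not left-match
    ("amazon-login-verify.xyz", date(2022, 2, 1), date(2022, 2, 2)),
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Domains that fall into "other" but carry a keyword stem are the ones worth reviewing for a new template, since that is how the sub-groups above would first show up.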

3. Google SEO domains

A spike of tasting activity for the Google brand was identified on 23-Feb-2022, comprising 51 domains with names beginning 'googleseo', across the UK extensions .uk, .co.uk, and .org.uk. This batch of domains may be associated with a search engine optimisation project, possibly with the intention of determining which domains attract high volumes of traffic. Such analysis has been noted as one of the 'classic' goals of domain tasting[4].

4. Facebook .top domains

The domain tasting dataset includes 18 domains of the format 'facebookcomXXXXXX.top', where 'XXXXXX' is a long numeric string, covering the period from October 2021 to June 2022 (plus an additional 16 such domains that were active for longer periods, of between 7 and 22 days). Additionally, the start of what may be a new pattern was also observed on 31-Aug-2022, with the drop of a tasted domain of the form 'facebookdomainverificationYYYY.top', where 'YYYY' is an alphanumeric string. The nature of the intended use of these domains is unclear, but .top is one of the domain extensions previously identified as being most frequently associated with malicious activity (at position 18 in our overall list[5]).

Discussion

This deeper-dive analysis has shown that domain tasting continues to be a popular tactic for registrants, and is used for much wider purposes than simply cybersquatting, monetising domain names (e.g. using pay-per-click links), and determining levels of web traffic.

Of particular concern are those domains actively used for fraudulent purposes, and the analysis shows that at least a significant proportion of tasted domains are likely to be used for phishing and other brand infringements.

It is also clear, through the identification of coordinated groups of similar domain names, that certain types of domain use are closely associated with domain tasting specifically, rather than more traditional cycles of domain registration and lapse, making study of domain tasting a key component of a wider brand protection initiative in its own right.

CSC's Domain Security and Enforcement technology incorporates functionality to make this type of analysis possible, through the identification of a range of domain registration activity events (registrations, re-registrations and drops), and the ability to monitor a range of different brand variants and association with relevant keywords.

References

[1] https://www.cscdbs.com/blog/patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands/

[2] https://www.cscdbs.com/en/brand-protection/brand-monitoring-services/domain-name-monitoring/

[3] https://developers.google.com/site-verification/v1/getting_started

[4] https://www.techopedia.com/definition/15657/domain-tasting

[5] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

This article was first published on 24 January 2023 at:

https://www.cscdbs.com/blog/trends-over-time-in-domain-tasting-of-the-top-10-brands/

Re-published on 1 February 2023 at:

https://www.linkedin.com/pulse/patterns-trends-domain-tasting-top-ten-global-brands-david-barnett/
