Introduction
In this latest study, I consider domain-name infringements consisting of close matches to official brand websites, differing only in the addition of a hyphen within the domain name. This follows on from previous studies looking at highly convincing deceptive URLs, such as those utilising exact matches, homoglyphs or fuzzy matches[1], or hostname-based infringements[2]. An example of this type of infringement being used for fraudulent purposes was identified in November 2022, targeting a financial-services brand. The scam comprised a phishing attack utilising an SMS message as the attack vector; a mock-up of the SMS message (represented using the fictitious brand financebrand.com) is shown in Figure 1.
Figure 1: Mock-up of an SMS phishing message utilising a hyphenated-domain infringement
The scam - which utilises the infringing domain name financebran-d.com - has been cleverly designed to take advantage of the tendency of mobile SMS clients to split URLs after the '-' symbol, thereby creating the appearance of the official domain name (financebrand.com) split across a line-break with a breaking-hyphen (as is seen in the other text at the start of the message).
Methodology
To investigate the popularity of this type of infringement, I considered domain registration activity in which the domain name is an exact match to the name of any of the top ten most valuable brands in 2022 according to Interbrand[3], but including a hyphen between any pair of adjacent characters (e.g. for Google, I searched for 'googl-e', 'goog-le', 'goo-gle', 'go-ogle' and 'g-oogle')[4]. The analysis encompasses new registrations ('N'), re-registrations ('R') and drops (domain lapses) ('D') (collectively referred to as 'events').
In practice, the types of variation considered in this study would be covered by the 'fuzzy' match category included within sophisticated domain monitoring technologies, when simply searching for the brand string itself.
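The permutation set described above, as an added example that is not part of the original article: it enumerates the single-hyphen variants of the ten brands under the footnote [4] exclusions (no double hyphens, and the brand's own spelling is not a variant), reproducing the 73 .com permutations cited in the findings, and adds a hypothetical defensive check that flags a hostname (such as the mock-up financebran-d.com) that collapses to a brand name once its hyphens are removed.

```python
"""Enumerate hyphenated brand-name variants (the permutation set used in the
study) and flag hostnames that read as a brand once their hyphens are removed."""
from __future__ import annotations
from typing import Iterable, Optional

# Top-ten Interbrand 2022 brands listed in reference [3] of the article.
BRANDS = ["apple", "microsoft", "amazon", "google", "samsung", "toyota",
          "coca-cola", "mercedes-benz", "disney", "nike"]


def base_forms(brand: str) -> list[str]:
    """Strings a hyphen is inserted into: the brand as written and, for
    hyphenated brands, the brand with its own hyphen removed ('cocacola')."""
    forms = [brand]
    if "-" in brand:
        forms.append(brand.replace("-", ""))
    return forms


def hyphenated_variants(brand: str) -> set[str]:
    """Every single-hyphen insertion between adjacent characters, excluding
    double hyphens and the brand's own exact spelling (footnote [4])."""
    variants: set[str] = set()
    for form in base_forms(brand):
        for i in range(1, len(form)):
            candidate = form[:i] + "-" + form[i:]
            if "--" in candidate or candidate == brand:
                continue
            variants.add(candidate)
    return variants


def watch_list(brands: Iterable[str], tld: str = "com") -> list[str]:
    """Candidate domains a brand owner might monitor or defensively register."""
    return sorted(f"{v}.{tld}" for b in brands for v in hyphenated_variants(b))


def collapses_to_brand(hostname: str, brands: Iterable[str]) -> Optional[str]:
    """Hypothetical gateway check: return the brand a hostname imitates if
    removing hyphens from its first label yields a brand name (and the label
    is not the brand's own spelling); otherwise None. Catches URLs such as
    financebran-d.com, which look like the real brand when an SMS client
    wraps the line at the hyphen."""
    label = hostname.lower().split(".")[0]
    if "-" not in label:
        return None
    collapsed = label.replace("-", "")
    for brand in brands:
        if collapsed == brand.replace("-", "") and label != brand:
            return brand
    return None
```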
Findings
The dataset included 252 distinct domain registration activity events for the brand variations under consideration, representing 140 distinct domain names (of which 83 were still registered as of the time of analysis[5] - i.e. those for which the most recent event was not a 'D'). The breakdown of these domains by targeted brand and TLD is shown in Figures 2 and 3.
Figure 2: Breakdown of the 140 distinct hyphenated domain variants by targeted brand
Figure 3: Breakdown of the 140 distinct hyphenated domain variants by TLD
Of the 140 domain names, only 14 (10%) are explicitly registered to the associated brand owner (where the domains are registered and whois information is available), with the remainder registered to third parties and/or utilising privacy-protection services or having redacted information. Eleven of the 14 officially owned domains have been configured to redirect to the main brand website (with the other three not resolving to any live site).
The following is a summary of the characteristics of the 126 remaining sites:
- 27 (21%) are configured with active MX records, indicating that they have been configured to be able to send and receive e-mails, and could potentially be used for phishing attacks.
- One (no longer live) displays a browser warning indicating that dangerous content was formerly present.
- Two are configured to re-direct to the corresponding official brand website.
- The remainder display a range of content types, as shown in Figure 4.
Of the 73 possible permutations of .com domains (i.e. those with the greatest potential for confusion with the primary official .com site for the respective brand in question), 30 are present in the dataset, of which only 9 are registered to the brand owner, and 9 are configured with active MX records (of which only one is officially owned).
Figure 5 shows examples of some of the unofficial sites within the overall dataset found to resolve to live content of potential concern.
Figure 5: Examples of live sites hosted on hyphenated domain-name variants targeting the Nike (top), Amazon (middle), and Microsoft (bottom) brands
Summary and recommendations
The analysis shows that the registration of hyphenated domain-name variants targeting the most valuable brand names, by entities other than the brand owners, is a significant issue and may be growing (as 24 of the 71 third-party domains for which creation dates are available were registered in 2022, compared with 17 in 2021, 6 in 2020, and 24 across all earlier years).
Around one in five of the domains are configured with active MX records, and of the domains resolving to live content, a range of types of site content were identified. These include examples where web traffic is misdirected to third-party content, and others where the sites are being monetised through the inclusion of pay-per-click links or offers to sell the domain name. This indicates that not only do these domains present the potential for convincing attack vectors in phishing activity, but they may also be taking advantage of misdirected traffic arising from mis-typed search queries or browser requests. It is also noteworthy that the list of top TLDs within the dataset includes a number of new-gTLDs, many of which have previously been noted as being popular with infringers[6,7,8,9].
These findings highlight the importance for brand owners of carrying out proactive and comprehensive programmes of brand monitoring and enforcement, to identify and take down infringing third-party content. Additionally, brand owners may wish to consider proactively and defensively registering hyphenated variants of their core domain names, to prevent them being registered by third parties for fraudulent or infringing use.
References
[1] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/
[2] https://www.linkedin.com/pulse/exploring-domain-hostname-based-infringements-david-barnett/
[3] https://interbrand.com/best-global-brands-2022-download-form/; the brands are: Apple, Microsoft, Amazon, Google, Samsung, Toyota, Coca-Cola, Mercedes-Benz, Disney, Nike
[4] N.B. I exclude from this study any variants where the hyphen appears in the same location as a hyphen or space in the brand name itself (i.e. 'coca-cola' and 'mercedes-benz'), since these are considered exact matches to the brand name, rather than hyphenated variants. I do, however, consider the existence of variants such as 'coca-col-a' and 'cocacol-a'.
[5] All observations correct as of 22-Nov-2022
[6] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/
[7] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure
[8] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/
[9] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/
This article was first published on 8 February 2023 at:
https://www.linkedin.com/pulse/hyphenated-domain-infringements-david-barnett/