Detecting Typo-squatting Domains
Mishari Almishari
malmisha@ics.uci.edu
http://www.ics.uci.edu/~malmisha

Problem Definition & Goals
• Typo-squatting refers to the act of intentionally registering domain names that are typographical errors of other well-known domain names in order to hijack their traffic, for traffic monetization, malicious purposes, etc.
• Goals:
  • Develop a methodology for automatically identifying typo-squatting domains
  • Quantify the amount of traffic hijacked by typo-squatters
  • Develop a system that reduces access to typo-squatting domains

Detection Methodology
• For a domain to be a typo-squatting domain, it must satisfy two criteria:
  • Typo of a well-known target domain
    • Edit distance function
    • More than 50% are false positives
  • Hijacking intention
    • Dominant hijacking indicator is ads-listing (parked domain 88.5%)
    • Developed a machine learning classifier to identify parked domains (accuracy 96%)

Measurements
• Used 8-month DNS traces of UCI name resolvers to measure hijacked traffic
• Given 500 well-known popular domains, we found 1,786 typo-squatting domains
• Total hits to those domains are 23,989
• 15% (12%) of squatting domains were not detected by Google (Yahoo) typo correctors

System Implementation
• Integrated with Mozilla Firefox 2.0.0.9 as an add-on extension
• Typo-squatting domains are detected on the fly
• Overhead is small
  • For 100 typo domains, the average is 53 ms
  • For 100 typo domains that are not squatting domains, the average is 79 ms