Four hosts are behind one in two typosquatting attacks against the top 500 websites, research has found.
The hosts and their fellow fraudsters had registered domain names mimicking three-quarters of the internet's 500 most popular websites, say University of Leuven researchers Pieter Agten, Wouter Joosen, and Frank Piessens, who together with Stony Brook University bod Nick Nikiforakis studied typosquatted domains for seven months to produce the first longitudinal study of its kind.
"... up to 50 percent of all typosquatting domains can be traced back to just four typosquatting page hosters," the crew wrote in the paper Seven Months’ Worth of Mistakes: A Longitudinal Study of Typosquatting Abuse.
"In particular we reveal that, even though 95 percent of the popular domains we investigated are actively targeted by typosquatters, only few trademark owners protect themselves against this practice by proactively registering their own typosquatting domains."
A small fraction of those typosquatted domains -- such as gooogle.com for google.com -- were registered by the legitimate website in a bid to foil typosquatters.
All told, 13,526 malicious typosquatting domains were found hosting bad content.
Huffington Post, American Express, and Bloomberg scored gold registering a combined 138 defensive typosquat domains, almost as many as the 132 malicious typosquats targeting Adult Friend Finder.
Two of the three banks in the top 500 list - HDFC and ICICI - did not use defensive typosquats, creating a gold mine for phishers. Bank of America registered potential typosquats.
Crims were engaged in affiliate abuse, slinging phony redirects to legitimate sites and earning cash in the process, such as the still-active ma5ch.com which steals and then redirects lonely hearts to match.com, or hostgatkr.com which earns cash by slinging stolen hits to hostgator.com.
"As such, the owners of the authoritative domain will now have to pay an affiliate commission to the typosquatter, for a visit that should have been theirs in the first place," the authors said.
Domains are classified as typosquats in part by their Damerau-Levenshtein distance from the authoritative name, which counts single-character edits such as the altering of one character for a visually-similar substitute (such as "l" for "1"), and in part by the likelihood of a spelling mistake on QWERTY keyboards, dubbed the "fat-finger distance".
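The two measures described above, as an added Python example that is not code from the paper or from this article: a check a domain owner could run over newly observed names to see which sit one typo away from a protected domain. The keyboard stagger model, the reading of "fat-finger" as a single slip involving a touching key, and the function names are assumptions; `examp1e.com`, `exmaple.com` and `example.org` are constructed samples.

```python
# Assumption: each QWERTY row sits half a key to the right of the row above it.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def build_adjacency():
    """Map every key to the keys physically touching it under the stagger model."""
    adj = {}
    for r, row in enumerate(ROWS):
        for c, ch in enumerate(row):
            spots = [(r, c - 1), (r, c + 1), (r - 1, c), (r - 1, c + 1), (r + 1, c - 1), (r + 1, c)]
            adj[ch] = {ROWS[y][x] for y, x in spots if 0 <= y < len(ROWS) and 0 <= x < len(ROWS[y])}
    return adj

ADJ = build_adjacency()

def dl_distance(a, b):
    """Damerau-Levenshtein distance (optimal string alignment variant)."""
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]

def fat_finger(target, typo):
    """True when the single edit is an omission, a swap, or involves a touching key."""
    if dl_distance(target, typo) != 1:
        return False
    p = 0  # index of the first differing character
    while p < min(len(target), len(typo)) and target[p] == typo[p]:
        p += 1
    if len(typo) < len(target):  # a key was skipped
        return True
    if len(typo) == len(target):
        if p + 1 < len(typo) and typo[p] == target[p + 1] and typo[p + 1] == target[p]:
            return True  # two keys hit in the wrong order
        return typo[p] in ADJ.get(target[p], ())  # neighbouring key hit instead
    near = typo[max(p - 1, 0):p] + typo[p + 1:p + 2]  # characters around the extra key
    return any(typo[p] == n or typo[p] in ADJ.get(n, ()) for n in near)

def classify(target, observed):
    """Return 'same', 'fat-finger', 'dl-1' (distance one, not a keyboard slip) or 'not-typo'."""
    target, observed = target.lower(), observed.lower()
    d = dl_distance(target, observed)
    if d != 1:
        return "same" if d == 0 else "not-typo"
    return "fat-finger" if fat_finger(target, observed) else "dl-1"

if __name__ == "__main__":
    for t, o in (("google.com", "gooogle.com"), ("match.com", "ma5ch.com"),
                 ("hostgator.com", "hostgatkr.com"), ("example.com", "examp1e.com")):
        print(f"{o:15} vs {t:14} -> {classify(t, o)}")
```

Names reported as `dl-1` are lookalike substitutions rather than keyboard slips, so a monitoring list built only from keyboard adjacency would miss them.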
Some 900GB of data was collected containing 3.4 million pages and 424,278 corresponding WHOIS records. ®