What Is Combosquatting and How It Can Trick You into Trusting Malicious URLs
Our readers have often scoffed at the "general population" for being naive enough to fall for phishing attacks, predominantly by clicking on random links and attachments. But attackers continue to succeed, adopting more creative techniques that may well trick you too.
While we may like to believe we are always careful about the links we click on, the permissions we grant to apps, and so on, the web is so full of these malicious elements that staying secure forever is no longer realistic. In a hurry? You forgot to check your bank's URL and, bingo, you have just handed your banking credentials to a criminal.
Researchers have revealed that, after using legitimate-looking emails to trick users, attackers are now deploying websites with legitimate-looking URLs. And no, there are no typos involved here. In the technique dubbed combosquatting, criminals register domains that combine a well-known trademark with one or more extra words. For example, they could register www.yourbankname-security.com or www.security-yourbankname.com, which fools a user who glanced at the address bar, saw the familiar bank name, and did not remember exactly what the real URL looks like.
"This is a tactic that the adversaries are using more and more because they have seen that it works," Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology said. "This attack is hiding in plain sight, but many people aren't computer-savvy enough to notice the difference in the URLs containing familiar trademarked names."
Researchers from Georgia Tech and Stony Brook University conducted the study and presented it today at the 2017 ACM Conference on Computer and Communications Security (CCS). Their work, considered the first large-scale study of combosquatting, was supported by the US Department of Defense, the National Science Foundation, and the US Department of Commerce.
Combosquatting is different from typosquatting and far more successful
Combosquatting is a newer technique that was preceded by typosquatting, in which attackers register misspelled variations of popular domains, for example www.yourbnakname.com or www.faecbook.com.
However, combosquatting is increasingly used by attackers because of its high success rate and the absence of any visible typo. In a six-year data set, the researchers found over 2.7 million combosquatting domains targeting 268 popular trademarks, and combosquatting domains were 100 times more prevalent than typosquatting domains. Unlike typical phishing sites, which go offline once a campaign ends, some combosquatting domains were found to remain active for nearly three years.
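The distinction between a trademark with extra words bolted on (combosquatting) and a trademark with a misspelling (typosquatting) is mechanical enough to automate, and a triage script is what a SOC analyst reviewing proxy or passive-DNS logs would actually want. The following is an added example written for this article; it is not code from the Georgia Tech and Stony Brook study. It assumes a small allowlist of domains each brand really owns (the `LEGIT` table is constructed for illustration), treats the last two labels of a hostname as the registrable domain (a production version should use the Public Suffix List so that names like `bank.co.uk` are split correctly), and the sample hostnames in `main()` are constructed, not observed. Besides the two categories the article discusses, it also flags a trademark that appears only in a subdomain or on a different TLD, two related tricks not covered above.

```python
"""Triage observed hostnames against protected trademarks.

Labels returned by classify():
  legitimate              registrable domain is in the brand's allowlist
  combosquatting          trademark plus extra characters in the second-level label
  typosquatting           second-level label is within one edit (incl. transposition)
  other-tld               exact trademark on a TLD the brand does not own
  trademark-in-subdomain  trademark appears only left of the registrable domain
  unrelated               no trademark match
"""
from urllib.parse import urlparse

# Constructed allowlist: trademark -> registrable domains the brand really owns.
LEGIT = {
    "yourbankname": {"yourbankname.com"},
    "facebook": {"facebook.com", "fb.com"},
}


def hostname(target):
    """Accept a bare hostname or a full URL and return the lowercase host."""
    if "://" not in target:
        target = "//" + target          # lets urlparse treat the text as a netloc
    host = urlparse(target).hostname
    if not host:
        raise ValueError("no hostname in %r" % target)
    return host.lower().rstrip(".")


def split_host(host):
    """Return (registrable_domain, subdomain_labels).

    Assumption: the registrable domain is the last two labels. Replace this
    with a Public Suffix List lookup in production.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters, each costing 1. Transpositions matter
    because 'faecbook' is one swap away from 'facebook'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(target, legit=LEGIT):
    """Return (label, trademark) for a hostname or URL."""
    host = hostname(target)
    reg, subs = split_host(host)
    sld = reg.split(".")[0]             # second-level label, e.g. 'yourbankname-security'
    for tm, domains in legit.items():
        if reg in domains:
            return "legitimate", tm
    # Longest trademark first so a short brand does not shadow a longer one.
    for tm in sorted(legit, key=len, reverse=True):
        if sld == tm:
            return "other-tld", tm
        if tm in sld:                   # brand name intact, extra characters around it
            return "combosquatting", tm
        if osa_distance(sld, tm) <= 1:  # brand name misspelled by one edit
            return "typosquatting", tm
        if any(tm in label for label in subs):
            return "trademark-in-subdomain", tm
    return "unrelated", None


def triage(targets):
    """Classify a batch of hostnames/URLs; returns {target: (label, trademark)}."""
    return {t: classify(t) for t in targets}


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in proxy logs.
    sample = [
        "https://www.yourbankname.com/login",
        "www.yourbankname-security.com",
        "www.security-yourbankname.com",
        "www.yourbnakname.com",
        "www.faecbook.com",
        "yourbankname.com.evil.net",
        "facebook.net",
        "https://example.org/",
    ]
    for target, (label, tm) in triage(sample).items():
        print("%-40s %-24s %s" % (target, label, tm or ""))
```

Note the deliberate order of checks: the allowlist is consulted before any string matching, so a brand's own domain never trips the substring test, and the substring test runs before the edit-distance test, so a combosquat like `yourbankname-security` is never misreported as a typo. The one-edit threshold is a conservative choice for typosquatting; a larger data set would justify tuning it per trademark length.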
The researchers wrote that combosquatting succeeds because it adds familiar terms to the URL (such as "security" next to a bank's name) that unwary users do not notice at first glance. "We have seen combosquatting used in virtually every kind of cyberattack that we know of, from drive-by downloads to phishing attacks by nation-states," Panagiotis Kintis of Georgia Tech wrote.
"These attacks can even fool security people who may be looking at network traffic for malicious activity," the researcher added. "When they see a familiar trademark, they may feel a false sense of comfort with it."