
Combosquatting: How Attackers are Leveraging Keywords to Defraud Victims

By Akamai Technologies

The prevalence of malicious actors imitating brand websites on a daily basis is a significant threat to online security. In real life, such an operation would be challenging to execute, but the internet provides a platform for threat actors to create convincing, well-designed look-alike sites, often using cybersquatted domains that are a close approximation of the original brand’s domain.

Cybersquatted domains are registered and used by nefarious actors to profit from the goodwill of a brand or name they do not own. This practice, also known as domain squatting or URL hijacking, is a common tactic in campaigns that seek to install ransomware through malvertising, perpetrate phishing attacks, or steal personal identities. As such, cybersquatting represents a serious threat to individuals and organizations alike, highlighting the need for heightened online security measures.

Cybersquatting is a serious issue with various types of malicious activity prevalent in the online space. Table 1 below highlights the variations of cybersquatting with reference to the imaginary brand safebank[.]com. A recent study conducted by Akamai in 2022 revealed that combosquatting is the most significant threat of all cybersquatting techniques. This technique involves adding a keyword to a brand’s domain, allowing attackers to infiltrate the system and steal sensitive information. What’s alarming is that malicious actors increasingly use combosquatting as part of their attack vector, making it more popular than other types of cybersquatting. Additionally, the study found that combosquatting generates the most DNS queries, which represent potential victims visiting malicious domains. This finding underscores the severity of the issue, emphasizing the need for individuals and organizations to be vigilant about their online security measures.

Cybersquatting variants

| Variant | Description | safebank[.]com example |
|---|---|---|
| Combosquatting | A keyword is added to the brand domain | safebank-security[.]com |
| Typosquatting | Addition, removal, or replacement of a character | safebqnk[.]com |
| Bitsquatting | Random ASCII bit flip | sagebank[.]com |
| IDN homograph | Using similar-looking characters | sǎfebank[.]com |
| Dotsquatting | Insert one or more dots | sa.febank[.]com |

Table 1: The variants of cybersquatting

Combosquatting outranks typosquatting in terms of both number of active domains and click-throughs, making it today’s biggest cybersquatting threat. Combosquatting domains are 100 times more prevalent than typosquatting domains. Despite this, it seems that typosquatting — not combosquatting — is the variant getting most of the attention in research, blogs, and magazines.

Keywords in combosquatting

The fact that a link contains a brand name does not make it safe. Nothing is stopping anyone from registering domain names containing trademarked brand names. It’s clear that the attacker’s goal here is to trigger a fast, emotional response in the user, rather than a rational one. Combining the brand with a keyword seems like a sensible way to achieve this. Keywords are meant to evoke certain feelings. For example, keywords like verification and account evoke feelings of safety and authority. Similarly, now and alert evoke urgency.

Sometimes keywords are appended to a brand by a hyphen, and sometimes they are concatenated directly. The former keywords are easy to find — we just need to split a domain name by hyphen, as hyphens are natural delimiters. The directly concatenated keywords, however, introduce a much larger challenge. They require a variety of knowledge points such as language, localized brands, and even browsing behaviour. Keyword overlaps are a common example of this.

Table 2 below lists the top 10 combosquatting keywords by popularity rank. You can find the comprehensive top 50 list on GitHub.

| Rank | Keyword |
|---|---|
| 1 | Support |
| 2 | Com |
| 3 | Login |
| 4 | Help |
| 5 | Secure |
| 6 | www |
| 7 | Account |
| 8 | App |
| 9 | Verify |
| 10 | Service |

Table 2: The top 10 combosquatting keywords in order of popularity

The analysis reveals that attackers often use “support” as a keyword to create convincing URLs that trick victims into providing sensitive information. This underscores the need to be vigilant when accessing support pages online and verify the site’s legitimacy before sharing personal information. The prevalence of this tactic highlights the importance of businesses adopting proactive measures to safeguard their brand and customers from malicious attacks.
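The hyphen-versus-concatenation distinction and the Table 2 keywords can be turned into a defender-side check. The following is an added example, not Akamai's code: it classifies a registrable domain against one brand, splitting on hyphens first and then segmenting whatever is concatenated directly onto the brand. The function names, the brand `safebank`, and the sample domains are assumptions; a production pipeline would extract the registrable label using the Public Suffix List.

```python
# Added example. Keywords are the top 10 from Table 2, lowercased.
KEYWORDS = ("support", "com", "login", "help", "secure",
            "www", "account", "app", "verify", "service")

def segment(text, keywords=KEYWORDS):
    """Split text into known keywords; None if some part is not a keyword."""
    if not text:
        return []
    for kw in sorted(keywords, key=len, reverse=True):
        if text.startswith(kw):
            rest = segment(text[len(kw):], keywords)
            if rest is not None:      # backtrack if the remainder cannot be split
                return [kw] + rest
    return None

def classify(domain, brand):
    """Classify a registrable domain (label + TLD, assumed) against one brand."""
    label = domain.lower().replace("[.]", ".").split(".")[0]
    if label == brand:
        return ("brand", [])
    tokens = label.split("-")
    if brand in tokens:               # hyphens are natural delimiters
        return ("hyphenated", [t for t in tokens if t and t != brand])
    if brand not in label:
        return ("no-brand", [])       # other variants (typo, bit flip) land here
    # Brand is embedded without a delimiter: segment what surrounds it.
    before, _, after = label.partition(brand)
    parts = []
    for chunk in (before + "-" + after).split("-"):
        words = segment(chunk)
        if words is None:             # residue is not a known keyword
            return ("concatenated-unknown", [chunk])
        parts += words
    return ("concatenated", parts)

if __name__ == "__main__":
    # Constructed sample domains for the imaginary brand used in Table 1.
    for d in ("safebank-security[.]com", "safebanksupport[.]com",
              "wwwsafebank-login[.]com", "safebankcomsupport[.]com",
              "safebanking[.]com", "sagebank[.]com"):
        print(d, classify(d, "safebank"))
```

The `concatenated-unknown` result is the hard case the article describes: the brand string is present, but the residue is not a listed keyword, so the domain needs a larger dictionary or manual review before it can be called combosquatting.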

Cybersquatting is a pervasive threat with limitless potential applications, targeting victims that span from individual consumers to large multinational corporations. The vast range of targets makes it difficult to quantify the total damage that it is causing. In addition, cybersquatting campaigns are significantly underreported, often receiving media attention only after a large entity has been affected. The financial incentives of cybersquatting, both in large-scale and smaller incidents, make it critical to conduct regular analysis to improve our understanding of attacker behaviour. By gaining greater insights into their methods and motivations, we can develop more effective countermeasures to mitigate the impact of cybersquatting and protect both individuals and organizations from the serious consequences of these attacks.

(The article is authored by Akamai Technologies, and the views expressed in this article are their own)
