Strider Typo-Patrol: Discovery and Analysis of Large-Scale, Systematic Typo-Squatters
First Posted: 12/16/2005
Last Updated: 03/07/2006
Project Summary:
· In the Strider Typo-Patrol project, we develop an automated scanning system for discovering and analyzing typo-squatting domains. We show that a large number of such domains are parked with domain parking services to take advantage of their effective contextual-ads infrastructures. We also show that, by analyzing the ads-fetching traffic sent from typo domains to parking services, we are able to identify major typo-squatters and domain parking services that are heavily involved in large-scale, systematic typo-squatting, as well as those that are serving adult ads on typos of children’s web sites.
· It is very important to note that not all parked domains are typo-squatting domains; many of them are legitimate, generic domain names. In fact, some domain parking services actively ban all trademarks and typos of trademarks from their system and are rigid about those rules.
News Article
· “MS Research: Typo-Squatters Are Gaming Google,” http://www.eweek.com/article2/0,1895,1903695,00.asp
· UPDATE (12/28/2005): Since the release of the Strider Typo-Patrol data on 12/16/2005 and the eWEEK news article on 12/19/2005, some of the questionable advertisements served on typo-squatting domains of children’s web sites (see Screenshots G1-G7) have been removed, while other questionable ads remain active (see Screenshots O1-O7). Also, most of the anchor domains parked with oingo.com have been removed. (See the December traffic drops at http://research.microsoft.com/Typo-Patrol/Major_Anchors.htm.)
Terminology

· Example of “Domain Parking Services Powered by Others”: http://sedoparking.com (sample domains: http://disneychannell.com & http://disneycannel.com)
· Examples of “Domain Parking Services with Contextual-ads Infrastructure”: http://www.google.com/domainpark (sample domains: http://dissneychannel.com & http://disneychqnnel.com); http://www.oversee.net/domainsponsor.html (sample domains: http://disneycahnnel.com & http://disneychannrl.com)
· Typo-squatters and domain parking services share the profits from serving advertisements on typo-squatting domain pages. Advertisers pay for these ads that are shown to web users after they experience typo traffic hijacking. Target web sites potentially have their brand names or trademarks utilized in this scheme.
· Some domain parking services are target web sites as well.
· Some target web sites are advertisers as well, effectively paying for the ads shown on the domains that typo-squat them.
· Sometimes the typo-squatter and the parking service are the same company.

Overview and Preliminaries
· One billion web users are collectively making a huge number of URL typos every day. Imagine that a typo-squatter hijacks 15% of all typo traffic. That’s equivalent to owning a very popular (virtual) web site in terms of the amount of traffic that can be used to drive advertising revenue. Users who dislike typo-squatting may not know the identities of the typo-squatters and the domain parking services that are actually behind the squatting; all they know is which advertisers appear on the typo pages. Those advertisers are paying money for this experience.
· The Strider Typo-Patrol System is an extension of the Strider HoneyMonkey Exploit Detection System. It is part of our ongoing effort in providing automatic and systematic web scans to discover and investigate questionable web sites in order to protect Internet users. The primary goal of Strider Typo-Patrol is to understand the practice of typo-squatting and to protect the Internet from typo-squatting-based exploits (see the eWeek.com news article on malware infection through googkle.com typo-squatting).
· So far, we have not found any exploit sites hosted on typo-squatting domains. But we have developed a method to automatically discover major typo-squatters that are performing large-scale, systematic typo-squatting. To illustrate the basic ideas, this page describes one example for which our method is most effective.
· Almost all of the potential typo-squatting domains reported in the tables on this page are registered to the same company (see background information below) and parked with the same domain-parking server oingo.com. Analyses of other large-scale typo-squatters and parking services are more difficult due to the lack of similar systematically discoverable structures (see others). It is important to note that, due to the multi-layer redirection structure, parking service providers may not be aware of the potential typo-squatting activities performed by the owners of parked domains. The Strider Typo-Patrol System can therefore help domain-parking service providers monitor the domains parked with them for questionable behaviors that may be violating their policies or subject to trademark complaints.
· Background information: multiple domain name disputes involving the same company
o UPDATE (01/21/2006): Most of the WhoIs records that had “Registrant: Unasi” seemed to have been changed to “Registrant: Domaincar”.
o “Typosquatters Target Anti-Virus Vendors,” http://www.eweek.com/article2/0,1895,1860661,00.asp
o “Serial typo-squatters target security firms,” http://news.zdnet.com/2100-1009_22-5873001.html
o National Arbitration Forum Decisions
1. State Farm Mutual Automobile Insurance Company v. Unasi Management, Inc., http://www.arb-forum.com/domains/decisions/472028.htm
2. Morgan Stanley v. Unasi Inc., http://www.arb-forum.com/domains/decisions/529514.htm
3. Amazon.com, Inc. V. Unasi Inc., http://www.arb-forum.com/domains/decisions/542437.htm
4. Hyatt Corporation and Hyatt International Corporation v. Unasi Inc., http://www.arb-forum.com/domains/decisions/545021.htm
5. Jaclyn Smith and Jaclyn Smith International, Inc. v. Unasi, Inc., http://www.arb-forum.com/domains/decisions/522853.htm
o WIPO Arbitration and
1. Deutsche Telekom AG v. Unasi Management Inc., http://arbiter.wipo.int/domains/decisions/html/2005/d2005-0423.html
2. Gianfranco Ferre’ S.p.A. V. Unasi Inc., http://arbiter.wipo.int/domains/decisions/html/2005/d2005-0622.html
3. Red Bull GmbH v. Unasi Management Inc., http://arbiter.wipo.int/domains/decisions/html/2005/d2005-0304.html
4. Jafra Cosmetics, S.A. de C.V. v. Unasi Inc., http://arbiter.wipo.int/domains/decisions/word/2005/d2005-0926.doc
· All “potential typo-squatting domains” studied in this project are based on the five programmatic typo-generation models described below. Whether they are “actual typo-squatting domains” may be a subjective matter in some cases.
· Some potential typo-squatting domains move around between domain parking services or between anchor domains over time (see an example in Table 1). Also, some parking services have been cleaning up their ads since this page was made public. So we have marked the data-collection dates for the presented data and, for typo-squatting pages that serve questionable content (e.g. [1], [2]), we have also recorded all request/response traffic and screenshots.
Strider Typo-Patrol Methodology
· Step #1: Generating Potential Typo-Neighborhood: given a target domain name, a potential typo-neighborhood consists of potential typo-squatting domain names generated based on the following five programmatic typo-generation models:
| | Typo-generation Model | Example Target Domain | Potential Typo-squatting Domain | Ads Content Served from |
| 1 | Missing-dot typos | | | |
| 2 | Character-omission typos | | [WhoIs] http://hrrypotter.com (Removed) | |
| 3 | Character-permutation typos | | [WhoIs] http://NYTmies.com (Removed) | |
| 4 | Character-replacement typos | | [WhoIs] http://WashingtonPosr.com (Removed) | http://apps5.oingo.com/apps/domainpark/domainpark.cgi?s=washingtonposr.com&dp_lp=24&dp_lp=7&cid=DTRG7965&dp_p4pid=oingo_inclusion_xml_06&dp_format=1.3 |
| 5 | Character-insertion typos | | [WhoIs] http://gkoogle.com (Removed) | http://apps5.oingo.com/apps/domainpark/domainpark.cgi?s=gkoogle.com&dp_lp=24&dp_lp=7&cid=DTRG7965&dp_p4pid=oingo_inclusion_xml_06&dp_format=1.3 |
· Step #2: Automatic Scanning: recording Cross-domain Auto-visit (
· For example, http://kimpssible.com redirected to this
· UPDATE: After the above links were mentioned in the eWEEK news article, two things changed: http://kimpssible.com no longer has disnryland.com in the XDAV URL; and Client ID cid=DTRG7F6V was changed to cid=DTRG7965.
· You can use the Fiddler HTTP Debugging Proxy (https://www.fiddlertool.com/fiddler/) to manually monitor and investigate the
· Step #3: Identifying Anchors: parked domains that aggregate traffic to enable scalable and systematic typo-squatting
· For example, (1) http://kmpossible.com [WhoIs], (2) http://kimmpossible.com [WhoIs], (3) http://kimossible.com [WhoIs], (4) http://kimposssible.com [WhoIs], and (5) http://kimpssible.com [WhoIs] all redirected to the parked anchor domain http://disnryland.com [WhoIs], which in turn redirects to this
· UPDATE: After the above links were mentioned in the eWEEK news article, three things changed: the five typo domains no longer redirect to disnryland.com; the questionable ads on http://disnryland.com were removed; and Client ID cid=DTRG4295 was changed to cid=DTRG7965.
· In some cases, typo-squatters were apparently using anchors to provide an additional level of indirection/isolation to “trick” parking services into serving questionable ads. For example,
· http://flasphlayer.com redirected to the anchor http://freexxxlinks.us (see screenshot); http://NationalGeographicc.com redirected to http://playbov.com.
· UPDATE: After the above information was posted, both redirections were removed around Dec. 21, 2005.
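Steps #1 and #3 above, sketched in Python as an added example for monitoring one's own domain (this is not the Strider Typo-Patrol code). It assumes a target of the form www.name.tld, approximates keyboard adjacency for the replacement and insertion models (the page names the five models without defining them), and assumes the `s=` parameter of the ads-fetching URL names the parked domain, as in the sample oingo.com URLs; the scan records are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: key adjacency approximated on a staggered QWERTY letter grid.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
POS = {ch: (r, c + 0.5 * r) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def adjacent(ch):
    """Letters within one key of ch on the approximated keyboard."""
    if ch not in POS:
        return set()
    r, x = POS[ch]
    return {k for k, (r2, x2) in POS.items()
            if k != ch and abs(r - r2) <= 1 and abs(x - x2) <= 1}

def typo_neighborhood(target):
    """Step #1: map each of the five models to its candidate domains."""
    host = target.lower()
    host = host[4:] if host.startswith("www.") else host
    name, _, tld = host.partition(".")
    end = "." + tld
    out = {m: set() for m in ("missing-dot", "omission", "permutation",
                              "replacement", "insertion")}
    out["missing-dot"].add("www" + host)  # the dot after "www" is dropped
    for i, ch in enumerate(name):
        out["omission"].add(name[:i] + name[i + 1:] + end)
        for k in adjacent(ch):
            out["replacement"].add(name[:i] + k + name[i + 1:] + end)
        if i + 1 < len(name):
            nxt = name[i + 1]
            if ch != nxt:  # swapping identical letters changes nothing
                out["permutation"].add(name[:i] + nxt + ch + name[i + 2:] + end)
            for k in adjacent(ch) | adjacent(nxt) | {ch, nxt}:
                out["insertion"].add(name[:i + 1] + k + name[i + 1:] + end)
    return out

def find_anchors(scans, min_typos=2):
    """Step #3: group typo domains by the parked domain named in s= (assumed)."""
    funnel = defaultdict(set)
    for typo, ads_url in scans:
        parked = parse_qs(urlsplit(ads_url).query).get("s", [""])[0].lower()
        if parked and parked != typo.lower():  # ads fetched for another domain
            funnel[parked].add(typo.lower())
    return {a: sorted(t) for a, t in funnel.items() if len(t) >= min_typos}

# Constructed scan records: (typo domain visited, ads-fetching URL observed).
BASE = "http://apps5.oingo.com/apps/domainpark/domainpark.cgi?dp_lp=7&cid=PLACEHOLDER&s="
SCANS = [(d, BASE + "disnryland.com")
         for d in ("kmpossible.com", "kimmpossible.com", "kimossible.com")]
SCANS.append(("gkoogle.com", BASE + "gkoogle.com"))  # parked directly, no anchor
```

Running `typo_neighborhood` on the targets behind the page's sample typos reproduces them under the matching model, and `find_anchors(SCANS)` reports disnryland.com as the one domain aggregating several typos.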
References
· “Serial typo-squatters target security firms,” http://news.zdnet.com/2100-1009_22-5873001.html
· “Beware cybersquatters,” http://www.networkworld.com/net.worker/columnists/2005/1107gaskin.html
· “Beware How You Google,” April 27, 2005, http://www.eweek.com/article2/0,1895,1790348,00.asp
· “Typosquatters Target Anti-Virus Vendors,” http://www.eweek.com/article2/0,1895,1860661,00.asp
· Wikipedia: “Domain Parking”, http://en.wikipedia.org/wiki/Domain_parking
· Applied Semantics, http://Oingo.com
· Google AdSense for domains, http://www.google.com/domainpark/
· AdSense for Domains Trademark Complaint Procedure, http://www.google.com/tm_complaint_afd.html
· “Google wins typosquatting ruling,” http://www.theregister.co.uk/2005/07/11/google_ruling/; “Arbitrators Back Google in Fight Against ‘Typo Squatter’,” http://www.technewsworld.com/story/44535.html; Google Inc. v. Sergey Gridasov, http://www.arb-forum.com/domains/decisions/474816.htm
· “Truth in Domain Names Act of 2003,” http://www.cybertelecom.org/dns/truth.htm
· “Typo-squatter sued by FTC,” http://www.demys.net/news/2002/05/02_May_27_zuccarini.htm
· “Cyberscam Targeted by FTC,” http://www.ftc.gov/opa/2001/10/cupcake.htm
· “Large-Scale Registration of Domains with Typographical Errors,” http://cyber.law.harvard.edu/people/edelman/typo-domains/
· “Cybersquatter Fined $100,000 Per Domain Name,” http://www.gigalaw.com/articles/2000-all/isenberg-2000-11a-all.html
· “Google AdSense For Domains Program Overdue For Reform,” http://blog.searchenginewatch.com/blog/051220-153537
· “Typogoogling,” http://www.f-secure.com/weblog/archives/archive-122005.html#00000743
· “… typosquatting domain “f-sekure.com” is showing Google Ad Sense ads that we pay for, pointing to our Client Security promotion site.”
· “Google might clamp down on typo-squatting,” http://domainnamewire.com/2005/12/20/google-might-clamp-down-on-typo-squatting/
· “… MySpac.com recently sold for $31,600, MypSace.com sold for $35,100…”
Typo-Patrol Results
· Table 1: Potential Typo-squatting of 30 Popular Sites (early December 2005 results)
· Selected from http://www.alexa.com/site/ds/top_sites?ts_mode=lang&lang=en
· Anchors used to aggregate traffic across multiple target domains are highlighted.
| Target Popular Domain | Sample Typo Domain Funneled through Anchor | Parked Anchor Domain (Removed) | # Typo Domains Funneled | Other Typo Domains |
| www.AdultFriendFinder.com | www.AdultFriensdFinder.com (Removed) | braziliansexmovies.com | 12 | AdultFriemndFinder.com, AdultFriendFinfder.com, AdultFriendFins |