
 

Strider URL Tracer with Typo-Patrol

Please send feedback, bug reports, and suggestions to tppatrol@microsoft.com.

 

·        Introduction

When a user visits a web site, her browser may be instructed to visit other third-party domains without her knowledge. Many third-party domains are heavily visited, but they have remained mostly behind the scenes for the past decade. In recent years, some of the third-party domains have become increasingly involved in activities that raise security, privacy, and safety concerns. The Strider URL Tracer is a tool designed to bring them into the spotlight. Given a URL, the Tracer reveals all third-party domains that are contacted. Given a set of URLs to scan, the Tracer highlights those third-party domains that are most contacted. In particular, the tool includes a Typo-Patrol feature that, given a target website URL, automatically generates and scans its typos and highlights those domain parking services that have a large number of typo-squatting domains in their programs. The tool also provides a domain blocking feature to allow parents to protect their children's online activities by blocking those domains that are serving adult ads on typo-squatting domains of children's websites.

 

·        Quick Start

·        Save and Load Scan Results

·        Typo-Patrol

·        Domain Patrol

·        IE History Patrol

·        Ads Accountability

·        Domain Blocking

·        Domains Parked with Different Services

·        Privacy Patrol: Web Beacons

·        Privacy Patrol: Cookies

·        FAQ

 

 

·        Quick Start

 

Step #1: Launch the URL Tracer from IE’s “Tools” menu (see below)

·         Alternatively, launch the Tracer from Windows Start → All Programs → MSR Strider URL Tracer, or by pressing the IE button with a Strider logo, if available.

[Screenshot: Step1_Tools]

 

 

Step #2: Scan a web site and use the “URL Scan History” view

·         To scan a web site, type its URL into the Tracer Address bar and click the “Scan Site” button (located next to the Address bar). The URL Tracer will start up a new instance of Internet Explorer to scan the site.

For example, try typing “doisney.com” (note the extra “o”) into the Address bar and pressing the “Scan Site” button. You should see results similar to those shown below in the “URL Scan History” view. (If doisney.com has been deactivated, you can choose another one from this list: http://research.microsoft.com/URLTracer/O.htm.)

[Screenshot: Step2_doisney_oingo]

 

·         As you can see, the Tracer scanned doisney.com and added details of the scan to the URL Scan History. The above shows that doisney.com instructed your browser to visit several third-party domains including: appliedsemantics.com (owned by Google), casalemedia.com (owned by Casale Media), and oingo.com (owned by Google according to WhoIs).

➢  If you have toolbars or web accelerators installed or if your machine has been infected with spyware, they sometimes generate additional third-party domain traffic.

Also, note that casalemedia.com is colored red in the above list.  This indicates that the web site placed a “cookie” on your machine which will allow it to track your future visits to other sites that also redirect your browser to casalemedia.com.

 

Step #3: Scan multiple web sites and use the “Top Domains” view

·         To see multiple web sites redirecting traffic to the same third-party domain, type duisney.com into the Address bar and press “Scan Site”. (If duisney.com has been deactivated, you can choose another one from this list: http://research.microsoft.com/URLTracer/O.htm.)

·         Hit the “Top Domains” button (the second one from the left) and you will see that both typo domains fetched pop-up ads from casalemedia.com and fetched domain-parking ads (i.e., the ad listings shown in the previous screenshot) from oingo.com. Note that the third-party domain appliedsemantics.com is missing from the duisney.com scan due to browser caching. We recommend clearing the browser cache before each scan in order to capture the full set of third-party URLs.

[Screenshot: Step4_TopDomains_oingo]

 

 

Step #4: Batched scanning using the “Scan List” view

·         Hit the “Clear” button (marked “X”) to erase current scan results (from both “URL Scan History” view and “Top Domains” view).

·         Press the “View Scan List” button (see below).

[Screenshot: ScanList_cut]

·         Copy the following six typo-domain URLs, paste them into the Scan List window, and hit the green-triangle “Scan” button. (We highly recommend running batched scans from a virtual machine or a non-mission-critical machine.)

http://wwwslashdot.org

http://www.slaashdot.org

http://www.slahsdot.org

http://www.slahdot.org

http://wwwlslashdot.org

http://www.slashdoit.org

·         Watch the status bar at the bottom and wait for all scans to finish and all pop-up scan windows to close. Explore the “URL Scan History” view to see which companies are involved in each domain (see below). If you don’t want to wait, once all scan windows stabilize, you can click on the blue-square “Stop” button to force all scan windows to close.

[Screenshot: Step7_TypoPatrol_ScanHistory]

·         Switch to “Top Domains” view to see that third-party domains that are involved with more typo domains are highlighted at the top.

[Screenshot: Step8_TopDomains]
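
The ranking behind the “Top Domains” view can be reproduced offline from recorded scan traffic. The following is an added example, not code from the Strider tool: the record layout, the function names, and the invented hosts and paths in the sample are assumptions, and the sample mirrors the doisney.com and duisney.com scans from Steps #2 and #3, including the cache effect on appliedsemantics.com.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_domain(url):
    """Last two host labels; an approximation (assumption) that is wrong for
    suffixes such as co.uk, where the Public Suffix List is needed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def top_domains(scans):
    """scans maps each scanned URL to the (url, set_cookie) requests seen
    during that scan. Returns (domain, scanned_sites, set_cookie) tuples,
    ordered by how many scanned sites contacted the domain."""
    sites = defaultdict(set)
    cookies = set()
    for scanned, requests in scans.items():
        first_party = site_domain(scanned)
        for url, set_cookie in requests:
            domain = site_domain(url)
            if not domain or domain == first_party:
                continue          # only third-party traffic is ranked
            sites[domain].add(first_party)
            if set_cookie:
                cookies.add(domain)
    ranked = sorted(sites, key=lambda d: (-len(sites[d]), d))
    return [(d, sorted(sites[d]), d in cookies) for d in ranked]

# Constructed sample; the third-party hosts and paths are invented.
SCANS = {
    "http://doisney.com": [
        ("http://doisney.com/", False),
        ("http://www.appliedsemantics.com/x.js", False),
        ("http://www.casalemedia.com/popup", True),
        ("http://www.oingo.com/ads", False),
    ],
    "http://duisney.com": [   # appliedsemantics.com absent: served from cache
        ("http://duisney.com/", False),
        ("http://www.casalemedia.com/popup", True),
        ("http://www.oingo.com/ads", False),
    ],
}

if __name__ == "__main__":
    for domain, by, cookie in top_domains(SCANS):
        print(f"{len(by)} {domain:22} cookie={cookie} {', '.join(by)}")
```
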

 

 


 

 

·        Save and Load Scan Results

·         You can save the scan results (in an XML file) by pressing the “Save…” button (see below). Later on, you can load the results back by using the “Load” button located next to the “Save…” button.

[Screenshot: SAVE_cut]

 

 

 


 

 

·        Typo-Patrol

 

Step #1: Pre-patrol cleanup

·         Clear both the “URL Scan History” view and the “Scan List” view.

·         Double-check the “Blocked Domains” view to make sure it’s empty.

Step #2: Typo generation

·         Type, for example, “WashingtonPost.com” into the Address Bar and hit the “Generate Typos” button. The tool should switch to the “Scan List” view and display hundreds of algorithmically generated typos of “WashingtonPost.com”.

Step #3: Typo-Patrol

·         If you hit the green-triangle “Scan…” button now, the tool will scan all the generated typo domains, which is the default. To scan only a subset, use mouse left-clicks and the Ctrl key to select, for example, the first four typo domains from the list, and then hit the “Scan…” button. (The default settings are: a new domain is scanned every seven seconds and each scan window stays up for 60 seconds. Click on “Scan Settings…” to change these defaults.)

➢  See http://research.microsoft.com/URLTracer/Parked_Domains.htm#WaPo for more scan results.

·         Once all four pop-up scan windows stabilize, hit the blue-square “Stop” button.

Step #4: Analysis and investigation

·         Switch to “Top Domains” view to see which companies are more involved (see below, on the left). Hit the “Save…” button, change “Save as type” to “Top Domain Report (*.txt)” (see below, on the right), type in a file name, and hit the “Save” button to save a typo-patrol report in plain text.
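
Step #2 does not say how the typos are generated. The following added example (not the tool's own algorithm) produces the typo classes that appear among the sample domains on this page, such as wwwslashdot.org, slahdot.org, slahsdot.org, slaashdot.org and slashdoit.org, so that a site owner can build a watch list for a brand domain. The model names and the simplified keyboard-adjacency map are assumptions.

```python
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")   # simplified QWERTY (assumption)

def neighbours(ch):
    """Keys left and right of ch, plus the key in the same column of the
    rows above and below (ignores the physical stagger of the keyboard)."""
    out = set()
    for r, row in enumerate(ROWS):
        c = row.find(ch)
        if c < 0:
            continue
        out.update(row[max(c - 1, 0):c] + row[c + 1:c + 2])
        for other in ROWS[max(r - 1, 0):r] + ROWS[r + 1:r + 2]:
            out.update(other[c:c + 1])
    return out

def typos(domain):
    """Map each typo of a bare 'name.tld' domain to the model that produced it."""
    domain = domain.lower()
    name, _, tld = domain.partition(".")
    out = {"www" + domain: "missing-dot"}   # www.name.tld typed without the dot

    def add(candidate, model):
        if candidate and candidate != name:
            out.setdefault(f"{candidate}.{tld}", model)

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")
        if i + 1 < len(name):
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        add(name[:i] + ch + name[i:], "duplication")
        for key in sorted(neighbours(ch)):
            add(name[:i] + key + name[i + 1:], "replacement")
            add(name[:i] + key + name[i:], "insertion")
            add(name[:i + 1] + key + name[i + 1:], "insertion")
    return out

if __name__ == "__main__":
    found = typos("slashdot.org")
    for sample in ("wwwslashdot.org", "slahdot.org", "slahsdot.org",
                   "slaashdot.org", "slashdoit.org"):
        print(f"{sample:18} {found.get(sample)}")
    print(len(found), "candidates")
```
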

 


 

 

·        Domain Patrol

 

Step #1: Pre-patrol cleanup

·         Clear both the “URL Scan History” view and the “Scan List” view.

·         Double-check the “Blocked Domains” view to make sure it’s empty.

Step #2: Domain patrol

·         Copy and paste the following four non-typo domains into the “Scan List” view and hit the green-triangle “Scan…” button.

http://wwwMicrosoftWindows.com

http://MicrosoftServer2003.com

http://MicrosoftInternetExplorer6.com

http://MicrosoftOutlook.com

➢  Such domains can be obtained from the WhoIs database, reverse IP lookups, DNS zone files, services that monitor new domain registrations, etc. See, for example:

“Hey, TYPE-YOUR-CREDIT-CARD-NUMBER-HERE.COM is available for registration!,” http://www.f-secure.com/weblog/archives/archive-032006.html#00000845, March 30, 2006.

Step #3: Analysis and investigation

·         Once the scan is done, switch to the “Top Domains” view to see which companies are involved in this non-typo, cybersquatting activity.

[Screenshot: Domain-Patrol_MS]

 

 

 


 

·        IE History Patrol

·        Press the “Internet Explorer History” button (see below) to display a read-only copy of your browser history. Use mouse left-clicks and the Ctrl key to select URLs, right-click → “Add to Scan List”, and press the “Scan…” button to run the patrol.

[Screenshot: IE_History]

·        If in the meantime you have used other IE windows to do more browsing, you can press the “Refresh” button (see below) to refresh the IE History view.

[Screenshot: Refresh]

 

 


 

 

·        Ads Accountability

·        From the “URL Scan History” view or the “Top Domains” view, double-click on any third-party URL (not domain) to see which company is responsible for which ads. For example, the screenshot below shows that, by double-clicking on the highlighted URL, one can determine which company is responsible for serving these questionable ads on this extra-“p” typo of the children’s website http://neopets.com.  

[Screenshot: Ads_Navigate]

 

·        Sometimes ads are displayed by complex scripts and cannot be easily re-displayed by clicking on the URLs. In such cases, you can try temporarily blocking all but one of the third-party domains to zero in on the responsible party.

·        URLs associated with HTTP POST requests cannot be replayed correctly because data in the POST body is not recorded and replayed.

 


 

·        Domain Blocking

·        If you find any third-party domain that repeatedly serves questionable ads, you can right-click on that domain and choose “Block <DomainName>.com” (see below) or type its domain name into the Address Bar and click “Block Domain”; it should appear in the “Block Domains” view, the third button from the left. You can unblock a domain by right-clicking on it in the “Block Domains” view and selecting “Unblock…”. Domain blocking applies to all IE instances that are started after the blocking list is updated.

➢ Note that advertising is an important part of the Internet economy. We recommend blocking only those irresponsible advertising companies.

[Screenshot: Block]

·        Another domain blocking scenario is for parents to open the “Internet Explorer History” view, use mouse left-clicks and the Ctrl key to select one or more URLs, and either right-click → “Block selected domains” or right-click → “Generate typos for selected domains” and then from the “Scan List” view, select one or more typo domains, and right-click → “Block selected domains”.

 


 

 

·        Domains Parked with Different Services

·        Scan the list below to familiarize yourself with the look-and-feel of all kinds of parked domain pages. You can experience more parked domains by scanning the following lists: O.htm, DI.htm, S.htm, N.htm, Q.htm, H.htm, M.htm, Z.htm, T.htm, W.htm.

 

http://washingtoinpost.com

http://www.washingtonpoost.com

http://washingotnpost.com

http://washingtinpost.com

http://washingtonmpost.com

http://washingtonopst.com

http://waahingtonpost.com

http://waswhingtonpost.com

http://wwwcraigslist.org

http://www.MSNh.com

http://www.Microsofrt.com

http://wwwnytimes.com

http://www.nyttimes.com

http://www.nytimews.com

http://www.nyitmes.com

http://www.nytimesl.com

http://birtneyspears.com

http://www.britneypsears.com

http://www.bankofasmerica.com

http://www.bankofametrica.com

http://www.souhtwest.com

http://www.nyties.com

http://www.Weahter.com

http://BusinessWee.com

http://www.Micrisoft.com

http://www.wqellsfargo.com

http://www.cojmcast.net

http://doisney.com

http://duisney.com

http://slashdoit.org

http://slahsdot.org

http://wwwslashdot.org

http://slahdot.org

http://neoppets.com

 


 

·        Privacy Patrol: Web Beacons

·        Check web pages that use beacons to see if they properly display privacy statements that reveal the use of web beacons. Check the Web Analytics companies that collect browsing activities through web beacons to see if they provide proper privacy notices that explain how the collected data may be used, correlated, and shared. In general, any third-party URL can serve as a web beacon.

 


 

 

·        Privacy Patrol: Cookies

·        Web sites that use first-party cookies or third-party cookies are highlighted in red (see below). If you are concerned about cookie-based cross-site tracking, right-click on a third-party domain and choose “Go to NAI Members Ad Network Opt Out Site” to see if the advertiser provides a cookie opt-out option. (Or you can directly visit the opt-out page at http://www.networkadvertising.org/consumer/opt_out.asp.)

[Screenshot: Final_Cookie_OptOut]

 


 

·        FAQ

o   Q: How do I slow down the speed of typo-patrol if my machine is not powerful enough to keep up?

A: Click on “Scan Settings”, increase “Wait time between sites”, and click “Done”.

 

o   Q: How do I clean the IE cache before scanning each typo domain so that all third-party traffic is captured?

A: Click on “Scan Settings” and select “Clear Internet Explorer cache before each scan”.

 

 
