In the current panorama of digital threats, cybersquatting represents an illicit activity aimed to hijack domain names that correspond to trademarks or famous personalities. Over time, this threat has evolved into the phenomenon known as typosquatting: a threat based on typing errors made by users when entering a URL into their browser. The attackers, called (typosquatters), register domains that contain spelling errors compared to legitimate domains, taking advantage of people's inevitable oversights. This kind of attack is particularly effective when the reference domain is frequently visited because even a small percentage of user typing errors generates a significant flow of traffic to typosquatted sites.
Typosquatted sites are web sites whose domain name are similar to legitimate domain name, and can host a wide range of content aimed to generate profits through advertising and often containing malicious elements and/or redirects to malicious websites. Usually, the attackers exploit typosquatted sites to conduct attack campaigns, such as phishing, or even to steal sensitive user information. Prior research [1] indicates that a considerable percentage, ranging from 10% to 20%, of manually entered URLs contain errors. For instance, an average user who erroneously inputs the URL of a popular website has a 1 out of 14 probability of landing on a typosquatted domain [1]. The consequences of typosquatting are profound and far-reaching. Companies suffer not only from traffic declines but also from subsequent financial losses, while users remain persistently vulnerable to potential online scams. Despite the wealth of studies conducted in this domain [2], and the presentation of several prototype anti-typosquatting tools in the past, there exists a lack of practical and effective solutions available to the general public, particularly those offering real-time assistance to users. This paper presents the TypoAlert extension for chrome-based browsers and shows how combining multiple anti-typosquatting methods into an integrated framework is possible in order to implement an effective detection tool against typosquatting. Remarkably, as our methods are not machine learning-based, they do not require cycles of training on input datasets; thus the maintenance effort of TypoAlert is reduced to the bare minimum. Moreover, we assessed the effectiveness of TypoAlert on an appropriate set of domain names. Section 2 summarizes some previous studies on typosquatting and highlighting the necessary background information. Section 3 briefly presents our typosquatting detection methodology and illustrates the experimental results obtained during the evaluation and validation phase. Section 4 presents the chrome-based extension, its features and how it works. Section 5 draws the conclusions and indicates some future research directions.
The general term cyber-typosquatting might refer not just to domain name typosquatting but also to package typosquatting [3] and to other forms of typosquatting, like exploitation of typing errors in mobile app names, social media names, etc. Typosquatting remains a widespread and persistent practice, primarily due to the lack of effective solutions to prevent it [1]. Research on the topic can be roughly categorized in: (i) general analyses; (ii) company-centric antityposquatting proposals; and, (iii) user-centric anti-typosquatting research.
General studies. The study presented in [4] identified over 8800 registered domains within typographic variations compared to popular domain names and more than 90% of these redirected to sexually explicit content often designed to make it hard to shut down the offending content.
Initially, it was believed that shorter URLs were more susceptible to typosquatting [5], however, [6] indicated that domains with longer names share a similar probability of being subject to typosquatting.
Similarly, the popularity of domain names was originally seen as a factor related to typosquatting [5]. This assumption has also been revisited; indeed, a shift in typosquatters' behavior has been identified in [7]: around 95% of typosquatted domains now targets lesser popular domains.
During the years, various models for generating typosquatted domains have been proposed. Five primary models have been identified [8]: Missing-dot typos, Character-omission typos, Character-permutation typos, Character-substitution typos, and Character-duplication typos. A subsequent study [9] scrutinizes registered domains whose name has been generated according to each of the five described models, evaluating their saturation. This work also provided valuable insights into the level of awareness regarding various typo domain generation models among distinct online entities. As shown in [9], both malicious and defensive registrations mirror the saturation trends. This implies that both attackers and defenders share a similar perception regarding the typosquatted domains deemed worthy of registration.
Existing models were extended by introducing additional approaches in [10]. These include: (i) 1-mod-inplace: involves in replacing all domain name characters, one at a time, with every possible letter of the alphabet; (ii) 1-mod-deflate: entails removing, one at a time, all characters from the domain name; (iii) 1-mod-inflate: involves adding a character to the domain name, systematically considering all possible characters.
All these generation models are based on the Levenshtein distance (also known as edit distance) [11,12]. This metric allows to quantify the similarity between two strings, and is thus a crucial parameter for evaluating the similarity of typo domains to the original domain. However, when considering the character permutation generation model, the more appropriate reference is the Damerau-Levenshtein distance [13] which differs from plain Levenshtein distance by incorporating the operation of transposition between characters, in addition to insertion, deletion, and substitution operations. In [2] it is highlighted that 99% of typosquatted sites exhibit a Damerau-Levenshtein distance of one from their target domains.
The pioneer Strider Typo-Patrol tool [8] is meant for discovering large typosquatting campaigns. It employed a multifaceted approach, incorporating (i) a Typo-Neighborhood Generator to produce sets of URLs with potential typos, (ii) a Typo-Neighborhood Scanner to actively analyze domains and record information such as third-party URLs and page content, and (iii) a Domain-Parking Analyzer for in-depth analysis of typosquatted domains. The same work proposed Strider URL Tracer, an instrument meant to allow website owners to monitor typosquatted domains targeting their sites. A comprehensive and relatively recent analysis of typosquatting domain registrations within the .com TLD can be found in [7]. The analysis was conducted using the Yet Another Typosquatting Tool (YATT).
Another approach was provided in the now defunct iTrustPage Firefox extension [14], which provided automated identification of legitimate web pages, utilizing user input and external sources such as search engine results, including whitelists and local caches. A browser extension called The Anti Typosquatting Tool (ATST) was proposed in [1]. It provided several features such as: (i) a User Customized Local Repository for monitoring popular domains, (ii) an Edit-distance Computation Module employing the Damerau-Levenshtein distance for typosquatted domain checks, and (iii) a User Customized Local Repository Update Module for dynamic updates based on user interactions. The Stop URL Typo-squatting (SUT) approach, proposed in [5], addresses the broader issue of detecting phony websites, whose domain name is not necessarily typosquatted. This solution integrates autonomous modules for: (i) network-level criteria that assesses URL features (called SUT-net module) (ii) and site popularity assessment that leverages Google search results to evaluate domain legitimacy (called SUT-pop module).
Another tool that is also worth mentioning is TypoWriter [15], which anticipates most likely domain variations using Recurrent Neural Networks trained on DNS logs. Unfortunately, at the time of writing, all the above mentioned tools are no longer available on the web.
Behind our developed Chrome-based extension there is a detection algorithm that aims to classify the type of the web domain at hand. Our tool aims to integrate several anti-typosquatting techniques and to provide real-time monitoring, detection and filtering software. We also included additional detection features meant identifying as detection of domain names which are registered, yet are not used and/or intended for bad uses called parked domains. The detection process starts taking in input a domain name π and, after analysis, π is classified. The output is one of the following categories: NotTypo (π is not a typosquat), ProbablyNotTypo, ProbablyTypo, Typo, ProbablyTypoPhishing, TypoPhishing, TypoMalware, and is built according to a score (av, alert value) and to the value of a phishing indicator (ph) which are both obtained as outcomes of the evaluation step.
A pre-filtering step is achieved by considering two lists: a blacklist (BL) and a whitelist (WL). The blacklist leverages the BlackBook list, an historical (black)list of malicious domains created as part of the periodic automated heuristic check (i.e. WHOIS, HTTP, etc.) of newly reported entries from public lists of malicious URLs [16]. The BlackBook blacklist is used to check whether the domain at hand is considered malware; if so, the domain is marked as a π π¦πππ πππ€πππ domain.
Let vd be the domain name eventually reached from π after following a potential chain of redirects. If π β π πΏ or vd β π πΏ, we give to π the minimum alert value, i.e. 0, classifying it as NotTypo. The WL list is constructed using a Top Domain Repository (TDR), giving at the same time the capability of adding more domains using the User Domain Repository (UDR); this latter can be populated directly by using the web page related to the developed extension. The WL is a list that can be reasonably assumed to be reliable and authentic built considering the top domains provided by Data4Seo [17]. Data4Seo website allows to export data concerning the top 1000 national web domains for each of the 74 distinct nations available and also the 1000 web domains with the highest ranking worldwide. We added to π πΏ all top domains present on Data4Seo website (for a total of around 32000 distinct domain names) and the user added trusted domains. TDR cannot be modified by the user, which can however customize the complementary UDR, which is initially empty.
Afterwards, we build a set πΆπ of candidate targets. πΆπ is built by considering each element having DL-distance equals to 1 from π taken from: (i) π πΏ, (ii) the top 10 domain names resulting by querying a search engine with π as the search keyword and whenever available, (iii) the domain name dym ("Did you mean?" domain), i.e. the domain name suggested by the search engine at hand as the inferred correct search keyword.
Once the πΆπ list is built, the evaluation step starts by computing the Parking Alert (PARKA) indicator which is set to either 0 or 1 according to an analysis based on a set of keyphrases, in different speaking languages, usually present in parked web pages. Then for each element ππ‘ β πΆπ we evaluate the Top 10 Alert (T10A) indicator, the Did You Mean Alert (DYMA) indicator and the Phishing Alert (PHA) indicator.
The T10A indicator considers the result list obtained by querying the input domain π on a search engine; we compute the T10A ππ‘ score. This indicator returns: (i) 1 if π is present in the resulting list; (ii) -1 if π is not present in the resulting list; (iii) 0 in all other cases.
The DYMA indicator is based on the concept of domain popularity, and it exploits the suggested Last but not least, there is the PHA ππ‘ indicator that evaluates the similarity degree between the web page related to the input domain π and the web page related to ππ‘. This evaluation is carried out using fuzzy hashing [18] and returns the score value 0 or 1.
Based on the above indicators, the alert value ππ£ is computed as follows:
where
Along with ππ£ we obtain the phishing alert (πβ) value as PHA ππ‘ * where ππ‘ * is one of the arguments for which ππ£ |πΆπ is reached and for which PHA is maximal, i.e.
Finally, in the last step (see Figure 1) we label π according to ππ£ and πβ: for ππ£ = 0, we assign the label π ππ‘π π¦ππ; for ππ£ = 1, we assign the label π πππππππ¦π ππ‘π π¦ππ; for ππ£ = 2 we assign either the label π πππππππ¦π π¦ππ or π πππππππ¦π π¦πππ βππ βπππ depending on the value of πβ, respectively if 0 or 1; for ππ£ = 7 we assign the label π π¦πππ πππ€πππ while for any value ππ£ β [3,6] we assign either π π¦πππ βππ βπππ if πβ = 1 or π π¦ππ if πβ = 0.
To assess the effectiveness of the classification techniques which TypoAlert is based on, we conducted an evaluation utilizing a purposely constructed dataset, named π π, including a set of potential typosquatted domains. To build the ground truth, each domain π β π π has been manually analyzed and classified as being or not a typosquatted domain. Then we compared the results with the outcomes achieved by our classifier.
To build the π π dataset we started from the set π ππ, comprising the top 1000 websites globally ranked on Google, as per DataForSEO [17]. We extracted a subset of 300 domains by uniformly sampling π ππ and using the open source tool ail-typo-squatting [19], we built a set containing all domain names having a Damerau-Levenshtein distance from π's name which is equal to 1. Then we extracted a subset of all domain names π such that (i) π was actually registered in a DNS at the time of construction of the dataset; and (ii) there was an active web server responding (directly or indirectly) to HTTP(S) requests made to π. Finally, we obtained π π . The final dataset TS includes potential 5106 typo domains.
During the evaluation phase we conducted an analysis on the tool accuracy and we compared it with ground truth obtained manually. During the manual classification we labelled domains as (i) Typo: designated for domains considered malicious; (ii) NotTypo: assigned to either a legitimate domain or a domain that redirects to the legitimate domain. Note that, to mitigate the role of human subjectivity in manual annotations, we opted for building binary ground truth values. However, since TypoAlert produces a score value between 0 and 7, data have been validated by mapping our scores to ground truth. We consider an aggregation threshold π‘, and we build a family of binary classifiers each denoted by the two classes π ππ‘π π¦ππ π‘ = {π₯ β π π | π (π₯) < π‘}, and π π¦ππ π‘ = π π β π π¦ππ π‘ . We identified the classifier that maximizes the TPR/FPR Ratio (True positive rate divided by False Positive Rate), as the one obtained for π‘ = 2. The Receiver Operating Characteristic (ROC) curve shows the trade-off between True Positive Rate and False Positive Rate of each classifier built among various score thresholds, as depicted in Figure 2a. Figure 2b depicts the confusion matrix for π‘ = 2, where 5060 over 5106 domains with a 99.0% of domains were correctly classified.
We took several design choices in developing TypoAlert. First things first, as our software would be a browser extension, we have chosen to support all Chrome-based browsers.
TypoAlert aims to improve the user experience in browsing the web without being pervasive for the users. To carry out this goal, TypoAlert, once installed in the browser, shows as the only visible additional feature, an icon in the dedicated extension section. This icon changes its color based on the web site present on the active tab. These colors have been chosen to give users a rapid evaluation measure of the domain kind they are visiting and may vary according to the Figure 3 Different result values returned by analysis involve different (or none) alert notification. If the extension's analysis indicates a label among ProbablyTypo, Typo, TypoPhishing, Probablyty-poPhishing or TypoMalware (colors from yellow to dark red), an alert appears, warning the user about the detected severity level. When the analysis returns π ππ‘π π¦ππ or π πππππππ¦π ππ‘π π¦ππ no alert is given and the user is allowed to visit the related web page, in this case the TypoAlert icon becomes either Green or Green-Yellow.
If a typosquatting attempt is detected, the extension's icon becomes red and an alert about the domain classification is shown. In Fig. 4a it is depicted the alert that appears when the domain π is a typo and it is visited for the first time. It was highlighted before that the Phishing Alert indicator evaluates if a web domain is malicious and aims to conduct a phishing attack. If the Phishing Alert indicates that a web domain is a possible phishing web domain, the user is notified using a specific pop-up alert highlighting this special kind (malicious) of the web domain. Moreover, we inserted in the extension a caching mechanism that helps in avoiding multiple evaluations about the same site. Domain names classified as typosquatted are retained in the extension cache. If a domain name π has been classified as typosquatted in the last 30 days the web page of π is blocked and replaced by a notification page as depicted in Fig. 4b. Users can always access the extensions options and add misclassified domains to the verified user whitelist, excluding them from the analysis.
In this paper we presented TypoAlert, a tool for detecting typosquatted sites that, combining some of the known simplest yet provably effective practices, is able to detect a relevant number of typosquatted domains. The validation phase proves the effectiveness of the approach. As future work, we are planning to enrich TypoAlert with features that tackle typosquatting from an even more user-centric perspective, in the spirit of dynamic skins [20]. TypoAlert hase been released under LGPL license and it can be downloaded from https://github.com/aleviscomi/typoalert.
This work was partially supported by projects SERICS (PE00000014) and FAIR (PE0000013) under the MUR National Recovery and Resilience Plan funded by the European Union -NextGenera-tionEU.
A. Viscomi) https://blefari.xyz/ (F. Blefari); https://angelo.furfaro.dimes.unical.it/ (A. Furfaro); https://www.mat.unical.it/ianni/ (G. Ianni) 0009-0000-2625-631X (F. Blefari); 0000-0003-2537-8918 (A. Furfaro); 0000-0003-0534-6425 (G. Ianni)