CERT-SEI
CERT/CC Blog

Domains That Are Typos of Other Domains

By Jonathan Spring on 08/15/2013

Hello, this is Jonathan Spring. I’ve been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it’s a common one since ‘f’ is next to ‘g’ on the standard keyboard. The existing hypothesis has been that typo domains would be used for malicious purposes. Users would commonly mistype the domain they are going to, and some of the less scrupulous domain owners could take advantage of this to trick them or infect their computers.

In this case, the hard work of finding the typos was done for me. Some kind external collaborators from CrySyS lab provided a large list of all the domains that are typos within the com zone file; the particular sample was from March 15, 2013. CrySyS identified 4.7 million likely typo domains out of the 108 million domains in the com zone file. These are typos of the 520,000 most common .com domains, according to Alexa. It is common for an organization to register several common misspellings of its own domain and redirect users to the correct site. Checking for this, 2.3 million typos appear to be outside the control of the owner of the original domain. These are the true typos that we would expect to be malicious, but that simply does not appear to be the case.
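The two steps described above, generating typo candidates and separating the owner's own defensive registrations from the true typos, as an added example that is not code from the post or from CrySyS. The post does not say how ownership was judged; the check below assumes that a typo sharing a name server with the original domain belongs to the same owner, and all zone entries and name-server names are constructed for the example.

```python
# Added example; not code from the CERT/CC post or from CrySyS.
# Generates typo candidates for a domain, keeps the ones that are registered
# in a (constructed) .com zone sample, and separates owner-controlled typos
# from "true" typos using a name-server heuristic that is our assumption.

# Physical layout of the main QWERTY rows; two keys are "adjacent" when they
# sit within one row and one column of each other.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _build_neighbours():
    pos = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
    return {
        ch: {o for o, (r2, c2) in pos.items()
             if o != ch and abs(r - r2) <= 1 and abs(c - c2) <= 1}
        for ch, (r, c) in pos.items()
    }


NEIGHBOURS = _build_neighbours()


def typo_candidates(domain):
    """Return the common single-error typos of the second-level label:
    adjacent-key substitution (foogle), omission (gogle), doubled key
    (gooogle) and transposition of neighbouring letters (googel)."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        for n in NEIGHBOURS.get(ch, ()):
            out.add(label[:i] + n + label[i + 1:])          # adjacent key
        out.add(label[:i] + label[i + 1:])                  # omitted key
        out.add(label[:i] + ch + ch + label[i + 1:])        # doubled key
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # swap
    out.discard(label)
    out.discard("")
    return {f"{c}.{tld}" for c in out}


# Constructed zone sample: registered domain -> its name servers. Every entry,
# including the name-server names, is made up for this example.
ZONE = {
    "google.com":    ("ns1.owner.example", "ns2.owner.example"),
    "gogle.com":     ("ns1.owner.example", "ns2.owner.example"),
    "foogle.com":    ("ns1.parking.example", "ns2.parking.example"),
    "gooogle.com":   ("ns1.parking.example", "ns2.parking.example"),
    "googel.com":    ("ns.other.example",),
    "unrelated.com": ("ns1.elsewhere.example",),
}


def classify_typos(domain, zone):
    """Split the registered typos of `domain` into those sharing a name
    server with the original (assumed to be the owner's own defensive
    registrations) and the remaining "true" typos. This name-server check is
    an assumption; it will miss owners who host their typos elsewhere."""
    owner_ns = set(zone[domain])
    registered = sorted(c for c in typo_candidates(domain) if c in zone)
    owner_controlled = [d for d in registered if set(zone[d]) & owner_ns]
    true_typos = [d for d in registered if not set(zone[d]) & owner_ns]
    return owner_controlled, true_typos


if __name__ == "__main__":
    owned, true = classify_typos("google.com", ZONE)
    print("owner-controlled:", owned)
    print("true typos:      ", true)
```

Run against the constructed zone, the owner-controlled list holds only gogle.com and the true typos are foogle.com, googel.com and gooogle.com; unrelated.com is never a candidate and is ignored. Against a real zone file the candidate set would be intersected with tens of millions of names, so build the candidates per popular domain and test membership in a set rather than scanning the zone.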

The original, real domains in the Alexa top 520,000 are more likely to appear on black lists than the typos of them. I compared the Alexa domains and the true typo domains against 12 black lists from various sources. In every case, the Alexa domains are more likely to host malicious activity: the percentage of the popular .com domains that are listed is always higher than the percentage of typo domains that are listed. The details are in the following table.

Black list                      Typos listed   % of typos   Popular listed   % of popular
ch.abuse                                   0    0.000000%                0        0.0000%
com.malwaredomainlist                      6    0.000256%               13        0.0025%
com.malwaredomains                        61    0.002599%              131        0.0250%
hostkarma.junkemailfilter.com             26    0.001108%               46        0.0088%
IID                                       72    0.003068%               59        0.0113%
multi.surbl.org                          367    0.015637%              501        0.0956%
multi.uribl.com                         8876    0.378177%            76019       14.5086%
net.malwarepatrol                         10    0.000426%               39        0.0074%
phish2.mcafee.com                        784    0.033404%            18511        3.5329%
rbl.mcafee.com                           862    0.036727%            12905        2.4630%
rbl2.mcafee.com                         7379    0.314395%            99188       18.9305%

(Percentages are of the 2.3 million true typo domains and of the 520,000 popular domains, respectively.)

To check a black list, we look for anything that was on that list during the first quarter of 2013. I also have a longer history of the domains listed on Google's Safe Browsing, and it shows the same trend. Safe Browsing distinguishes between a listing for malicious content and a listing for phishing. The following table shows the results for Google Safe Browsing from May 1, 2011 to July 31, 2013.

                Malware   Malware%    Phish      Phish%
Alexa              9990     1.907%       27   0.005153%
True typos         3720    0.1585%      125   0.005329%
All typos         17485    0.3716%      272   0.005781%

(Percentages are of the 520,000 Alexa domains, the 2.3 million true typo domains and the 4.7 million typo domains, respectively.)

There are several possible causes for this pattern, and several of them are uninteresting. I think I can rule out most of the uninteresting ones, though. For example, it is possible that the typo domains are simply newer and have not yet had a chance to be listed. This is not the case. A quick look at the zone file from January 3, 2013 shows that the typo domains are actually more stable than the popular domains: more of the domains that were popular on March 15 were registered recently than the typo domains. 92.2% of the Alexa domains were already in the January zone file, compared with 95.2% of the typo domains. So stability or lifetime is probably not a confounding factor here.

I also looked at the name servers that host the most typo domains. There are 10 name servers for which most of the domains they host are typos of other domains; for these name servers, between 20% and 80% of their domains are typos. So are these name servers more likely to be malicious? Perhaps the other typos are used for something else, but surely the folks whose business seems to be hosting typo domains must be using them for some nefarious purpose, right? The opposite seems to be true. The typo domains hosted on these 10 name servers seem to be even less likely to appear on a black list. The average percentage of these name servers' domains on any of the black lists is 0.051%.
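The two comparisons above, the per-list listing rate of each population and the name-server profile, as an added example that is not code from the post. The populations, zone data, name-server names and blacklist entries are all constructed for the example; the one point worth taking from it is that feed entries arrive as bare domains, hostnames and URLs, so each entry has to be reduced to its registered domain before it is matched against zone names, or listings of hostnames under a domain are silently missed.

```python
# Added example; not code from the CERT/CC post. Matches two (constructed)
# domain populations against a (constructed) blacklist feed whose entries
# come in the mixed shapes real feeds use, and profiles name servers by the
# share of typo domains they host, as in the post's name-server check.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed populations standing in for the Alexa domains and the true
# typo domains of the post.
POPULAR = {"google.com", "bank.com", "news.com", "shop.com"}
TRUE_TYPOS = {"foogle.com", "gooogle.com", "googel.com", "bnak.com", "nwes.com"}

# Constructed zone data: domain -> name servers (all names made up).
ZONE_NS = {
    "google.com":  ("ns1.owner.example",),
    "bank.com":    ("ns1.bankdns.example",),
    "news.com":    ("ns1.newsdns.example",),
    "shop.com":    ("ns1.shopdns.example",),
    "foogle.com":  ("ns1.parking.example",),
    "gooogle.com": ("ns1.parking.example",),
    "googel.com":  ("ns1.parking.example",),
    "bnak.com":    ("ns1.parking.example",),
    "nwes.com":    ("ns1.other.example",),
    "other.com":   ("ns1.parking.example",),
}

# Constructed blacklist entries: a bare domain, a full URL, a hostname and a
# domain with a trailing dot, the shapes feeds commonly mix.
BLACKLIST = [
    "bank.com",
    "http://cdn.news.com/landing.php",
    "mail.shop.com",
    "bnak.com.",
]


def registered_domain(entry):
    """Reduce a feed entry to the registered domain so that a listing of a
    hostname or URL under a zone domain counts as a hit for that domain.
    Assumption: single-label public suffixes such as .com; a production
    pipeline would consult the Public Suffix List for suffixes like .co.uk."""
    host = urlsplit(entry if "://" in entry else "//" + entry).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def listing_rate(population, blacklist):
    """Domains of `population` covered by any blacklist entry, and the
    fraction of the population they represent (the post's percentages)."""
    listed = {registered_domain(e) for e in blacklist}
    hits = sorted(population & listed)
    return hits, len(hits) / len(population)


def nameserver_profile(zone, typos, blacklist):
    """Per name server: (share of its domains that are typo domains,
    share of its domains that are blacklisted)."""
    listed = {registered_domain(e) for e in blacklist}
    per_ns = defaultdict(set)
    for domain, servers in zone.items():
        for ns in servers:
            per_ns[ns].add(domain)
    return {ns: (len(ds & typos) / len(ds), len(ds & listed) / len(ds))
            for ns, ds in per_ns.items()}


if __name__ == "__main__":
    for name, pop in (("popular", POPULAR), ("true typos", TRUE_TYPOS)):
        hits, rate = listing_rate(pop, BLACKLIST)
        print(f"{name:11s} listed={len(hits)}/{len(pop)} ({rate:.1%}): {hits}")
    profile = nameserver_profile(ZONE_NS, TRUE_TYPOS, BLACKLIST)
    for ns, (typo_share, listed_share) in sorted(profile.items()):
        print(f"{ns:22s} typo share={typo_share:.0%}  listed={listed_share:.0%}")
```

On the constructed data three of the four popular domains are listed (75%) against one of the five true typos (20%), and ns1.parking.example hosts 80% typos with 20% of its domains listed. The time window matters as much as the matching: the post counts a domain as listed if it appeared on a list at any point in the quarter, so a pipeline that only checks the current snapshot of a feed will undercount both populations.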

My hypothesis for the real reason is that the typo domains are not worth compromising, while compromise is likely the reason the popular domains appear on black lists. Since there are so many typo domains, I assume they are making money. They are probably profiting from advertising revenue on page views, which is ostensibly completely legal, although the owners of the site the user actually meant to type would probably be displeased by the lost revenue. Because of this, the typo registrants also have a strong interest in keeping their domains free of overtly malicious activity so that they can keep siphoning off ad revenue.

If you have other hypotheses for why these typo domains appear on black lists so much less often, send your comments to us at netsa-contact@cert.org, and use the subject "RE: typo domain hypotheses."

Topics: Research , Vulnerability Analysis , Vulnerability Discovery