Detection of Cybersquatted Domains

Patrick Frischknecht. Detection of Cybersquatted Domains. Master's thesis, University of Bern, July 2021.


Domain names, or domains for short, are memorable identifiers for websites; however, their affiliation is not always clear. Cybersquatters register domains that closely resemble existing ones or well-known trademarks for their own profit and thereby misuse the trust placed in a brand. The focus of this thesis is to support security personnel in the accurate detection of cybersquatted domains. Our goal is to identify domains that have been crafted in bad faith, based on the content present on the website, and thereby effectively reduce the number of websites that would otherwise require a manual review. We developed a tool based on logo matching with image hashing that can, given a target domain, report cybersquatted domains in global-scale domain lists that consist of several hundred million entries. For our case study, we selected the websites of nine well-known luxury and apparel trademarks from the Forbes Top 100 most valuable brands list and fed them to our tool. We performed a manual evaluation of more than 5 000 reported websites to determine whether the automatically assigned label, harmless or malicious, was correct. We found that cybersquatting is still a relevant issue for selected brands as they try to protect themselves against this threat. Furthermore, we identified 1 433 domains that host malicious content, including 639 fake web shops. Finally, we found that image hashing algorithms are preferably not used in such scenarios, because logos on squatted domains are altered in ways that cause large differences in their similarity scores even though they remain visually similar. We conclude that logos are indeed a typical feature of many websites on cybersquatted domains and that our tool can report domains missed by existing tools and services.
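The hashing limitation reported above, as an added example that is not code from the thesis: a difference hash (dHash, an assumption, since the abstract does not name the algorithm) over a constructed glyph stays identical under resizing and a small brightness change, yet a recolored variant that a reviewer would still recognise falls outside the match threshold. The glyph, the threshold and all function names are hypothetical.

```python
# Added illustration: dHash, the glyph and the threshold are assumptions,
# not the algorithm, data or settings used in the thesis.
GLYPH = [  # constructed 9x8 "logo": '#' = dark ink, '.' = light background
    ".........",
    ".#######.",
    ".#.....#.",
    ".#.###.#.",
    ".#.###.#.",
    ".#.....#.",
    ".#######.",
    ".........",
]
THRESHOLD = 10  # assumed maximum Hamming distance (of 64 bits) for a match

def render(scale, ink, paper):
    """Rasterise GLYPH into a grayscale image (list of pixel rows)."""
    return [[ink if c == "#" else paper for c in row for _ in range(scale)]
            for row in GLYPH for _ in range(scale)]

def downsample(img, w, h):
    """Box-average a grayscale image down to w x h cells."""
    H, W = len(img), len(img[0])
    out = []
    for y in range(h):
        ys = range(y * H // h, (y + 1) * H // h)
        row = []
        for x in range(w):
            xs = range(x * W // w, (x + 1) * W // w)
            row.append(sum(img[j][i] for j in ys for i in xs) / (len(ys) * len(xs)))
        out.append(row)
    return out

def dhash(img, size=8):
    """64-bit difference hash: bit is 1 where a cell is brighter than its right neighbour."""
    bits = 0
    for row in downsample(img, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

reference = dhash(render(4, ink=30, paper=230))   # brand logo, dark on light
resized = dhash(render(8, ink=45, paper=245))     # larger and slightly brighter
recolored = dhash(render(4, ink=230, paper=30))   # same shape, light on dark

if __name__ == "__main__":
    for name, h in [("resized", resized), ("recolored", recolored)]:
        d = hamming(reference, h)
        print(f"{name}: distance {d}, match={d <= THRESHOLD}")
```

Every brightness edge in the glyph reverses direction when the colors are swapped, so all 24 edge bits differ while the shape itself is unchanged.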

