2

One big threat out there is typosquat domains. For example instead of: steamcommunity.com some malicious actor will register the domain stearncornmunity.com and set up his fake steam login.

Why do companies not buy these "fake domains" to prevent them from being used in phishing and just redirect them to their main page? Is that such a big hassle? I believe there are tools out there that will be able to generate similar-looking links.

Wouldnt this be a great method to make the web safer for everyone?

schroeder
  • 123,438
  • 55
  • 284
  • 319
birdd
  • 41
  • 2

4 Answers4

9

They are just too many domains to register. The domain name steamcommunity has 14 characters. Users could:

  • Leave out one letter (+14 domains)
  • Miss a key and type the letter left or right from it instead (+28 domains)
  • Miss a key half-way and hit the key next to it as well (hsappens to mre all the timew). This can be the left one or the right one, and either the intended or the additional character can be first, so +56 domains
  • Switch the order of two letters, for which there are 12 possibilities in this case.
  • Intentional replacement of similar characters as frequently done by phishers, like in the example. Replace o with 0 or rn with m or adding a -. There are 5 places where one could do that in the above domain name, and they would need to cover all possible combinations. So 2 to the power of 5 minus 1 = 31 additional domains. And I haven't even talked about punycode yet.

So we got not one but 142 domains to manage now.

Oh, and of course we don't just need the .com. We also need all the other top level domains. We need all the country-codes, the generic TLDs .com, .net, .org, and I heard they added a couple new TLDs in the past years. How many are there now? Can't be that many, right? Let's check... ONE THOUSAND FIVE HUNDRED AND TWO?!? Please, IANA, you guys got to learn how to say "No".

And domains are not entirely self-managing. Making sure all those domains work, are paid for, are securely configured and have up-to-date certificates is a job which takes several person-hours each year.

And for some of these domains there might be a legitimate use-case of someone else. Perhaps I want to create a community for scientists and enthusiasts in the STEM field called stemcommunity.com? Too bad, I can't have it, because Valve wants it (actually, someone else already grabbed that domain and is offering it for $3,095). That means Valve would need to constantly negotiate for domains which are similar enough to theirs. Another money-sink and time-sink, and time is money.

So bottom line, it's simply not practical.

Especially considering that most users no longer type in domain names completely. They just enter the approximate name of the website into their browser address bar, and let their default search engine add the rest. So the most efficient measure against typosquatting is something any decent tech company is going to do anyway: Good search engine optimization.

Philipp
  • 48,867
  • 8
  • 127
  • 157
3

Many of the big or not so big corporations rely on brand monitoring companies to perform this kind of job (and often to manage their domain portfolio as well). Some Internet security outfits also specialize in domain/DNS intelligence, and provide services that overlap with brand management.

It's not possible to register every possibly infringing domain name (which would be a costly proposition) but besides doing the "obvious" like securing your brand name in the main extensions + some obvious typos, you can still, to some extent, monitor new domain registrations and detect names that look like typos of your brand, or otherwise look suspicious (for example your brand name followed by some keyword).

The main sources would be:

  • zone files (for the TLDs/ccTLDs that make them available).
  • certificate transparency logs

The bottom line is that new registrations are monitored to the extent of what is possible. Violations can and are enforced through different means, like private mediation, UDRP or court of law.

Trademark issues are not always clear-cut, black and white cases, so each domain has to be assessed on its own merits. In practice, it's very possible that brand owners will not do anything as long as the offending domain name is not being used for a nefarious purpose. Enforcement of TM rights has to be prioritized too, it's not always possible nor desirable to go after every offender.

The reason is that many offending/borderline domain names are registered by people with naive intentions (ignorance of TM law), or cybersquatters who expect some kind of compensation (finder's fee"), but whose actions do not pose an immediate danger to the brand owner. The domain name can still be put in a monitoring list once its existence is known, and the situation can change depending on how it is used.

Not to mention that web browsers have phishing protection mechanisms nowadays, that can help defeat attacks. Malicious domain names tend to be short-lived because they get reported, and suspended.

Kate
  • 6,967
  • 20
  • 23
3

Companies do regularly buy-up domains that are similar to theirs (as pointed out in the comments and other answers), but it is untenable for a company to buy-up every domain could be mistaken for theirs in a typo.

The real solution to this problem is to move away from password based authentication on the web, and towards more secure methods of authentication, such as WebAuthN, FIDO, SRP, public key authentication, etc., where the victim does not disclose anything useful to the attacker if the victim inadvertently lands on the attacker's site and tries to login.

mti2935
  • 19,868
  • 2
  • 45
  • 64
2

There is an infinite number of cousin domains for every genuine domain (between typosquatting (like steamcomunity.com and staemcommunity.com), combosquatting (extra words like steamcommunity-us.com), doppelgangers (missing dots like wwwsteamcommunity.com), homographs (like 5teamcommunity.com for ASCII, stearncommunity.com for keming, and steаmcommunity.com for IDN), alternate suffixes (like steamcommunity.com.am and steam.community), and more). Most large companies register a plethora of defensive domains to prevent this, but there are always iterations that they failed to account for.

One famous case of infinite combosquatting is from 2000, when Verizon tried to register every possible domain that criticizes them, such as verizonsucks.com. A 2600 Hacker Quarterly print article enumerated the whole list, but it doesn't seem to be online (here's a comment that lists some of them). To demonstrate that such defensive registrations could never be comprehensive, 2600 also registered verizonreallysucks.com, which got decent news coverage.

When Verizon sued, 2600 not only won but also registered a new domain: VerizonShouldSpendMoreTimeFixingItsNetworkAndLessMoneyOnLawyers.com.

2600 has done this with General Motors as well, registering FuckGeneralMotors.com and pointing it at ford.com. Ford sued and lost.

Adam Katz
  • 9,718
  • 2
  • 22
  • 44