Understanding the effectiveness of typosquatting techniques

Abstract

The nefarious practice of Typosquatting involves deliberately registering Internet domain names containing typographical errors that primarily target popular domain names, in an effort to redirect users to unintended destinations or stealing traffic for monetary gain. Typosquatting has existed for well over two decades and continues to be a credible threat to this day. As recently shown in the online magazine Slate.com [19], cybercriminals have attempted to distribute malware through Netflix.om, a typosquatted variant of the popular streaming site Netflix.com that uses the country code top-level domain (ccTLD) for Oman (.om). While much of the prior work has examined various typosquatting techniques and how they change over time, none have considered how effective they are in deceiving users. In this paper, we attempt to fill in this gap by conducting a user study that exposes subjects to several uniform resource locators (URLs) in an attempt to determine the effectiveness of several typosquatting techniques that are prevalent in the wild. We also attempt to determine if the security education and awareness of cybercrimes such as typosquatting will affect the behavior of Internet users. Ultimately, we found that subjects tend to correctly identify typosquatting which adds characters to the domain names, while the most effective techniques to deceive users involves permutations and substitutions of characters. We also found that subjects generally performed better and faster at identifying typosquatted domain names after being thoroughly educated about them, and that certain attributes such as Age and Education affect their behavior when exposed to them.