Soundsquatting Unraveled: Homophone-based Domain Squatting

The Domain Name System (DNS) plays a vital role in the operation of the Internet. Over the years, it has been a primary target for malicious users looking for vulnerabilities in its protocol and infrastructure.
Some examples include cache poisoning attacks, vulnerable DNS server implementations, and bogus user interactions.

Taking advantage of users’ spelling mistakes

Misspelled domain names in the browser’s address bar are a common user mistake, which attackers were quick to take advantage of. Attackers register the “squatting” or misspelled version of victim domains in order to capitalize on the potential incoming traffic. They then use these domains for a wide range of unethical and illegal purposes, which may include exfiltration of user credentials through phishing.

A well-known form of domain squatting is typosquatting, which involves exploiting typographical misspellings of domain names (i.e., typos) to collect traffic. For example, an authoritative domain like www.example.com may be mistyped with errors such as missing dots, omission and insertion of characters, and permutation and replacement of characters.

What is soundsquatting?

While typosquatting is a well-understood threat, in the course of our research on various squatting techniques we uncovered a previously unseen domain-squatting attack that we named soundsquatting. Soundsquatting takes advantage of the sound similarity of words and the user’s confusion over which words represent the desired concepts. The attack is based on homophones, i.e., sets of words that are pronounced the same but are spelled differently (e.g., ate, eight). This makes soundsquatting substantially different from typosquatting, in that it does not rely on typing mistakes.

Homophones can be spelled differently but have the same meaning, such as {guarantee, guaranty}, or be spelled differently and have a different meaning, such as {whether, weather} and {idle, idol, idyll}.

For instance, assuming weatherportal.com, an authoritative weather site, a soundsquatter can register the domain whetherportal.com, in order to capture the traffic of users who mistakenly type the word “whether” instead of “weather”.

The confusion between the intended word and the typed one is further amplified when a domain contains a homophone with the same meaning. Consider guarantybanking.com, a domain belonging to a banking website, and its soundsquatted version guaranteebanking.com. It is difficult to predict, if a person hears about “Guarantee Banking” for the first time, which spelling he/she will choose to use.
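The two examples above (weatherportal.com and guarantybanking.com) can be turned into a monitoring check: given the domains you own and a list of observed domains, flag the ones that differ only by a homophone swap. This is an added example, not code from the original post or the research paper; the homophone list holds only the sets quoted in this article, the observed domains are constructed, and the function names are hypothetical.

```python
import re

# Homophone sets quoted in the article. Assumption: a real deployment would
# load a full homophone database instead of this short list.
HOMOPHONE_SETS = [
    {"weather", "whether"},
    {"guarantee", "guaranty"},
    {"idle", "idol", "idyll"},
    {"ate", "eight"},
]

# Map every spelling to a placeholder naming its set, e.g. "weather" -> "{0}".
# Braces cannot occur in a hostname, so placeholders never collide with labels.
_WORD_TO_KEY = {w: "{%d}" % i for i, s in enumerate(HOMOPHONE_SETS) for w in s}
# Longest spellings first so a long word wins over a shorter one at the same spot.
_PATTERN = re.compile("|".join(sorted(_WORD_TO_KEY, key=len, reverse=True)))


def normalize(domain):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    name = domain.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def sound_key(domain):
    """Replace each homophone in the name with its set placeholder."""
    return _PATTERN.sub(lambda m: _WORD_TO_KEY[m.group(0)], normalize(domain))


def find_soundsquats(protected, observed):
    """Return (observed, protected) pairs that differ only by homophone swaps."""
    own = {normalize(p) for p in protected}
    by_key = {sound_key(p): p for p in protected}
    hits = []
    for name in observed:
        if normalize(name) in own:
            continue  # the legitimate domain itself, not a squat
        match = by_key.get(sound_key(name))
        if match is not None:
            hits.append((name, match))
    return hits


# Constructed sample input: domains we own and names seen in, say, a DNS log.
PROTECTED = ["weatherportal.com", "guarantybanking.com"]
OBSERVED = ["whetherportal.com", "www.weatherportal.com",
            "guaranteebanking.com", "weatherportal.net", "example.org"]

if __name__ == "__main__":
    for squat, victim in find_soundsquats(PROTECTED, OBSERVED):
        print(f"{squat} sounds like {victim}")
```

The match is on substrings, so a homophone embedded in a longer word is also swapped; the TLD is compared as-is, which is why weatherportal.net is not reported here.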

Using experimental data that we built by automatically soundsquatting the top 10,000 sites in Alexa, we were able to identify 1,823 active soundsquatting domains currently used by malicious users for different purposes, such as:

  • Displaying ads on parked domains
  • Stealing traffic from licit domains
  • Performing affiliate scams
  • Conducting phishing attacks
  • Installing malicious software on unsuspecting visitors.

In addition to studying the use of already-registered soundsquatting domains, we registered 30 soundsquatting names and studied the population of users that reached our domains, recording a monthly average of 1,718 requests from real users, originating from over a hundred countries. This proves that users are indeed susceptible to homophone confusion.

In the paper, we also examine six popular software screen readers and show how they can all be abused to perform soundsquatting attacks against sound-dependent users who rely on text-to-speech software.

To summarize, we discovered soundsquatting, a new type of domain-squatting attack based on homophones. During our investigation, we also unearthed malicious users employing this attack for a wide array of purposes. To learn more about soundsquatting, read our research paper Soundsquatting: Uncovering the Use of Homophones in Domain Squatting.

Trend Micro protects users from this threat via its Smart Protection Network, whose web reputation service actively monitors possibly malicious soundsquatting domains.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 16. October 2014, content source with full text you can find at link above.