Microsoft Research has released a new tool to help pinpoint large-scale typo-squatters that are known to be gaming pay-per-click domain parking services.
The company’s Cybersecurity and Systems Management group recently released a prototype version of Strider URL Tracer with Typo-Patrol to keep tabs on a sophisticated typo-squatting scheme that uses multilayer URL redirection to make money from Google’s AdSense for domains program.
The tool is designed to seek out and block mistyped versions of domain names–www.frod.com instead of www.ford.com, for example.
Typo squatters are companies that exploit slips of the fingers by registering mistyped versions of popular URLs. Some typo domains are parking lots for pay-per-click and syndicated advertising, according to a Microsoft research paper published alongside the tool. The group’s researchers found that a mere six services have a presence on between 40 and 70 percent of active typo domains.
Yi-Min Wang, who heads up the group’s work in Redmond, Wash., said URL Tracer can be used as a parental control tool to block inappropriate ads from being served from Web sites that are set up to deliberately lure kids who accidentally misspell a popular domain.
One live example, Wang said, is the way the virtual pet site at NeoPets.com has been targeted by typo-squatters to serve pornographic-themed ads if it is misspelled. One such misspelling, neoppets.com, is currently serving ads promising naked photos of Britney Spears or other adult images.
In addition to serving up ad links, typo squatters deliver pop-ups and pop-unders, and can redirect surfers to the intended domain. Often, the users are never even aware that they have visited a third-party site. As a result, many legitimate companies have been blamed for pop-ups advertising porn.
On top of this, companies may end up paying out for the advertising that leads customers to sites they were already aware of and trying to reach.
He said the group analyzed typo-squatting on 50 popular children’s sites and found more than 7,000 typo-domains. About 2,685 of those domains were active, and a total of 110 were serving questionable content.
Four domains redirected to adult sites directly, 36 domains contained at least one conspicuous link to an adult site, and the remaining domains displayed at least one conspicuous adult-category link to a page of adult ads listings, Wang said.
Most of the ads were being served from Oingo.com, a domain parking service that powers Google’s popular AdSense for domains program. The domain parking service is aimed at Web sites that generate more than 750,000 page views per month and, according to Google’s own boast, AdSense for domains is now powering over 3 million domain names.
This is a huge, lucrative business, Wang said, noting that the typo-squatters have been monitoring his group’s published work "on a daily basis" and have been moving domains between parking services to dodge detection.
Consumers can be at risk with typo domains. Some are used in phishing scams, which mimic the look and layout of legitimate online businesses in an effort to dupe people out of personal information such as bank passwords.
Others use wrongly typed URLs for popular children’s Web sites to lead surfers to porn sites, or to sites looking to exploit children.
The Microsoft research team described common mistakes people make when typing in a URL: missing dots (Newscom), transposition (Nwes.com), suffix replacement (News.net), character omission (New.com), character insertion (Newws.com) and character replacement (Newz.com).
Strider URL Tracer alerts people when they are redirected to a third-party site, according to a description on Microsoft’s research Web site. It can trace pop-up advertising back to the redirecting domains that supplied them. Parents can use it to block domains that may redirect their children to porn. Companies can use it to monitor for trademark infringement or fraud.
Wang said high-traffic properties that are a constant target include MySpace.com, Slashdot, Amazon.com, Expedia, Washington Post, New York Times, Microsoft.com and DisneyChannel.com. Deliberately misspelled domains for several major banking and financial services Web sites are also a constant target, he said.
In an interview with eWEEK, Wang said URL Tracer can also serve as a typo-patrol tool used by trademark owners who want to monitor typo-domains. "It is often too expensive for target-domain owners to investigate and take actions against a large number of individual typo-domains," he said, adding that a feature built into URL Tracer can take a target domain name and automatically generate and scan its typo-neighborhood.
The tool uses five programmatic typo-generation models—deliberate missing-dot typos, character omission typos, character permutation typos, character replacement typos and character insertion typos—to pinpoint potential domain-registration structures that are being used to steal traffic from large brands.
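The five typo-generation models can be sketched as follows for a brand owner building a monitoring list. This is an added example, not code from Strider URL Tracer or Microsoft; the function names, the same-row QWERTY adjacency used for replacement, the doubled-character rule for insertion and the reading of "missing dot" as the dot after "www" are all assumptions.

```python
# Added example: build the typo-neighborhood of one target domain.
# Assumptions (not from the article): same-row QWERTY adjacency for
# replacement, doubled characters for insertion, and the dot after
# "www" for the missing-dot model.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Keys directly left and right of ch on its QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []  # digits and hyphens get no replacements here


def typo_neighborhood(domain):
    """Map each model name to sorted candidates for e.g. 'news.com'.

    `domain` is the registrable name without a 'www.' prefix.
    """
    label, _, suffix = domain.lower().partition(".")
    n = len(label)
    models = {
        "missing_dot": {"www" + label},
        "omission": {label[:i] + label[i + 1:] for i in range(n)},
        "permutation": {
            label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(n - 1)
        },
        "replacement": {
            label[:i] + c + label[i + 1:]
            for i in range(n) for c in adjacent_keys(label[i])
        },
        "insertion": {label[:i] + label[i] + label[i:] for i in range(n)},
    }
    result = {}
    for name, labels in models.items():
        # Drop the target itself, empty labels, and labels that are not
        # valid hostnames (leading or trailing hyphen).
        valid = {l for l in labels if l and l != label and l == l.strip("-")}
        result[name] = sorted(f"{l}.{suffix}" for l in valid)
    return result


def watchlist(domain):
    """Deduplicated list of all candidates, ready to queue for scanning."""
    hood = typo_neighborhood(domain)
    return sorted({d for names in hood.values() for d in names})
```

Calling `typo_neighborhood("news.com")` reproduces several of the misspellings quoted earlier (new.com, nwes.com, newws.com), and `watchlist()` flattens the result into one list a trademark owner could check for registrations.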
The URL Tracer utility provides four main functionalities. It supports a "URL Scan History" view that records the time stamp of each primary URL visited and its associated secondary URLs, grouped by domains. It also supports an alternative "Top Domains" view that, for each secondary URL domain, displays all the visited primary URLs that generated traffic to it.
For every URL displayed in either of the views, the tool provides a right-click menu with two options: the "Go" option that allows the URL to be revisited (so that the user can figure out which ad came from which URL) and the "Block" option that allows blocking of all future traffic to and from that domain.
It is basically an extension of HoneyMonkey, Wang said, referring to another project within his group that helps Microsoft’s security teams find the source of zero-day exploits targeting the Windows XP operating system.
The Typo-Patrol scanner built into the tool currently consists of a network of 17 machines, each running a daemon process that monitors its own input-request queue residing in a folder on a central management machine. According to Wang, when a list of typo-domains is dropped into the queue, the daemon fetches the list and launches virtual machines to visit each domain.
The daemon copies all recorded data to the host machine, including information on all secondary URLs visited, the content of all HTTP requests and responses, and optionally a screen shot. Upon completing the scan of the entire list, the daemon copies all data to its output folder on the central management machine, Wang said.
Recorded data in the output folder is inserted into a typo-domain database for data queries and analysis.
The software is free to download from Microsoft’s Strider URL Tracer site. Windows XP and Internet Explorer 6 are required for it to work.