

USENIX, The Advanced Computing Systems Association

SRUTI '06 Abstract

Pp. 31–36 of the Proceedings

Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-Squatting

 

Yi-Min Wang, Doug Beck, Jeffrey Wang*, Chad Verbowski, and Brad Daniels

Microsoft Research, Redmond         * PCRethinking.com


Abstract

Typo-squatting refers to the practice of registering domain names that are typo variations of popular websites. We propose a new approach, called Strider Typo-Patrol, to discover large-scale, systematic typo-squatters. We show that a large number of typo-squatting domains are active and a large percentage of them are parked with a handful of major domain parking services, which serve syndicated advertisements on these domains. We also describe the Strider URL Tracer, a tool that we have released to allow website owners to systematically monitor typo-squatting domains of their sites.     

1.      Introduction

Typo-squatting refers to the practice of registering domain names that are typos of their target domains, which usually host websites with significant traffic. The individuals or organizations who register typo-squatting domains (or typo domains) are referred to as typo-squatters. Some major typo-squatters are known to have registered thousands of typo domains or more [1,2,3].

Web traffic generated through typo-squatting is unwanted for many reasons. From the users’ perspective, such typo traffic often startles them with unexpected results, followed by an annoying barrage of pop-up and pop-under advertisements (ads). There is a documented incident where a typo domain of a popular website was serving vulnerability-exploiting scripts to install malware [4,5]. Some typo domains of children’s websites have been observed to redirect to or link to adult websites, endangering Internet safety by potentially exposing minors to harmful material [6,7].

From the business perspective, many of the typo-squatting cases involve “bad-faith” domain registrations or trademark violations [8,9,10]. Worse yet, it is not uncommon to see a typo domain displaying ads from competitors of the target-domain owner or even negative ads against the owner (e.g., investment-loss law firm’s ads on typos of brokerage firms). In other cases, some advertisers are unwillingly paying for their ads being served on typo domains of their own websites, because such traffic is intended to go directly to their sites in the first place [11].

In this paper, we describe the Strider Typo-Patrol System for discovering and analyzing typo domains. Our patrol results reveal that a large percentage of typo domains are “parked” with a handful of major domain parking services. Domain parking is a special case of advertisement syndication: while the latter attempts to serve relevant contextual ads based on the publishers’ web content, the former serves ads based on merely the domain name because parked domains typically have no content. We show that many typo-squatters are taking advantage of the domain-parking infrastructures to perform large-scale, systematic typo-squatting. However, by doing so, they also expose their typo domains to systematic discovery enabled by monitoring and analyzing ads-fetching traffic sent to the parking services.     

The paper is organized as follows. Section 2 describes how domain parking works and discusses statistics related to the amount of unwanted traffic potentially generated through typo-squatting. Section 3 presents the Strider Typo-Patrol System. Section 4 analyzes typo-patrol data and quantifies the prevalence of typo-squatting through domain parking. Section 5 describes the Strider URL Tracer designed to provide visibility and control over typo traffic. Section 6 surveys related work, Section 7 discusses remaining issues, and Section 8 concludes the paper.

2.      Understanding Domain Parking

Advertisement syndication refers to the business practice of serving ads by instructing the client-side browser software to fetch ads from an ads server and compose them with the content of the website that the user intends to visit. Syndication is typically implemented using the browser’s third-party URL mechanism: when a user visits a primary URL (hosted by the first party) either by typing the URL into the browser address bar or by clicking a link on a web page, the browser may be instructed by the content returned by the primary-URL page to automatically visit one or more secondary URLs hosted on third-party servers, without explicit knowledge or permission from the user. We refer to these secondary URLs as third-party URLs in this paper. These third-party URLs usually contain information about the primary URL so that the syndicators can serve the most relevant contextual ads based on the primary-URL page content and potentially the historical information about the visiting machine or user.

Domain parking is a special case of advertisement syndication: the primary URL is a parked domain that does not contain any real content and syndicated domain-parking ads, usually in the form of ads listings, become the main content of the page displayed to the user. In order to attract sufficient traffic for serving ads, parked domains are usually domains with well-known generic names [12] or typo domains of popular websites. See [13] for screenshots of sample domains parked with various parking services.

Next, we use two actual examples to illustrate how typo-squatting through domain parking is typically implemented using third-party URLs. When a browser visits http://disneychannell.com, it receives a response page containing a frame that loads http://www.sedoparking.com/disneychannell.com. This URL is responsible for serving the main domain-parking ads listing. The basic idea of Strider Typo-Patrol is to scan a large number of typo domains, monitor all third-party URL traffic, and group the domains by the behind-the-scenes domain parking servers in order to facilitate investigation and prioritize actions.

Some domain parking services provide additional information in their third-party URLs that enables further analysis. For example, when a browser visits http://disneyg.com, the response page contains a frame that loads

http://apps5.oingo.com/apps/domainpark/domainpark.cgi?s=disneyg.com&dp_lp=24&hl=en&dp_lp=7&cid=DTRG4295&dp_p4pid=oingo_inclusion_xml_06&dp_format=1.3

where the “cid” field appears to contain a Client ID that uniquely identifies a typo-squatter. In Section 4, we show how this information enables us to quickly discover thousands of typo domains that are registered to a well-known, serial typo-squatter [2,14].  

Domain parking services provide convenient and effective contextual-ads infrastructures that make even marginal typo domains profitable [15]. With the annual domain registration fee as low as $7.00 [16], a rule-of-thumb figure for pay-per-click programs is that a parked typo domain only needs to attract between one unique visitor every two days and two visitors per day (depending on the pay-out levels) to generate sufficient income to cover the fee. (As a reference, http://slsahdot.org records statistics of tens of hits per day.) According to alexa.com on March 12, 2006, the servers owned by the top two domain parking services identified in our study were reaching between 3,300 and 5,200 per million users daily and their servers had a traffic rank between #221 and #438. These numbers are comparable to those for popular websites such as travelocity.com (#248), orbitz.com (#315), usatoday.com (#347), and slashdot.org (#375). Although many parked domains may be generic-name domains, the fact that we were able to discover thousands of parked typo domains within a short time through simple automated searching does provide evidence that unwanted traffic due to parked typo domains could be significant.

3.      Strider Typo-Patrol System

The Strider Typo-Patrol System provides automatic scanning and systematic analysis of typo domains. It consists of three main components: a typo-neighborhood generator, a typo-neighborhood scanner, and a domain-parking analyzer.

3.1.   Typo-Neighborhood Generation

Given a target domain, we define its typo-neighborhood as the set of URLs generated from the following five typo-generation models, which are commonly used in the wild:

(1) Missing-dot typos: The “.” following “www” is removed, e.g., wwwSouthwest.com. 

(2) Character-omission typos: Characters are omitted one at a time, e.g., Diney.com and MarthStewart.com.

(3) Character-permutation typos: Consecutive characters are swapped one pair at a time, unless they are the same characters, e.g., NYTiems.com.

(4) Character-replacement typos: characters are replaced one at a time and the replacement is selected from the set of characters adjacent to the given character on the standard keyboard, e.g., DidneyWorld.com and USATodsy.com.

(5) Character-insertion typos: characters are inserted one at a time and the inserted character is chosen from the set of characters adjacent to either of the given pair on the standard keyboard (and including the given pair), e.g., WashingtonPoost.com and Googlle.com.
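The five models translate directly into a generator that a site owner can run to build a watch list for their own domain. The following is an added example, not the Strider implementation; the keyboard-adjacency table (US QWERTY with staggered rows), the choice to mutate only the left-most label, and all function names are assumptions.

```python
import re

# Assumption: US QWERTY layout with staggered rows, so each key touches its
# left/right neighbours, the two keys above it and the two keys below it.
ROWS = ["1234567890-", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def build_adjacency(rows):
    adjacent = {}
    for r, row in enumerate(rows):
        for c, key in enumerate(row):
            cells = [(r, c - 1), (r, c + 1), (r - 1, c), (r - 1, c + 1),
                     (r + 1, c - 1), (r + 1, c)]
            adjacent[key] = {rows[y][x] for y, x in cells
                             if 0 <= y < len(rows) and 0 <= x < len(rows[y])}
    return adjacent

ADJACENT = build_adjacency(ROWS)
# A DNS label: letters, digits and hyphens, with no leading or trailing hyphen.
VALID_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def missing_dot(label):
    """(1) The dot after 'www' is dropped."""
    return {"www" + label}

def omission(label):
    """(2) One character is omitted."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def permutation(label):
    """(3) Two consecutive, different characters are swapped."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}

def replacement(label):
    """(4) One character is replaced by a keyboard neighbour."""
    return {label[:i] + key + label[i + 1:]
            for i, ch in enumerate(label) for key in ADJACENT.get(ch, ())}

def insertion(label):
    """(5) One character is inserted between a pair; it is a neighbour of
    either member of the pair, or one of the pair itself."""
    typos = set()
    for i in range(len(label) - 1):
        left, right = label[i], label[i + 1]
        pool = ADJACENT.get(left, set()) | ADJACENT.get(right, set()) | {left, right}
        typos.update(label[:i + 1] + key + label[i + 1:] for key in pool)
    return typos

MODELS = {"missing-dot": missing_dot, "omission": omission,
          "permutation": permutation, "replacement": replacement,
          "insertion": insertion}

def typo_neighborhood(domain):
    """Map each typo domain to the set of models that generate it."""
    name = domain.lower()
    if name.startswith("www."):
        name = name[4:]
    # Assumption: only the left-most label is mutated; the suffix is kept.
    label, _, suffix = name.partition(".")
    hood = {}
    for model_name, model in MODELS.items():
        for candidate in model(label):
            if candidate != label and VALID_LABEL.match(candidate):
                hood.setdefault(candidate + "." + suffix, set()).add(model_name)
    return hood

if __name__ == "__main__":
    hood = typo_neighborhood("disney.com")
    print(len(hood), "candidate typo domains for disney.com")
    for typo in sorted(hood)[:10]:
        print(typo, sorted(hood[typo]))
```

Candidates that are not valid DNS labels (for example a replacement that would put a hyphen first) are dropped, and a typo reachable through several models is reported once with all of its models.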

3.2.   Typo-Neighborhood Scanning

The Typo-Patrol scanner is an extension of our previous Strider HoneyMonkey scanner [5]. Given a typo-neighborhood list, it launches a browser to visit each domain and records all secondary URLs visited and their ordering, the content of all HTTP requests and responses, and optionally a screenshot.    

3.3.   Domain-Parking Analysis

We currently perform three types of analysis on the typo-neighborhood scan data:

(1) Given a target category and the lists of typos of target domains in the category, we analyze how heavily the category is being typo-squatted and which domain parking services are the major players. Specifically, we group the scanned typo domains by the parking services they generated third-party traffic to, and highlight those services that are behind a large number of typo domains.    

(2) Given the typo-patrol results of a trademarked target domain, we perform a similar analysis to identify those major parking services with which the trademark owner may want to file complaints. In some cases, it is more effective to go after the typo-squatters who actually purchased the typo domains than to complain to parking services which are only responsible for profiting from serving ads on those domains. We use two additional pieces of information to further divide and rank typo domains parked with a single service in order to help trademark owners prioritize their actions against typo-squatters.

The first piece of information is the Client ID field mentioned in Section 2. The second piece of information is the anchor domain that is used to aggregate traffic from multiple typo domains to simplify operations and to enable scalable typo-squatting. For example, tens of typo domains of NationalGeographic.com were “funneling” traffic through the same anchor playbov.com; typo domains LaSalleBanl.com and SovererignBank.com are sharing the same anchor baankaccount.com. We found that, in most cases, typo domains sharing the same anchor are registered to the same WhoIs registrant [17]. By grouping those typo domains that first redirect to the same anchor domain before generating traffic to the parking service, we eliminate the need to investigate each individual domain.

(3) For analyses that require searching for specific keywords (e.g., sexually-explicit keywords used in the analysis in Section 4.4), we analyze the HTTP response pages and extract all typo domains with a match.
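The grouping described in (1) and (2), applied to the third-party URL patterns shown in Section 2, can be sketched as follows. This is an added example, not code from the Strider tools: the first two scan records use the URLs quoted in Section 2, the ".example" records and the Client ID "CONSTRUCTED01" are constructed, and the function names and the last-two-labels domain rule are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Parking services named in Figures 1-3 of the paper.
PARKING_SERVICES = {"information.com", "domainsponsor.com", "oingo.com",
                    "sedoparking.com", "qsrch.com", "netster.com", "hitfarm.com"}

OINGO = "http://apps5.oingo.com/apps/domainpark/domainpark.cgi"

# Each record: (primary URL, secondary URLs in the order they were fetched).
SCANS = [
    # URLs quoted in Section 2.
    ("http://disneychannell.com",
     ["http://www.sedoparking.com/disneychannell.com"]),
    ("http://disneyg.com",
     [OINGO + "?s=disneyg.com&dp_lp=24&hl=en&dp_lp=7&cid=DTRG4295"
              "&dp_p4pid=oingo_inclusion_xml_06&dp_format=1.3"]),
    # Constructed records: two typo domains funnelled through one anchor.
    ("http://typo-a.example",
     ["http://anchor.example/", OINGO + "?s=anchor.example&cid=CONSTRUCTED01"]),
    ("http://typo-b.example",
     ["http://anchor.example/", OINGO + "?s=anchor.example&cid=CONSTRUCTED01"]),
    # Constructed record: a typo domain that generated no third-party traffic.
    ("http://inactive.example", []),
]

def site(url):
    """Registered domain of a URL. Assumption: the last two host labels;
    a production tool would consult the public suffix list instead."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def analyze(primary, secondary_urls):
    """Return (parking service, Client ID, anchor domain) for one scan."""
    typo = site(primary)
    anchor = None
    for url in secondary_urls:
        domain = site(url)
        if domain in PARKING_SERVICES:
            cid = parse_qs(urlsplit(url).query).get("cid", [None])[0]
            return domain, cid, anchor
        # First foreign domain visited before the parking service is reached.
        if anchor is None and domain != typo:
            anchor = domain
    return None, None, None

def group(scans):
    """Group typo domains by service, by (service, Client ID) and by anchor."""
    by_service, by_client, by_anchor = (defaultdict(set) for _ in range(3))
    for primary, secondary_urls in scans:
        service, cid, anchor = analyze(primary, secondary_urls)
        if service is None:
            continue
        typo = site(primary)
        by_service[service].add(typo)
        if cid:
            by_client[(service, cid)].add(typo)
        if anchor:
            by_anchor[anchor].add(typo)
    return by_service, by_client, by_anchor

def rank(groups):
    """Largest group first, which is the order the analysis prioritizes."""
    return sorted(groups.items(), key=lambda item: (-len(item[1]), str(item[0])))

if __name__ == "__main__":
    for title, groups in zip(("service", "client", "anchor"), group(SCANS)):
        for key, typos in rank(groups):
            print(title, key, len(typos), sorted(typos))
```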

4.      Typo-Patrol Data Analysis

We first present two kinds of analysis to assess the prevalence of typo-squatting and to identify major domain parking services that are involved: vertical analysis uses a single type of typos for a large number of target domains; horizontal analysis uses multiple types of typos for a smaller set of target domains. Then, we present a case study in which we identified thousands of typo domains owned by a well-known typo-squatter. Finally, we investigate typo domains of children’s websites that serve questionable ads.

4.1.   Missing-dot Typos of Top 10,000 Sites

For the vertical analysis, we scanned the missing-dot typos of the 10,000 most popular domains. Our result showed that 5,094 (51%) of the 10,000 typo domains were active at the time of the scan. Figure 1 ranks the top six domain parking services by the number of typo domains that serve ads from them. We make the following observations: (1) the top two parking services clearly stand out, each covering approximately 20% of active typo domains (in addition, note that sedoparking.com uses the same ads-serving infrastructure as oingo.com according to http://www.sedoparking.com); (2) the top six parking services together account for more than half (59%) of the active domains and 30% of all the artificially generated missing-dot typo domains.

4.2.   Typo-Neighborhoods of Popular Sites and High-Risk Phishing Targets

For the horizontal analysis, we selected two sets of target domains: the first set consists of 30 of the most popular sites according to alexa.com; the second set consists of 30 high-risk targets of phishing attacks, selected from [18]. For each target domain, we scanned its typo-neighborhood composed of typo domains generated from all five typo-generation models. The two sets of results are shown in Figure 2 and Figure 3, respectively.

 

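| Rank | Parking service | # typos parked | % of active (5,094) | % of all (10,000) |
|------|-----------------|----------------|---------------------|-------------------|
| #1 | Information.com/Domainsponsor.com | 1,082 | 21% | 11% |
| #2 | Oingo.com | 992 | 20% | 9.9% |
| #3 | Sedoparking.com | 439 | 8.6% | 4.4% |
| #4 | Qsrch.com | 227 | 4.5% | 2.3% |
| #5 | Netster.com | 146 | 2.9% | 1.5% |
| #6 | Hitfarm.com | 109 | 2.1% | 1.1% |
|  | Total | 2,995 | 59% | 30% |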

Figure 1. Top six domain parking services in the missing-dot typo-neighborhoods of top 10,000 websites

 

 

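| Rank | Parking service | # typos parked | % of active (2,233) | % of all (3,136) |
|------|-----------------|----------------|---------------------|------------------|
| #1 | Oingo.com | 420 | 19% | 13% |
| #2 | Information.com/Domainsponsor.com | 306 | 14% | 9.8% |
| #3 | Sedoparking.com | 74 | 3.3% | 2.4% |
| #4 | Qsrch.com | 74 | 3.3% | 2.4% |
| #5 | Hitfarm.com | 69 | 3.1% | 2.2% |
| #6 | Netster.com | 50 | 2.2% | 1.6% |
|  | Total | 993 | 44% | 32% |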

Figure 2. Top six domain parking services in the typo-neighborhoods of 30 most popular websites

 

 

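| Rank | Parking service | # typos parked | % of active (1,596) | % of all (3,780) |
|------|-----------------|----------------|---------------------|------------------|
| #1 | Oingo.com | 695 | 44% | 18% |
| #2 | Information.com/Domainsponsor.com | 292 | 12% | 7.7% |
| #3 | Netster.com | 66 | 4.1% | 1.7% |
| #4 | Sedoparking.com | 60 | 3.8% | 1.6% |
| #5 | Hitfarm.com | 37 | 2.3% | 1.0% |
| #6 | Qsrch.com | 28 | 1.8% | 0.7% |
|  | Total | 1,178 | 67% | 31% |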

Figure 3. Top six domain parking services in the typo-neighborhoods of 30 high-risk phishing targets

 

We make the following observations: (1) in the two sets of scans, 71% (2,233/3,136) and 42% (1,596/3,780) of the generated typo domains were active, respectively; (2) the top six parking services remain the same across all three sets of data except for minor re-ordering of rankings; (3) again, the top two parking services stand out, even more so than in Figure 1; (4) the overall numbers for the top six services remain fairly consistent: they together account for 40% to 70% of active typo domains and around 30% of all generated typos.

4.3.   Case Study: A Large-Scale Typo-Squatter

A major typo-squatter has been observed to perform systematic typo-squatting on many target domains [2,14]. But there has been no estimate of how big its typo-squatting business is. Since it has been changing its registrant name in the WhoIs records, we will refer to the company as DomainSquatter in this paper. During our investigation, it became clear that DomainSquatter was parking a lot of domains with oingo.com and it was using anchor domains heavily. By analyzing traffic aggregation through tens of anchor domains in the horizontal analysis, we were able to identify the two Client IDs used by DomainSquatter, one for the typo domains and the other for the anchors. We then extracted all scanned domains parked with oingo.com that were using those two Client IDs and used WhoIs lookups to verify that almost all of them were registered to DomainSquatter.

Figure 4 shows that, among the total of 5,094+2,233+1,596=8,923 active typo domains from the three sets of data, 2,107 (24%) were parked with oingo.com and 1,607 (18%) were registered to DomainSquatter. That is, when a user made a typo and reached an active typo domain, one in every four such domains would serve ads from oingo.com and one in every six would profit DomainSquatter if the user clicks the ads. It is also significant to note that DomainSquatter accounted for 76% of the 2,107 typo domains parked with oingo.com. It did not appear to be targeting any specific industry, as speculated in [2]: it was squatting 29 of the 30 target domains in both sets used in the horizontal analysis.

 

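| Data set | # owned by DomainSquatter | # typos parked with oingo.com | % typos parked with oingo.com | % of active |
|----------|---------------------------|-------------------------------|-------------------------------|-------------|
| Figure 1 | 732 | 992 | 74% | 14% |
| Figure 2 | 310 | 420 | 74% | 14% |
| Figure 3 | 565 | 695 | 81% | 35% |
| Total | 1,607 | 2,107 | 76% | 18% |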

Figure 4. Large-scale, systematic typo-squatting by a major typo-squatter

Since we started reporting discovered typo domains at http://research.microsoft.com/Typo-Patrol in December 2005, DomainSquatter has been de-registering most of the reported domains almost on a daily basis. First, most of the anchor domains were abandoned (see the consistent traffic drops around mid-December across multiple anchors [19]). Then, the registrant names in most of the WhoIs records were changed [14]. In total, we reported 2,182 typo domains owned by DomainSquatter (including the 1,607 domains from the three data sets). Around mid-March 2006, we rescanned those 2,182 domains and found that 1,668 (76%) of them were no longer active. Among the remaining 514 active typo domains, 355 are still parked with oingo.com and 159 are parked with others. 

4.4.   Typo-Neighborhoods of Children’s Websites

In our final set of scans, we performed typo-patrol analysis on 50 popular children’s sites. The 50 neighborhoods contained 7,094 typo domains, among which 2,685 (38%) domains were active. By parsing the HTTP responses for sexually-explicit keywords and by manually screening the recorded screenshots to locate other suspects, we found a total of 110 (4.1% of 2,685) domains that contained questionable content: four domains redirected to adult sites directly, 36 domains contained at least one conspicuous link to an adult site, and the remaining domains displayed at least one conspicuous adult-category link to a page of adult ads listings.

By analyzing the third-party URL traffic, we found that the top two domain parking services together were responsible for serving ads on 80% of those 110 typo domains: 53 (46.5%) domains parked with oingo.com and 37 (33.6%) domains parked with information.com/domainsponsor.com. Among the 53 domains, 46 were registered to DomainSquatter and an analysis of those 46 domains revealed three safety issues with domain parking.

First, typo-squatters can park an anchor domain with a sexually-explicit name such as http://freexxxlinks.us to “trick” domain parking services into serving questionable ads and then redirect typo domains of children’s websites to that anchor so that the ads are displayed to children who made a typo. For example, 20 typo domains of the children’s website http://flashplayer.com were redirected to http://freexxxlinks.us [6].

Second, sometimes domain parking services were serving adult ads even on anchor domains that do not have a sexually-explicit name, e.g., http://disnryland.com, which was an anchor for typos of http://kimpossible.com [6]. We speculate that the typo-squatter might have explicitly specified sexually-explicit keywords in order to trick the parking service’s contextual-ads algorithm into serving questionable ads.

The third issue is inherent to the fact that domain parking is a special case of advertisement syndication: given merely a domain name like gropvygirls.com [6], the algorithm may not have sufficient knowledge to determine that it is a typo domain of the children’s website groovygirls.com, and may make a mistake in deriving the keywords and result in inappropriate advertisements being displayed to children.

Soon after the troubling practice was exposed in mid-December 2005 [3], the two anchor domains http://disnryland.com and http://freexxxlinks.us that together were responsible for 26 of the 110 typo domains were removed. After the practice attracted public attention again due to our tool release in April 2006 [20], another round of ads cleaning was done to remove questionable ads.

5.      Strider URL Tracer with Typo-Patrol

Motivated by the prevalence of typo-squatting, we developed a tool, named Strider URL Tracer [21], to provide users with visibility and control over third-party traffic, which has mostly remained under the cover for the past decade.

The tracer provides four main functionalities. It supports a “URL Scan History” view that records the timestamp of each primary URL visited and its associated secondary URLs, grouped by domains. It supports an alternative “Top Domain” view that, for each secondary-URL domain, displays all the visited primary URLs that generated traffic to it. Domains associated with more primary URLs are displayed closer to the top. For every URL displayed in either of the views, the tool provides a right-click menu with two options: the “Go” option that allows the URL to be revisited (so that the user can figure out which ad came from which URL) and the “Block” option that allows blocking of all future traffic to and from that domain.

We envision the URL tracer to be used primarily in three scenarios. The first scenario is an on-demand investigation tool. When a browser user encounters any questionable content from an unknown source, she can use the “browser history patrol” feature to rescan recently visited URLs, use “Go” to determine which URL was responsible for serving the content, and use “Block” to prevent the browser from visiting that domain in the future.

The second scenario is a typo-patrol tool used by trademark owners who want to monitor typo domains. It is often too expensive for target-domain owners to investigate and take actions against a large number of individual typo domains. We have incorporated into the tool a feature that takes a target domain name and automatically generates and scans its typo-neighborhood. The trademark owner can then use the “Top Domain” view to identify those parking services that are heavily involved. This domain parking-based analysis provides an efficient and low-cost solution for the owners to file multi-domain complaints with major parking services (e.g., [22]) to request banning of typo domains from their parking programs. Together with IP address-based grouping, such analysis also facilitates grouping of multiple typo domains that are owned by the same registrant and/or hosted by the same ISP. This makes it easier for trademark owners to file multi-domain disputes against typo-domain registrants and to send multi-domain takedown notices to the hosting ISPs.

In the third scenario, the scanning and data analysis portion of Strider Typo-Patrol can be applied to non-typo questionable domains as well, which may be obtained from reverse IP lookups, DNS zone files, services that monitor new domain registrations, etc. For example, we scanned a list of 3,990 domains, all of which contain “microsoft” (without any typo) in their domain names. Our scan determined that 2,938 of them were active and the six domain parking services identified in this paper together parked 949 domains, or 32%. Again, the top two stood out: oingo.com parked 509 (17%) domains (of which 351 were linked to DomainSquatter’s Client IDs); Information.com/Domainsponsor.com parked 321 (11%) domains. This preliminary investigation reveals that certain domain parking services may be profiting directly from well-known brand names, in addition to their typos.

6.      Related Work

Domain-name typo-squatting has received increasing attention over the past few years [1,4]. However, the community’s understanding of the typo-squatting practice has been mostly based on individual cases through manual and ad-hoc investigations. Our Typo-Patrol work proposes the first automatic and systematic approach to discovering and analyzing typo domains and typo-squatters. 

The Fiddler HTTP Debugging Proxy [23] intercepts all browser traffic. It provides more powerful traffic monitoring and control capabilities than the Strider URL Tracer. But it does not provide primary-secondary associations, which are essential for typo patrol.

The domain blocking functionality already exists in a few different forms, but it has not been integrated with the browsing history as an online, on-demand feature. For example, Firefox users can use the userContent.css file to block selected domains [24] and Internet Explorer users typically use the Windows hosts files to block unwanted ads [25]. In contrast with these two mechanisms which are usually used to perform wholesale blocking of all ads, our tool allows the users to see which ad came from which domain and gives them the power to use on-demand domain blocking to discourage advertising companies from serving questionable ads without blocking legitimate ads.

Third-party URLs have been used by malicious websites to execute and install malcode on client machines [5] and by advertising and web analytics companies to implement web beacons (or web bugs) to track users’ browsing behaviors [26]. The Strider URL Tracer can be used to expose those behind-the-scenes exploiters that pretend to be advertisement syndicators, but serve vulnerability-exploiting scripts instead of ads [5]. The “Top Domain” view is particularly useful for exposing web beacons.

The homograph attack is another way to create misleading domain names of popular websites by replacing some of the characters with other visually similar ones, possibly from a different language [27]. A recent study by Holgers et al. [28] showed that currently homograph attacks are rare and not severe; like typo-squatting domains, most “homographed” domains serve advertisements.

7.      Discussions

It is important to note that the typo-squatting domains scanned by Strider Typo-Patrol are generated automatically based on a set of typo-generation algorithms. Final determination of whether they are registered in bad faith or in violation of trademark rules is up to the trademark owners, the parking services, and the domain dispute process. It is possible that an algorithmically generated typo domain happens to be another legitimate domain. 

Second, we believe that most domain parking services are legitimate advertising companies. Many of them have stated trademark policies and rules [22,29] but, until now, it has not been an easy task for them to distinguish legitimate domains from typo-squatting domains. We encourage parking services to use our tool to identify systematic typo-squatting domains in their parking programs and to identify large-scale typo-squatters among their customers.

8.      Summary

We have described Strider Typo-Patrol for automatic discovery and systematic analysis of typo-squatting domains. By scanning three sets of typo domains and analyzing their third-party URL traffic, we have identified two domain parking services that are particularly active in serving ads on at least thousands of typo domains, and found that the top six parking services are responsible for parking around 30% of all algorithmically generated typo domains and 40%~70% of the active ones. We have discovered thousands of typo domains registered to a well-known, large-scale typo-squatter, who according to our study was responsible for as many as 76% of all typo domains parked with a major parking service oingo.com [30], or 18% of all active typo domains from our scans. This typo-squatter was also responsible for a significant percentage of typo domains of children’s websites that were serving questionable ads. We have developed the Strider URL Tracer with Typo-Patrol to help provide visibility into the typo-squatting business practice and to allow owners of popular websites to monitor potential violations of their trademarks.

References

[1] Benjamin Edelman, “Large-Scale Registration of Domains with Typographical Errors,” Sept. 2003, http://cyber.law.harvard.edu/people/edelman/typo-domains/.

[2] Will Sturgeon, “Serial typo-squatters target security firms,” ZDNet, Sep. 19, 2005, http://news.zdnet.com/2100-1009_22-5873001.html.

[3] Strider Typo-Patrol, http://research.microsoft.com/Typo-Patrol.

[4] “Googkle.com installed malware by exploiting browser vulnerabilities,” http://www.f-secure.com/v-descs/googkle.shtml.  

[5] Yi-Min Wang, et al., “Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities”, in Proc. NDSS, February 2006.

[6] Screenshots of questionable advertisements, http://research.microsoft.com/Typo-Patrol/screenshots.htm.  

[7] “Truth in Domain Names Act of 2003,” http://www.cybertelecom.org/dns/truth.htm.

[8] Anticybersquatting Consumer Protection Act (ACPA), http://www.patents.com/acpa.htm, November 29, 1999.

[9] Uniform Domain-Name Dispute-Resolution Policy (UDRP), http://www.icann.org/udrp/udrp.htm.

[10] “Cybersquatter Fined $100,000 Per Domain Name,” http://www.gigalaw.com/articles/2000-all/isenberg-2000-11a-all.html, November 2000.

[11] “Typogoogling,” http://www.f-secure.com/weblog/archives/archive-122005.html#00000743.

[12] Domain potential, https://partner.dotzup.com/flush.html.

[13] Screenshots of sample parked domains, http://research.microsoft.com/URLTracer/Parked_Domains.htm. 

[14] Numerous domain name dispute cases against Unasi, Inc., http://research.microsoft.com/Typo-Patrol/default.htm#Unasi.  

[15] Ryan Naraine, “MS Research: Typo-Squatters Are Gaming Google,” eWeek.com, December 19, 2005, http://www.eweek.com/article2/0,1895,1903695,00.asp.

[16] Bulk registration pricing, https://www.godaddy.com/gdshop/registrar/bulkprices.asp?se=%2B&ci=176.

[17] WhoIs lookup, http://domaintools.com or http://whois.ws. 

[18] Millersmiles Phishing Scams by Targeted Company, http://www.millersmiles.co.uk/scams.php.

[19] Abandoned anchor domains for oingo-parked typo domains, http://research.microsoft.com/Typo-Patrol/Major_Anchors.htm.

[20] “Microsoft 'URL Tracer' Hunts Typosquatters,” Slashdot, http://it.slashdot.org/article.pl?sid=06/04/07/1818228&threshold=-1, April 7, 2006.

[21] Strider URL Tracer with Typo-Patrol, http://research.microsoft.com/URLTracer/.

[22] Google AdSense for Domains Trademark Complaint Procedure, http://www.google.com/tm_complaint_afd.html.

[23] Fiddler HTTP Debugging Proxy https://fiddlertool.com/fiddler/. 

[24] Blocking advertisement with the Firefox userContent.css file, http://www.mozilla.org/support/firefox/adblock.html.

[25] Blocking Unwanted Parasites with a Hosts File, http://www.mvps.org/winhelp2002/hosts.htm.

[26] Stefanie Olsen, “Ad firms set rules for Web tracking bugs,” CNET News.com, November 26, 2002, http://news.com.com/Ad+firms+set+rules+for+Web+tracking+bugs/2100-1023_3-975385.html?tag=st.ref.goo.

[27] Evgeniy Gabrilovich and Alex Gontmakher, “The Homograph Attack”, Communications of the ACM, 45(2):128, February 2002.

[28] Tobias Holgers, David E. Watson, and Steven D. Gribble, “Cutting through the Confusion: A Measurement Study of Homograph Attacks,” in Proc. USENIX Annual Technical Conference, June 2006.

[29] DomainSponsor Terms of Use, http://www.domainsponsor.com/terms.html.

[30] Google AdSense for domains, http://www.google.com/domainpark/.

 

 


 

Last changed: 17 August 2006 ljc