Search Engines - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Search Engines


MS Research: Typo-Squatters Are Gaming Google



 By: Ryan Naraine
2005-12-19
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Search Engines story.


Rate This Article:
Poor Best
Lab rats at Redmond extend the Strider HoneyMonkey exploit detection system to find a large-scale, systematic typo-squatting scheme that is gaming Google's AdSense for domains program.

Researchers at Microsoft Corp. have blown the lid off a large-scale, typo-squatting scheme that uses multi-layer URL redirection to game Googles AdSense for domains program.

The scheme was uncovered when Redmond lab rats decided to extend its HoneyMonkey exploit detection system, a project that runs automatic and systematic Web scans to investigate the seedier side of the Internet.

With the new Strider Typo-Patrol System, the Microsoft Research Systems Management Research Group was able to track down a ring of typo-squatters registering misspelled domain names and generating traffic to serve advertising from Google.

Using five programmatic typo-generation models, the researchers pinpointed a series of domain-registration structures being used by "major typo-squatters" to steal traffic from some of the biggest Internet brands, including Amazon.com, Expedia.com and Mapquest.com.

Strider HoneyMonkey: Trawling for Windows exploits. Click here to read more.

The scheme was traced to Unasi Inc., a company registered in Panama. Almost all of the misspelled URLs found are parked with Oingo.com, a domain parking server owned by Google Inc.

According to data from Microsoft, domain names are being registered with deliberate missing-dot typos, character omission typos, character permutation typos, character replacement typos and character insertion typos.

Resource Library:

For example, instead of the legitimate "www.microsoft.com," the domain "www.microsokft.com" has been registered and set up to redirect to another misspelled domain that currently serves up Google AdSense advertising for software products.

Some of the domains move around between domain parking services or between anchor domains over time as part of a "multi-layer redirection structure" that makes it difficult to trace.

The Microsoft researchers found that Web sites aimed at kids were a regular target. Several variations of Disney Channels "kimpossible.com" have been registered and all redirect to a parked anchor for the misspelled "disnryland.com." On that site, Google AdSense ads for adult content and pornography are being served.

The data from the Strider Typo-Patrol System also highlighted the use of typo-squatting in phishing attacks. Web sites belonging to Bank of America Corp., Barclays Bank PLC., Citigroup Inc. have all been targeted, with misspelled variations of domains pointing to fake banking sites with Google ads tailored to financial services.

In an interesting twist, the Google ads sometimes point back to the actual site that is deliberately misspelled, meaning that companies are paying per-click fees to the scammers.

The key to the scheme is Googles Google AdSense for domains program, which lets users split revenue from advertising served on parked domains. Google boasts that the service powers more than 3 million domain names.

However, as the Microsoft researchers point out, the use of deliberately misspelled URLs in the program may be a violation of Googles terms of service that clearly restricts "site promotion of incentive or fraudulent clicking."

Microsoft unwraps HoneyMonkey detection project. Click here to read more.

Google itself has been a target of typo-squatters. Earlier this year, the deliberately misspelled "googkle.com" domain was used to install Trojan droppers, downloaders, backdoors and spyware when an unsuspecting surfer mistyped the search giants domain name.

Google filed a complaint with the National Arbitration Forum and won the rights to several of the misspelled domain names.

Several anti-virus vendors have also seen evidence of typo-squatters making money by redirecting surfers to fake sites packed with Google AdSense ads.

More than two months after Finnish anti-virus specialist F-Secure Corp. complained that it was a favorite target of the typo-squatters, the fake sites are still up and running and serving Google ads.

So far, the researchers say they have not found any exploit sites hosted on typo-squatting domains. However, Microsoft believes the Strider Typo-Patrol System can help domain-parking service providers monitor the parked domains they are hosting for questionable behaviors.

Ben Edelman, a security researcher and Harvard University Ph.D. candidate, said Googles domain parking system is "full of very troubling registrations."

"Its not uncommon to see [misspelled] domains like bankofdamerica.com, which ultimately get all of their revenue from Google, yet which are clearly prohibited under settled trademark law," Edelman said.

"That doesnt seem to bother Google, though; Google takes the odd position that theyre not responsible for where their ads end up, even when theyre paying domain registrants to show the ads there."

Click here to read about typo-squatters targeting anti-virus vendors.

Edelman, who has written extensively on the problem of Large-Scale Registration of Domains with Typographical Errors, said Google is supporting the shady business.

"[By] dramatically increasing the revenue that cyber-squatters can earn, Google encourages the cyber-squatting business and makes marginal squatting domains profitable—further increasing the scope of this problem," he added.

"Its particularly troubling when a cyber-squatters Google ads end up promoting the very merchant whos being squatted on. Then the advertiser ends up paying for traffic on their own typos—with Google and the cyber-squatter making money as a result," Edelman said.

"All in all, Googles house is not in order here. Google has put its own profits above the rights of Web site owners. My advice to Google is to clean up its act—to think carefully about where they really want their ads to appear, and to terminate any "partners" who dont measure up."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: MS Research: Typo-Squatters Are Gaming Google
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Search Engines Articles          >>> More By Ryan Naraine
 


x}ks㶲*Q3"R%uƶ|,Lj I)l+ /=hL3S%l~h|G޻$;arsc }{Τ>w߽ ߛF0mTE[Ϡ^#N-w5 E]0eNFNv@\~}@^sFwD%x_'Щ=ѩ&€wɔi(4ߙ =/3mB}F7\3cgbھ6IE9JDqDRงGEQH} c [tV;v oT| pfL&;=a>$%%k4ًʏqGOw0{/<P;U;a-r[hP;UyaUh -\r."L{y4ɿT՝ D=iTV,w2BL b#2R!1;T*%T63-晚u@|͖|cXulAf@h ɠݢq/!_Cp`eŭFȋ #Ϟ~b>4 .ܺa?uocZV[uϙ!{֛i],$X∍YZ0wC&>dPtpXdq#}9e4nmަ[G\jrT*uT?Mp}˴&2[ѹK\/ݳ `|pdi-v5P,a*.'׽~t@.{:Qc'H|'k[oDZ.JX<%ȇ¤Tb= u P%oJ^ JPT\jGzZzO`F`%pbQUr򳩥s9\_]w2蜜_w;H>߈ekby1jPAb(`W:kԩ^tܜo/9nMI{#)|v5 0\68֪׷V7`KėvO^3Q&ںa#j庤~Fb;|io]}<>$7Yn_gs`lDiYܹ̑\yǛȃka(7F`XӀ7? iP2Z-8X@.@ש#07oZy۬) Rƒ 4Ks;j\K0[#RFp JpJq䰉c,XSl \MFo J@M2X U >YtBFͨ8 .+J""xN3 E94>BBp4k4N< YC!ʠڴb{\gfS4!E&-`;^h>[ <[ KPA}x3껍\&z(4H h&r<kIMlLJ.??6 ; G`rɝ 5y05ݻ#i`y1yjQ?]*~hs`-w= } w,߃9#z[LKx GN }p C|'s\(L7^"{"ڂ"D%  h4AǰEEN@@7;.V˥\.3=ry !sg r\B;7քRZ z)0 eVRiG]-&D7r"e.G7Kᙖ6F5oY*)GBROG4MǦnf#@jiK0Pl;ik`0Ԑ(ʲMg9@Ϲh I߱(Y@aEдBk`JAqyc]@kjwtlS̴a85)ՠmZ&4D ڛ:uVs]ˤF@k8-uc k2 FE'6`FUMR|%|rI2ۿP.MmEc7˅L4 +׬uPL g<)*[hs< ):ȭOs1r@堠T᧒rH1g0dz?Ԍ;Oq=1:37RtfZC+>q^i:[OeSZqlzQn^ӛA| ~ޮLR[kYF&ۊx A-ژ WZڄ"JMP>L2Cɣ($mU2L? 7u(= > XԂ\Te_- }d2cFUbrA)Tc%ڬY;l d AqFN͐`AFVLl9K[W),֩w⸀=".H{L)cg@>`ǟG )a!w1JoX,,qTԚLs0z q X@XĞ.Cб3|ee?. {eKKq6O;z+@oLt Dm Ǧ#|ZlB{Os=1W}Z`"o@dX)+EUqH~6=2.eX"{;gcOf:Y$ Fi.z20y8pE5  dj>'xo'<CXu~"}lm Hsm"T0|*U*U `nR@@й٩%7].KIhlT{BS7ߏ90gxWyd.3IZ+k(TT\=*ju|}s??]ex$R9tc~yZ_[ Qݩ ?ӇhO?+!v8k0{NwK\i C#]\V`eaSF=Hdod@\w. )ұ)<:M7\S j¹5`1}Y!.Ծ7)X=0` 7yഩ 9]RӲ(jdԈ̀|d0+!瞏 +ӥy ֟#gncFAafzžiJ^+5"+Q3bRThα{t;bG d,b;]xbl_=_3>(n/M3DJ1N*,7؄AT[3edjCW9.^ٸ İhwyBoKD"+>AΊ7sP  r߼Ap%6A1 ,]۠|U4Mt0c 3`}LË@5# "Y=A(SPc0<](huXiE=uufD]lУA$v)`\EpXH;m%C> P5ĺqK)+J,P_A Ұg /s_5u_&qDyC[VUeH G2gFTIHV mZ\gmoꞃj&l؞MXosPA%BGq {a/;#n7")@ހؔ:Zik.bIw :[v¼u[ XLh;ɲCXvIW4c V*J3dVV *N+ԤBVڳ$P` ۗ<0%qx*L<}zm_1{_qc{<"%ϟnC >h;IRP^{ s 0`!`T={"P?lV(b Q *s>P|oa m(/ aV*S79~.RH#$ |¯͸ D@7wZXa7&3ẉ9914/xqq`zP)o$/I4S2:;_tMb/axm$Qԕº}wmIjO{u=|\ Ыغ~xlC:(#r?DGZ}cq Ou>"u/۝ˇ׽m{zY^ٷAY=; J@FG$=ĸڈ}dvj56|v9A 72ߋO4|7.IwOeGJ:7]w9"臗Z,Y#0BwZ!ͦ vpRdqH/= B_KݹĂKÜ I*D|=d_ ,7ϐAYTth0ZSgޚQ Bb/3BߐdLZ# (ʑ=`` ɈvuJN α@$B@npkz!NU e,$+e3ғ2p&;'' <9xEщ ~KiV T t~i1ў.W` eIdkf+6I';? $ubS`ۇ;s30i!^o <%Ez:@7dj#J M5"v=O[?quσx1ðaTwJde~=m1m]$L<1GђL)dJHF=)! ˓$-I^O eq (KBK 3>e&ޞ,Hu=Ym@ybZӽK3%݋;/,-WI+L#/EiA0 'PR#A[xqP>XR4jշɫT~,Ƈ'b.Lx~@0EZ䐜zC>?uUbf=z@L{'q?Kl82UtsX6rw{B s?ݡMO6r=ICo6ϴy>% zv`蹳 =`}dž-{oCЂ'O4dkwD /'NyWz7ngm,dk.}?H/K턟isGdLg!I ɫj!_UH**s攤˾X ƣb;`@Ɍ7CGҁ;W&-3(mm3{zi-8_2{KN7+{Ub5o14L,*zj6;l-39&i ј@.u,vx54Y aAXy h79; 91<P`-ݺܭ1J "i#ĠHߙӾ4rEs _5 4:a6r*|"ZyVa? WoE[ά$g3o-(oǜxj TWe/W/__B !]sh3[a@(w#OƥG/>qlh`jox?̴afw.krw ]`x,ܦэ$U>>\6wHi~O:I b[}]%GoR\ hޠ"TV;$>b)S<YL1XoǣJ]-Pb{ ?a~4Q.&Jbg%E @[Ne6CAŤR0!R^P7Ӧft?5]_x}.1+ ӴIgsŘo9pkgs.H"x#pxxhG\ySTP2OI'V3 oHJIRo'2ȭr钤=j6u`M%zܐs3 8X춀EE+"$oʮ4V4VB435YX-<z3˻NC۹zԆkchX~v <9;%uʱL*R|)&?$C[ H؂p݈H-lVkuY@S%lI7Z&& MGd#u5\gw'azPRkb0T7w:$2[g|[R\k= 3'x\InSglBӥRwaʡUVc a8Ϸg8&iAƳ^40}_Kaq-br/*& oD%M ~y܏m-ڢ%;&ԟ:Ϗo, nlx+=ν6=phCjfo9u/`tޠѽww=^ub%M>0T,-@kFV< p>  2'Dd"s$LfE JD0"%| [R;ђ^bw yG%AJRa@\YP0`5*"Ԑ.glOl Sl⓱5–q#|>lh`CC_!Z_͗]CV9;9;9;9;_X02XCo`Yl1MfIWq<2x4p m0!HVMZ2pHhD$ibC_y;.B4Un>3 e#&G؅V@k#.WZ/~#7geܷ5:.X-[ +x ǿ9Gon_d o{[ Tҥa y;YBS9.ͤ¶/ro6`vl-1OTŋa{OzJaۅqdyΜ;mV)_j2/dGbr,}JۼC؂_NFTˬ2x$Q1 ƹ2Xg5skx([0 L7z- |py0KǠKt{k;4(PgY>k~v~^_k=[_UkYrw2$oM {8S[xz1L D17f lc"R9?ta{|e>O{: ũ߳yxި(ځ`nK9ƵVxrڞLvm`/ ZihF!i3Opl :@~XPAft~GD)f+;aiԿG)4E;Ls4}돐Su&.[{쏉;T= ? KL)`G%%C~0C_{m3駠T#=Ao,DcJ~x{ U֏;@م/=`|'XRaw9Ƕ5ܨƫcb>RX+eW$5X@:[eR] яTeQOj('OUsnJN(aZ',&JjidW}$F:tyϹgDG+h긶fa&^ 0ka("BC@ O^a)qc) kpx΃L,TNCAEy34keaɰ1fSYh`!ncb9WJ]]ϹOQ.K]ZXuZ.{f@]&^J"r\餷 G]!D^tpU9 &u0Z`6)lX+V+PTjR;rC; }yjT fG@V08 KV7L9` s"p ,TO䲈G]x#qKGF^.JZ%5Y 2ORa*d1Q PxxX bkɯ'B|>ķd1m˖C_`wk!V]K5ʮsQǣT (RfWޝj_$|'l6 Ҧ3 vl"6\%pp|#V_؄z%|#MX U``Jh56q3di<* ):x*}"ҋ0U<11t+PʲjNT\OpYIoH((]U# `xMfꞓM3taC_8s&Kp`#o{aڂ.2 }<@Ă 0y|tH ]TW 3<9:\K:Wк|U-~m#k^bʑf6)[ѹp}WJ chT`sj4Hd5B&t857>|?_iN0% aArljTH 1bNx ֭9ӈ iur6#[_j H> z+?,QY G3wأ.|>P+d/(U,%@S"V21n Q@J ͍$&\on`:>0"(S[]ă0>]q{4+۠50 01YK7`C'[UE9Y|oby` ?v'c.us x\jJIj$!Ѕ8i,)@"!9͉ )&1a]NMݗYLaP8\  +z+5'I]SP)r!xW`ǪZNAPv'Чx5nV?W.4!W)WTh 4rR!G쌆xɺk$:jp 6ZWWiuC'ݫAwI;<m[8Z?N9?>v/;W@ca/湶xQ(;OFYuavʜTδ.ͅdUh,Y384dG_14elRx#Uüz1ű2 Pl?z [u/dc+t?őt|Yb12;ZTnh9jsY}h5}V08S~s2 Nn<(('-VFy{HmAQ~'O?yny\mvF9?t/3ʡ݌埡s]"c~.`Y\d1 ϋ ȠOˌ_~OgP~Q(GF_d^f%e\]f_O/C@2U}\W_\gOoAA6A_SV9S>>eoʁ~o2ڿh&N22u S.ryA/ ȋOY射<(Cy<Ì+f/^+sk3c_?+q{uk'R+ ]Q%|A}%kgF1nvd bCa 5KPe^ۛTCGP78%Y}MJ 4tk 7b[yDYQI{R}tEI>tqLw<-cENZ9.~QxdR$8V0'fY !k3n-(s#h60 .Ñp[y剹?|k2xwi0? ۓ{ W]6tpSn&/0 0.: 7W=Mԕ\ڎvڝGfmzumePsvdmoCdx^$ٟC=G}l<-u&j\e)f(+@J~t pyigzY~8=hu^Le|xzaQd,m4Tq< 9s u8i${ VH&Y$'}p)Bcع1]ӧ h!G+ 6\zь8&,P3ebHH ZjZVrG'׈dr :〈{ӗ $`rBEKUr(RB4|GۤW)I74 yVI8asn%[z"z…~@NL6R_mR^PռD<'M~ m

j_`ԃ`wƨxMXH-̷_bM45~ɱdL(1 kEF(t#B$N*׽b$3u'{E5˺1,{ԟ#1H YY/5ptwkdIM &Ah&.5b8gKsJ'Ҧwr\豻$Vp.Q =nVUPr7!N_vO}5Wp\eC[g)2D~gF=&*P=Em- e'r}7{ /ݤd/+1bN%vm=i*i/ K7⏄wzH,g AQN|B,[Kl`yB`t0լ`*sˠvSl]@_v܅iUhHm;:ֵd2֭0kc'p'!-X|wVulϝ'8G dd9a7Cx-_u`'~"3V[sA6h4_@&s ܈}o\I #OxCr8vI W96O-  `ↈme6E5f*R8WD K1)YBAł?Qg;KC` pcQ!*]^x[9@xeѵh_੬Q;Y?] m-1k8~m=fu{+Urcdk{f:ePeXl'ᠢ׀5V`9ʒH_S(|9NQnãÍGHoǸ׬[ [ qy6`;Щ1D\ZvE9bꛦ\ ШpKTؕEld3^kgycD]Y>;Ѝ O1ngNb *φŀ𞭟{̾16 \f+1ͱOUt g)dv̅2 !γyyu~ҕ^)I_cQd+8*)ؐsk`$bO1,F Ov7@ 'Ɣ ϰ" s+2),],S'>zo.^3 {e75wHDR#.&i|Ђ! gn耵]1fBO .4W6K54Ƙ`>W{&Lۯ6 92lv* X6ˢŬ"&D0ȭ'R:tsh{h۟XsT*Ba$9R3 ⛉Eb F.t1\W04xq~aʩȩ(|m_\%hw2b5ŠbiOR<'\B/0,"6xĊ{NŹ|]r-^@:m]t?Jzfk`gg᳣~NXvQJUVnw/'+U={T7w r9̳`bhPlP B5Nbi~wۊX#iQfrYOJVJ۽wߺ"f/F ۲M*i29Z{) qE֫"mxTɉY;z[;6Nw6˄M b;d1Բ)