Researchers at Microsoft Corp. have blown the lid off a large-scale, typo-squatting scheme that uses multi-layer URL redirection to game Google's AdSense for domains program.
The scheme was uncovered when Redmond lab rats decided to extend the company's HoneyMonkey exploit detection system, a project that runs automatic and systematic Web scans to investigate the seedier side of the Internet.
With the new Strider Typo-Patrol System, the Microsoft Research Systems Management Research Group was able to track down a ring of typo-squatters registering misspelled domain names and generating traffic to serve advertising from Google.
Using five programmatic typo-generation models, the researchers pinpointed a series of domain-registration structures being used by "major typo-squatters" to steal traffic from some of the biggest Internet brands, including Amazon.com, Expedia.com and Mapquest.com.
The scheme was traced to Unasi Inc., a company registered in Panama. Almost all of the misspelled URLs found are parked with Oingo.com, a domain parking server owned by Google Inc.
According to data from Microsoft, domain names are being registered with deliberate missing-dot typos, character omission typos, character permutation typos, character replacement typos and character insertion typos.
For example, instead of the legitimate "www.microsoft.com," the domain "www.microsokft.com" has been registered and set up to redirect to another misspelled domain that currently serves up Google AdSense advertising for software products.
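The five typo models listed above, as an added example that is not part of the article or of Microsoft's Strider Typo-Patrol code: it generates the candidate look-alike hosts for a brand host and classifies an observed host by the model that produced it, which is the triage a brand owner or parking provider would run over its own domain lists. It assumes typos target the label immediately left of the TLD, a lowercase a-z alphabet, and one edit per candidate; "wwwmicrosoft.com" in the demo is constructed, the other hosts are the ones the article names.

```python
import string

ALPHABET = string.ascii_lowercase
MODELS = ("missing_dot", "omission", "permutation", "replacement", "insertion")

def _split(host):
    """'www.microsoft.com' -> (['www'], 'microsoft', 'com'); typos target the brand label."""
    labels = host.lower().strip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]

def typo_candidates(host):
    """Return {model: set(candidate hosts)} for the five typo models."""
    prefix, brand, tld = _split(host)
    join = lambda b: ".".join(prefix + [b, tld])
    out = {m: set() for m in MODELS}
    # missing-dot: drop one dot left of the TLD, e.g. www.microsoft.com -> wwwmicrosoft.com
    left = ".".join(prefix + [brand])
    for i, ch in enumerate(left):
        if ch == ".":
            out["missing_dot"].add(left[:i] + left[i + 1:] + "." + tld)
    for i, ch in enumerate(brand):
        if len(brand) > 1:                                   # omission: drop one character
            out["omission"].add(join(brand[:i] + brand[i + 1:]))
        if i + 1 < len(brand) and brand[i] != brand[i + 1]:  # permutation: swap neighbours
            out["permutation"].add(join(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:]))
        for c in ALPHABET:                                   # replacement: substitute one character
            if c != ch:
                out["replacement"].add(join(brand[:i] + c + brand[i + 1:]))
    for i in range(len(brand) + 1):                          # insertion: add one character anywhere
        for c in ALPHABET:
            out["insertion"].add(join(brand[:i] + c + brand[i:]))
    return out

def classify(observed, brand_host):
    """Name the typo model that maps brand_host to observed, or None if it is not a one-edit typo."""
    observed = observed.lower()
    for model, cands in typo_candidates(brand_host).items():
        if observed in cands:
            return model
    return None

if __name__ == "__main__":
    # Hosts named in the article plus one constructed missing-dot case, checked against their brands.
    for seen, brand in [("www.microsokft.com", "www.microsoft.com"),
                        ("disnryland.com", "disneyland.com"),
                        ("bankofdamerica.com", "bankofamerica.com"),
                        ("wwwmicrosoft.com", "www.microsoft.com")]:
        print(f"{seen:22} <- {brand:20} {classify(seen, brand)}")
```

Resolving each candidate in DNS and following its redirect chain (what Typo-Patrol does at scale) is the step that turns this list into a monitoring feed.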
Some of the domains move around between domain parking services or between anchor domains over time as part of a "multi-layer redirection structure" that makes it difficult to trace.
The Microsoft researchers found that Web sites aimed at kids were a regular target. Several variations of Disney Channel's "kimpossible.com" have been registered, and all redirect to a parked anchor for the misspelled "disnryland.com." On that site, Google AdSense ads for adult content and pornography are being served.
The data from the Strider Typo-Patrol System also highlighted the use of typo-squatting in phishing attacks. Web sites belonging to Bank of America Corp., Barclays Bank PLC and Citigroup Inc. have all been targeted, with misspelled variations of domains pointing to fake banking sites with Google ads tailored to financial services.
In an interesting twist, the Google ads sometimes point back to the actual site that is deliberately misspelled, meaning that companies are paying per-click fees to the scammers.
The key to the scheme is Google's AdSense for domains program, which lets users split revenue from advertising served on parked domains. Google boasts that the service powers more than 3 million domain names.
However, as the Microsoft researchers point out, the use of deliberately misspelled URLs in the program may be a violation of Google's terms of service, which clearly restrict "site promotion of incentive or fraudulent clicking."
Google itself has been a target of typo-squatters. Earlier this year, the deliberately misspelled "googkle.com" domain was used to install Trojan droppers, downloaders, backdoors and spyware when an unsuspecting surfer mistyped the search giant's domain name.
Google filed a complaint with the National Arbitration Forum and won the rights to several of the misspelled domain names.
Several anti-virus vendors have also seen evidence of typo-squatters making money by redirecting surfers to fake sites packed with Google AdSense ads.
More than two months after Finnish anti-virus specialist F-Secure Corp. complained that it was a favorite target of the typo-squatters, the fake sites are still up and running and serving Google ads.
So far, the researchers say they have not found any exploit sites hosted on typo-squatting domains. However, Microsoft believes the Strider Typo-Patrol System can help domain-parking service providers monitor the parked domains they are hosting for questionable behaviors.
Ben Edelman, a security researcher and Harvard University Ph.D. candidate, said Google's domain parking system is "full of very troubling registrations."
"It's not uncommon to see [misspelled] domains like bankofdamerica.com, which ultimately get all of their revenue from Google, yet which are clearly prohibited under settled trademark law," Edelman said.
"That doesn't seem to bother Google, though; Google takes the odd position that they're not responsible for where their ads end up, even when they're paying domain registrants to show the ads there."
Edelman, who has written extensively on the problem in "Large-Scale Registration of Domains with Typographical Errors," said Google is supporting the shady business.
"[By] dramatically increasing the revenue that cyber-squatters can earn, Google encourages the cyber-squatting business and makes marginal squatting domains profitable—further increasing the scope of this problem," he added.
"It's particularly troubling when a cyber-squatter's Google ads end up promoting the very merchant who's being squatted on. Then the advertiser ends up paying for traffic on their own typos—with Google and the cyber-squatter making money as a result," Edelman said.
"All in all, Google's house is not in order here. Google has put its own profits above the rights of Web site owners. My advice to Google is to clean up its act—to think carefully about where they really want their ads to appear, and to terminate any 'partners' who don't measure up."