How costly is that typo?

Security products are essential for enterprises, vendors and end users to survive the current network environment. Ideally, which security products are to be deployed should depend on the costs and the benefits. While the cost can be easily quantified by the money spent or the deployment and management effort, how to assess the benefit of security products remains an open question. Oftentimes, the benefit is quantified by the number of detected bugs, cleaned malware, blocked spam or stolen credentials discovered. While these are all meaningful metrics, we can’t use them to conclude the direct impact to people’s daily lives.

Take for example, credit card theft. A stolen credit card can lead to monetary loss, but that is not the only damage. Users lose valuable time updating card numbers or requesting a new card. In fact, the loss of time is more common than actual monetary loss due to the suspected low success rate of cybercrime.

To better understand the how much users are harmed, we need a good metric which can measure the time lost by cybercrime. In collaboration with researchers from University of Illinois at Chicago, we have made the first step towards this goal [1]. Specifically, our work focused on measuring the cost of typosquatting, one common but venial type of cybercrime.

Typosquatting is an attack in which the cybercriminal will register domain names similar to those of established websites (e.g., mimics, in the hopes of gleaning traffic flowing to mistyped domain names. Typosquatting has not been considered as a popular vector for violent forms of cybercrime, like malware infection:  a previous study found that the chance of encountering malware when visiting typo domains is even lower than visiting legitimate domains in Alexa top 1M sites [2]. However, the harm should not be overlooked. Users waste time in waiting for redirection to the intended sites or correcting typos. Additionally, the brand holders lose their legitimate users’ traffic.  This leads to investments in anti-typosquatting products like defensive registration and browser plugins which correct typos automatically.

In our research we looked to quantify the benefit of such investments by measuring the time lost by users and the traffic lost by brand owners as a result of typosquatting. We analyzed the web traffic from 3.1M source IPs, leveraged a novel conditional probability model to identify naturally occurring typos and measured how long it took users to arrive at their desired destination website.

Surprisingly, our result shows typosquatting only costs a typical user 1.3 seconds per typosquatting event over the alternative of receiving a browser error page. Many typosquatters actually improve the latency between a typo and its correction, probably due to the faster responses from typo domains. Regarding brand holders, their legitimate sites lose approximately 5% of the mistyped traffic over the alternative of an unregistered typo and the negative externality ratio (money losses for brand holders over revenues for cybercriminals) is 18:1, much lower than 100:1 for spam [3]. These results suggest that the harm caused by typosquatting is still modest, to both the user and the brand holder, and investment on anti-typosquatting products should be cautious.

[1] Mohammad Taha Khan, Xiang Huo, Zhou Li, Chris Kanich, “Every Second Counts: Quantifying the Negative Externalities of Cybercrime via Typosquatting”, IEEE Security & Privacy, 2015.

[2] Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, Chris Kanich, “The Long“Taile” of Typosquatting Domain Names,”USENIX Security Symposium, 2014.

[3] Justin M. Rao and David H. Reiley, “The Economics of Spam,” The Journal of Economic Perspectives, 2012.

No Comments