SUT: Quantifying and mitigating URL typosquatting

One form of profiting from the web is URL typosquatting: people register phony sites that are common mispellings of popular sites. These phony sites advertise and sell products or, in the worst case, con users into identify theft. In this work, we quantify the extent of this phenomenon, and propose, SUT, a practical countermeasure based on network metrics. We start with an initial set of 900 popular websites, and create 3 million name variations in a systematic and exhaustive way. We find that URL typosquatting is a wide-spread phenomenon and identify common practices and preferred targets of typosquatters. Second, we find that phony websites exhibit significantly different network-layer behavior, such as number of http redirections, compared to regular sites. Based on this insight, we develop, SUT, an automated approach to detect phony websites. We find that the power of SUT lies in the use of the network-layer profile of the phony sites, and less in the perceived popularity of the site. We find that SUT can identify phony websites with near perfect accuracy and recall in our controlled tests. We conclude that our approach is a promising step towards protecting users from URL typosquatting.