Extortion or Expansion? An Investigation into the Costs and Consequences of ICANN’s gTLD Experiments

  • Shahrooz Pouryousef
  • Muhammad Daniyal Dar
  • Suleman Ahmad
  • Phillipa Gill
  • Rishab Nithyanand
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)


Since October 2013, the Internet Corporation for Assigned Names and Numbers (ICANN) has introduced over 1K new generic top-level domains (gTLDs) with the intention of enhancing innovation, competition, and consumer choice. While there have been several positive outcomes from this expansion, there have also been many unintended consequences. In this paper we focus on one such consequence: the gTLD expansion has provided new opportunities for malicious actors to leverage the trust placed by consumers in trusted brands by way of typosquatting. We describe gTLDtm (The gTLD typosquatting monitor) – an open source framework which conducts longitudinal Internet-scale measurements to identify when popular domains are victims of typosquatting, which parties are responsible for facilitating typosquatting, and the costs associated with preventing typosquatting. Our analysis of the generated data shows that ICANN’s expansion introduces several causes for concern. First, the sheer number of typosquatted domains has increased by several orders of magnitude since the introduction of the new gTLDs. Second, these domains are currently being incentivized and monetarily supported by the online advertiser and tracker ecosystem whose policies they clearly violate. Third, mass registrars are currently seeking to profit from the inability of brands to protect themselves from typosquatting (due to the prohibitively high cost of doing so). Taken as a whole, our work presents tools and analysis to help protect the public and brands from typosquatters.



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Shahrooz Pouryousef (1)
  • Muhammad Daniyal Dar (2)
  • Suleman Ahmad (3)
  • Phillipa Gill (1)
  • Rishab Nithyanand (2)

  1. University of Massachusetts, Amherst, USA
  2. University of Iowa, Iowa, USA
  3. University of Wisconsin-Madison, Madison, USA
