Be the Phisher - Understanding Users’ Perception of Malicious Domains

Florian Quinkert, Martin Degeling, Jim Blythe, Thorsten Holz

ACM Asia Conference on Computer & Communications Security (ASIACCS), Taipei, Taiwan, June 2020


Attackers use various domain squatting techniques to create domains which are similar to well-known ones, trying to convince users that their services are legitimate. Previous work has shown that methods like typosquatting, where single characters are removed or duplicated, can successfully deceive users. We present a study that evaluates how well participants distinguish malicious from benign domains before and after they learned and applied domain squatting techniques themselves. In a multi-part survey, 288 participants create 2,880 malicious domains based on common domain squatting techniques and rate both domains created by other participants and real-world phishing domains in terms of how convincing they are. Our key results show that participants have problems identifying legitimate domains as benign if they include unusual top-level domains, additional terms, or use subdomains. Moreover, participants rated domains created by other participants higher than real-world phishing domains (average of 2.51 vs 2.85 on a scale between 1 and 5). Overall, participants are more sceptical of domains, and flag more benign domains as malicious if they contain domain squatting characteristics, after they gained practical experience creating phishing domains themselves. In particular, the number of falsely classified domains that were actually benign increased from 33.66% to 46.56% after our training. Our results show that training users to act as an adversary can help to increase the effectiveness of security trainings. In addition, we recommend that domain owners stop creating domains for their services that make use of common domain squatting techniques, to reduce confusion for users.
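As an added illustration (not code from the paper), the following heuristic flags, from a defender's side, the four squatting patterns the abstract names: a single character removed or duplicated, an unusual top-level domain, additional terms appended to the brand, and the brand name placed in a subdomain. The brand list, the "common" TLD set and the sample domains are constructed for the example; character substitution and homoglyphs, which the abstract does not discuss, are deliberately out of scope.

```python
# Heuristic detector for the domain-squatting patterns named in the abstract.
# Added example; brand list and TLD set are constructed assumptions.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}
COMMON_TLDS = {"com", "org", "net"}


def _one_char_removed_or_duplicated(candidate: str, brand: str) -> bool:
    """True if candidate equals brand with exactly one character removed or duplicated."""
    for i in range(len(brand)):
        if brand[:i] + brand[i + 1:] == candidate:            # character removed
            return True
        if brand[:i + 1] + brand[i] + brand[i + 1:] == candidate:  # character duplicated
            return True
    return False


def squatting_indicators(domain: str) -> list:
    """Return the squatting patterns `domain` exhibits relative to KNOWN_BRANDS.

    An exact match with a legitimate domain yields no indicators; each pattern is
    tagged with the brand it imitates, e.g. 'typosquat:paypal'.
    """
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_BRANDS.values():
        return []
    labels = domain.split(".")
    if len(labels) < 2:
        return []
    tld, sld, subdomains = labels[-1], labels[-2], labels[:-2]
    indicators = []
    for brand in KNOWN_BRANDS:
        # Legitimate-looking second-level label under an unexpected TLD (paypal.xyz).
        if sld == brand and tld not in COMMON_TLDS:
            indicators.append(f"unusual-tld:{brand}")
        # Typosquatting is checked first so 'paypall' is not also read as 'extra terms'.
        if _one_char_removed_or_duplicated(sld, brand):
            indicators.append(f"typosquat:{brand}")
        elif sld != brand and brand in sld:                   # paypal-login.com
            indicators.append(f"additional-terms:{brand}")
        # Brand name used as a subdomain of an unrelated registered domain.
        if any(brand in label for label in subdomains):
            indicators.append(f"subdomain:{brand}")
    return indicators


if __name__ == "__main__":
    # Constructed sample domains, not from the paper's data set.
    for sample in ["paypal.com", "papal.com", "paypal.xyz",
                   "paypal-login.com", "paypal.com.evil-example.test"]:
        print(sample, "->", squatting_indicators(sample) or "no indicators")
```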