Be the Phisher - Understanding Users’ Perception of Malicious Domains

Florian Quinkert, Martin Degeling, Jim Blythe, Thorsten Holz

ACM Asia Conference on Computer & Communications Security (ASIACCS), Taipei, Taiwan, June 2020


Attackers use various domain squatting techniques to convince users that their services are legitimate. Previous work has shown that methods like typosquatting, where single characters are removed or duplicated, can successfully deceive users.

In this paper, we present a study that evaluates how well participants distinguish malicious from benign domains before and after they have learned and applied domain squatting techniques themselves. In a multi-part survey, 288 participants create 2,880 malicious domains based on common domain squatting techniques and rate both domains created by other participants and real-world phishing domains in terms of how convincing they are. Our key results show that participants have difficulty identifying legitimate domains as benign if those domains include unusual top-level domains, additional terms, or subdomains. Moreover, participants rated domains created by other participants as more convincing than real-world phishing domains. Overall, we find that, after gaining practical experience creating phishing domains themselves, participants are more sceptical of domains that exhibit domain squatting characteristics and flag more benign domains as malicious. In particular, the share of benign domains wrongly classified as malicious increased from 33.7% to 46.6% after our training. Our results show that training users to act as an adversary can increase the effectiveness of security training. In addition, we recommend that online services avoid domains that make use of common domain squatting techniques, to reduce confusion for users.
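The squatting categories named above (single-character removal or duplication, an unusual TLD, an added term, the brand pushed into a subdomain) can be made concrete with a small generator and classifier. The following is an added example written for this page, not code from the paper or its authors: it enumerates what a participant "being the phisher" would register for the constructed brand `example.com`, and classifies candidate hostnames by the registrable domain rather than by surface features, which is exactly the distinction participants struggled with (a subdomain of the real brand is benign; the brand glued to an extra term or under a different TLD is not). The `MULTI_LABEL_SUFFIXES` set is a tiny stand-in for the Public Suffix List, and the extra terms and TLDs are illustrative assumptions, not data from the study.

```python
"""Squatting-variant generator and classifier for a brand domain.

Added example, not code from the paper. It implements the technique
categories the abstract names (single-character removal or duplication,
unusual TLD, additional terms, brand placed in a subdomain) for a
constructed brand 'example.com'. Assumptions: MULTI_LABEL_SUFFIXES is a
tiny stand-in for the Public Suffix List, and the extra terms/TLDs are
illustrative, not data from the study.
"""
from __future__ import annotations

# Constructed stand-in for the Public Suffix List (assumption, not complete).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> tuple[str, str, str]:
    """Split a hostname into (subdomain, registrable label, public suffix).

    'login.example.co.uk' -> ('login', 'example', 'co.uk'). The registrable
    label plus suffix is what a registrar actually sold; everything to the
    left is under the registrant's control and carries no trust of its own.
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) < suffix_len + 1:
        raise ValueError(f"not a registrable domain: {host!r}")
    suffix = ".".join(labels[-suffix_len:])
    sld = labels[-suffix_len - 1]
    sub = ".".join(labels[: -suffix_len - 1])
    return sub, sld, suffix


def typosquat_variants(sld: str) -> set[str]:
    """Single-character removal and duplication, the two typosquatting
    operations the abstract describes (no transpositions or substitutions)."""
    variants: set[str] = set()
    for i, ch in enumerate(sld):
        removed = sld[:i] + sld[i + 1:]
        if removed:
            variants.add(removed)
        variants.add(sld[:i] + ch + sld[i:])  # duplicate character i
    variants.discard(sld)
    return variants


def squatting_candidates(brand: str,
                         terms: tuple[str, ...] = ("login", "secure"),
                         tlds: tuple[str, ...] = ("net", "info")) -> dict[str, set[str]]:
    """Enumerate what a participant acting as the phisher would register,
    grouped by technique. terms/tlds are illustrative assumptions."""
    _, sld, suffix = registrable_domain(brand)
    return {
        "typo": {f"{v}.{suffix}" for v in typosquat_variants(sld)},
        "tld": {f"{sld}.{t}" for t in tlds if t != suffix},
        "term": {f"{sld}-{t}.{suffix}" for t in terms} | {f"{t}-{sld}.{suffix}" for t in terms},
        "subdomain": {f"{sld}.{t}.{suffix}" for t in terms},
    }


def classify(candidate: str, brand: str) -> str:
    """Return 'benign' when candidate shares the brand's registrable domain,
    else the squatting technique it exhibits, else 'unrelated'.

    Order matters: the registrable-domain check comes first, so
    'login.example.com' is benign even though it uses a subdomain, the
    pattern participants in the study tended to flag as malicious.
    """
    _, b_sld, b_suffix = registrable_domain(brand)
    c_sub, c_sld, c_suffix = registrable_domain(candidate)
    if (c_sld, c_suffix) == (b_sld, b_suffix):
        return "benign"
    if c_sld == b_sld:
        return "tld"                      # same label, different TLD
    if c_sld in typosquat_variants(b_sld):
        return "typo"
    if b_sld in c_sld.split("-"):
        return "term"                     # brand glued to an extra term
    if b_sld in c_sub.split("."):
        return "subdomain"                # brand only appears left of the dot
    return "unrelated"


if __name__ == "__main__":
    BRAND = "example.com"
    # Constructed sample mixing benign-looking hosts with squats.
    for host in ["login.example.com", "example-login.com", "example.net",
                 "examle.com", "example.com.secure-login.net", "exmaple.com"]:
        print(f"{host:32} -> {classify(host, BRAND)}")
```

Note the deliberate limitation: `typosquat_variants` covers only the two operations the abstract names, so a transposition such as `exmaple.com` comes back as `unrelated`; a production checker would add transpositions, substitutions and homoglyphs, and would use the real Public Suffix List instead of the two-entry stand-in.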