New system for logo-based detection of malicious domain names successfully piloted
Two hundred scam websites discovered, where trust marks and government logos were used without permission
SIDN Labs has completed two successful pilots of a new system for the logo-based detection of malicious domain names. In the pilots, the innovative LogoMotive system was used to automatically scan all 6.2 million .nl domain names for use of the Dutch national government's logo and a well-known webshop trust mark. Websites using the logo or trust mark were then analysed and classified by experts from the government and the trust mark scheme's operator. LogoMotive discovered more than two hundred sites that were using the logo or trust mark without permission. Having proved its worth in the pilots, LogoMotive will now be integrated into the SIDN BrandGuard service. A research paper describing the work has also been published.
LogoMotive was developed and prototyped by SIDN Labs last year to further suppress domain name abuse and protect .nl users against internet crime. The system automatically visits .nl websites and takes screenshots of their home pages. The screenshots are then scanned for logos and the results uploaded to a web application, so that analysts can decide whether logos are being used legitimately or for malicious purposes. To test the system's practical value, SIDN Labs ran two pilots, in which LogoMotive was used to scan the entire .nl zone. For each pilot, LogoMotive repeatedly looked at all 6.2 million .nl domain names and closely monitored new registrations.
A total of roughly 11,700 domains making use of the government logo and about 10,600 .nl sites displaying the Thuiswinkel trust mark were detected. Analysts at the government's Public Information and Communications Service (DPC) and trust mark operator Thuiswinkel.org then manually assessed and annotated the websites. The first scan found three phishing websites displaying the national government's logo. New registrations were then monitored for two months, revealing a further three phishing scams among fifty-three websites using the logo. Scanning also detected 208 websites using the Thuiswinkel trust mark without permission. As well as the phishing sites, LogoMotive detected eighty-two suspect domains that displayed the government logo but used HTTP redirects to take visitors to authentic government websites. The domains in question had names very similar to those of real government domains, and the volumes of associated DNS traffic suggested that their websites attracted a steady flow of visitors. Two of the redirects led to specialist government websites, including one with a login portal for civil servants. Such a domain could have been set up in preparation for a 'spear-phishing attack' targeting specific civil servants.
One of the domain names discovered by LogoMotive could also have been used for sending fraudulent mail, since its MX records pointed to a dubious mail server. Despite not (yet) having been associated with abuse or featuring on block lists, redirecting domains represent a latent risk, according to researchers at SIDN Labs. Part of the problem, they say, is that domains used for spear-phishing don't always appear on block lists, because relatively few people visit them. "LogoMotive has alerted us to numerous abuses of our trust mark," says Vincent Romviel, Legal Counsel and Policy Advisor at Thuiswinkel.org. "By clamping down on unauthorised use of our trust mark, we're making the online environment safer for consumers. The pilots show that logo detection can help make the .nl domain even more secure. The technology speeds up the detection of malicious websites, suspect domain names and domain names that brand owners are unaware of, so that action can be taken where necessary."
Building on the pilot study findings, SIDN plans to integrate LogoMotive into SIDN BrandGuard – a service that alerts brand owners to potentially malicious domain names resembling their brand names or organisation names. LogoMotive integration will mean that BrandGuard subscribers benefit from logo recognition and the added protection it delivers for brands and ultimately for everyone using the .nl domain. SIDN Labs is also making the LogoMotive code available to researchers who want to undertake further studies, and to other registries that want to enable logo detection in their DNS zones. More information about the LogoMotive pilots organised by SIDN Labs in collaboration with the DPC and Thuiswinkel.org is available in a recently published blog and research paper.