Digging Deeper: An Analysis of Domain Impersonation in the Lower DNS Hierarchy
Cited by: 1
Authors:
Quinkert, Florian [1]
Tatang, Dennis [1]
Holz, Thorsten [1]
Affiliation:
[1] Ruhr Univ Bochum, Bochum, Germany
Source:
DETECTION OF INTRUSIONS AND MALWARE, AND VULNERABILITY ASSESSMENT, DIMVA 2021 | 2021 / Vol. 12756
Keywords:
DOI:
10.1007/978-3-030-80825-9_4
Chinese Library Classification number:
TP [Automation technology, computer technology];
Subject classification code:
0812;
Abstract:
Attackers use various techniques to lure victims to malicious domains. A typical approach is to generate domains which look similar to well-known ones so that a confused victim is tricked into visiting the domain. An important attack technique in practice is the impersonation of domains in the lower DNS hierarchy as subdomains of otherwise unsuspicious-looking domains, such as paypal.com.foo.example.com. In this paper, we present an in-depth, empirical measurement study of low-level domain impersonations to understand their prevalence and provide a basis for the development of corresponding countermeasures. We introduce a generic measurement approach to find and analyze such domains in phishing feeds from three large anti-phishing vendors (PhishLabs, Phishtank, and OpenPhish) covering multiple years and a data set consisting of one and a half years of certificate transparency logs (CTL). In our measurement study, we discovered more than 122,000 cases of domain impersonations detected during the last seven years in PhishLabs, almost 3,000 in Phishtank, and a couple of hundred instances in OpenPhish. Additionally, we compared the usage of low-level domain impersonation with other well-known domain squatting techniques and found that low-level domain impersonation is among the most popular squatting techniques in the wild.
Pages: 68-87
Number of pages: 20