A typo and the typosquatters can catch you. It may sound like a cyberpunk thriller, but it is a real threat to cybersecurity. We explain what it is and how you can protect yourself.
What is Typosquatting?
Typosquatting uses changed or misspelled domain names to trick users into visiting fraudulent websites. Threat actors have different typosquatting techniques. Of course, they all benefit the criminals and cheat someone else. That someone else can be website visitors or the owners of the website.
The core of typosquatting is the registration of domain names. The threat actors register domain names that are very close to the real domain name they are impersonating, or they include the real name and add elements to it. If a domain name has not been registered yet, anyone can register it.
If it can be shown that the registration contains the name, product or brand of another company and is likely to mislead the public or harm the real organization, then ownership may be challenged. But that happens after registration.
Typosquatting is different from cybersquatting. Cybersquatters register domains they know or hope will be needed by other organizations in the future. The domain names are not misspelled, modified or misleading. They are normal domain names for which the cybersquatters predict an impending need.
For example, if they hear that a studio is adapting a book for the screen, they can register a domain in the book’s name. If the studio wants to create a website for its movie, it will discover that the name has already been registered. They will have to haggle with the cybersquatter to buy it, or take legal action.
Sometimes this happens by accident. One famous case involved an entrepreneur named Uzi Nissan. In the 1980s he had named several companies after himself. He registered the nissan.com domain for his computer support company in 1997. After Datsun changed their name to Nissan, they filed a lawsuit against Uzi Nissan, alleging trademark infringement and dilution, and sued for $10 million. The legal bickering lasted eight years. It was finally settled in 2007, in favor of Mr. Nissan, but fighting the case cost him $3 million. Nissan Motors currently uses the domain name nissanusa.com.
Typosquatting is classified as a form of social engineering because it relies on two human traits.
How typosquatting works
A typosquatting attack relies on one of two human traits. One is that people mistype a domain name. The other is that people read a domain name at a glance and see what they expect to see.
People mistype things; it’s easy to do. Cyber criminals take advantage of this by registering domain names which are common misspellings of real domain names. Anyone who mistypes the real domain name in a way that matches one of the misspelled domain names will end up on the typosquatter’s website, not the real one. Cyber criminals often register a whole series of domain names, covering many variations in the spelling of the real domain name.
This trap works because unless the computer rejects what you just typed, you don’t know you made a typo. If you don’t notice that you typed “amzon.com” instead of “amazon.com” and you are redirected to a website similar to the Amazon landing page, you probably think you are on the real Amazon website.
There are many ways that typosquatters can take advantage of the people who land on their sites. The fake site can:
- Mimic a login page: It collects login credentials and other personal information.
- Install malicious browser extensions: It can install malicious extensions such as keyloggers or adware in your browser.
- Download malware: Malware such as remote access trojans or keyloggers may be installed on your computer.
- Redirect traffic to competitors: People may be redirected to a competitor’s website.
- Affiliate fraud: The fake website may redirect traffic to websites with which the typosquatters have an affiliate agreement. Websites with affiliate programs reward partners who send traffic to them. The typosquatters get paid a small amount every time they refer someone to the affiliate website. They register a large number of domain names, each based on the real domain name of the website, with a different spelling error in it. By simply redirecting that traffic to the real website, the typosquatters make some money.
- Mimic download pages: Typosquatting websites can mimic software download sites such as open source projects. Website visitors download contaminated versions of software libraries and developer toolkits instead of the real version. The rogue toolkits and libraries are used in the development of the victims’ own products, turning them into a distribution tool for the threat actors’ trojans, malware and backdoors.
- Promote an ideology: The typosquatting website may present the actual organization in an unfavorable, misleading, or embarrassing way. This lends itself to hacktivism.
- Extortion: The typosquatters can offer to sell the typosquatted domain name to the real owner of the domain name.
Creating look-alike links
The other form of typosquatting is registering domain names that visually resemble the real domain name. These are used in links in phishing email campaigns.
The fake domain name should look like the real domain name, so it is carefully crafted to survive a quick glance. The types of tricks used by typosquatters are:
- Mimic letters: Combine letters or numbers to look like other letters. At a glance, “rnicrosoft.com” looks like “microsoft.com” and “apqle.com” looks like “apple.com”.
- Insert foreign characters: This is a more subtle way of mimicking letters, known by the imposing name of IDN homograph attacks. Characters such as the Greek letters alpha “α” and omega “ω” are difficult to spot in a typosquatting domain name. If you didn’t know ahead of time, these two links probably wouldn’t arouse suspicion:
- cloudsαvvyit.com: That’s not “a” in “savvy”.
- hoωtogeek.com: That’s not “w” in “how”.
- Wrong TLD: The top-level domain may be wrong. Domain names like “cloudsavvyit.org” or “cloudsavvyit.net” are convincing because there are no odd characters and everything is spelled correctly.
- Add words: Words related to the content of the real site can be used to mask typosquatting domain names: “technews-howtogeek.com.”
- Delete letters: A domain name can be subtly truncated so that it still looks like a viable domain name: “cloudsavvy.com.” The ‘it’ is missing.
- Add periods: Adding dots to split the domain name is another simple change that may go unnoticed. Links are often underlined, which makes the inserted dots harder to spot: “cloud.savvyit.com.”
- Delete periods: Registering a site as “wwwhowtogeek.com” can fool people into clicking a link. It contains all the expected components, just missing a dot.
These links are particularly effective with phishing campaigns because they pass one of the recommended tests. Staff are often told to hover their mouse pointer over a link in an email before clicking it. A tooltip or other message on the screen will show them the destination of the link. If that matches the body of the email and the wording in the link, it is likely to be trusted.
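A defender-side check for the tricks listed above, as an added example that is not from the original article: it folds the hostname of a link to what a hurried reader sees and labels it against a constructed set of protected domains. The `PROTECTED` set, the `CONFUSABLES` table, the `classify` function and the edit-distance threshold of 2 are all assumptions made for this example.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed for this example: the domains the organisation wants to protect.
PROTECTED = {"cloudsavvyit.com", "howtogeek.com", "microsoft.com", "amazon.com"}
# Character sequences a hurried reader confuses (assumed list, not exhaustive).
CONFUSABLES = {"rn": "m", "α": "a", "ω": "w", "0": "o", "1": "l"}

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(host):
    """Collapse a hostname to the ASCII string a reader 'sees' at a glance."""
    if "xn--" in host:  # punycode label -> Unicode, so homoglyphs become visible
        host = host.encode("ascii").decode("idna")
    host = unicodedata.normalize("NFKC", host.lower())
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host

def classify(url):
    """Return (verdict, host) for a URL or bare hostname found in an email."""
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    host = host[4:] if host.startswith("www.") else host
    if host in PROTECTED or any(host.endswith("." + r) for r in PROTECTED):
        return "ok", host                  # the real site or a subdomain of it
    seen = fold(host)
    if seen in PROTECTED:
        return "homoglyph", host           # rnicrosoft.com, cloudsαvvyit.com
    if "." not in seen:
        return "unknown", host
    sld, tld = seen.split(".")[-2:]
    for verdict, hit in (  # each test is tried against every protected name
        ("dot-trick", lambda b, t: seen == f"www{b}.{t}" or seen.replace(".", "") == b + t),
        ("wrong-tld", lambda b, t: sld == b and tld != t),
        ("added-words", lambda b, t: b in seen),
        ("typo", lambda b, t: levenshtein(sld, b) <= 2),  # heuristic threshold
    ):
        if any(hit(*r.rsplit(".", 1)) for r in PROTECTED):
            return verdict, host
    return "unknown", host
```

Run `classify()` over the link targets extracted from inbound mail or proxy logs; anything other than "ok" or "unknown" is worth a closer look.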
How to protect your organization
You may already be a victim of typosquatting. You can use dnstwister.report to check.
You can preemptively register typosquatting domain names yourself to prevent others from using those names against you.
Some ISPs offer typo protection as part of their services. If a user in your organization misspells a domain name or clicks a look-alike domain name in a link, the connection to the site is blocked and a warning page tells them why.
Keep an eye on your website visitor numbers. If they drop suddenly, it could be an indication that some of your traffic is being siphoned off to a typosquatting site.
Consider setting up and running your own in-house Domain Name System server.
Password managers do not offer to enter credentials unless they are on the real domain. Typosquatting websites won’t fool them into logging in.
Awareness is also a big part of the solution. Knowing these traps are there will help you spot them, so don’t forget to keep your staff informed.