What do you know about typosquatting?



What is typosquatting?

Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking, which relies on mistakes such as typos made by Internet users when entering a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).[1]

The typosquatter's URL will usually be one of five kinds, all similar to the victim site address (e.g. example.com):

  • A common misspelling, or foreign language spelling, of the intended site: exemple.com
  • A misspelling based on typos: examlpe.com
  • A differently phrased domain name: examples.com
  • A different top-level domain: example.org
  • Abuse of the Country Code Top-Level Domain (ccTLD): example.cm by using .cm, example.co by using .co, or example.om by using .om. A person leaving out a letter in .com in error could arrive at the fake URL's website.

Similar abuses:

  • Combosquatting - no misspelling, but appending an arbitrary word that appears legitimate, but that anyone could register: example-security.com. "Combosquatting is around one hundred times more common than typosquatting."
  • Doppelganger domain - omitting a period: financeexample.com (instead of finance.example.com)
  • Extra period: e.xample.com
  • Appending terms to form an intuitive name for a gripe site: example-sucks.com or examplesucks.com

Consider this scenario: 

You type the name of a website in your browser, but you accidentally misspell it. So instead of typing facebook.com, you type faceboo.com, or instead of typing twitter.com, you type twiter.com. In most cases, the mistake is harmless. You'll either get an error that the site can't be found, or the misspelled domain name will lead you to the correct one if the company has purchased and registered the incorrect name.

In other cases, however, that misspelled name could actually lead you to a site from a rival company or even to a malicious site. Now imagine that happening to your own organization's website. A report released Wednesday by Digital Shadows describes the sneaky process of typosquatting (purchasing and redirecting a misspelled domain name), how it's affecting websites for several presidential candidates, and how it can affect a company.

In its research into typosquatting, Digital Shadows discovered more than 550 fake election domains set up against the 19 Democrats and four Republicans running for president as well as Republican Party funding sites. Among these counterfeit but registered Internet domain names, 68% redirect to another domain, often from a rival candidate. For example, the address Tulsi2020.co redirects to marianne2020.com. The address elizibethwarren.com redirects to donaldjtrump.com. The address winrde.com, a misspelling of WinRed.com, a platform to raise funds for Republican candidates, redirects to ActBlue, a fundraising site for the Democratic Party.

However, typosquatting can also lead a user to a malicious site. In its research, Digital Shadows found that six domains affecting Democratic Party candidates Joe Biden, Tulsi Gabbard, and Andrew Yang, as well as party funding pages, redirect to Google Chrome extensions for "file converter" or "secure browsing." If downloaded and installed, these extensions can be used to infringe on voter privacy and potentially deploy malware, according to the report.

Out of the more than 550 typosquatted domains, 66 were hosted on the same IP address and possibly operated by the same person. As Digital Shadows points out, that shows how easy and fast it can be for someone to register multiple fake domains, a problem that's likely to get worse the closer we get to the November 2020 Presidential election.

"Setting up a fake domain is easy with virtually no checks from the organization selling the address," Harrison Van Riper, a research analyst at Digital Shadows, said in a press release. "It's easy for malicious actors to dupe voters and just as easy to impersonate brands and companies to commit fraud. It's a problem we see every day."

In its report, Digital Shadows provides words of advice both for voters and for organizations to protect themselves against typosquatting and fake domains.

For voters concerned about fraud:

  • Ask someone about a suspicious site. If you think a political website looks suspicious, ask your spouse, a friend, or a colleague to check the site before you make a donation or sign up for a newsletter.
  • Confirm the validity of a political website. Look at the candidate's social media page or network. Often, candidates will post or highlight their official domain names on their social media accounts.
  • Check out official donation information. If you want to donate to a certain campaign, seek out its official donation information first. Be wary of linked websites included in unsolicited emails as that's a tactic used by malicious actors to deploy phishing pages.

For organizations concerned about their own websites:

  • Buy domains that are similar to yours. Make sure to purchase them before others swoop in. Some obvious candidates are domains that are one or two letters off from your own domain.
  • Use DNSTwister. Use a tool such as DNSTwister to generate a list of currently active domains. This information can track down domains that might already be impersonating your brand and help you come up with ideas for domain names to purchase.
  • Monitor registration activity. Monitoring the registration activity of several domains can be challenging and time-consuming. But this is one of the best ways to detect possible squatting activities. "Digital Shadows' Practical Guide to Reducing Digital Risk contains several free tools and techniques which can be used to monitor for domain registration activity," Van Riper told TechRepublic. "DNS Twist (or the web-based DNSTwister) is an excellent tool for generating domain permutations, along with checking them for registration and hosting activity. Similarly, Phishing Catcher looks specifically for domains that are hosting content on similar types of domains. These can be used to keep an eye on suspicious domains to see when MX records are added, or content starts being hosted."
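
As an added example (not code from the Digital Shadows report, from dnstwist, or from this blog), the Python below applies the lookalike categories listed earlier and the monitoring advice above: it labels names seen in a registration feed by the technique they match. It assumes example.com is the protected domain, that `finance` is one of its subdomains, that TLDs are single labels, and it uses a constructed feed.

```python
# Added example: label observed domains by the lookalike technique they match.
# Assumed: protected domain example.com, subdomain "finance", single-label TLDs.

def osa_distance(a, b):
    """Edit distance in which an adjacent swap (examlpe) costs 1, like any other edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

MAX_EDITS = 2  # "one or two letters off from your own domain"

def classify(observed, protected="example.com", subdomains=("finance",)):
    """Return the matching technique, or None for unrelated or legitimate names."""
    observed = observed.lower().rstrip(".")
    if "." not in observed or observed == protected or observed.endswith("." + protected):
        return None
    brand, tld = protected.rsplit(".", 1)
    left, obs_tld = observed.rsplit(".", 1)
    if left == brand:
        # .om / .cm / .co are what remains when one letter of "com" is left out
        dropped = {tld[:i] + tld[i + 1:] for i in range(len(tld))}
        return "cctld-abuse" if obs_tld in dropped else "different-tld"
    if left.replace(".", "") == brand:
        return "extra-period"
    if left in {s + brand for s in subdomains}:
        return "doppelganger"
    if osa_distance(left, brand) <= MAX_EDITS:
        return "typo-or-misspelling"
    if brand in left:
        return "appended-term"  # combosquatting or a gripe-site name
    return None

# Constructed feed: the article's own examples plus two names that must not be flagged.
FEED = ["exemple.com", "examlpe.com", "examples.com", "example.org", "example.cm",
        "example-security.com", "financeexample.com", "e.xample.com",
        "examplesucks.com", "finance.example.com", "unrelated.net"]

def scan(feed):
    """Map each flagged domain to its technique; unflagged names are omitted."""
    return {d: t for d in feed if (t := classify(d))}

if __name__ == "__main__":
    for domain, technique in scan(FEED).items():
        print(f"{technique:20} {domain}")
```

The edit-distance threshold trades recall for noise: short brand names need a lower `MAX_EDITS` to avoid flagging unrelated words.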

Ref: Wikipedia, TechRepublic

Compiled by:

Letowon Saitoti Abdi

Senior Technical Support officer
