
To Err is Human. To Squat is Criminal.

Maliciously Misleading Domain Names are Everywhere Online

Typos are endemic - everyone makes them.  And attackers are betting on that tendency. Who knew that rendering the name of a company’s URL slightly differently would be an effective means to launch a potentially serious chain of events?  

Instead of securityweek.com, imagine someone keyed in securitywek.com, and that an attacker had already registered that misspelling as their own domain. Anyone who made that easy mistake when sending an email or visiting the website would find their message going somewhere other than where they had intended or, worse, their browsing session potentially interrupted by a malicious destination. Any information exchanged, pilfered or simply tracked could help enable more malicious attacks; the site visitor could become susceptible to misinformation; or the spoofed organization could become the easy victim of fraud.

What if the lookalike domain name was used in a phishing email, masquerading as the link to a legitimate website and encouraging the recipient to click on it?  For example, instead of Sony.com, the name was rendered as S0ny.com, where the letter ‘o’ was replaced with a zero. How many people would notice the difference?  

That’s not just a theoretical conjecture; it’s an established tactic in the world of cybercrime.  It even has a name: Domain typo-squatting.  And its growth has spawned a lobbying group – The Coalition Against Domain Name Abuse, or CADNA – to advocate for new government regulations.  That’s because the practice of typosquatting is a lot more extensive than most people realize.  According to FairWinds Partners, an internet strategy consulting group, the top five misspellings of ‘myspace.com’ each receive over three million visitors a year.  

The problem is compounded by the fact that most internet users access web sites through direct navigation – by manually keying in the address – rather than using search engines.  And there are cybersquatters ready and waiting for just about any keyboard error.  In the case of Apple’s iPhone, more than 20,000 registered domain names incorporate the word ‘iPhone’ and nearly 500 more are just a single character away from that name, many of which were registered to locations in China.  

One of the factors that makes misleading Internet users particularly easy for typosquatters is an artifact of the domain name registration process.  Domain names can be registered and dropped, risk-free and cost-free, within a five-day grace period.  That’s long enough to do significant damage.

In an experiment by the GodaiGroup back in 2011, researchers registered domain names similar to those of Fortune 500 companies and then sat back to see what happened.  Over six months, the knockoff addresses received more than 120,000 emails.  They included all sorts of sensitive information – trade secrets, business invoices, personal information of employees, network diagrams, usernames and passwords, as well as service requests.  

The damage created by typosquatting is real in terms of money, reputation, customer confidence and public safety.  That loss is difficult to quantify because reporting to authorities is inconsistent and, because those who have been taken in are reluctant to admit to their error, the official records are also incomplete.  But CADNA estimates that it costs brand owners worldwide in excess of $1 billion a year.

Sadly, two segments of the population especially prone to those sorts of keyboarding errors are children and senior citizens.  Their innocent misspellings have been a bonanza to sexual predators, counterfeit drug vendors, and anyone wanting to plant malware into a victim’s computer. 

Earlier this year, a domain name gold rush took place following Facebook’s June 18 announcement that it planned to create a new digital currency, the Libra, and a digital wallet companion, the Calibra.  Immediately following the announcement, people scrambled to register a multitude of domain name permutations to help confuse users and to infringe as much as possible on the new trademarks.  The majority of those names are currently parked and without content, although some may never come to hold any because their squatters hope to make a profit from Facebook whenever it tries to buy the name back.  

That said, there are countermeasures available to identify and avoid typosquat scams.  For one thing, it’s become common practice for businesses to preemptively buy up all the relevant domain names, including offensive ones, so that they don’t fall into the wrong hands, and then redirect them to the official website.  

But there is no substitute for vigilance.  Keep an eye out for misspellings in domain names, strange redirects, and odd-looking letters or numbers.  Be skeptical about sharing personal and financial data; always confirm you’re on the website you intend to be on before handing over personal information.  If something seems broken or strange, that may be a red flag.  And finally, if it seems implausible or too good to be true, it probably is.  Stay ahead of the game by avoiding grand claims of easy money.
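
The misspellings and odd-looking digits described above can also be checked mechanically. The following is an added example, not part of the original article: it flags observed domains that are one keystroke or one look-alike digit away from a protected name. The protected list, the small confusable map and the sample domains are assumptions constructed for illustration, and the input is assumed to be a bare registered domain rather than a full URL.

```python
PROTECTED = ["securityweek.com", "sony.com"]  # names taken from the article's examples

# Assumption: a small illustrative digit-for-letter map, not an exhaustive confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold look-alike digits to letters."""
    return domain.strip().rstrip(".").lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, protected=PROTECTED):
    """Return (verdict, matched_protected_domain) for one observed domain."""
    name = domain.strip().rstrip(".").lower()
    if name in protected:
        return ("legitimate", name)
    for target in protected:
        if skeleton(name) == skeleton(target):
            return ("homoglyph", target)  # e.g. a zero standing in for 'o'
        if edit_distance(name, target) == 1:
            return ("typo", target)  # one dropped, added, swapped or wrong key
    return ("unrelated", None)


# Constructed sample, as might be extracted from mail or proxy logs.
OBSERVED = ["securityweek.com", "securitywek.com", "S0ny.com", "sonny.com", "example.org"]

if __name__ == "__main__":
    for observed in OBSERVED:
        print(observed, classify(observed))
```
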

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.