Typosquatting is a form of cyber attack where threat actors register a similar, yet incorrectly spelled version of a legitimate website URL, assuming that some users will input the name incorrectly into the address bar. When users misspell the website name, they are taken to a website that is mimicking the brand of the original, where data can be stolen from visitors who do not realize they are not browsing on the legitimate website that they intended to visit.
This article will investigate this type of cyber attack and what you can do to keep your business and your customers safe.
Does typosquatting have any other names?
Yes! Typosquatting is also commonly known as URL hijacking, and can also be referred to by the names “sting site” or simply a false or fake URL. The idea is all the same. Attackers look at popular websites which involve the collection and safe use of customer data, and then leverage accidental misspellings or common errors in the website’s expected name to create similar sounding or similarly spelled domains. For example, a URL hijacking attempt against Amazon.com could be the domain Amazom.com, while the bank HSBC.com could be HBSC.com.
Is typosquatting common?
There are many famous instances of typosquatting, including a high-profile attack on Google.com, through the site Goggle.com. The website was active from 2004-2007, and caused a lot of damage. “Once it was accessed, the domain would instantly download several viruses and other malware and start to spam pop-ups, some of which contained pornographic imagery. In addition to the malware it downloaded on the victim’s computer, it used the WMF exploit to install the rogue antivirus SpySheriff. All the malware together had the potential to damage the computer severely and may require the victim to re-install their operating system, losing all of their files and data on the computer. “
Interestingly, while the site has now been taken down and similar forms blacklisted, Google has agreed that Goggle is not a misspelling of their name legally, as it is a word in and of itself.
What other forms does typosquatting take?
There are other ways that hackers can leverage the broader category of cybersquatting, but typosquatting is mainly about misspellings. The common theme of cybersquatting is that this threat attacks users who use the URL bar to search for websites, and who don’t use a search engine like Google or Bing.
When you enter the URL directly into the search bar, you need to make sure you know the exact website you’re looking for, including the TLD (top level domain). This is because some hackers will leverage similar looking domains and redirect users to a phishing website. In some cases this will be a typosquatting attack and rely on spelling errors, for example .om is the TLD for Oman, so if a user drops the c by mistake they can find themselves on a malicious website. However, in other cases there will be no spelling mistakes. Users may legitimately think they need a .com website when actually the business in question uses .co.uk or any other regional or local top level domain. In this case, eager attackers can buy another likely domain name, set up the fake website and just wait for browsers to walk right into the trap.
Other instances of cybersquatting include:
Mixing the order of words in the URL: For example, if the website in question is Bed, Bath and Beyond, the attacker might buy bathbedandbeyond.com, assuming that some users will get mixed up.
Adding punctuation to confuse browsers: For example, adding a hyphen into a website name, so that facebook.com becomes face-book.com. This can confuse users, especially those who are in a hurry.
Adding or taking away a reasonable extra word into the URL: Think about if ebay.com was ebaysell.com, or if Wikipedia.com was Wikilearn.com. These definitely sound like legitimate URL names.
Is a homographic attack the same as typosquatting?
Actually, in many ways a homographic attack is the opposite of typosquatting, but you could say that it comes under the category of cybersquatting. Here’s how it works. An attacker buys a domain that is indistinguishable to the human eye from the legitimate brand’s website. This is done with characters from other alphabets, or with something as simple as exchanging a lowercase L for a capital I. When users see this URL written down or linked from their email, they would have no reason to presume it wasn’t safe to click on.
In this way, unlike other forms of cybersquatting – homographic attacks do not rely on the user making a mistake or using the URL bar directly. In fact, using the URL bar directly is the way to avoid being taken in by a homographic attack, by going directly to the address bar and typing in the URL manually, rather than clicking on a link.
How can you protect against typosquatting?
Unfortunately, there is no easy way to protect against this kind of threat, but the best practice is to use a legitimate search engine to find the websites you need, and to never click on links from emails. We all make typos from time to time, so double check the URL if you are typing directly, and if anything seems at all unusual about the website you’re visiting (for example if it has its own typos or grammatical errors, or if the page seems poorly designed), stop and recheck the URL immediately.
If you’re worried about typosquatting attacks on your own business, which could have a devastating impact on your reputation, it can be helpful to buy similar domains yourself, redirecting them back to your own main website. Make sure to register your brand as a trademark so that if you need to take legal action against cyber attacks of this kind – you have a legal standing for your case.
Looking for more cybersecurity tips from Atera? Check out our recent webinar by our CISO, Oren Elimelech – it’s chock full of actionable ideas for keeping your business secure.