Typosquatting phishing, also known as typo-phishing or typo-scamming, is a form of phishing in which a cyber-criminal relies on users making typos when manually typing in a URL which leads them to a different website instead. More commonly, the malicious party relies on the human brain’s inability to differentiate between two similar Iooking characters when sending a phishing link. For example, while reading this definition, have you noticed that the word “looking” has been spelled incorrectly with a capital ‘i’? This is one of the techniques used by hackers when leading an innocent user to a fake site, along with a similar look and feel of the real site, to trick them into inputting sensitive information. The hacker in question may not have criminal motives, but rather uses such domains to advertise their own product or service due to the traffic to this commonly misspelled URL — a term commonly known as malvertising.
Examples of typosquatting
A typosquatted URL would look very similar to the real URL but would make use of one or more of the differences discussed in the subsequent sections.
1. A typo
Most commonly, a malicious actor would take advantage of a user’s haste when typing in the domain name and quickly pressing ‘enter’ which redirects them to a fake website in the process. One of the most famous examples of this type of typosquatting is the website “goggle.com” (meant to impersonate Google) which back when it was first registered, attempted to install malicious software on the visitor’s computer. Doubling the wrong letter or writing it multiple times is an easy typo to make when typing fast. Similarly, the attacker would replace letters with those adjacent to them on a keyboard or if they want to get the user to innocently click on it, swap one or more characters with similar looking ones (e.g. “g00gle.com”).
2. A misspelled word
Not everyone can easily pick up on a misspelled word, especially if it is not in the person’s primary language. In particular, there are certain words that people misspell more frequently than others. Therefore, including such words in a fake domain may cause more traffic than anticipated. One such example is the word “accommodation” which people misspell as “acommodation” or “accomodation”.
3. Alternative spellings
This is very similar to the previous examples but instead of relying on the user making a mistake when typing, different spellings of certain words are used with the hope that the target user prefers to spell a particular word in the manner chosen by the attacker (e.g. adviser and advisor).
4. Pluralising a singular domain name
This technique is quite self-explanatory. A user may be unsure whether the domain name is singular or plural and chooses to guess instead of double checking.
5. Using a different top-level domain
The top-level domain (TLD) is the first part that follows after the dot and serves to indicate the objective of the website. For instance, .gov represents a government entity while .com a commercial one. The fake URL may hence be exactly the same as the real one but with a different TLD such as .com instead of .org.
6. Using a different country code
The country code is what follows the first part of the TLD and serves to identify the country of origin of the website. Therefore it may be the case that the incorrect country code is entered. A popular mistake is entering the country code .co or .cm instead of .com.
7. Omitting punctuation marks
URLs may contain hyphens or other punctuation marks normally used to separate words such as some.example.com rather than someexample.com. By leaving out such punctuation where it belongs, or by introducing it where it doesn’t, a whole new URL is created. Such URLs are more commonly known as doppelganger domains.
8. Using combosquatting
Combosquatting is a technique in which there are no mistakes in the name itself but rather a word similar to the subject of the website or organisation is added. For example, a user would walk straight into an attacker’s trap by deciding to use youtube-login.com instead of youtube.com with the intent of logging into their account. Combosquatting may also be used by an attacker to convince the victim of a phishing attack that the website is legitimate such as by using example-website.com instead of example.com.
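The variations listed above can be checked mechanically when reviewing domains seen in mail or proxy logs. The following is an added example, not part of the original article: it labels how an observed domain differs from a protected one. The look-alike table, the label names and the assumption that both inputs are plain domain strings are choices made for this sketch.

```python
"""Added example: label how an observed domain differs from a protected one."""
HOMOGLYPHS = {"0": "o", "1": "l", "I": "l", "5": "s"}  # constructed, not exhaustive
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
PUNCT = str.maketrans("", "", "-.")  # strips hyphens and dots for comparison

def adjacent(a, b):
    """True if a and b sit side by side on one QWERTY row."""
    return any(a in row and b in row and abs(row.index(a) - row.index(b)) == 1
               for row in QWERTY_ROWS)

def single_edit(name, real):
    """Label a one-character difference between two names, else None."""
    if len(name) == len(real):
        diffs = [(a, b) for a, b in zip(name, real) if a != b]
        if len(diffs) == 1:
            return "adjacent-key typo" if adjacent(*diffs[0]) else "wrong letter"
    longer, shorter = (name, real) if len(name) > len(real) else (real, name)
    if len(longer) == len(shorter) + 1:
        for i in range(len(longer)):
            if longer[:i] + longer[i + 1:] == shorter:
                return "extra letter" if len(name) > len(real) else "missing letter"
    return None

def classify(observed, real):
    """Return the technique label that explains `observed`, or None."""
    real = real.lower()
    if observed.lower() == real:
        return None  # same domain, nothing to flag
    raw_name = observed.partition(".")[0]   # label before the first dot
    real_name = real.partition(".")[0]
    name = raw_name.lower()
    # Fold look-alikes before lowercasing so a capital 'I' is still visible.
    folded = "".join(HOMOGLYPHS.get(c, c) for c in raw_name).lower()
    if name == real_name:
        return "different TLD or country code"
    if folded == real_name:
        return "look-alike characters"
    if observed.lower().translate(PUNCT) == real.translate(PUNCT):
        return "punctuation added or omitted"
    if name == real_name + "s" or name + "s" == real_name:
        return "plural/singular variant"
    if real_name in name.split("-"):
        return "combosquatting"
    return single_edit(name, real_name)
```

A result of `None` means only that none of these simple rules matched, not that the domain is trustworthy.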
What is the impact of typosquatting?
A typosquatting attack may vary in its threat level mainly since it depends on the typosquatter’s intentions and motives. For instance, the point of the typosquatting attack may be to fill the web page with advertisements and get paid a commission from the views and clicks. Similarly it may include a redirection to the real website but does so through affiliate links. Sometimes, attackers buy typosquatted domains with the hope that they draw in enough customers of a big corporation that this same organisation will then pay them a big fee to buy the fake domain off them.
Most of the time, however, typosquatters tend to have criminal motives. The fake website may be a way to conduct a phishing attack to steal personal and financial information from the user. Such an attack is more likely to succeed if the fake website is also very similar to the real one, or if it uses more sophisticated types of phishing such as realtime phishing.
There are also some typo scams which infect the visitor’s computer with malware or spyware and then demand a huge fee from the user to have these programs removed. The user may decide to pay this even though they have no guarantee that the scammers will keep their word.
How to defend against typosquatting attacks?
As with any form of phishing attack, there are ways in which typosquatting can be prevented.
- As an end-user, making use of a password manager not only makes you and your organisation more secure, but it can also prevent you from logging into a website that is using a different domain name to the one that is usually used;
- As an organisation, it is a good idea to acquire typosquatted domains ahead of time and redirect any users to the real website to avoid typosquatting attacks later down the road;
- As an end user, be careful of what information you divulge to websites you access via links received through text messages or emails (even if they look similar or even identical)—make sure that the URL the link takes you to is the URL you’d expect;
- As an end-user, closely inspect inputted URLs before navigating to a page;
- As an end-user, consider using search engines instead of directly typing in the URL.
It’s difficult to stop a cybercriminal from succeeding, especially since the defence against such an attack depends entirely on an unsuspecting user not making a mistake. Nevertheless, this insight into the different forms a typosquatted URL can take is an excellent starting point to ensure that you and your employees are aware of this old yet evolving form of online scamming.