Typosquatting forms the basis of cyber attacks that aim to take advantage of users who mistake a malicious website for a legitimate one. Attackers register domain names that are similar to popular brands or products in the hopes that users will mistype the name and end up on their malicious site instead. Once on the site, users may be tricked into providing sensitive information or installing malware.
As cyber security consultants helping businesses protect their assets, we use these same tricks during red teaming operations and bespoke penetration testing assessments (including phishing assessments) where IT or security teams want to assess how ready their controls are.
What is Typosquatting?
Typosquatting is a form of cybersquatting, which is the act of registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else.
This attack involves taking advantage of typographical errors made by users when inputting a website address into their web browser. For example, a user might type “example.com” into their browser, but because of a typo, they might actually end up at “exampe.com”. The typosquatter could then place ads on this site that would generate revenue for them every time someone clicked on one of the ads.
These domain names may be misspelt versions, phonetic equivalents, shortened versions, or other variations on the original site’s name. Typosquatters often use these malicious sites for phishing scams and to host ads from affiliate networks and adware programs. The US federal law Anticybersquatting Consumer Protection Act protects businesses and consumers against typosquatting scams.
Typosquatting is often used in SEO, for example, to prevent people from finding the website of a competitor or rival business. Typosquatting can also be used by companies themselves in order to protect brand reputation and direct traffic towards their domain name.
Typosquatting is a big business
Charities, businesses and transactional websites are frequently on the receiving end of these frauds. This is why you should keep an eye on your own domain and on any typosquatting domains being registered against it. Any such name that resembles your business name should be reported; there are legal routes to track down and shut down domains that threaten your business or customers or are being used for potentially fraudulent activity.
As per Sophos survey on the subject, “Microsoft typosquats were at 61%, Twitter 74%, Facebook 81%, Google 83% and Apple at 86%. Clearly, there is a significant typosquatting ecosystem around high-profile, often-typed domain names.”
Typosquatters may be motivated for profit, as with cybersquatting or cyberpiracy, to target a competitor or celebrity, or even simply to indulge in the sport of typosquatting.
How does typosquatting work?
A person might intend to visit a domain such as “google.com” but mistakenly type “gogle.com”. Typosquatters will often buy such a typo domain to display advertisements or to redirect users to malicious websites rather than the site they were looking for. Typosquatting is also used in phishing scams.
Typosquatters will often buy a typo-squatting domain and redirect it to their website, which they may make look like the real site of a bank or other company to trick users into submitting sensitive information such as login credentials.
They may also wish to capture email addresses through typo sites, using pages designed to collect email addresses, spam traps and bait-and-switch tactics. Typosquatting is generally caused by the following:
Typos are common in our fast-paced, hectic lives. They are also one of the most frequent mistakes made when entering an address or search term, and people who type quickly and carelessly, or rely too much on autocorrect, are especially prone to landing on these domains.
For example, typing cyphere.com instead of thecyphere.com.
Spelling mistakes are another cause of typosquatting. They arise when internet users hear or read the wrong name, mishear it, or type too quickly and make an error writing down the word they have just heard or seen. Typos due to spelling errors often involve transposing letters within a word, resulting in misspelt domains. Typosquatters take advantage of this by registering commonly misspelt versions of popular domains such as Facebook, PayPal and eBay.
Wrong domain extensions
As more top-level domain (TLD) names are issued, the number of typosquatting websites rises. There are many country-specific endings, such as .co.uk, as well as endings for different kinds of organisation, such as .com and .org, and each one provides further opportunities for typosquatting.
For example, americanexpressco.uk instead of americanexpress.co.uk
The largest number of typosquatting domain names are known to be registered with alternative spellings. Typosquatters register an alternative website address using similar words or different word endings, such as plurals or hyphenated versions.
For example, learnfishing vs learnphishing as domain names
The use of a hyphen in a domain name might cause confusion. Typosquatters exploit this by registering a domain name with or without the hyphen. Typosquatting registrations have been made for popular brands that have a hyphenated version.
For example, e-bay.co.uk instead of eBay.co.uk and merriamwebster.com instead of merriam-webster.com
Supplementing domain names
When a well-known company name is supplemented with a plausible extra word, the result is a typosquat domain name that appears to be genuine.
For example store-amazon.com instead of amazon.com
Addition/Removal of Alphanumeric characters
Typosquatters exploit common confusions between look-alike alphanumeric characters, such as 0 (zero) and O/o or a capital I and a lowercase l, as well as letters being added or dropped.
For example, PaypaI.com instead of paypal.com and goggle.com instead of google.com.
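To see the variation types listed above side by side, here is an added Python example (it is not code from the article or from Cyphere) that enumerates the candidate look-alikes for a domain you own, so that they can be registered pre-emptively or fed into a monitoring watchlist. The homoglyph table, supplement words, prefixes, TLD list and the minimal public-suffix handling are all assumptions chosen to reproduce the article's examples.

```python
"""Enumerate typosquat candidates for a domain you own (defensive watchlist).
Added illustration, not a tool from the article; the lists below are
assumptions chosen to reproduce the article's examples."""

# Look-alike characters: the 0/O and I/l pairs from the text plus two
# multi-character ones. DNS is case-insensitive, so the article's "PaypaI.com"
# becomes "paypai.com" once lower-cased.
HOMOGLYPHS = {"l": ["i", "1"], "i": ["l"], "o": ["0"], "m": ["rn"], "w": ["vv"]}
SUPPLEMENTS = ["store", "login", "signin", "accountlogin", "secure"]  # "store-amazon"
PREFIXES = ["the", "my"]                                              # "thecyphere" -> "cyphere"
TLDS = ["com", "co.uk", "net", "org", "co"]                           # wrong-extension candidates
CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac"}                   # crude public-suffix rule

def split_domain(domain):
    """Return (registrable label, suffix), e.g. ('americanexpress', 'co.uk')."""
    parts = domain.lower().strip(".").split(".")
    n = 2 if len(parts) >= 3 and parts[-2] in CC_SECOND_LEVEL else 1
    return ".".join(parts[:-n]), ".".join(parts[-n:])

def valid_label(label):
    """Reject labels DNS would not accept: empty, leading/trailing or double hyphen."""
    return bool(label) and not label.startswith("-") and not label.endswith("-") and "--" not in label

def omissions(label):        # "example" -> "exampe", "google" -> "gogle"
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def transpositions(label):   # "google" -> "googel"
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}

def repetitions(label):      # "google" -> "gooogle"
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def homoglyphs(label):       # "paypal" -> "paypai", "google" -> "g0ogle"
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}

def hyphenations(label):     # "ebay" -> "e-bay"; "merriam-webster" -> "merriamwebster"
    if "-" in label:
        return {label.replace("-", "")}
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}

def supplements(label):      # "amazon" -> "store-amazon", "netflix" -> "netflix-accountlogin"
    return {f"{w}-{label}" for w in SUPPLEMENTS} | {f"{label}-{w}" for w in SUPPLEMENTS}

def word_endings(label):     # "huffingtonpost" -> "huffingtonposts"
    return {label + "s", label + "es"}

def prefix_strips(label):    # "thecyphere" -> "cyphere"
    return {label[len(p):] for p in PREFIXES if label.startswith(p) and len(label) > len(p) + 2}

GENERATORS = [  # ordered so the most specific category claims a variant first
    ("homoglyph", homoglyphs), ("hyphenation", hyphenations), ("prefix-strip", prefix_strips),
    ("supplement", supplements), ("word-ending", word_endings),
    ("transposition", transpositions), ("repetition", repetitions), ("omission", omissions),
]

def typosquat_variants(domain):
    """Map each candidate look-alike domain to the variation type that produces it."""
    domain = domain.lower()
    label, suffix = split_domain(domain)
    variants = {}
    for category, gen in GENERATORS:
        for candidate in gen(label):
            if valid_label(candidate) and f"{candidate}.{suffix}" != domain:
                variants.setdefault(f"{candidate}.{suffix}", category)
    for tld in TLDS:             # wrong extension: "americanexpress.com" for a .co.uk brand
        if tld != suffix:
            variants.setdefault(f"{label}.{tld}", "wrong-extension")
    if "." in suffix:            # missing dot: "americanexpressco.uk"
        variants.setdefault(f"{label}{suffix}", "missing-dot")
    return variants

if __name__ == "__main__":
    for brand in ["example.com", "paypal.com", "americanexpress.co.uk"]:
        found = typosquat_variants(brand)
        print(f"{brand}: {len(found)} candidates, e.g. {sorted(found)[:5]}")
```

Run on the article's own examples it yields exampe.com, paypai.com, e-bay.co.uk, merriamwebster.com, americanexpressco.uk and store-amazon.com among the candidates. For production monitoring you would extend the generators (keyboard-adjacency substitutions, longer keyword lists) and periodically resolve each candidate to learn which ones somebody else has already registered.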
Common uses of typosquatting
Adware and Malware
It is a common tactic for cybercriminals to host malware or adware on typo domains. Typosquatters can also sell these typosquatting sites to others who want them – so they don’t have to create the content themselves.
For example, pokitdhedgehog instead of pokemon.com
Phishing for credentials is another common use of typosquatting. The attacker registers a typo domain to take advantage of users who type in the address looking for an online banking website, or any other site that requires login credentials.
For example, netflix-accountlogin instead of Netflix
Traffic redirection for advertising revenue is a less common use of typosquatting. The attacker registers the typo domain, waits for traffic to come in, then sends visitors on to an alternative website address that may contain third-party advertising or affiliate marketing links, and makes money from these sources.
For example, adfoc.us instead of AdFocus
Spoofing brands and personalities
Many typosquatters have registered domains for popular brands and well-known personalities to sell them later. Typosquatting provides a high chance that users will mistype or misread the domain, as it often happens when typing in URLs on mobile devices with small keyboards – so an attacker might receive traffic from people searching for those sites.
For example, Gmail-signin instead of gmail.com or huffingtonposts instead of huffingtonpost.com
Counterfeiting goods and services
Typosquatters can register typo domains that are similar to the sites of well-known brands in order to sell counterfeit products. Typosquatters can also use these typo domains to trick users into thinking they are visiting the original brand website instead of a fake or malicious site, stealing their login credentials or other sensitive information.
For example, Macpaypal instead of Macys
The fake site redirects traffic to the brand via affiliate links, earning a fee on all purchases made through the brand’s legitimate affiliate program.
Dangers of typosquatting
As mentioned, typosquatting is often used to trick users into visiting fake or malicious sites masquerading as popular online services. This can lead to many problems such as:
Unauthorised access of accounts
Users might be tricked into thinking they have typed the correct domain name and enter their login details on a fake website that looks like the original. Typosquatters can use these credentials to access the users’ accounts, which means they could hijack their email addresses and social media profiles, or use them in URL hijacking.
For example, vudu-accountlogin instead of vudu.com
Credential phishing is the most direct danger. Attackers set up fake versions of well-known websites that ask for users’ login information; users who believe they have typed the correct domain name hand over their credentials.
For example, facebook-login instead of facebook.com
Malware and Adware
Attackers can host dangerous content on typo domains that is designed to infect computers with malware, or serve ads that carry malware or adware. Typosquatters use this to take advantage of users who type in the address looking for an online banking website, or any other site that requires login credentials.
Typosquatters can use typo domains as part of spamming campaigns, sending out emails pretending to be from well-known brands (or even famous personalities) with links that point to typo domains instead of the official domain. They can also use these typo domains to send phishing emails that trick users into believing they come from a reputable source, which may then lead users to enter their login credentials or download malware onto their computers.
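The phishing and spam cases above are where a defender most often meets typo domains: as the sender or link domain in inbound mail. As an added example (not from the article), the following Python script applies the same variation types in reverse at a mail gateway: it pulls the sender domain out of constructed sample log lines, normalises the look-alike characters mentioned earlier, and flags any domain that is a near match for a protected brand while leaving the brand's genuine domains (and their subdomains) alone. The brand list, legitimate-domain list, log format and distance thresholds are all assumptions.

```python
"""Flag sender domains that resemble a protected brand. Added example, not code
from the article; brand lists, log format and thresholds are assumptions."""
import re

PROTECTED = ["paypal", "netflix", "google", "facebook", "huffingtonpost"]  # assumed brands
LEGITIMATE = {"paypal.com", "netflix.com", "google.com", "facebook.com",
              "huffingtonpost.com"}                                        # assumed allow-list
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # canonical form of look-alike characters
CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac"}     # minimal public-suffix handling
SENDER_RE = re.compile(r"sender=[^@\s]+@([A-Za-z0-9.-]+)")

# Constructed mail-gateway log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sender=billing@paypai.com subject="Verify your account"
2024-03-01T09:00:07Z sender=news@huffingtonpost.com subject="Morning briefing"
2024-03-01T09:01:12Z sender=support@netflix-accountlogin.com subject="Payment failed"
2024-03-01T09:02:40Z sender=alerts@mail.google.com subject="Security alert"
2024-03-01T09:03:03Z sender=noreply@g00gle.com subject="Security alert"
2024-03-01T09:04:55Z sender=team@paypal.net subject="New login"
2024-03-01T09:05:30Z sender=it@facebook-login.co.uk subject="Reset password"
2024-03-01T09:06:10Z sender=editor@huffingtonposts.com subject="Subscribe"
2024-03-01T09:07:00Z sender=hello@example.net subject="Hi"
""".splitlines()

def osa_distance(a, b):
    """Optimal string alignment distance: edits where an adjacent swap counts as one."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]

def registrable(host):
    """'mail.google.com' -> 'google.com'; 'x.co.uk' -> 'x.co.uk'."""
    parts = host.lower().strip(".").split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in CC_SECOND_LEVEL else 2
    return ".".join(parts[-n:])

def normalise(label):
    """Fold look-alike characters to their canonical letters."""
    out = label.lower()
    for glyph, canon in HOMOGLYPHS.items():
        out = out.replace(glyph, canon)
    return out

def classify(host):
    """Return (verdict, brand) or None when the host does not resemble a brand."""
    reg = registrable(host)
    if reg in LEGITIMATE:                       # genuine domain or one of its subdomains
        return None
    label = reg.split(".")[0]
    norm = normalise(label)
    flat = norm.replace("-", "")
    for brand in PROTECTED:
        if label == brand:                      # right name, wrong ending: paypal.net
            return ("wrong-extension", brand)
        if flat == brand:                       # g00gle, goog-le
            return ("homoglyph", brand)
        if brand in flat:                       # netflix-accountlogin, huffingtonposts
            return ("brand-embedded", brand)
        # Short brands sit one edit from ordinary words, so scale the threshold.
        if osa_distance(flat, brand) <= (1 if len(brand) <= 5 else 2):
            return ("lookalike", brand)
    return None

def scan_log(lines):
    """Return (host, verdict, brand) for every suspicious sender domain in the log."""
    findings = []
    for line in lines:
        m = SENDER_RE.search(line)
        if m and (result := classify(m.group(1))):
            findings.append((m.group(1), result[0], result[1]))
    return findings

if __name__ == "__main__":
    for host, verdict, brand in scan_log(SAMPLE_LOG):
        print(f"{host:28} {verdict:16} impersonates {brand}")
```

In practice you would tune PROTECTED and LEGITIMATE to your own brands and review the `lookalike` verdicts rather than block on them automatically, because edit distance alone will occasionally pull in unrelated short names.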
How Typosquatting Might Be Used In The Future
In the future, typosquatting might target internet users through voice assistants such as Siri and Google Assistant. People often use these services by speaking out loud, so there is no need for them to type login credentials or other personal data. Typosquatters could take advantage of this by registering typo domains for well-known services in the hope that they will be reached by someone using a voice assistant to interact with their phone or smart home device. This would allow typosquatters to monetise these interactions, and could cause real harm if a phrase such as “I want to cancel this order” is intercepted by a typosquatter and used to perform an unwanted action.
Typosquatting Protection Tips
To protect yourself from Typosquatting, you can do the following:
- Use antivirus software to protect yourself from malware and adware.
- Always check the URL before entering your login details. If it doesn’t look right, close the page and open up a new one.
- If you’re using a voice assistant to interact with your device, be sure to check that domain name carefully before speaking out loud.
- Look out for your browser’s “Did You Mean?” feature.
- Use a password manager to manage complex login details, and make sure you use strong passwords with letters, numbers and special characters.
- If you think you’ve been a Typosquatting victim, change your password and contact the IT department of your organisation.
- Look for a valid SSL certificate, and check that it is issued for the domain you intended to visit, before entering your login details.
- Check the “Hostname” before entering your login details.
- There is no end to updating your knowledge on digital risks – subscribe to reputed blogs to stay on top of the latest happenings.
Is typosquatting legal?
In a word, yes. Typosquatting is not illegal in most countries, and it isn’t always considered a security threat either, since typosquatters might register a typo domain purely for their own amusement or recreation. It is also difficult to prove that typosquatting has taken place unless other factors are involved, such as malware or adware. Some cybercriminals may see it as a way of making money although, at the moment, this is not always profitable, since it doesn’t happen very often and most typo domains are freely available to register with popular domain name providers such as GoDaddy.
Using typosquatting for illegal means violates the Internet Corporation for Assigned Names and Numbers (ICANN) policies. Typosquatters may also be prosecuted under laws that protect trademarks, copyrights or libel/slander legislation.
What should you do if you find typo domains?
If you find typo domains, it’s worth reporting them to the company that owns them and asking about their typosquatting policies. It’s also worth reporting them to Google via Gmail’s “Report Phishing” link. You can use tools such as trendiction.net.
Contact your IT department or website administrator if you think someone is trying to typosquat your domain. Typosquatters are not always aware that they hold typo domains, but if you can find out who they are and register the domain yourself, it will be easier for everyone to remember your domain properly.
Final thoughts on Typosquatting
Typosquatting is a technique that typosquatters have used for over 20 years to monetise typo domains. Typosquatters can use typos of well-known brands (or even famous personalities) in emails and web pages, with links that point to typo domains instead of the official domain.
Typosquatting is becoming an increasing problem, but it can be difficult to define the boundaries of Typosquatting. It’s important that people are aware of Typosquatters and how they work to avoid being victims. Typosquatters don’t always know that their Typosquatting domain is a typo, so it’s worth reporting them to the company.
It’s also important for companies and individuals to have Typosquatting policies in place as well as ensuring they are providing clear guidelines on how people can report Typosquatted domains or typos of their domain.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.