Posted on Apr 19, 2020
Malicious actors are continually looking for new ways to leverage people’s mistakes. Often, security professionals focus on phishing attacks because they are one of the most common human error risks. However, as part of phishing attacks, cybercriminals often rely on people clicking on links that lead to fake websites. Understanding what typosquatting is and how it presents a multifunctional risk for organizations looking to secure their networks, systems, and software can help you mitigate these risks.
Typosquatting, also called URL hijacking, is a type of cybersquatting in which a cybercriminal targets a brand, knowing that people often misspell or mistype its name, and registers a domain that relies on those typographical errors or “typos.” For example, if people often mistake “reccomendation” for “recommendation,” cybercriminals might register the fake URL “www.collegereccomendations.com” to trick people attempting to visit “www.collegerecommendations.com.”
Unlike other malicious activities, typosquats lead to a variety of different negative outcomes for organizations.
When cybercriminals deploy a phishing attack, they often rely on users clicking on the link embedded in the email. To be successful, however, the website that users visit needs to look like the website people associate with the brand. To do this, malicious actors need to recreate the original website as closely as possible while still hosting it under a different domain. Typosquatting is perfect for this use case: if people glance over the URL and read past the misspelling as though it were correct, they are more likely to mistake the website in the email for the official website.
Phishing training modules typically teach users to look for misspelled URLs before clicking the link in an email. For easy-to-spell words, this makes sense. Someone is more likely to notice that “Traget” or “Tagret” isn’t “Target.” However, the more complex the word in the URL, the more difficult a misspelling is to see. The addition of “www.” and “.com” increases the difficulty when people rapidly scan a URL for correct spelling.
Typosquatting, like other social engineering attacks, relies on the way people understand the world around them. While phishing campaigns exploit people’s emotions, typosquatting exploits the way that the brain perceives information.
For example, brain research shows that people use context to understand garbled messages. When the first letter and last letter of a word are in the right place, the brain will fill in the middle letters and be able to “read” the word as a whole.
Typosquatting leverages this cognitive process so that even when people are trying to detect a misspelled URL, they may still make a mistake. Typosquatting offers malicious actors a “two-for-one” attack vector. Not only can they use these websites as part of phishing campaigns, but they can also use them to trick users who mistype the brand’s website by accident.
Because typosquats work so well, malicious actors have found many different ways to leverage them.
Although many cybercriminals use typosquatting as part of more sophisticated attacks, people can use the strategy for other reasons as well.
Organizations can take both proactive and reactive approaches to typosquatting that prevent their brand from being used illegally.
Instead of waiting until after cybercriminals use the brand as part of an attack, companies can do some research to help make it more difficult for them.
A quick internet search for “typosquatting generator” brings up a variety of options that companies can use to find the most common misspellings and mistypings of their brand. For example, one generator created 137 different misspellings for SecurityScorecard.
Using these, an organization might want to proactively purchase the domains with the most likely misspellings or mistypings of its brand to prevent cybercriminals from registering them.
A search on GitHub provides domain name permutation engines that help detect typosquatting, phishing, and URL hijacking. These can help detect lookalike domains, and many can be integrated with a company’s security tools.
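The kind of domain permutation engine described above, as an added example rather than SecurityScorecard's own code or any of the GitHub tools the post refers to. It generates typo candidates for a brand name in the categories such generators typically use (including the interior-letter transpositions the reading research earlier in the post explains), and then scores observed hostnames against the protected brand with an edit distance so that lookalikes seen in, say, mail-gateway or DNS logs can be flagged for review. The keyboard-adjacency and homoglyph tables are small constructed assumptions, the brand is used only as the post's own running example, and the sample hostnames are constructed.

```python
"""Typo-candidate generator and lookalike-domain detector (added example)."""

# Constructed example: the brand an organization wants to protect.
BRAND = "securityscorecard"

# Assumption: rough QWERTY neighbours for "fat-finger" typos (US layout).
ADJACENT = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "awdz", "d": "sefx", "f": "drgc", "g": "fthv",
    "h": "gyjb", "j": "hukn", "k": "jilm", "l": "ko",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
# Assumption: a small table of visually confusable substitutions.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv"}


def permutations(name):
    """Return typo candidates for `name`, grouped by the mistake that produces them."""
    out = {k: set() for k in ("omission", "transposition", "replacement",
                              "insertion", "repetition", "homoglyph")}
    for i, ch in enumerate(name):
        out["omission"].add(name[:i] + name[i + 1:])          # dropped letter
        out["repetition"].add(name[:i] + ch + name[i:])       # doubled letter
        if i + 1 < len(name) and name[i] != name[i + 1]:
            # Swapped interior letters: the case the brain tends to auto-correct.
            out["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        for k in ADJACENT.get(ch, ""):
            out["replacement"].add(name[:i] + k + name[i + 1:])   # wrong key
            out["insertion"].add(name[:i] + k + name[i:])         # extra key before
            out["insertion"].add(name[:i + 1] + k + name[i + 1:]) # extra key after
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            out["homoglyph"].add(name.replace(src, dst, 1))
    for candidates in out.values():
        candidates.discard(name)
    return out


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/replace plus adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(host):
    """Label just left of the TLD, with a leading 'www.' removed.
    Simplification: assumes a single-label TLD such as .com."""
    parts = host.lower().strip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_lookalikes(hosts, brands, max_distance=2):
    """Return (host, brand, distance) for hosts close to, but not equal to, a brand."""
    hits = []
    for host in hosts:
        label = registrable_label(host)
        for brand in brands:
            if label == brand:
                continue  # the real domain is never a lookalike of itself
            dist = osa_distance(label, brand)
            if dist <= max_distance:
                hits.append((host, brand, dist))
    return hits


# Constructed sample hostnames, as they might appear in mail or DNS logs.
SAMPLE_HOSTS = [
    "www.securityscorecard.com",   # genuine
    "securityscorecrad.com",       # transposed interior letters
    "securtyscorecard.com",        # omitted letter
    "secur1tyscorecard.com",       # homoglyph substitution
    "example.org",                 # unrelated
]

if __name__ == "__main__":
    for kind, cands in permutations(BRAND).items():
        print(f"{kind:14s} {len(cands):3d} candidates, e.g. {sorted(cands)[0]}")
    for host, brand, dist in flag_lookalikes(SAMPLE_HOSTS, [BRAND]):
        print(f"lookalike: {host} (distance {dist} from {brand})")
```

Feeding the generated candidates to a WHOIS or DNS lookup shows which ones are already registered, which is the input an organization needs both for the proactive purchases described above and for monitoring; the edit-distance check is the reactive half, catching variants a fixed candidate list never anticipated.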
If an organization finds a typosquat domain after it has been created, it still has some options.
In 1999, the United States government enacted the “Anticybersquatting Consumer Protection Act” (ACPA), which provides organizations with several legal options. Once a company decides to pursue a claim under the ACPA, it needs to hire an attorney who can help it through the different processes.
The ACPA amended the Trademark Act of 1946 to cover domain names registered “for the abusive and bad faith registration of their marks,” defining cybersquatting and cyberpiracy as:
“the registration, trafficking in, or use of a domain name that is identical to, confusingly similar to, or dilutive of a distinctive trademark or service mark of another with the bad faith intent to profit from the goodwill of that mark—harms the public by causing consumer fraud and public confusion as to the true source or sponsorship of goods or services.”
As cybercriminals have continued to use typosquatting as part of their attack methods, organizations need to know how they can work toward protecting themselves and their customers.
One of the first steps a lawyer may take is to send a cease and desist letter if the firm can locate the owner of the typosquat website. The letter notifies the website owner that the site infringes on the company’s trademark rights and requests that the site be taken down.
If the cease and desist letter is not effective, the lawyer may take the case to trial and seek injunctive relief, which is a court order to take down the website.
Formed in 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) is an international non-profit responsible for Internet Protocol (IP) address space allocation, protocol identifier assignment, root server system management functions, and both generic (gTLD) and country code (ccTLD) Top-Level Domain Name system management. In 2013, ICANN’s Board of Directors approved the Uniform Domain-Name Dispute-Resolution Policy (UDRP), which established administrative proceedings that help resolve disputes and prevent cybersquatting.
Working with an attorney, an organization can pursue an administrative proceeding to gain ownership of the typosquatted domain. A company looking to file a UDRP claim needs to submit it to an approved dispute-resolution service. Since the administrative process is often less expensive and resolves more quickly than a lawsuit, many organizations look to resolve their typosquatting issues this way.