Malicious actors are continually looking for new ways to leverage people’s mistakes. Often, security professionals focus on phishing attacks because they are one of the most common human error risks. However, as part of phishing attacks, cybercriminals often rely on people clicking on links that lead to fake websites. Understanding what typosquatting is and how it presents a multifunctional risk for organizations looking to secure their networks, systems, and software can help you mitigate these risks.
What is typosquatting?
Typosquatting, also called URL hijacking, is a type of cybersquatting where a cybercriminal targets a brand knowing that people often spell the name wrong and registers a domain relying on typographical errors or “typos.” For example, if people often mistake “reccomendation” for “recommendation,” cybercriminals might create a fake URL “www.collegereccomendations.com” as a way to trick people attempting to visit “www.collegerecommendations.com.”
3 ways typosquatting negatively impacts organizations
Unlike other malicious activities, typosquats lead to a variety of different negative outcomes for organizations.
- Success of phishing and social engineering attacks: Whether cybercriminals send out phishing emails using a typosquat of your organization’s website or send another typosquat website to your employees, the misspelled URLs often look similar to the original web address. This increases the likelihood that users, either your customers or employees, will click the malicious link. Ultimately, a successful attack can lead to scamming users, installing malware on endpoints, or stealing data.
- Risk to brand or reputation: If customers click on a malicious typosquat that collects data, they may enter the login information they use for the original website. Ultimately, that typosquat collects customer data, which can reduce customer confidence in your brand and harm your reputation.
- Revenue reduction: If the creator of the typosquat sells a service or product similar to yours, potential customers may not be able to tell the difference and purchase from the fake website.
Why malicious actors use typosquatting in phishing emails
When cybercriminals deploy a phishing attack, they often rely on users clicking on the link embedded in the email. To be successful, however, the website that users visit needs to look like the website that people associate with the brand. To do this, malicious actors need to recreate the original website as closely as possible while still making it different. Typosquatting is perfect for this use case because if people glance over the URL and internalize their own misspelling, then they are more likely to mistake the website in the email as the official website.
Phishing training modules typically teach users to look for misspelled URLs before clicking the link in an email. For easy-to-spell words, this makes sense. Someone is more likely to notice that “Traget” or “Tagret” isn’t “Target.” However, the more complex the word in the URL, the more difficult the misspelling is to see. The addition of “www.” and “.com” increases the difficulty when people rapidly scan a URL for correct spelling.
Why typosquatting is successful
Typosquatting, like other social engineering attacks, relies on the way people understand the world around them. While phishing campaigns exploit people’s emotions, typosquatting exploits the way that the brain perceives information.
For example, brain research shows that people use context to understand garbled messages. When the first letter and last letter of a word are in the right place, the brain will fill in the middle letters and be able to “read” the word as a whole.
Typosquatting leverages this cognitive process so that even when people are trying to detect a misspelled URL, they may still make a mistake. Typosquatting offers malicious actors a “two-for-one” attack vector. Not only can they use these websites as part of phishing campaigns, but they can also use them to trick users who mistype the brand’s website by accident.
8 types of typosquats
Because typosquats work so well, malicious actors have found many different ways to leverage them.
- Spelling errors: Spelling errors focus on words that people may often confuse or uncommon words that are company names. For example, the difference between “reccomendation” and “recommendation.”
- Mistyped words: Although similar to spelling, typing errors focus on people hitting a wrong letter key rather than not knowing how to spell the word. For example, the difference between “the” and “teh.”
- Adding or removing a hyphen: By changing the spelling in this manner, cybercriminals can take compound nouns such as “bedroom” or “rainfall” and turn them into “bed-room” or “rain-fall.”
- Wrong domain: These attacks focus on people making a mistake such as www.___.org instead of www.____.com.
- Alternate spelling: Cybercriminals will use different versions of a word such as “theatre” for “theater” or use a nonstandard spelling such as “luv” for “love.”
- Adding to well-known brands: When cybercriminals add additional words to well-known brands’ names, they can create similar looking websites. For example, instead of “cvs.com,” they use “shop-cvs.com.”
- Mistyped URL: Because people don’t need to type in “www.xyz” at the beginning of a web address to go to a website, cybercriminals remove the period, relying on mistyping, to create the fake website “wwwxyz.com.”
- Changing the country code: Many domains use a country code top-level domain (ccTLD). For example, the United Kingdom uses “.uk” and the United States uses “.us” which means changing just the last letter can create a typosquat site.
5 reasons for typosquatting
Although many cybercriminals use typosquatting as part of more sophisticated attacks, people can use the strategy for other reasons as well.
- Bait and switch: Sometimes, people want to sell a product that appears similar, so they create a typosquat website to trick people into paying them for something. However, the same site may also be used to steal credentials or install malicious software on devices.
- Reserving the domain: Whether looking to sell the domain name later or hoping to prevent a corporate typosquatted domain from being used for cybercrime, some people purchase misspelled brand name domains and never use them.
- Parody: Sometimes, people set up parody sites that make fun of well-known brands. Although not necessarily intended as a cyberattack, these websites can affect brand reputation.
- Brand abuse: In the online advertising era, cybercriminals may create a typosquat website targeting a search for a brand name and then use it for malicious purposes. Alternatively, people might do this to sell a product or service similar to the brand’s.
How do you combat typosquats?
Organizations can take both proactive and reactive approaches to typosquatting that prevent their brand from being used illegally.
Proactive strategies to combat typosquatting
Instead of waiting until after cybercriminals use the brand as part of an attack, companies can do some research to help make it more difficult for them.
Domain typo generators
A quick internet search for “typosquatting generator” brings up a variety of options that companies can use to find the most common misspelling and mistypings for their brand. For example, one generator created 137 different misspellings for SecurityScorecard.
Using these, an organization might want to proactively purchase domains with the most likely misspelling or mistypings of its brand to prevent cybercriminals from creating them.
GitHub
A search on GitHub turns up domain name permutation engines that help detect typosquatting, phishing, and URL hijacking. These can help detect lookalike domains, and many can be integrated with a company’s security tools.
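The following is an added example (not SecurityScorecard’s code, nor any particular GitHub project’s) of the kind of permutation engine the proactive sections above describe: it generates the eight typosquat categories listed earlier for a brand domain, then checks whether a hostname seen in mail or proxy logs falls into that set. The lookup tables and sample hostnames are constructed for the example; real engines use far larger ones.

```python
import re

# Constructed lookup tables for this example; real permutation engines use far larger ones.
QWERTY_NEIGHBORS = {"a": "qs", "e": "wr", "o": "ip", "i": "uo", "n": "bm", "t": "ry"}
ALT_SPELLINGS = {"theater": "theatre", "theatre": "theater", "love": "luv", "color": "colour"}
GENERIC_TLDS = ["com", "org", "net"]
COUNTRY_CODES = ["uk", "us", "ca", "co"]
BRAND_PREFIXES = ["shop-", "secure-", "login-"]

def typosquats(domain):
    """Return the set of lookalike domains (excluding the original) for a 'name.tld' domain."""
    name, tld = domain.lower().rsplit(".", 1)
    cands = set()
    def add(n, t=tld):
        cands.add(f"{n}.{t}")
    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:])                          # dropped letter (spelling error)
        add(name[:i] + ch + ch + name[i + 1:])                # doubled letter (spelling error)
        for k in QWERTY_NEIGHBORS.get(ch, ""):
            add(name[:i] + k + name[i + 1:])                  # adjacent key hit (mistyped word)
        if i < len(name) - 1:
            add(name[:i] + name[i + 1] + ch + name[i + 2:])   # transposed letters, e.g. "teh"
        if i > 0:
            add(name[:i] + "-" + name[i:])                    # hyphen added, e.g. "bed-room"
    if "-" in name:
        add(name.replace("-", ""))                            # hyphen removed
    for t in GENERIC_TLDS + COUNTRY_CODES:
        add(name, t)                                          # wrong domain or changed country code
    for word, alt in ALT_SPELLINGS.items():
        if word in name:
            add(name.replace(word, alt))                      # alternate spelling, e.g. "theatre"
    for prefix in BRAND_PREFIXES:
        add(prefix + name)                                    # words added to the brand, e.g. "shop-cvs"
    add("www" + name)                                         # missing dot after www, e.g. "wwwxyz"
    cands.discard(f"{name}.{tld}")
    return cands

def is_lookalike(hostname, brand_domain):
    """True if a hostname seen in mail or proxy logs is a generated lookalike of the brand."""
    host = re.sub(r"^www\.", "", hostname.lower().strip().rstrip("."))
    return host in typosquats(brand_domain)

if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a mail gateway or proxy log.
    for h in ["colegerecommendations.com", "www.collegerecommendations.com", "shop-cvs.com"]:
        print(h, is_lookalike(h, "collegerecommendations.com") or is_lookalike(h, "cvs.com"))
```

The generated set is also the list of domains an organization might register defensively, as the paragraph on domain typo generators suggests.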
Reactive strategies to combat typosquatting
If an organization finds a typosquat domain after it has been created, it still has some options.
The Anticybersquatting Consumer Protection Act (ACPA)
In 1999, the United States government enacted the “Anticybersquatting Consumer Protection Act” (ACPA), which provides organizations with several legal options. Once a company decides to pursue a claim under the ACPA, it needs to hire an attorney who can help it go through the different processes.
The ACPA amended the Trademark Act of 1946 to cover domain names registered “for the abusive and bad faith registration of their marks,” defining cybersquatting and cyberpiracy as:
“the registration, trafficking in, or use of a domain name that is identical to, confusingly similar to, or dilutive of a distinctive trademark or service mark of another with the bad faith intent to profit from the goodwill of that mark—harms the public by causing consumer fraud and public confusion as to the true source or sponsorship of goods or services.”
As cybercriminals have continued to use typosquatting as part of their attack methods, organizations need to know how they can work toward protecting themselves and their customers.
One of the first steps a lawyer may take is to send a cease and desist letter if the firm can locate the owner of the typosquat website. The letter notifies the website owner that it infringes on the company’s trademark rights and requests that the site is taken down.
If the cease and desist letter is not effective, the lawyer may take the case to trial and seek injunctive relief, which would be a court order to take down the website.
The Uniform Domain Name Dispute Resolution Policy (UDRP)
Formed in 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) is an international non-profit responsible for Internet Protocol (IP) address space allocation, protocol identifier assignment, root server system management functions, and both generic (gTLD) and country code (ccTLD) Top-Level Domain Name system management. In 2013, ICANN’s Board of Directors approved the UDRP, which established administrative proceedings that help resolve disputes and prevent cybersquatting.
Working with an attorney, an organization can pursue an administrative proceeding to gain ownership of the typosquatted domain. A company looking to file a UDRP claim needs to submit it to an approved dispute-resolution service. Since the administrative process is often less expensive and resolves more quickly than a lawsuit, many organizations look to resolve their typosquatting issues this way.