Typosquatting, also known as URL hijacking, is a type of social engineering attack that takes advantage of human error. The possibility that most internet users often commit typographical errors (hence the word “typo”) when typing a domain name is exploited in presenting users with fake versions of a legitimate website.
Once an attacker can trick a user into believing that they are viewing a legitimate website, the attacker can use the session to collect sensitive information from the victim.
The main plot of an attacker that uses typosquatting is to lure unsuspecting users to a fake version of a legitimate website in order to harvest sensitive information.
Let’s take a look at an example.
The website chase.com belongs to JPMorgan Chase bank and they operate an online banking platform on their website where customers can log in and perform banking operations. An attacker knows that users on this online banking platform use their login details to access their accounts. These users are also prone to the error of incorrectly typing the domain name chase.com.
To launch a typosquatting attack, the attacker registers a bunch of domains with spellings that imitate the wrongly spelled domain name like the following:
...etc., and many other incorrect variants of the actual domain name.
These fake domains all go to a website that the attacker has designed to mimic, to convincing detail, the actual chase.com website. This way, the attacker has cast a net and is just waiting for unsuspecting Chase bank customers to fall in. The attacker can then use this opportunity to request sensitive information like account login details from the victims. These login details can be used by the attacker to access a user’s account and make transactions on behalf of the user.
During our research for the DNSFilter 2021 Threat Report, we monitored threat traffic between the period of Mar 2020 - Aug 2021 and discovered some malicious domains used to mimic the Chase bank login page. An example is shown below:
This fake website is so close to the real one that it will be difficult for a customer to detect malicious activity. And this is just one out of over a dozen found in our traffic.
We also found some malicious domains mimicking pages on Paypal and Microsoft, as shown below:
While most typosquatting threat domains point to fake versions of legitimate sites, some are redirected to sites with adult content, gambling, betting, and other unintended destinations.
Typosquatting is not only a problem for users trying to go to specific sites to access the services but also bad for the owners of the website.
For site visitors, typosquatting can be harmful in the following ways:
Site owners can also be affected in the following ways:
Typosquatting and cybersquatting are very similar in execution, and some even categorize typosquatting as a type of cybersquatting.
However, the main difference between typosquatting and cybersquatting is in the intent of the threat actor. Most typosquatting attacks are part of a broader phishing attack aimed at stealing user information.
Cybersquatting, on other hand, is aimed at exploiting owners of a website by buying domain names that they will be interested in and selling them back to the site owners at a ridiculously higher price. For example, an ill-intentioned individual can park domains like chase.net, chase.info, chase.org, etc., if they are available. Later on, when Chase bank decides to purchase these domains to ensure that they have sole ownership of all the TLD (Top Level Domain) variants, they discover that it is already owned by someone else and have to buy it back.
The owner of the alternative domains then takes advantage of Chase’s desperation and charges them ridiculous amounts of money for the domains.
Both website users and owners can prevent typosquatting in different ways. Let’s take a look at steps that these two parties can take to avoid being victims of typosquatting:
One battle-tested way to prevent typosquatting across an organization’s network is by using a DNS filtering service like DNSFilter. DNSFilter filters your domain queries by checking for threat patterns and comparing them against a database of known typosquatting and threat domains. Our AI-powered filtering system also ensures that newly discovered threat domains are blocked, and you’re prevented from reaching them.
As business owners running a website, you should be most concerned about typosquatting. Your users depend on you to keep them safe and you owe them security against scams and anything that can potentially frustrate their experience while trying to use your site.