DNSFilter: Typosquatting is How Hackers are Taking Advantage of Your Typos

What does Typosquatting mean?

Typosquatting, also known as URL hijacking, is a type of social engineering attack that takes advantage of human error. The possibility that most internet users often commit typographical errors (hence the word “typo”) when typing a domain name is exploited in presenting users with fake versions of a legitimate website.

Once an attacker can trick a user into believing that they are viewing a legitimate website, the attacker can use the session to collect sensitive information from the victim.

A simple typosquatting example

The main plot of an attacker that uses typosquatting is to lure unsuspecting users to a fake version of a legitimate website in order to harvest sensitive information.

Let’s take a look at an example. 

The website chase.com belongs to JPMorgan Chase bank and they operate an online banking platform on their website where customers can log in and perform banking operations. An attacker knows that users on this online banking platform use their login details to access their accounts. These users are also prone to the error of incorrectly typing the domain name chase.com.

To launch a typosquatting attack, the attacker registers a bunch of domains with spellings that imitate the wrongly spelled domain name like the following:

• cahse.com (wrongly typing “a” before “h”) 
• xhase.com (“x” is close to “c” on the keyboard, it is a common mistake to click “x” when you intend to click “c”) 
• chhase.com (mistakenly typing “h” twice) 
  

...etc., and many other incorrect variants of the actual domain name. 

These fake domains all go to a website that the attacker has designed to mimic, to convincing detail, the actual chase.com website. This way, the attacker has cast a net and is just waiting for unsuspecting Chase bank customers to fall in. The attacker can then use this opportunity to request sensitive information like account login details from the victims. These login details can be used by the attacker to access a user’s account and make transactions on behalf of the user.

During our research for the DNSFilter 2021 Threat Report, we monitored threat traffic between the period of Mar 2020 - Aug 2021 and discovered some malicious domains used to mimic the Chase bank login page. An example is shown below:

This fake website is so close to the real one that it will be difficult for a customer to detect malicious activity. And this is just one out of over a dozen found in our traffic.

We also found some malicious domains mimicking pages on Paypal and Microsoft, as shown below:

While most typosquatting threat domains point to fake versions of legitimate sites, some are redirected to sites with adult content, gambling, betting, and other unintended destinations.

Why is typosquatting bad?

Typosquatting is not only a problem for users trying to go to specific sites to access the services but also bad for the owners of the website. 

For site visitors, typosquatting can be harmful in the following ways:

• Users may risk losing their sensitive information and more to hackers
• Attackers may use the user’s account to communicate with and exploit the user’s friends and close relations
• The user may be exposed to undesired content like drugs, terrorism or nudity.
• Users can have malware, cryptomining software, or ransomware installed on their system
  

Site owners can also be affected in the following ways:

• Site owners can take a huge hit on their integrity when a user is exploited
• The more users are affected, the higher the risk of losing users
• Losing traffic to illegitimate sites
• They also start to be associated with spam and gain a reputation for not being security-focused or not caring about their users

What is the difference between typosquatting and cybersquatting?

Typosquatting and cybersquatting are very similar in execution, and some even categorize typosquatting as a type of cybersquatting.

However, the main difference between typosquatting and cybersquatting is in the intent of the threat actor. Most typosquatting attacks are part of a broader phishing attack aimed at stealing user information.

Cybersquatting, on other hand, is aimed at exploiting owners of a website by buying domain names that they will be interested in and selling them back to the site owners at a ridiculously higher price. For example, an ill-intentioned individual can park domains like chase.net, chase.info, chase.org, etc., if they are available. Later on, when Chase bank decides to purchase these domains to ensure that they have sole ownership of all the TLD (Top Level Domain) variants, they discover that it is already owned by someone else and have to buy it back.

The owner of the alternative domains then takes advantage of Chase’s desperation and charges them ridiculous amounts of money for the domains.

How to prevent typosquatting

Both website users and owners can prevent typosquatting in different ways. Let’s take a look at steps that these two parties can take to avoid being victims of typosquatting:

Website Users

• Inspect URLs carefully before opening them
• Bookmark your favorite websites to avoid having to type them each time
• Use a safe search tool instead of typing URLs directly into your address bar
• Visit only secure sites for sensitive business (sites with valid SSL certificates)
  

One battle-tested way to prevent typosquatting across an organization’s network is by using a DNS filtering service like DNSFilter. DNSFilter filters your domain queries by checking for threat patterns and comparing them against a database of known typosquatting and threat domains. Our AI-powered filtering system also ensures that newly discovered threat domains are blocked, and you’re prevented from reaching them.

Find out how effective DNSFilter is compared to other providers.

Website Owners

• Register as many variants of your domain name as possible
• Register as many TLDs of your domain as possible
• Use HTTPS for all your domains to indicate trust
• Use ICANN’s monitoring service Clearing House to find out how your domain name is being used within different domains.
• Contact ICANN to take down suspicious domains or mail servers trying to imitate your domain.
  

As business owners running a website, you should be most concerned about typosquatting. Your users depend on you to keep them safe and you owe them security against scams and anything that can potentially frustrate their experience while trying to use your site.