Popular websites such as YouTube and Twitter have always been a target for cybercriminal scams. But a not-so-new phenomenon is continuing to be a widespread problem: Typosquatting, in which typosquatters register almost virtual copies of the domains to lure users into giving up sensitive information and potentially infecting their computers with malware.
Typosquatting is a form of cybersquatting in which cybercriminals register domains similar to those of familiar and popular sites and take advantage of users who misspell the URL. Once the user mistypes the URL, they enter a phony website that looks almost identical to the original site. These sites often house surveys and malware and, since they look like the original and trusted site, users easily fall victim to the trap. Once the user fills out survey information, they can be charged for services they didn’t purchase or worse; their systems become infected with viruses.
Researchers at Irvine, California-based security provider M86 Security Inc., have found there are at least 15 misspelled variations of YouTube’s domain that results in either a survey or online dating website. These sites look almost identical to YouTube, so users generally have no idea they are being victimized. In one scam, victims who took a survey where lured into subscribing to an auto-renewing SMS subscription service that would be charged to the user’s phone bill.
Cybercriminals wait for people to mistype the domain name, said Bradley Anstis, vice president of technical strategy at M86. It allows attackers to easily lure users to the site they want them to visit.
“From the attacker’s viewpoint, the victim ends up on their website and the danger is that they can negate a lot of security you have,” Anstis said. “One important thing is that users have visited the site on their own.”
Many companies allow typosquatters to exist despite the erosion of their brand, possibly because they don’t realize the phony site can lure victims to other more malicious websites, Anstis said.
M86 researchers also discovered that the phony YouTube survey website takes in the IP address geolocation and accommodates to the specific language of the user, making it appear more convincing.
Typosquatting was a technique used to quickly gain advertising revenue from sites that receive a high volume of accidental traffic. Nowadays, it’s more about collecting as much information the cybercriminals can get and visitors can be redirected to a malicious website. Although surveys seem popular, that’s not the only way hackers are gaining access to users’ systems and information.
Typosquatting danger to enterprises
The scam can be much more sophisticated. Researchers at security services firm Godai Group LLC have discovered a way to collect sensitive enterprise data simply by exploiting email address typos made by employees. The researchers captured 120,000 emails intended for Fortune 500 companies by buying 30 Internet domains they thought people would send emails to by accident.
Sensitive information was collected about 151 different companies, including trade secrets, business invoices, personal information about employees, network diagrams and passwords. Companies such as Dell, Microsoft, Halliburton, PepsiCo and Nike were just a few on the list of vulnerable targets.
“Typosquatting isn't new, so it's striking that the researchers managed to capture so much information by focusing on just one common mistake,” wrote Mark Stockley of Sohpos’ Naked Security blog. “They captured 20GB of data in six months using only basic technical skills and 30 domains costing no more than a few dollars each.”
Stopping typosquatting is another story. “This is one for the overlords of the Internet. Hackers can change any domain name they like and fool anyone to go there. There’s no law that they’re breaking,” said M86’s Anstis. “It would be great if there was some way to report what domains are hacked and that would help to track that activity.”