Introduction to Typosquatting
Typosquatting, also known as URL hijacking, is the deceptive practice of registering domains that closely resemble a target domain by making intentional typographical errors. This malicious technique involves creating domains with just a few characters different from the legitimate domain. For instance, if the legitimate domain is “vercara.com”, typosquatters may use a variety of techniques to generate deceptive domains:
Typos: Keyboard mistakes when the user types the domain by hand, e.g., vercaara.com.
Misspellings: Intentional variations from the domain’s spelling, e.g., vercana.com.
Different Top-Level Domains: Registering the same domain but with different TLDs, e.g., vercara.net.
Alternative Spellings: Using variations of similar-sounding letters, e.g., fercara.com.
Hyphenation: Adding a hyphen to the target domain, e.g., ver-cara.com.
Combined with WWW: Prepending “www” to the target domain, e.g., wwwvercara.com.
TLD Abuse: Using .cm as a TLD instead of .com, e.g., vercara.cm.
Character Encodings: Domains using letters from a different character set, e.g., vercαrα.com with a Cyrillic/Russian “α”.
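The techniques listed above, turned into a detection check as an added example that is not part of the original post: it labels each queried name with the technique it matches against vercara.com. The SOUND_ALIKE pairs, the QUERIES sample and the function names are assumptions, and names are compared as two-label domains (name plus TLD).

```python
LEGIT = "vercara.com"                      # the page's example domain
SOUND_ALIKE = {frozenset(p) for p in ("vf", "ck", "sz", "iy")}  # assumed pairs

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, legit=LEGIT):
    """Return the lookalike technique `candidate` matches, or None."""
    cand = candidate.strip().rstrip(".").lower()
    if "xn--" in cand:                     # punycode, as DNS logs record IDNs
        try:
            cand = cand.encode("ascii").decode("idna")
        except UnicodeError:
            pass                           # undecodable: compare the raw form
    if cand == legit or "." not in cand:
        return None
    name, _, tld = cand.rpartition(".")
    l_name, _, l_tld = legit.rpartition(".")
    if not name.isascii():                 # same shape, only non-ASCII swaps
        same = len(name) == len(l_name) and all(
            c == l or not c.isascii() for c, l in zip(name, l_name))
        return "character-encoding" if same else None
    if name == l_name:                     # only the TLD differs
        return "tld-abuse" if edit_distance(tld, l_tld) == 1 else "different-tld"
    if name.replace("-", "") == l_name:
        return "hyphenation"
    if name == "www" + l_name:
        return "www-prefix"
    if edit_distance(name, l_name) != 1:
        return None                        # too far from the protected name
    if len(name) != len(l_name):
        return "typo"                      # one character added or dropped
    swapped = next(frozenset(p) for p in zip(name, l_name) if p[0] != p[1])
    return "alternative-spelling" if swapped in SOUND_ALIKE else "misspelling"

# Constructed sample of queried names, e.g. pulled from resolver logs.
QUERIES = ["vercara.com", "vercaara.com", "ver-cara.com", "example.org",
           "WWWvercara.com.", "vercara.cm", "fercara.com"]

def scan(queries, legit=LEGIT):
    """Keep only the queries that look like `legit`, with their technique."""
    return {q: t for q in queries if (t := classify(q, legit))}
```

Calling scan(QUERIES) returns the flagged names with their labels; the legitimate domain, its subdomains and unrelated names are left out.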
Uses for Typosquatting Domains
Typo domains can be used for various malicious purposes:
Phishing: Malicious sites are developed to look exactly like popular websites to gain access to personal data, login credentials, or user emails.
Spear Phishing: The attacker uses a domain and applications that resemble your own domain or your outsourced providers, such as cloud services, expense reporting systems, or HR portals, to capture login and other information from your employees.
Malware Delivery: The malicious website installs harmful software like ransomware on visitors’ devices.
Domain Speculation: The owner of the typosquatted domain tries to sell it to the victim at an inflated price.
eCommerce Fraud: The fake website deceives you into thinking that you are purchasing from the legitimate site, but you never receive the item you ordered.
Parody or Derogatory Site: The site playfully satirizes or features controversial content related to trademarks, products, or brand names.
Related Search Results: The owner of the typosquatting domain redirects traffic intended for the legitimate site to competitors, charging them based on the number of clicks.
Surveys and Giveaways: The fake website provides a feedback form, survey, or giveaway, tricking visitors into unknowingly sharing sensitive information.
Monetizing Traffic: Some website owners display ads or popups to earn money from visitors.
Affiliate Revenue: The fake site redirects traffic back to the brand by using affiliate links, earning a commission from purchases made through the brand’s legitimate affiliate program.
A Combination of Purposes: The domain owner uses a combination of the above purposes. For instance, the owner hosts offensive information about the targeted brand in order to force the brand to buy the domain at a higher price.
Finding Typosquatting Domains
There are multiple tools available to help you identify typosquatting domains and potential typosquatting domains related to your own domain.
DNS Twist is a command-line tool available in Kali Linux and other operating systems that allows you to generate potential typosquatting domains.
There is a web-based version of DNS Twist. It will validate which domains are registered and active and will allow you to export the list.
DNSLytics is a website with tools to perform a wide variety of domain marketing and SEO functions, including a tool to find typosquatting domains.
Phishing Rod is a tool that uses the ICANN Centralized Zone Download Service to check for typosquatting domains using fuzzy matching.
Protections Against Typosquatting Domains
Once you have a list of potential typosquatting domains, there are several actions that you can take to keep them from being used in an attack against your organization.
You can take the list of typo domains and block them on a Protective DNS Solution. This keeps them from being used in spear phishing attacks against your internal user population.
You can register the domains yourself if they are available and have them redirected to your main website to help users that mistype your domain and to improve your Search Engine Optimization (SEO) score and volume of website traffic.
For active domains, you can initiate a takedown or Cease-and-Desist of the domain through your legal team. This could involve law enforcement or security contacts at the domain’s hosting datacenter.
For registered and active domains, you might be able to submit a complaint under the ICANN Universal Domain-Name Dispute-Resolution Policy.
Domain Typosquatting Summary
Throughout this blog post, we have provided essential insights into the world of ‘typosquatting’, a practice where attackers register domains that look like existing domains to perform a wide variety of malicious or semi-malicious activities. We also outlined several tools to identify these domains and potential domains. And lastly, we discussed actions that you can take to protect your organization against typosquatting.