Cyberattacks are constantly getting more sophisticated. Barely a day goes by without news of stealthier malware, elaborate spear-phishing campaigns, trojans, or a new strain of ransomware that can take factories and other organizations offline, or even hobble entire cities.
What is typosquatting?
First, do not visit the following examples unless you want to get hacked.
Typosquatting is the registration of domain names that differ from a legitimate domain by a simple, common typing error, e.g. “gooogle.com” or “gooogl.com” instead of google.com, so that a user who mistypes the address lands on the squatter's site instead.
Most of these typo-domains are parked for resale, redirect to an affiliate offer, or dump the visitor on a wall of advertising, but enough of them have more pernicious goals to merit attention. A recent study by cybersecurity company Sophos Labs found that roughly 2.7 percent of 15,000 domain names probed directed users to websites associated with some form of cybercrime, including hacking, phishing, online fraud, or spamming.
If 2.7 percent seems like a small number, consider that there are currently at least 360 million registered domain names.
Examples of typosquatting are easy to come by. In 2018, security researchers discovered a perfect copy of Reddit.com, one of the five most-visited sites online, under the domain name Reddit.co (.co is the country-code suffix for Colombia). In this instance, the attackers had also obtained a TLS (SSL) certificate for the domain, so the majority of web browsers displayed the green padlock that users read as “legit and secure.” The padlock only attests that the connection to reddit.co is encrypted and that the site holds a certificate for that exact name; it says nothing about whether reddit.co is the site the user meant to visit, and any domain owner can get such a certificate for free.
A similar campaign in 2016 was used to spread malware to anyone who had the bad luck of typing Netflix.om or Citibank.om (.om is the country-code suffix for Oman). Security journalist Brian Krebs reported a network of over a thousand domains using the country suffix for Cameroon, .cm, against major brands such as Hulu and Netflix, that generated nearly 12 million visits over a three-month period. The opportunities for scams are numerous when a single missing letter can take a would-be victim to a completely separate site.
When you consider how easy and cheap it is to register a domain name, the threat begins to seem a little more real and a lot more present. A spoofed login page for a major service, as in the Reddit.co case, hands attackers a fresh and current set of valid credentials, and password reuse makes each one worth far more than a single account: in a recent survey, 50 percent of respondents admitted using the same passwords for personal and work accounts, and 65 percent use the same credentials for most or all of their accounts. Where two-factor authentication is not in place, a harvested username and password is an easy point of entry into business networks and email, with the potential for larger-scale spear-phishing or ransomware attacks and, of course, financial account fraud of every stripe.
The risk this sort of attack poses to a business’s reputation is also worth noting. In “brandjacking,” typosquatters aren’t trying to hack anyone; the goal is damage, most often by redirecting visitors to offensive content. Whitehouse.org is the most famous example: it has been parodying the official Whitehouse.gov website since the early 2000s.
Lego has reportedly spent a fortune trying either to reclaim or to take down domain names that damage its brand. It shouldn’t need saying that needless embarrassment is an impediment to success.
What can be done?
Businesses should take a proactive approach. The most direct countermeasure to typosquatting is defensive registration: acquire as many similar or related domain names as possible and point them at the real site. While it’s extremely unlikely that a business can acquire every possible variation, and it would be inefficient for all but the largest companies to even try, buying the most obvious typo-domains (dropped letters, doubled letters, swapped neighbouring keys, and one-keystroke suffixes such as .co or .om in place of .com) is a minor investment against a major risk.
As with virtually every cyber risk, the other path to mitigation is education and training. Typosquatting relies on a lapse of attention. Train employees to look at the address bar rather than the padlock, to be on the lookout for other signs of a spoofed site, and to double-check links before entering credentials, making absolutely certain that the domain name is spelled exactly right.
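As an added example (not tooling from the original article or from any of the companies it names), the following Python script enumerates the single-keystroke variants of a brand domain described above (omissions, doubled letters, transpositions, adjacent-key substitutions and suffix swaps such as .com to .co or .om), which is the candidate list a business would work from for defensive registration, and then checks a URL's host against that list, which is the “double-check the domain” step made mechanical. It runs offline and makes no DNS or WHOIS queries. The US-QWERTY keyboard map, the suffix list, the two-label registrable-domain rule and the sample links are all assumptions or constructed input, not data from the article.

```python
"""Enumerate single-keystroke typo variants of a brand domain and flag URLs
whose registrable domain is one of them. Offline: no DNS or WHOIS lookups."""
from urllib.parse import urlsplit

# Keyboard neighbours for "fat-finger" substitutions. Assumption: US QWERTY layout.
ADJACENT = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# Suffix confusions: the .co/.om/.cm cases from the article plus a few common ones.
# Assumption: an illustrative list, not an exhaustive one.
TLD_SWAPS = ("co", "om", "cm", "con", "net", "org")


def typo_variants(domain):
    """Return the set of domains exactly one typing error away from `domain`.

    Covers omission ("redit"), doubled letter ("gooogle"), transposition
    ("netlfix"), adjacent-key substitution ("reddot") and suffix swaps
    ("reddit.co"). The original domain itself is never included.
    """
    label, _, tld = domain.lower().partition(".")
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])            # omission
        labels.add(label[:i] + label[i] + label[i:])     # doubled letter
        for key in ADJACENT.get(label[i], ""):           # adjacent-key substitution
            labels.add(label[:i] + key + label[i + 1:])
    for i in range(len(label) - 1):                      # transposition of neighbours
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants = {f"{v}.{tld}" for v in labels if v and v != label}
    for swap in TLD_SWAPS:                               # .com -> .co / .om / .cm ...
        if swap != tld:
            variants.add(f"{label}.{swap}")
    return variants


def registrable_domain(url):
    """Lower-cased host of `url` reduced to its last two labels.

    Assumption: a two-label registrable domain (example.com). Country
    second-level registries such as .co.uk would need the Public Suffix List,
    which this example does not handle.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_url(url, protected):
    """Classify a URL against a list of protected brand domains.

    Returns (host, None) for the genuine domain or an unrelated one, and
    (host, brand) when the host is a single-error typo of `brand`.
    """
    host = registrable_domain(url)
    for brand in protected:
        brand = brand.lower()
        if host == brand:
            return host, None
        if host in typo_variants(brand):
            return host, brand
    return host, None


if __name__ == "__main__":
    # Constructed sample input, not real traffic: brands named in the article and a few links.
    PROTECTED = ["reddit.com", "netflix.com", "citibank.com"]
    sample_links = [
        "https://www.reddit.com/r/netsec",   # genuine
        "https://login.reddit.co/",          # the 2018 lookalike: suffix swap
        "http://netflix.om/account",         # the 2016 .om campaign
        "https://rddit.com/",                # omitted letter
        "https://example.org/",              # unrelated, must not be flagged
    ]
    for link in sample_links:
        host, brand = check_url(link, PROTECTED)
        verdict = f"TYPO OF {brand}" if brand else "ok"
        print(f"{link:36} -> {host:14} {verdict}")
    print(f"{len(typo_variants('reddit.com'))} single-error variants of reddit.com")
```

In practice the variant set is the input to two jobs: register the cheap, obvious ones, and periodically resolve the rest (or watch newly registered domain feeds) so a squat is noticed when it goes live. Expect false positives from the checker: a legitimate, unrelated company can sit one keystroke away from a protected brand, so flag and review rather than block outright.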
Domain names are a sizable part of a company’s attack surface, and companies or individuals who ignore their own presence on the internet, and how it can be imitated, do so at their peril.