Typosquatting: How Spelling Errors Could Lead to Scams


It’s a common enough scenario, and familiar to most: When typing a URL in the Web browser’s address bar, you accidentally mistype the name. You may type ctibank.com instead of citibank.com, gacebook.com instead of facebook.com, or the ever popular gooogle.com instead of google.com.

The page at the wrong address is an example of typosquatting, where scammers register domains with names that are similar to legitimate sites. The owner of the site benefits from the fact that the user mistyped the name, whether by displaying ads and links, setting up fake storefronts, or tricking users with phishing pages.

At best, it’s just an annoyance. At its worst, it may be malicious. And it’s pretty prevalent. Experts have estimated nearly 80 percent of mistyped URLs wind up on typosquatting sites.

Not Always Bad, But Usually
Of course, some sites may legitimately have addresses that look similar to popular brands. Those are easy to figure out. If you land on goole.com, you will know it’s a site about an English town, and not a typosquatting one. Then there are the pages that seem harmless, such as the ones displaying advertisements or a parked page with a bunch of links. The typosquatting page window.com has links to Windows 7 and Windows 8, but if you don’t click on it and just close the window, no harm done.

While advertisements, offers to sell you the domain, or these parked pages constitute a majority of the typosquatting sites, there is a very real danger associated with these fake pages. Cybercriminals can grab these domains to create fake websites that look similar to the actual site so that users don’t realize right away they’ve landed in the wrong place. This is the perfect setup for a phishing scam, to trick users into entering their login credentials before redirecting them back to the real site. The users don’t realize what happened, and the criminals operating the site now have their information.

Fake sites Wikapedia.com and Twtter.com took the phishing scam a step further, by making the pages look like the real sites and displaying advertisements for contests offering iPads and MacBooks as prizes. Users were prompted to enter their credit card information and other sensitive information as part of the contest to claim their prizes.

Fraudulent Transactions
Scammers may set up an online store to convince visitors to browse and shop for products. On a typo domain such as appl.com, users may not realize they’ve just bought junk and not a brand-new MacBook Pro. Or they may see a link for iTunes but wind up signing up for a service that sends premium-rate SMS messages to their cellphone.

Scammers may also be using the sites to drive some clicks to their advertising campaigns. Don’t click.

Criminals may also host malware on these domains. This is a bit more unusual, since attackers aren’t going to be able to dispose of the domain and move on to a new one when the address invariably gets blacklisted for hosting malware. There aren’t that many variations of the domain name the attackers can use, so they tend to use other scams instead that will let them use the domain for a longer period of time.

How to Stay Safe
Companies take typosquatting seriously. Apple has in the past gone to the courts regarding appl.com, wwwApple.com, appl-e.com, and apples-stores.com for being too similar to its own domain name. Back in 2012, a United Kingdom watchdog organization fined wikapedia.com and Twtter.com $156,000 each for trying to trick users into thinking they were the real sites. A California judge ruled in favor of Facebook in May last year, awarding the social networking giant close to $2.8 million in damages and control of a little over a hundred domains with misspelled variants of its name.

When typing in the link to a website, pay close attention to what you type. Don’t just hit enter or click on “search” right away—read over what you typed to try to catch that typo at the last minute.

It’s also important to get in the habit of quickly checking the URL to make sure you landed on the page you intended. Sometimes the site may look like the real thing, and that last check can keep you from making a big mistake.
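The same URL check can be automated, for example in a proxy or mail filter. The sketch below is an added example, not part of the original article: it compares a hostname against a short trusted list using an edit distance that counts a single slip (missing, extra, wrong or swapped letter) as 1. The `TRUSTED` list, the verdict names and the `reviewed` exception list are assumptions made for illustration.

```python
# Added example: flag hostnames that are one typing slip away from a trusted
# domain. TRUSTED, the verdict strings and `reviewed` are illustrative choices.
TRUSTED = ("citibank.com", "facebook.com", "google.com", "twitter.com", "apple.com")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def classify(host, trusted=TRUSTED, reviewed=()):
    """Return (verdict, matched_trusted_domain) for one hostname."""
    host = host.strip().lower().rstrip(".")
    if host in reviewed:            # names a person has checked and accepted
        return ("reviewed", None)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    labels = host.split(".")
    # Assumption: single-label TLD, so the registered name is labels[-2].
    name = labels[-2] if len(labels) > 1 else labels[0]
    for good in trusted:
        brand = good.split(".")[0]
        if name.startswith("www") and name[3:] == brand:   # wwwApple.com style
            return ("lookalike", good)
        if osa_distance(name, brand) <= 1:                 # one slip away
            return ("lookalike", good)
    for good in trusted:
        brand = good.split(".")[0]
        if any(brand in label for label in labels[:-1]):   # apples-stores.com style
            return ("embeds-brand", good)
    return ("unknown", None)

if __name__ == "__main__":
    for h in ("ctibank.com", "gooogle.com", "appl-e.com", "apples-stores.com", "goole.com"):
        print(h, classify(h))
```

A string comparison cannot judge intent: goole.com, which the article describes as a legitimate site, is one letter from google.com and is flagged until it is added to `reviewed`.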

Enable safe browsing mode in the Web browser. Internet Explorer, Firefox, and Chrome all have features that block access to a page suspected of hosting malware or of being otherwise malicious. If the site you fat-fingered is malicious, the browser will stop you.

Make sure your security software is up-to-date. If the typosquatting page hosts malware, the antivirus software will most likely detect the danger and block the file from being downloaded onto your computer.

Above all, never, ever, click on links in emails, text, chat messages, or social networking sites. You may not realize the links have a typo when you first look at them. If you type the URL instead of clicking, you will notice the typo, and thus avoid the scam.

5 thoughts on “Typosquatting: How Spelling Errors Could Lead to Scams”

  1. Ironically, I am very opposed to crime and exploitation, and make typos on purpose! Let’s say my name is Marge, and I am not sure where something is going, maybe it is abusive. I may sign up for a subscription or service and use the name Marge in a typo such as Narge or Marj. When I see that name, and if I dislike the advertiser, I just recycle without opening something. They totally lost me as a customer! Typos are like knives–used with care they cut the spam!

  2. Thanks for this article & the warning. Out of curiosity I tried Twtter.com & my internet security program instantly detected a threat. Curiosity killed the cat & I guess it could kill your computer too

  3. You had to catch me proofing MalwareDomainList’s hosts file for stale hosts didn’t you? I will repent and add the typo hosts you indicated to my blocking hosts file in the risk section for the next update which will go out soon. Rather than depending on my PAC filter’s IP block rules (which has changed again) exclusively to block the ownbox’s typo hosts, I will add the ones I know and have to my hosts file. They will also go into the risk section. Ownbox has redirected to low order ad-ware in the past.

    One other thing you need to watch for is that some phishers will mix the real name of who they are pretending to be, say like paypal.com either as-is or in part into a much longer host name to fool you. To make it worse they frequently have three URLs in the phish email message. One is what shows in HTML enabled email programs, e.g., paypal.com. The second is the actual URL you go to that also contains “paypal.com” or “paypal” letters in the host name. The third is rare but they can use JavaScript so that when you mouse over the URL, it replaces the real URL with, you guessed it, paypal.com to thoroughly sell you on the idea. Use Thunderbird or other email readers which don’t render HTML.

    ctibank.com eh? And they have the audacity to use forward.dnstool.net. Redirectors and URL minimizers are another threat. I advise people use preview.tinyurl.com so you can see where you are going before you get there.

    Thanks for the tips.
