Typosquatting is an online attack that is pulled off by exploiting minor typos in URLs. The exploited typos may result from user error or be part of a social engineering attack. But either way, unsuspecting users end up visiting a malicious site designed to look like the legitimate site that was misspelled in the URL. Once on the malicious site, users may again be tricked into giving up sensitive information or downloading malware.
Typosquatting is also referred to as URL hijacking, fake URLs, domain mimicry, and sting sites.
In this post, we take a detailed look at typosquatting, how it works, and what you can do about it.
How typosquatting works
It all starts with a malicious actor registering a domain with a common misspelling of a popular website. That augments the chances of internet users inadvertently misspelling the URL themselves (google vs. goggle). And, in the event the user receives the URL to the masquerading site as part of an emailed phishing attack, there’s a good chance that the typo will be too subtle for the user to notice, and they will click the URL.
Once the user clicks the URL, they are brought to the malicious site. The malicious site can typically be one of two things:
- A copycat site, designed to look like the misspelled site as much as possible
- An independent site that doesn’t attempt to mimic another site but is laden with dodgy advertisements and malware.
If the malicious site is a copycat, the user will be prompted to enter sensitive information (username, password, credit card number, etc.). And if it’s an “independent” site, your machine may be compromised by malware. It’s worth double-checking the spelling of your typed URLs.
The goals of typosquatting
In detailing how the attack works, we’ve already highlighted two of the most common goals of typosquatting:
- Stealing your personal information
- Compromising your computer with malware
These are extremely common goals that apply to almost every online attack out there. And while most typosquatting attacks are likely mounted with those goals in mind, attackers can mount typosquatting attacks for other reasons as well.
Selling goods you’ll never receive
In certain instances, the malicious website will attempt to sell you something you could have purchased on the legitimate website it misspelled and may be trying to mimic. If the user goes through with the purchase, they’ll never receive the goods they pay for and will have also compromised their credit card information in the process.
Redirecting traffic to competitors
Sometimes, typosquatting is used to redirect traffic meant for the real website to a competitor’s website. Then, the owner of the typosquatting site charges the competitors for redirects and clicks. With enough redirects, the typosquatter can walk away with a handsome sum.
Monetizing ads
The malicious site owner can host advertisements and pop-ups (apparently, they’re still with us in 2024) to generate ad revenue from the users who are tricked into visiting the page.
Fake surveys and contests
In some instances, the malicious site operates under the pretense of gathering feedback for popular products and services. In reality, of course, the malicious actors behind the site are attempting to collect enough information about you to try and steal your identity.
Abusing affiliate links
The fake site can sometimes redirect traffic back to the original site using affiliate links to exploit the legitimate site’s existing affiliate program in an attempt to earn a commission from purchases.
Typosquatting, cybersquatting, and combosquatting
Cybersquatting and combosquatting share some commonalities with typosquatting, but they’re not precisely the same thing. We now have a good understanding of what typosquatting is. By contrast, cybersquatting, also referred to as domain squatting, is the process of purchasing domains that are very similar in spelling to existing brands and websites.
With cybersquatting, the goal isn’t to steal personal information or infect their machine with malware. The goal is purely mercantile: to sell the purchased domains to the owners of the existing brand, service, or website (at the highest price possible).
Legitimate companies are compelled to protect their brands. And so, in many cases, they do end up purchasing deliberately similar domains – many times at a very high price. Cybersquatting can be a very lucrative affair because purchasing domains is relatively cheap, making the payoff of a sale pretty high.
Combosquatting is a lot like typosquatting, in that combosquatters and typosquatters share the same goals. Where they differ is in their methods. In a combosquatting attack, malicious actors purchase domains that are similar to existing brands and websites.
But, instead of inserting a subtle spelling change, they insert extra words. An example would be amazon-shop.com. The latter could confuse a user into believing that amazon-shop.com is a legitimate Amazon website. With combosquatting, typos aren’t required; combosquatters attempt to deceive users with extra, innocuous words in the URL.
Typosquatting examples
goggle.com
One of the most famous typosquatting cases came about in 2006 when the misspelling of google.com was used in a typosquatting attack. The malicious site’s domain was goggle.com instead of google.com. When an unsuspecting user ended up on goggle.com, through either a phishing attempt or an accidental misspelling, their browser was pounded with pop-up windows and ads, and their machine was compromised with malware. The site appears to have been neutralized at one point, redirecting back to google.com. But a test conducted in 2018 found it redirecting users to malware sites again.
fallwell.com
In 1999, Christopher Lamparello registered the domain fallwell.com – a misspelling of falwell.com, the website of notorious anti-gay Christian Evangelical preacher Jerry Falwell. Lamprello’s goal was to provide the accidental visitors of his website with biblical resources and quotes that argued against Falwell’s views on homosexuals. After filing a complaint, the court initially vindicated Falwell on charges of trademark infringement, unfair competition, and cybersquatting. But the ruling was overturned on appeal in 2005 because Lamparello’s site was not a commercial website. Falwell attempted to counter-appeal in 2006, but the court denied his appeal.
mikerowesoft.com
In 2004, part-time web designer Mike Rowe thought that purchasing a domain with his full name, plus the word “soft” at the end – resulting in mikerowesoft.com – was a funny way to promote his budding business. And we have to admit; it is pretty funny. However, Microsoft failed to see the humor in it and attempted to buy the domain from Mike Rowe for the handsome sum of $10. Rowe refused Microsoft’s offer and instead wanted $10,000 to sell his domain. Because of that, Rowe was determined to be cybersquatting and was served with a cease-and-desist order from the World Intellectual Property Organisation.
How to defend against typosquatting
The way to defend against typosquatting depends on which side of the attack you’re on. Your defenses will be different if you’re an organization whose website is “typosquatted” rather than an internet user looking to avoid malicious sites. We’ll provide tips for both use cases.
For organizations
Register typo versions of your domains yourself
That’s right. You really shouldn’t wait for hackers to beat you to it. Draw up a list of the most apparent misspellings of your domains and register them. It’s also recommended to register other top-level domains (.org, .co, etc), country extensions, alternate spellings, and hyphenated variants for your domains. You can easily have all of these alternate domains redirected to your official website.
Use HTTPS
This is something you should be doing anyway. Nonetheless, SSL certificates help authenticate your site and establish that it’s the real deal. The lock icon in the URL bar will let your users know that they’re on the legitimate site. Of course, a malicious actor could produce a valid SSL certificate for their misspelled domain, but at least your users can look at the certificate if they choose, and they may realize they’re on the wrong site. There’s also a good possibility that the attacker won’t bother with HTTPS, and that’s a telltale sign in itself that something may be up. HTTPS also protects you from other kinds of online attacks, such as Man-in-the-middle attacks.
Use ICANN’s website monitoring service
The Internet Corporation for Assigned Names and Numbers (ICANN) provides a Trademark Clearing House service that you can use to find out how your organization’s name is being used in different domains. It may enable you to find out if your website has a “typosquatted” clone in the wild. The service is available worldwide.
Notify your staff, partners, and customers
Once you know that there are malicious, misspelled versions of your website on the internet, you should spread the word across your organization and notify your partners and your customers. This will allow them to be on the lookout for phishing emails and double-check the spelling of URLs in their browsers.
Get malicious websites or mail servers taken down
It’s better to try and avoid being “typosquatted” to begin with, but sometimes despite all your efforts, it may still happen. In those cases, you may need to turn toward the legal system to get those sites/servers taken down. It’s a costly operation, so again, your best bet is to do what you can to avoid being in this situation altogether. But if you need to take things down the legal path, ICANN’s Uniform Domain Name Dispute Resolution Policy is an excellent place to start.
For individuals
The most important thing for internet users trying to avoid typosquatting is vigilance, and a bunch of common-sense tips that you should be following anyway. The first six tips directly apply to typosquatting (and other online attacks), while the remaining four are general online safety tips. But either way, you should apply as many of these as possible in your online browsing routine.
- Don’t click links (URLs) in emails unless you’re sure you know who sent the URL and its destination and that they are not being impersonated. And even then, scrutinize the link. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. And of course, check the link for spelling errors (faceboook instead of facebook or goggle instead of google)? If you can get to the destination without using the link, do that instead.
- Don’t open attachments in emails without identifying who the sender is and confirming with them that they sent you the email with the attachment.
- Use an antivirus program. And only buy well-reviewed and genuine antivirus software from legitimate vendors and run frequent scans regularly.
- Hover over links with your mouse cursor and inspect them carefully for alternate spellings or spelling errors.
- Store bookmarks for the websites you frequent the most and always access them from your bookmarks.
- Use a search engine to access websites instead of typing them out or following links from IMs or emails. Alternatively, you can use voice assistants to achieve the same thing.
- Use a firewall – All major operating systems have a built-in incoming firewall, and all commercial routers on the market provide a built-in NAT firewall. Make sure these are enabled. They may protect you if you click a malicious link.
- Never click on pop-ups. Ever. You never know where they’ll take you next.
- If your browser displays a warning about a website you are trying to access, pay attention to that warning and get your information elsewhere.
- Don’t reply to emails, text messages, or phone calls that request personal information. This is a classic sign of a phishing scam. If you reply, they could send you a link to follow to “fix the problem” for which they contacted you. And always remember that legitimate organizations will never ask you to provide personal information when they contact you by email.
Wrap-up
Typosquatting attacks can be challenging to avoid because they exploit our multitasking lifestyles. As we go about our workdays, we tend to go into auto-pilot mode and won’t always pay attention to everything we should. Hopefully, applying the above tips (for both organizations and individuals) should reduce your odds of falling victim to typosquatting – but at the cost of constant vigilance.
As always, stay safe and vigilant.