Notes from the Field • 10 MIN READ

Defend Against Social Engineering Campaigns Leveraging Typosquatting

by Patrick Oliveira Fry • Feb 2024

What is Typosquatting?

Typosquatting is a social engineering technique that imitates an organisations domain/website. It does this by utilising the fact that typographical errors may be performed by an end user when typing a URL. There are various reasons why an attacker would implement a Typosquatting domain, each creating different risks for the end user/organisation.

Examples of these include:

  • Phishing – Within a Phishing Campaign, bad actors will look to steal sensitive information by emulating a legitimate email/site etc. The user may be asked to enter personal/financial information. Read more on Phishing, here.
  • Malware – When a user enters the site, malicious software will be installed that is used to steal or corrupt files as well as control devices. Read more on Malware, here.
  • Advertisement –Advertisements or popups are utilised, so that when the user lands on the corrupted site and sees or clicks an ad, the typosquatter will earn money.
  • Reputational Damage – The typosquatted domain will contain negative content associated towards the legitimate site, to tarnish their reputation.
  • Sale – The misspelled domain will be registered to sell to the legitimate site owner at an increased price.
  • Traffic Diversion – The attacker aims to divert the traffic from the legitimate site to a competitor’s site. This will provide additional traffic to the competitor, whilst creating a potential for reduced business on the legitimate site.

How Does Typosquatting Work?

Typosquatting is an attack vector that delves into human error. An attacker will purchase a domain name that is like that of the victim organisation. By mimicking the legitimate website, with a slight variation, the user may be fooled to believe that the malicious site is the genuine site.

There are various ways that domain names can be typosquatted:

  • Misspellings – The typosquatter registers a domain similar to that of the known website. An example of this is “twittar.com”, replacing the e with a in “www.twitter.com”. This encompasses any omissions, transpositions, additional characters, or hyphenations that could be performed when entering a URL.
  • Incorrect Top-Level Domains (TLDs) – Top Level Domains are the suffixes at the end of a URL, such as .com, .net, .br. Users could incorrectly type the TLD from .com to .om, which is for Oman.
  • Subdomain Squatting – The attacker adds a well-known domain name as a subdomain to their current domain. For instance, “www.amazon.fakeweb.com”. The complete domain name may not be viewed, leaving users to believe they are on the legitimate site.

Protecting Against Typosquatting

Users and organisations can utilise publicly available tools such as Dnstwist to identify impersonating or similar domains. Dnstwist works by inputting the domain name and relying on a python script that searches for any imitative domains that could be flagged as phishing or typo squatting. This tool can be further refined to identify registered domains, where they are hosted, whether your website has been cloned, and more.

End users can reduce the possibility of falling victim to Typosquatting by:

  1. Avoid clicking on unknown links such as on social media, emails, or websites.
  2. Do not open email attachments from unknown senders.
  3. Implement antivirus software which will assist in detecting redirections to malicious websites.
  4. Inspect URLs before clicking on them. This can be performed by hovering over the URL to identify any incorrect spellings or modifications within the URL.
  5. Bookmark your frequently used websites for ease of use and to avoid misspelling of the URL.
  6. Utilise search engines instead of directly typing the URL.

Organisations can further protect their employees and customers by implementing the following practices:

  1. Register misspellings of the domain so that end users can be redirected to the official website with no concern towards Typosquatting.
  2. Utilise domain monitoring tools to identify when a domain is registered that resembles that of the organisation. This can be used in conjunction with takedown services, where once identified, the newly registered domain can be taken down, should enough evidence display that it was implemented for phishing purposes.
  3. Notify stakeholders of any impersonating domains. Informed customers, staff, and third parties of suspicious identified domains.
  4. Always use SSL certificates to ensure that customers can verify the legitimacy on the website.
  5. Enforce Multi-Factor Authentication for users when logging in. This will validate both the identity of the user and the website that they are connected to.

If you want to identify and protect your business from prevalent cybersecurity threats, such as Typosquatting, schedule a consultation with our experts today.