Typosquatting: Another great Web scam

If nothing else, the world of web security is remarkable for the creativity of its scams and the names given to them. Where else could you expect to find names like typosquatting and doppelganger domains? In fact, the actual meanings behind these names are just as interesting as the names themselves (well… at least for us hard-core geeks).

What is Typosquatting?

Typosquatting is the often-malicious registration of domain names that are almost identical to frequently used and usually trusted domain names. A good example would be ‘yahooo.com’, an easily mistyped version of ‘yahoo.com’ that differs by a single extra letter.

A more obvious, but still frequently made, mistake is something like ‘UTube.com’. In this case the misspelling isn’t a typo but the result of someone not knowing the actual spelling of the ‘YouTube.com’ domain. Instances like these are more common than you might expect: security firms M86 Security and OpenDNS recently reported 15 typosquatted domains that appear to purposely target YouTube.com.

In addition, a huge number of typosquatting instances occur when a cyber criminal registers a domain that simply adds ‘www’ to the front of a legitimate domain, ‘wwwcnn.com’ for example. Forgetting the ‘.’ between ‘www’ and ‘cnn.com’ is an easy mistake, and one your browser will not correct for you: it looks up ‘wwwcnn.com’ (or ‘www.wwwcnn.com’), a domain the squatter controls, rather than the ‘www.cnn.com’ you expected.

The dangers of Typosquatting

The dangers of the basic typosquatting scam are, of course, many. One of the more popular typosquatting-related scams leads the misdirected web surfer to a site that matches the branding of the original and displays a legitimate-looking survey or contest that appears to originate from the intended site.

Some of these typosquatted pages appear as fake authentication or login pages that encourage users to enter their account information, including passwords. This is particularly dangerous when unsuspecting web surfers reuse the same login name and password for every website that requires credentials.

When passwords are reused, not only does the account on the falsified website become a target, but it also becomes an easy task for the hacker to try those same login names and passwords against more valuable sites (banks, PayPal, eBay).

Another typosquatting-related scam directs the web surfer to a fake website that looks identical to the original and, instead of suspiciously asking for personal information, silently installs malware on the web surfer’s computer (a drive-by download) and then sends the surfer on to the expected site.

In a scam like this, the web surfer is most likely oblivious as the inserted malware wanders around his or her computer and passes information back to the hacker.

To put this problem in perspective, ScamBusters.org reported a 2008 study that found 80,000 typosquatting sites covering just the 2,000 most frequently visited websites! One popular kids’ website had more than 300 scam sites hanging off of the real thing, and a leading credit reports site had almost 750!

Doppelganger domains

Another form of typosquatting is one that security consultancy Godai Group calls a “doppelganger domain”. This great (but incomprehensible) name means a clever hacker has created their own domain name by joining a sub-domain (the label one level below the registered domain) to the domain itself, omitting the period (‘.’) between the two.

For example, consider the hostname ‘mail.ford.com’ (‘mail’ is the sub-domain and ‘ford.com’ is the registered domain) used in a legitimate email address such as president@mail.ford.com. The problem is that a typosquatter who registers the domain name ‘mailford.com’ and runs a mail server for it would receive every email intended for ‘president@mail.ford.com’ whose sender mistakenly omitted the ‘.’, effectively sending the email to ‘president@mailford.com’.

This particular kind of doppelganger scam, called man-in-the-mailbox, is very effective at collecting errant emails. In a test, Godai Group set up several doppelganger domains for Fortune 500 companies and received over 120,000 mis-sent emails in a six-month period.

A clever addition to this scam has the hacker forwarding the mis-sent emails (sent to ‘president@mailford.com’ in this example) to the real recipient (at ‘president@mail.ford.com’) and then intercepting the reply when the recipient answers, so neither side notices that the conversation is being relayed.
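As an added example (not the author’s code, nor any tool from the firms named in this article), the script below generates the candidate domains the text describes for a set of domains you want to protect, then classifies domains seen in mail or web logs against them. It covers both the typing mistakes from the first half of the article (repeated or omitted letters, transposed letters, the missing dot after ‘www’) and the doppelganger join described above. The protected-domain list, hostnames and sample addresses are constructed for the example; it assumes one-label TLDs such as .com and nothing else about the environment.

```python
"""Added example: enumerate typosquat and doppelganger candidates for a set
of protected domains and classify domains seen in logs against them.
Not the article author's code; all sample data below is constructed."""


def _split(domain):
    """'mail.ford.com' -> (['mail'], 'ford', 'com').

    Assumes a one-label TLD ('.com', '.org'); 'example.co.uk' would need a
    public-suffix list and is out of scope for this example."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"expected at least name.tld, got {domain!r}")
    return labels[:-2], labels[-2], labels[-1]


def typo_variants(domain):
    """Return {candidate_domain: kind} for a registered domain like 'yahoo.com'.

    Covers the mistakes the article describes: a repeated letter (yahooo.com),
    an omitted letter (yaho.com), two transposed letters (yhaoo.com) and the
    missing dot after 'www' (wwwcnn.com)."""
    subs, name, tld = _split(domain)
    if subs:
        raise ValueError("pass the registered domain, e.g. 'yahoo.com', not a hostname")
    out = {}
    for i, ch in enumerate(name):
        out[f"{name[:i]}{ch}{name[i:]}.{tld}"] = "repeated letter"
        if len(name) > 1:
            out[f"{name[:i]}{name[i + 1:]}.{tld}"] = "omitted letter"
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        out[f"{swapped}.{tld}"] = "transposed letters"
    out[f"www{name}.{tld}"] = "missing dot after www"
    out.pop(f"{name}.{tld}", None)  # swapping two identical letters yields the real name
    return out


def doppelganger_variants(hostnames):
    """For each real hostname drop the dot in front of the registered domain:
    'mail.ford.com' -> 'mailford.com', the kind of name a man-in-the-mailbox
    attacker registers."""
    out = {}
    for host in hostnames:
        subs, name, tld = _split(host)
        if subs:
            out[f"{subs[-1]}{name}.{tld}"] = f"doppelganger of {host}"
    return out


def classify(domain, protected, hostnames=()):
    """Return 'legitimate', 'unrelated', or the kind of squat this domain matches.

    Matching is done on the registered part, so 'smtp.mailford.com' is still
    reported as a doppelganger of mail.ford.com."""
    domain = domain.lower().strip(".")
    for real in protected:
        real = real.lower()
        if domain == real or domain.endswith("." + real):
            return "legitimate"
    candidates = {}
    for real in protected:
        candidates.update(typo_variants(real))
    candidates.update(doppelganger_variants(hostnames))
    _, name, tld = _split(domain)
    return candidates.get(f"{name}.{tld}", "unrelated")


def flag_addresses(addresses, protected, hostnames=()):
    """Map each email address to the classification of its domain part."""
    return {addr: classify(addr.rsplit("@", 1)[1], protected, hostnames)
            for addr in addresses}


# Constructed sample data: the article's own examples plus one harmless address.
PROTECTED = ["yahoo.com", "cnn.com", "ford.com"]
HOSTNAMES = ["mail.ford.com"]          # real subdomains, e.g. taken from MX/DNS records
SAMPLE_ADDRESSES = [
    "president@mail.ford.com",
    "president@mailford.com",
    "editor@wwwcnn.com",
    "alice@yahooo.com",
    "bob@example.org",
]

if __name__ == "__main__":
    for addr, verdict in flag_addresses(SAMPLE_ADDRESSES, PROTECTED, HOSTNAMES).items():
        print(f"{addr:28} {verdict}")
    print(len(typo_variants("yahoo.com")), "typo candidates for yahoo.com")
```

The generated candidates are where the practical work starts: resolve them and look for names that have A or MX records, since those are the ones someone has registered and is prepared to receive traffic or mail on, and they are the ones worth registering defensively or blocking at the mail gateway. Dedicated tools such as dnstwist generate far more permutations (homoglyphs, keyboard-adjacent keys, alternate TLDs) than the four kinds shown here.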

Between spell-check and auto-correct, many of us have become sloppy typists. Some of us have even given up trying. It’s not surprising that hackers are taking advantage of our laziness. My advice to web surfers is to pay attention, use pre-populated email addresses and bookmarked URLs whenever possible, and proofread your work before hitting enter or send.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure Web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Alan is an expert in Web security - from evaluation to Web development and remediation.