Typosquatting is a tactic nearly as old as the Internet itself, perhaps in part because it’s so easy to pull off. All the attacker needs to do is purchase a domain and wait. Provided their URL is close enough to that of an established brand, someone will eventually stumble upon their trap, courtesy of a mistyped URL — a ‘B’ instead of a ‘V,’ perhaps, or .co instead of .com.
This particular kind of URL spoofing is almost always malicious. In some cases, it’s part of a phishing campaign intended to compromise user accounts and other data. Other times, the website itself hosts a malicious payload such as ransomware. The attacker might even be a counterfeiter looking to sell knock-off products.
If a threat actor creates a convincing enough typosquatting attack, imitating your website, they can cause tremendous damage to your brand as visitors may believe that you’re genuinely associated with malicious or poor-quality content. To make matters worse, a manual website takedown request is often so time-consuming that by the time it’s finally fulfilled, the damage has already been done.
That’s the bad news. The good news is that it’s possible to prevent typosquatting and protect your customers and business partners from fraudulent websites. It starts with understanding what typosquatting is and how it works.
The Anatomy of a Typosquatting Attack
Typosquatting has a great deal in common with other phishing attacks, particularly if it’s intended as part of a larger brandjacking campaign. A typosquatter typically creates a website or URL that seems just legitimate enough to momentarily fool a visitor.
Where typosquatting differs from phishing is that in a vacuum, it’s largely passive, reliant entirely on the user to enter and visit an incorrect URL.
Typosquatted URLs typically take one of the following forms:
- Common misspelling of the original’s name or website.
- Alternative spelling of the original website.
- Different top-level domain from the original. This may also involve the use of country code top-level domains.
- Identical to the original save for the presence or absence of a hyphen or period — this may also be referred to as a doppelganger domain.
- Singular rather than plural (or plural rather than singular).
Some of the largest businesses and brands in the world have been targeted by typosquatting attacks, including Google (goggle), AirFrance (Arifrance), Equifax (Equifacks), and Microsoft (MikeRoweSoft). Celebrities and politicians, too, must frequently deal with typosquatters.
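As an added example (not Bolster’s code or part of the original article), the following Python routine triages a feed of observed domain names against a protected brand domain and labels each hit with whichever of the forms above it matches. It assumes single-label TLDs, and every domain in it is a constructed sample.

```python
# Added example (not Bolster's code): classify a suspect domain against a brand
# domain using the five typosquat forms listed above. All domains are constructed.
_DROP = str.maketrans("", "", "-.")  # strips the characters a doppelganger domain toggles

def split_domain(fqdn):
    """Split 'my-brand.com' into ('my-brand', 'com'); assumes a single-label TLD."""
    label, _, tld = fqdn.lower().strip(".").rpartition(".")
    return label, tld

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # 'arifrance' costs 1
    return d[len(a)][len(b)]

def classify_lookalike(brand, candidate, max_edits=2):
    """Return the matched form, or None for the genuine domain or an unrelated one.
    Phonetic respellings such as 'Equifacks' exceed max_edits and are not caught here."""
    b_label, b_tld = split_domain(brand)
    c_label, c_tld = split_domain(candidate)
    if (b_label, b_tld) == (c_label, c_tld):
        return None
    if b_label == c_label:
        return "different-tld"          # includes country-code TLD swaps
    if b_label.translate(_DROP) == c_label.translate(_DROP):
        return "hyphen-or-period"       # doppelganger domain
    if c_label == b_label + "s" or b_label == c_label + "s":
        return "singular-plural"
    if osa_distance(b_label, c_label) <= max_edits:
        return "misspelling"
    return None

def triage(brand, observed):
    """Keep only the observed domains that match a form, paired with that form."""
    return [(d, form) for d in observed if (form := classify_lookalike(brand, d))]

if __name__ == "__main__":
    feed = ["example.com", "exampel.com", "example.co", "ex-ample.com",
            "examples.net", "unrelated.org"]  # constructed sample feed
    for domain, form in triage("example.com", feed):
        print(f"{domain:16} {form}")
```

Feeding a newly-registered-domain list through triage() gives a first cut of what to monitor or register; phonetic respellings still need a separate check.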
The Different Types of Typosquatting
Typosquat domains are usually created with one or more of the following objectives in mind.
Distribution of ransomware or malware
Rather than featuring any content, a typosquat domain may simply perform a drive-by download of ransomware, adware, or spyware.
Brandjacking
The threat actor’s spoof site is intended to imitate the genuine article. This is often done with the purpose of identity theft or business credential theft. Even a single stolen password can, without the necessary checks and balances, take down an entire organization.
Financial fraud is another common reason for brandjacking, as the attacker fools visitors into either purchasing counterfeits or buying products they’ll never see.
Revenue generation
A typosquat site may exist purely to generate revenue, which it generally does in one of two ways: through ad impressions or through phony affiliate links.
Traffic manipulation
A typosquatter might use their site to drive traffic to competitors and away from the brand in question. Occasionally, as was the case with John Zuccarini, this traffic redirection has a far more malicious goal in mind.
Satire
The typosquatting site wasn’t necessarily created with malicious intent, but instead mocks or otherwise derides the brand. This can still cause significant reputational damage.
Blackmail
Some particularly clever typosquatters are well aware that larger businesses often opt to make strategic domain purchases. Viewing this as a quick and easy payday, they purchase a domain with the intent of selling it to the related business.
Out of Network, Out of Control: How to Rein In Typosquatting
Digital transformation has fundamentally disrupted cybersecurity. It’s pushed technology products into cloud-based, self-service consumption models, shattering the security perimeter in the process. This trend is only further exacerbated by the shift to distributed work and the increasing prominence of personal devices in the workplace.
To address this new paradigm, organizations must embrace a digital risk protection strategy.
The external attack surface represented by look-alike websites is massive. It’s impossible to contend with manually — businesses must take a different approach, one that begins with the right phishing and scam detection and remediation service.
1. Awareness and education
As is often the case with cybercrime, typosquatting relies largely on the ignorance and carelessness of its targets. As such, a little education can go a long way toward bringing attackers’ efforts crashing down. Coach your employees on the importance of being mindful when browsing the web, including double-checking every URL they enter—or simply using a search engine for navigation instead.
This education should be part of general security awareness training, which is equally crucial to avoiding social engineering attacks.
2. Trademark registration
One potential avenue for combatting typosquatters is to register your brand name as a trademark. That way, if all else fails, you can take the legal route and file a Uniform Rapid Suspension (URS) complaint against the typosquatter via the World Intellectual Property Organization. This is particularly effective against anyone seeking to blackmail your organization with a phony domain name.
3. Strategic domain ownership
A diligent company could attempt to purchase every variation of each domain it owns. Unfortunately, this approach is so cost-prohibitive that it’s nearly impossible. Even a simple, six-character brand name like Google has tens of thousands of potential variations; purchasing every single one could cost hundreds of thousands or even millions per year.
What you must do instead is make your purchases strategically. Determine which domains are the likeliest candidates for typosquatting and acquire those first. Ideally, your organization will be able to tap the expertise of one of its security vendors for help in that regard.
4. Deep learning
The web is impossible to monitor with human eyes alone. What your organization needs is AI-driven, real-time detection. Once you enter your domain names and business information, that should be all the system needs to go to work continuously analyzing the internet, dark web, app stores, and every other digitally accessible ecosystem for signs of impersonation and fraud.
It’s also imperative that you choose a platform with fast detection and a low false positive rate — if your organization must babysit the platform, that defeats the purpose of automation.
5. Automated, zero-touch takedowns
Detection through continuous monitoring is only half the battle. Remediation is where time is truly lost, which is why your organization must seek a platform that automates and streamlines the process. Seek a vendor that maintains relationships with registrars and hosting providers worldwide, one whose solution leverages API integrations to bring down potentially fraudulent sites before they’re even live.
6. Advanced real-time monitoring
Monitoring aside, a phishing and scam detection solution should also be capable of contextualizing potential threats. For instance, if a typosquat domain has a Mail Exchange (MX) record, that may be an indicator that it will be used to launch a phishing or business email compromise (BEC) campaign. Traditional tools and processes cannot effectively prevent a threat of this nature, as they lack a means of applying contextual analysis at scale.
7. Rich threat intelligence
Threat actors do their best work in the shadows, away from the prying eyes of security professionals. Find a solution capable of denying them this — one with a robust monitoring dashboard that grants fully detailed, actionable visibility into each suspicious domain and asset it detects. A high level of customization is also a must, along with the freedom to display threat intel in a range of different formats and based on a wide selection of metrics, including:
- Grouping look-alike domains, sites, apps, and platforms by geographic location, top-level domain, IP address, etc.
- Domain usage data
- Registrant information
- Recommended actions
A More Intelligent Way to Prevent Typosquatting
Traditional security controls and tactics won’t protect your organization against threats like typosquatting. There’s simply too much ground to cover. What you need is a platform that allows you to find and take down fraudulent sites before your audience even knows they exist.
That’s where Bolster comes in. As the world’s premier phishing and scam detection and remediation service, Bolster is capable of identifying threats in a matter of milliseconds and can take down 95% of phishing and scam sites in as little as two minutes without human intervention. Leveraging a combination of natural language processing, computer vision, and deep learning, it’s capable of detecting and remediating not just typosquatting, but all manner of brand impersonation threats wherever and whenever they manifest.
More importantly, because it has a false positive rate of just 1 in 100,000, your team doesn’t need to waste time babysitting or training the platform — it’s ready straight out of the box to protect your business’s assets, reputation, and identity.
Bolster is also unique in that it’s capable of sniffing out threats where other detection platforms might typically overlook them, such as on secure collaboration platforms like Telegram. It achieves this through a combination of vendor relationships, intelligent IOC and TTP correlation, and contextual data gathered from sources like social media.
Bolster’s track record of automated threat detection is so accurate and consistent that the vendor has developed a strong relationship with Telegram which allows takedown requests to be transmitted directly to Telegram’s backend via API.
Bolster is the first and only service to date with such empowered takedown capability.
Ultimately, protecting your company’s external attack surface from typosquatting requires state-of-the-art technology. It requires a solution empowered by deep learning, natural language processing, and computer vision, supported by a vendor with a host of technical connections and relationships.
It requires Bolster — because no other vendor packages those features together with an intuitive dashboard, complete with powerful visualization and analytics tools.
With Bolster, you can start keeping scammers at bay for good.
Learn how Bolster can protect your organization from typosquatting threats by getting a demo here.