The threat of typosquatting

Julien

Have you ever typed in the URL of a website you know well, only to come across a completely unexpected, even suspicious, page? It could be that the site you were hoping to visit has fallen victim to a typosquatting attack.
In this article, we’ll explore what typosquatting is, what it’s designed to achieve, and how you can protect yourself against it.
What is typosquatting or typosquattage?
Typosquatting is a hacking technique that consists of registering one or more domain names very similar to that of a “legitimate” site, by exploiting common typing errors made by Internet users.
This method is based on the assumption that many users make mistakes when entering a URL manually. The differences are subtle enough not to alarm the user, especially if the fraudulent site is well designed.
Alternatively, illegitimate links can be sent directly to the user as part of a phishing scheme. If the link sent to a person is visually close to one they know, they’ll be more likely to click on it.
What's the difference between typosquatting and cybersquatting?
Cybersquatting consists of registering domain names linked to famous brands or companies, with the aim of reselling them or damaging the company’s reputation.
This practice can lead to financial losses and encourage phishing or counterfeiting activities.
In the case of typosquatting, the attack is specifically based on human error. Typosquatters take advantage of slight variations in spelling to redirect Internet users to other sites. Security impacts include data theft and malware infection.
How do typosquatters work?
In order to deceive users, typosquatters register domain names similar to those of a website. These variations are sometimes so discreet that they are difficult to notice at first glance.
That’s why, as a domain name holder, you should register several variations and watch out for any new domain names similar to yours.
In concrete terms, URL changes can be:
- by adding characters to the domain name (impots.gouv.fr ➔ impots.gouvernement.fr)
- by inverting characters in the URL (goolge.com instead of google.com)
- by inserting one or more letters (service-public.fr ➔ services-public.fr)
- using homoglyphs to exploit the similarity of characters, for example "g00gle.com" (with two zeros instead of two "o"s) or "googIe.com", where the "l" is replaced by a capital "I".
- by hyphenation: (leboncoin.fr ➔ le-boncoin.fr)
- by omitting characters from the domain name
- by repeating letters
- by transposition (changes the order of several characters in the domain name)
- using the wrong TLD (top-level domain: the domain extension is replaced)
- ...

Here, typing amazon.net into the address bar takes you to a site selling computer tools that has nothing to do with Amazon. The site takes advantage of Amazon’s reputation to promote itself.
What are the objectives of typosquatting?
Typosquatting may at first seem harmless, but it’s a multi-faceted threat. Its repercussions can go far beyond the simple promotion of a service, as in the previous example.
The objectives vary according to the intentions of the cybercriminals, and the consequences can be more or less serious:
Generate revenue
Some typosquatters exploit typos in URLs to divert traffic and generate visits to a site or redirect pages. By accumulating clicks, they can generate revenue through online sales systems (commission per click), without directly harming the user.
Reputation damage
Companies can use typosquatting to damage the reputation of a competing brand. By creating sites with similar names, they can spread false information or publish damaging content to tarnish the image of the target company.
Phishing and theft of personal information
One of the most common objectives of typosquatting is to trick users in order to steal sensitive personal information, such as login details, passwords or banking information. By creating sites that perfectly mimic the appearance of a legitimate site, cybercriminals trick victims into entering their data without suspecting the fraud. They can then use the data obtained to impersonate users (spoofing).
In some cases, they may also threaten to disclose sensitive information or cause damage unless a ransom is paid.
Financial fraud
Cybercriminals can also use typosquatting to carry out financial scams. By redirecting users to bogus payment or e-commerce sites, they can entice victims to carry out fraudulent transactions.
Malware infection
Typosquatters can also redirect users to sites containing malware, such as ransomware or keyloggers. Once the user arrives at these sites, a simple click or visit can trigger the download of a virus or spyware capable of capturing confidential data or taking control of the device.
How to protect yourself from typosquatting?
To prevent visitors to your site from making mistakes, it’s important to provide ongoing training and make them aware of the risks of spoofing (identity theft).
Advise your staff to access the site via a search engine, or to bookmark it, rather than typing the URL directly or clicking from an unreliable site.
Adopt a proactive strategy
For your part, we advise you to monitor domain name registrations.
Many companies adopt a proactive strategy to guard against cyberthreats by registering domain names close to their own.
The aim is to prevent similar domains from being registered and used for malicious purposes, such as phishing or identity theft. However, the task is far from simple. It’s impossible to manually review all possible combinations of similar domains.
To meet this challenge, EASM (External Attack Surface Management) solutions such as AlgoLightHouse offer a more efficient approach. You’ll be alerted to any suspicious unauthorized use of your brand name or logo. This allows you to take swift action.
Our analysts can continuously monitor all your external perimeters to quickly identify new domain names close to yours that may be hosting phishing sites. To do this, they carry out passive scans. These searches are based on sophisticated techniques such as fuzzing, and are complemented by constant monitoring of the various registrars.

(example of an alert sent via our AlgoLightHouse platform)
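The variation types listed earlier and the registration monitoring described above can be combined into a simple check. The following is an added example, not AlgoLightHouse code or part of the original article: it labels each domain in a constructed feed of new registrations with the technique that relates it to a protected domain. The `HOMOGLYPHS` map, the function names and the feed are assumptions made for illustration.

```python
# Added example. Partial look-alike map (assumption); extend it for your own brand.
HOMOGLYPHS = {"0": "o", "1": "l", "I": "l", "q": "g"}

def _split(domain):
    name, _, tld = domain.partition(".")
    return name, tld.lower()          # keep the name's case: capital "I" matters

def _fold(name):
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name).lower()

def _one_extra(longer, shorter):
    """Index of the one character whose removal from `longer` gives `shorter`, else -1."""
    for i in range(len(longer)):
        if longer[:i] + longer[i + 1:] == shorter:
            return i
    return -1

def classify(candidate, protected):
    """Name the variation relating `candidate` to `protected`, or return None."""
    c_name, c_tld = _split(candidate)
    p_name, p_tld = _split(protected)
    if c_name == p_name:
        return "wrong TLD" if c_tld != p_tld else None
    if c_tld != p_tld:
        return None                   # different name and TLD: out of scope here
    if c_name.replace("-", "") == p_name.replace("-", ""):
        return "hyphenation"
    if _fold(c_name) == _fold(p_name):
        return "homoglyph"
    for i in range(len(p_name) - 1):  # swap each adjacent pair of characters
        if p_name[:i] + p_name[i + 1] + p_name[i] + p_name[i + 2:] == c_name:
            return "transposition"
    i = _one_extra(c_name, p_name)
    if i >= 0:                        # one added character: doubled letter or new one
        doubled = i + 1 < len(c_name) and c_name[i] == c_name[i + 1]
        return "repetition" if doubled else "insertion"
    if _one_extra(p_name, c_name) >= 0:
        return "omission"
    return None

def scan(feed, protected):
    """Map each suspicious domain in `feed` to the technique that matched."""
    hits = {d: classify(d, protected) for d in feed}
    return {d: t for d, t in hits.items() if t}

# Constructed feed of newly registered names, for illustration only.
FEED = ["goolge.com", "g00gle.com", "gooogle.com", "gogle.com", "google.net", "example.com"]

if __name__ == "__main__": print(scan(FEED, "google.com"))
```

Only single-edit variations are recognised, so a name that combines several changes is not flagged by this check.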
Report fraudulent domains
You can also report the fraudulent domain directly to the registrar to investigate its origin and, if possible, suspend it. On the other hand, if you suspect that typosquatting may be linked to illegal activities, you can report the matter to the appropriate authorities, such as law enforcement or Internet regulatory authorities; the Pharos website, for example. The latter is the government’s official platform for reporting illegal online behavior.
Recently, the domain name qouv.fr was registered, and subsequently frozen by AFNIC (Association française pour le nommage Internet en coopération). In fact, the domain name bears a strong and unmistakable resemblance to ‘gouv.fr’, the official extension for French government sites. This case illustrates the importance of continuous monitoring to prevent hackers from hijacking the digital identity of public organizations and institutions.
Conclusion
Protecting yourself from external threats
The threat of typosquatting is very real, and can have serious consequences for companies and users alike. It is essential to take steps to prevent this type of attack. Services like AlgoLightHouse help protect you by detecting these threats through passive, non-intrusive scans.