Typosquatting - Why Missing Your Mark Can Be Costly
It’s happened to all of us - you’re on the web taking care of some banking, ignoring your friends’ birthdays on Facebook and catching up on the latest memes. You click on your browser’s address bar and type in wellsfargoo.com. Even though you’ve mentally caught the mistake, your body’s subconscious decision to smash the enter key executes before you can pull away. Three seconds later you’ve got an ad-filled webpage screaming at you to call Microsoft support.
Naturally you freak out, pull the power plug on your device (even though it’s a laptop), throw it out the window, and then tweet about your near-death experience. In the security realm, we use the term squatting to describe an attacker lying in wait to bait victims into various traps. This particular variant is known specifically as typosquatting and preys on speed-demon and fat-fingered typists alike. So just how prevalent is this? How likely are you to fall victim to this if you miss your mark? Short answer - very.
As of April 2018, these are the most-visited websites by users in the US¹:
Average time spent on these sites ranges from about 5-10 minutes, with multiple visits being tallied per person, per day. To demonstrate just how common phony sites can be, I’ll be using a tool developed by Marcin Ulikowski called dnstwist. This is an application written in Python that generates plausible misspellings of a domain and checks which of them are actually registered, which is how it discovers these fake websites. As holds true with much of the information and tools available in the security realm, it can also be used maliciously to automate the process of spotting available domain names that can be turned into typosquatting sites. So let’s begin. Here’s a comprehensive list of spinoffs for each of the five sites above:
Google.com - Total count: 229
Youtube.com - Total count: 259
Facebook.com - Total count: 266
Wikipedia.org - Total count: 301
Reddit.com - Total count: 201
Obviously you got the point after the first image so the horrifically extensive list was unnecessary, but it further drives home the fact that this kind of stuff exists. What happens if we actually visit one of these sites? Are our computers infected? Is our personal information at risk? Here’s what I found:
Generally these webpages are redirecting you to other sites, or are simply posing as the real thing in an attempt to exfiltrate your personal data. If you don’t interact with the website, outside of browsing to it, chances are you’ll be fine. Venture any further, however, and it’s probable your computer will be compromised. All hope isn’t lost entirely, though. If you have a keen eye and a technical inclination, you may have noticed that many of the addresses listed earlier appear to be owned by the legitimate sites themselves, likely as a way to combat this deceptive activity. Try it for yourself - browsing to www.gooogle.com delivers you to the real thing.
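To show how a tool like dnstwist arrives at lists of the size above, and how a site owner can check which of those spellings it has already registered defensively (the point made about www.gooogle.com), here is a small permutation generator. It is an added example written for this post, not dnstwist’s own code: it models four classic typo classes (omitted character, transposed neighbours, repeated character, and adjacent-key replacement on a QWERTY layout), mutates only the label before the first dot, and does no DNS lookups, so it runs offline. The `OWNED_DEFENSIVELY` set is a constructed sample standing in for the domains a brand actually holds.

```python
"""Typosquat candidate generator (added example; not dnstwist's code).

Generates misspellings of a domain's registrable label across four typo
classes and reports which candidates a brand has not yet registered itself.
No network access is performed; registration data is a constructed sample.
"""

# Simplified QWERTY neighbour map for the "replacement" class.
# Assumption: letters only; dnstwist's own map is more complete.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Constructed sample: typo domains the brand is assumed to own already.
OWNED_DEFENSIVELY = {"gooogle.com", "gogle.com"}


def split_domain(domain):
    """Split 'google.com' into ('google', 'com'); only the label is mutated."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def omissions(label):
    """Drop one character: google -> gogle, goole, ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label):
    """Swap two adjacent, distinct characters: google -> googel, ..."""
    return {
        label[:i] + label[i + 1] + label[i] + label[i + 2:]
        for i in range(len(label) - 1)
        if label[i] != label[i + 1]
    }


def repetitions(label):
    """Double one character: google -> gooogle, ..."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def replacements(label):
    """Replace one character with a physically adjacent key: google -> googke, ..."""
    out = set()
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + neighbour + label[i + 1:])
    return out


def typosquat_candidates(domain):
    """Return {typo_class: set(of candidate domains)} for one domain."""
    label, suffix = split_domain(domain)
    classes = {
        "omission": omissions,
        "transposition": transpositions,
        "repetition": repetitions,
        "replacement": replacements,
    }
    return {
        name: {f"{cand}.{suffix}" for cand in fn(label) if cand and cand != label}
        for name, fn in classes.items()
    }


def total_count(domain):
    """Count distinct candidates across all classes (like the 'Total count' lines)."""
    all_candidates = set().union(*typosquat_candidates(domain).values())
    return len(all_candidates)


def unprotected(domain, owned=OWNED_DEFENSIVELY):
    """Candidates the brand has not registered itself, sorted for reporting.

    A defender would feed this list to a WHOIS/DNS check or a monitoring service.
    """
    all_candidates = set().union(*typosquat_candidates(domain).values())
    return sorted(all_candidates - owned)


if __name__ == "__main__":
    for cls, cands in typosquat_candidates("google.com").items():
        print(f"{cls:14s} {len(cands):3d}  e.g. {sorted(cands)[:3]}")
    print("total:", total_count("google.com"))
    print("not yet registered defensively:", len(unprotected("google.com")))
```

The counts this produces are smaller than the ones listed above because dnstwist also models additional classes (homoglyphs, hyphenation, vowel swaps, alternative TLDs and more); the mechanism is the same, and the `unprotected` list is the part a site owner actually acts on.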
How to protect yourself
Measure twice, cut once. This age-old adage holds true for our scenario. Look and think before you click and you’ll never find yourself in a pinch. Many popular web browsers also include built-in safety features that will alert you prior to taking you to a known-malicious site. Alternatively, you can simply use a search engine to locate sites when you’re unsure of the spelling. The same rules apply here, however. Ensure what you’re clicking on is the real deal, and not ads or phishing sites. You can verify the legitimacy of a website by submitting its address over at VirusTotal. If you fear the worst has happened and believe your device has actually been compromised, check out my malware removal guide. Always remember that you have complete control over your data and who has access to it. Everything you submit in an email, instant message, login form and text box is cached for the service provider to see and potentially use. Don’t let yourself be coaxed into giving out unwarranted information about yourself or your loved ones.
¹ - Analytics provided by Alexa. More information here.