
Typosquatting Leads To User Compromise


By: Gabriel Schram

July 9, 2021

Cybercriminals take advantage of user error through active social engineering campaigns and imposter websites. Typosquatting, also called URL hijacking, is an attack centered around a fake, malicious website whose URL closely resembles that of a popular site, for example, gogle.com instead of google.com. Threat actors count on a user misspelling the legitimate address and landing on their malicious website instead. However, its tactics, techniques, and procedures have evolved and now also include phishing emails, drive-by downloads, malicious links, and multiple other delivery methods.

An important consideration is how typosquatting differs from cybersquatting. Cybersquatting refers to registering a web domain that an established business or organization has not yet bought, with the aim of selling it to that business or organization for a profit. It is not necessarily a security threat.

Common Techniques

The foundation of a successful typosquat campaign is the appearance of the misspelled domain. Campaigns may also include methods of luring users onto the illegitimate site. The most popular ways threat actors do this include:

  • Adding or Subtracting Characters - Removing or adding one or more characters from the URL. Inserting periods, hyphens, slashes, or even related words into the legitimate domain are all possible modifications. Examples include www.cybrrary.it/, www.cybary.it/, www.cybrary-security.it/, and wwwcybrary.it/. These spellings are incorrect, but they look and sound similar to the legitimate site. The correct version is www.cybrary.it/.

  • Character Switch - Swapping the positions of one or more characters in a website name.

  • Character Substitution - Replacing one or more characters with others that look similar.

  • Top Level Domain Switch - Changing the end of a URL. Top-level domains include .gov, .org, .com, .uk, etc. For the site above, this technique would produce www.cybrary.com/ or www.cybrary.org/ in place of www.cybrary.it/.

  • Phishing - Phishing is a social engineering attack in which the attacker crafts and sends emails containing links that direct users to the illegitimate website.
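The variants listed above can be generated mechanically, which is how defenders monitor DNS or proxy logs for lookalike domains and decide which ones to register pre-emptively. The following Python is an added example, not code from the article or from Cybrary; the domain cybrary.it, the related-word list, the look-alike character table and the DNS log lines are constructed for illustration.

```python
"""Lookalike-domain detector for the techniques above (added example, not from
the article): generate variants of a legitimate domain and flag DNS log hostnames
that match one. The domain, word list and log lines are constructed."""
from collections import Counter

LOOKALIKES = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
TLDS = ("com", "org", "net", "co")


def typosquat_variants(domain: str, words=("security", "login")) -> set[str]:
    """Lookalikes built with the add/remove, switch, substitute, TLD and hyphen tricks."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                # character removed
        names.add(name[:i] + name[i] + name[i:])          # character doubled
        if name[i] in LOOKALIKES:                         # look-alike substitution
            names.add(name[:i] + LOOKALIKES[name[i]] + name[i + 1:])
        if i + 1 < len(name):                             # adjacent characters switched
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    names.update(f"{name}-{w}" for w in words)            # hyphen plus a related word
    names.add("www" + name)                               # missing dot after www
    variants = {f"{n}.{tld}" for n in names}
    variants.update(f"{name}.{t}" for t in TLDS if t != tld)  # top-level domain switch
    variants.discard(domain.lower())
    return variants


def flag_lookalikes(domain: str, log_lines) -> Counter:
    """Count queries whose hostname (ignoring a leading www.) is a variant of `domain`."""
    variants = typosquat_variants(domain)
    hosts = (line.split()[-1].lower().rstrip(".") for line in log_lines if line.strip())
    return Counter(h for h in hosts if (h[4:] if h.startswith("www.") else h) in variants)


# Constructed DNS query log: timestamp, client IP, record type, hostname.
SAMPLE_LOG = """\
2021-07-09T10:00:01 10.0.0.5 A www.cybrary.it
2021-07-09T10:00:07 10.0.0.9 A cybary.it
2021-07-09T10:01:13 10.0.0.5 A cybrrary.it
2021-07-09T10:01:40 10.0.0.3 A cybarry.it
2021-07-09T10:02:05 10.0.0.3 A cybr4ry.it
2021-07-09T10:02:44 10.0.0.7 A cybrary-security.it
2021-07-09T10:03:02 10.0.0.7 A wwwcybrary.it
2021-07-09T10:03:30 10.0.0.2 A cybrary.com
2021-07-09T10:04:10 10.0.0.2 A example.org
2021-07-09T10:04:55 10.0.0.9 A cybary.it
""".splitlines()
```

Running `flag_lookalikes("cybrary.it", SAMPLE_LOG)` flags every hostname except the legitimate www.cybrary.it and the unrelated example.org; the same candidate set can be fed to a registrar or certificate-transparency watch list.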

Motivation Behind Typosquatting

The motivation behind typosquatting varies with the malicious actor behind the scam. These motivations are:

  • Information Gathering- False websites gather information from the end-user accessing the malicious domain. Users could potentially input their personally identifiable information.

  • Fraud - Threat actors who exploit typosquatting for financial gain are likely using their fake websites to achieve that goal. Typosquatters can host advertisements from businesses that believe the website is legitimate. This type of exploitation can also take the form of online purchases made by users who visit the fake platform. That is fraud, but it is also an opportunity to gather user information.

  • Malware Delivery - The attacker infects end users with malware via drive-by downloading, an unintentional download of malware onto a target device. After a user visits a malware-loaded illegitimate website, security gaps on the visiting machine enable the attacker to exploit it and deliver the payload.

Mitigation

First and foremost, users need to be aware of these social engineering campaigns and be cautious when visiting unknown websites. An SSL certificate allows the browser to establish an encrypted connection to the web server; Transport Layer Security (TLS), the protocol that succeeded SSL, is what protects user data in transit when browsing the web today. To determine whether a website has a valid certificate, examine the URL bar and check for the small padlock icon shown in Figure 1. It is a sign that the website is most likely legitimate, but the padlock only confirms that the certificate matches the domain shown in the address bar, so the domain name itself still has to be read carefully: a typosquatted site can obtain its own valid certificate. Users can click on the padlock for more information about the website's certificate.

Figure 1. Determining a Valid SSL Certificate

Additionally, websites whose URL starts with https:// instead of http:// are most likely using a valid SSL certificate. To ensure a safe online session and avoid a fake website, check for a valid certificate and invest in social engineering awareness training. Drive-by downloads are prevented by keeping systems and applications up to date and securely configured; insecure systems are vulnerable to known variants of malware. Overall, typosquatting is becoming more relevant with the push for remote work and the growth of web application development.

