Have you ever seen a website that looked almost identical to a popular site you know, but something just seemed off? You may have seen an example of typosquatting.
This sneaky online tactic involves creating websites with names that closely resemble well-known brands, often by introducing a small error or using similar-looking characters. This may sound harmless, but it can be incredibly dangerous if people don't know what to look out for.
In this article we’ll explore what typosquatting is, real-world examples of the cybercrime in action, and how to defend against it.
What is Typosquatting?
Typosquatting is a cybercrime where attackers register domain names that are very similar to legitimate websites, often with just a slight misspelling. Also known as URL hijacking or sting siting, its goal is to trick victims into visiting a malicious website when they make a typo in the address bar.
Cybercriminals will purchase domain names with common misspellings of popular websites, such as “Faceboook.com” instead of (e.g., "Facebook" instead of "Google.com"). Once the user is on the fake website, users may be tricked into entering personal information or downloading malicious software.
Businesses are also at risk from typosquatting. Not only can it damage a company's reputation but it can also lead to significant financial losses. When cybercriminals create fake websites that mimic popular brands, customers may share sensitive information or make fraudulent purchases.
When customers enter a fake version of a website, it can erode trust in the brand. This damage to reputation can lead to a loss of customers and revenue.
If customers unknowingly share sensitive information on a fake site, the business may be held responsible for the data breach. Typosquatting can disrupt operations by diverting traffic away from the legitimate website, impacting sales and customer service.
What is an example of typosquatting?
Typosquatters have become increasingly sophisticated in their tactics however there are often a few key techniques they utilize:
- Relying on common typos: These are the most straightforward, such as replacing an "o" with an "0" or deleting a letter.
- Using Homoglyphs: Homoglyphs are characters that look similar to others, such as "l" and "I" or “e” and“ė”.
- Domain hijacking: This involves registering domains that are similar to popular brands but with different endings like .net or .org instead of .com.
- IDN homograph attacks: These use characters from different alphabets that look like Latin characters, but represent different letters when encoded.
Is Typosquatting Illegal?
While laws vary by location, many countries have enacted legislation to protect trademarks and consumer rights from typosquatting.
For example, the Anti-Cybersquatting Consumer Protection Act (ACPA) is a US federal law used to combat typosquatting. It prohibits registering, trafficking in, or using a domain name to profit from the goodwill of a trademark.
Typosquatting can be considered trademark infringement if it confuses consumers and dilutes the value of the original brand.
Most countries have consumer protection laws that prohibit deceptive trade practices, which can include typosquatting.
How to defend against typosquatting?
Typosquatting attacks are sneaky but you can take steps to minimize their impact. The simplest way to do the most obvious- always double check your website address before entering any information and be on the lookout for anything suspicious like misspellings or incorrect domain extensions.
Ensure all your devices are protected with up-to-date antivirus and anti-malware software as well as ensuring your devices are up to date with any software updates. Be wary of clicking on links in emails and messages, even if they appear to be from legitimate sources.
Businesses can purchase the domains of common misspellings of their brand name and redirect users to their legitimate website and prevent cybercriminals from acquiring them.
Domain Name System Security Extensions (DNSSEC) can help verify the authenticity of domain names. Domain registration tracking tools can also be used to ensure you stay on top of domain registrations that are similar to your brand.