Previously, we talked about Cybersquatting (or Domain Squatting) and the fact that not all cybersquatting is malicious. Sometimes the domain names are just similar to other companies from across the world.

Typosquatting, however, is more purposeful. It is a type of cybersquatting that aims to take advantage of common typographical errors made when a user inputs a URL into their web browser. These domains are generally not created for sales purposes. The typosquatter’s URL will usually fall under one of the following categories; all of them similar to the victim’s website address:

In the following examples, the legitimate website is “example.com”.

• A common misspelling, or foreign language spelling, of the intended site: ”exemple.com”
• A misspelling based on typographical errors: “examlpe.com”
• A differently phrased domain name: “examples.com”
• A different top-level domain: “example.org”
• An abuse of the Country Code Top-Level Domain (ccTLD): “example.cm” A person leaving out the letter “o” in “.com” in error could arrive at the fake URL’s website.

Once at the typosquatter’s website, the user may also be tricked into thinking that they are on the real site; through the use of copied or similar logos, website layouts or content.

Typosquatting itself can be very difficult to remove, as typosquatters register misspelt versions of popular domains in the hope that they will be able to make money out of traffic from unintentional typing mistakes, or fat-finger errors, made by internet users. Whether it directs you to a malicious or perfectly legitimate site is up to the owner/operator of the typosquatting website.

Much like cybersquatting, a company could try protecting itself by buying common misspelt versions of their name, however, this could run into the thousands, if all alphabetical possibilities were considered. Things get even more complicated if numerical characters that could pose as letters are included.

Typosquatting Analysis

A recent study undertaken by Paul Ducklin (from IT Security firm, Sophos) revealed some interesting results when analysing typosquatting for six popular brand names: Facebook, Google, Twitter, Microsoft, Apple and, his own employer, Sophos. To keep things simple, he only looked at typos where one alphabetic character in the company name was different: one letter omitted, one letter mistyped, or one letter added. Typos involving numbers or punctuation marks were ignored.

Paul generated all possible one-character mistakes in the “http://www.companyname.com” form of the six domains. That produced 2249 unique site names, from “http://www.pple.com”, through “http://www.facemook.com”, to “http://www.twitterz.com”. He then used Sophos, as a baseline of how many typosquats a regular business domain would expect to have. Sophos don’t have thousands of users attempting to visit their URL, however, they do have a few squatters (56 out of 333, or 16%) hoping for occasional search traffic or for the chance to sell on a domain name. Figures for the other brands were significantly higher: Microsoft typosquats were at 61%, Twitter 74%, Facebook 81%, Google 83% and Apple at 86%. There is clearly a considerable typosquatting ecosystem around high-profile, frequently-typed domain names.

Surprisingly, out of the many typosquatted URLs, only one of them contained malware. Regardless of this, typosquats are not to be taken lightly. There is still risk involved.

384 of the typosquat URLs (2.7%) fell into the loose category of cybercrime. That means they have an association with hacking, phishing, online fraud or spamming. And 354 of the URLs (2.4%) were adult or dating sites. Even though you may tolerate adult sites yourself, you don’t want to expose your workplace or your children to them. Typosquatters, on the other hand, don’t care about this.

Predictably, 15% of the URLs were tagged as advertising sites and popups, with the USA hosting nearly two-thirds of the servers providing a home to the typosquat URLS. Germany, China and the UK were next on the list.

Bait & Switch is another simple trick used by typosquatters. If you mistype “http://www.apple.com” you’ll see an Apple-like page. The page appears to offer you iTunes software downloads for Windows and Mac.

The “Download iTunes” button is the bait. There is, in fact, no iTunes download. Instead, if you click the button, you are whisked off to an mp3helpdesk site, which claims to be offering you “unlimited downloads for just $0.99 a month”. In reality, you are paying for access to technical help forums for a selection of free file sharing and audio/video software.

Brand abuse was rife amongst the tested samples, with typosquat domains trying to imitate the real thing. Google was the most commonly-abused brand, since it is easy for a third-party site to present a Google-like search page and use Google’s search engine behind the scenes.

This sort of brand abuse can be quite lucrative. By presenting sponsored links as organic search results, the fake site can earn click-through revenue more readily. The brand abusers can also hide their inorganic and even unrelated links amongst otherwise-high-quality results. By visually presenting its supposed search engine as a well-known brand, the fake site doesn’t even look like a typosquat.

Conclusions

Whilst mistyping popular domain names doesn’t seem to pose immediately danger, there are still plenty of risky URLs you can be exposed to, simply by visiting a typosquat domain. Cyber-crime and adult sites rank highest as a typosquatter’s weapon of choice and these URLs should be blocked, at least in the workplace or around children. However, even with browser protection in place, it is almost inevitable that you will end up on an unintended website from time to time. That’s because the scale of the typosquatting industry is just so large: over 80% of all possible one-character variants of the domains of Facebook, Google and Apple are both registered and resolved.

If you do inadvertently find yourself on an unexpected page, due to a typographical error, don’t be tempted to click anything on that page, even if you appear to be offered a link to your intended destination. At their best, typosquatters leading you to parked domains are just trying to make money by capitalising on your errors. At their worst, typosquatters try to give you a false sense of security, so they can mislead you into unintended and possibly risky online actions.