By dswinhoe, Editor

What is typosquatting? A simple but effective attack technique

Feature | 18 Dec 2020 | 10 mins
Cyberattacks, Security

A type of social engineering attack, typosquatting uses purposely misspelled domains for a variety of malicious purposes.


Typosquatting definition

A typosquatting attack, also known as URL hijacking, a sting site, or a fake URL, is a form of social engineering in which threat actors impersonate legitimate domains for malicious purposes such as fraud or spreading malware. They register domain names that closely resemble those of targeted, trusted entities, hoping to fool victims into believing they are interacting with the real organization.

How typosquatting works

Threat actors can impersonate domains using:

  • A common misspelling of the target domain (CSOnline.com rather than CSOOnline.com, for example)
  • A different top-level domain (.uk rather than .co.uk)
  • Combining the brand with related words in the domain (CSOOnline-Cybersecurity.com)
  • Inserting periods so part of the brand becomes a subdomain (CSO.Online.com)
  • Using similar-looking characters, including accented or non-Latin letters, to disguise the false domain (ÇSÓOnliné.com)
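
The permutation classes above are easy to enumerate mechanically, which is exactly what brand-monitoring and defensive-registration processes do. The following Python is an added example, not code from the article or from Nominet or DomainTools; the homoglyph map, alternative TLD list and keyword list are small constructed samples, only the first label of the domain is mutated, and `to_punycode` relies on nothing beyond Python's built-in `idna` codec.

```python
"""Enumerate lookalike-domain candidates for one legitimate domain.

Added example, not code from the article or from any vendor named in it.
It produces the permutation classes listed above so the output can feed
registration monitoring or a defensive-registration list.
"""
import string

# Constructed confusables, Latin letter -> lookalike(s): Cyrillic а е о с р,
# a Latin-1 é in the spirit of the article's "ÇSÓOnliné", the digit 1 for l,
# l for i, and the two-character "rn" that reads as m in many fonts.
HOMOGLYPHS = {
    "a": ["\u0430"], "e": ["\u0435", "\u00e9"], "o": ["\u043e"], "c": ["\u0441"],
    "p": ["\u0440"], "l": ["1"], "i": ["l"], "m": ["rn"],
}


def split_domain(domain):
    """'csoonline.co.uk' -> ('csoonline', 'co.uk'); only the first label is mutated."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def omissions(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def repetitions(name):
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def transpositions(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def substitutions(name):
    """Every single-letter replacement; goggle.com for google.com falls in this class."""
    return {name[:i] + c + name[i + 1:]
            for i in range(len(name)) for c in string.ascii_lowercase if c != name[i]}


def homoglyph_swaps(name):
    return {name[:i] + glyph + name[i + 1:]
            for i, ch in enumerate(name) for glyph in HOMOGLYPHS.get(ch, [])}


def dotted(name):
    """Insert one dot so the tail of the brand becomes the parent domain: cso.online."""
    return {name[:i] + "." + name[i:] for i in range(1, len(name))}


def keyword_combos(name, keywords):
    return {f"{name}-{kw}" for kw in keywords} | {f"{kw}-{name}" for kw in keywords}


def generate(domain, alt_tlds=("net", "org", "co", "uk"), keywords=("login", "support")):
    """Return {category: set of candidate domains}; the genuine domain is never included."""
    name, tld = split_domain(domain)
    by_name = {
        "omission": omissions(name),
        "repetition": repetitions(name),
        "transposition": transpositions(name),
        "substitution": substitutions(name),
        "homoglyph": homoglyph_swaps(name),
        "subdomain_dot": dotted(name),
        "keyword": keyword_combos(name, keywords),
    }
    result = {cat: {f"{n}.{tld}" for n in names} for cat, names in by_name.items()}
    result["tld_swap"] = {f"{name}.{t}" for t in alt_tlds if t != tld}
    for names in result.values():
        names.discard(domain.lower())
    return result


def to_punycode(domain):
    """IDNA-encode a candidate so homoglyph variants can be queried in DNS or WHOIS."""
    return domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    for category, names in generate("csoonline.com").items():
        print(f"{category:14} {len(names):4} candidates, e.g. {to_punycode(sorted(names)[0])}")
```

The homoglyph candidates only exist on the wire in their punycode (`xn--`) form, which is how they appear in zone files, certificate transparency logs and WHOIS, so anything that consumes this list should compare the encoded form rather than the Unicode string.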

“Can you see the difference between goggle.com and google.com?” says Russell Haworth, CEO of Nominet, which acts as the registry for the .uk domain. “Essentially, typosquatting is a lookalike domain with one or two wrong or different characters with the aim of trying to trick people onto the wrong webpage.”

Registering a domain is quick and easy, and attackers can register several variations of the legitimate target domain at once. Typosquatted domains can be the whole of an attack or one part of a larger campaign, serving these purposes:

Extortion: Sell the typo domain back to the brand owner.

Ad fraud: Monetize traffic from mistyped URLs with advertising, redirect users to competitors, or redirect traffic back to the brand itself through an affiliate link, earning a commission on every click.

Information theft: Harvest credentials and sensitive information either via phishing email or copied sites’ login pages, or harvest misaddressed email messages.

Malware delivery: Install malware or offer malicious software downloads.

Activism: Paint the targeted domain owner in a negative light, a use of typosquatting that is particularly common with political domains.

“The motivation is almost always financial in the end,” says Tim Helming, security evangelist at DomainTools, “though geopolitical motives can’t be dismissed either. The endgame is usually theft of money, intellectual property, or other valuable data that can be sold or held for ransom. In some cases, typosquatted domains can be used in various attack campaign stages to achieve geopolitical objectives, such as network intrusion or data exfiltration.”

How common is typosquatting?

Typosquatting is not new, and the robust digital economy has meant interest in this type of attack rarely wanes. Helming says his company sees hundreds of squatting domain attempts every day. “In the last 24 hours I observed 11 domains spoofing iCloud, and several of them included the term “support,” which strongly hints at credential harvesting,” he says. “The iCloud is just a single term. Multiply this by the hundreds or thousands of well-known company names out there and you can see how extensive this activity is. Since it can affect firms of any size, you’re really then looking at hundreds of thousands of potential mimicry victims.”

2020 has seen many domain-spoofing attempts relating to the COVID-19 pandemic. DomainTools reports that more than 150,000 new, high-risk COVID-19-themed domains have been registered since December 2019. “The most valuable space in the internet is .com, which means it is also the most valuable space to carry out typosquatting,” says Nominet’s Haworth. “The industry’s most attractive domains for typosquatters to target are financial institutions or organizations that sell medicine. Fast-moving consumer retail goods are also popular to target, so people should be particularly careful when logging into these types of sites or receiving emails with links to them.”

Likewise, this year’s US presidential election was a ripe target for squatting. In one report, Digital Shadows found more than 500 squatted domains relating to presidential candidates. That 66 of them were hosted on the same IP address, and possibly operated by the same person, shows how easy it is to launch such attacks at scale. Six domains in the report redirected to Google Chrome extensions for a “file converter” or “secure browsing” that, if downloaded and installed, could be used to infringe on voter privacy and potentially deploy malware.

Helming says the practice of squatting domains has changed very little in recent years. The shift to HTTPS has added some workload for actors running typosquatted domains, but self-service certificates mean this isn’t a large effort; a valid certificate and padlock icon prove only that the connection to whoever controls the domain is encrypted, not that the domain is the genuine one. The introduction of generic top-level domains provides a larger namespace for squatting, though such domains look unusual to many users, which can reduce the likelihood of success.

How to stop typosquatting attacks

Typosquatting can be difficult to combat because defenses ultimately rely on people spotting an erroneous domain. CISOs should ensure that employees are aware of and educated about typosquatting: what to look out for, the ways key domains could be spoofed, both their own and those of organizations in the company’s supply chain, and why.

Domain registries and registrars have no “guard rails” to prevent malicious registrations of lookalike or typo domains, so registration is simple and inexpensive, says Helming. “Names can be registered that look visually almost indistinguishable from legitimate names—even when looking very carefully.”

Some vendors offer services to find potentially spoofed domains. The Uniform Domain-Name Dispute-Resolution Policy (UDRP), adopted by ICANN and administered by providers including the World Intellectual Property Organization (WIPO), allows trademark holders to file complaints against typosquatters and reclaim the domain. Helming explains that UDRP doesn’t reach the actors who registered the domains, but it allows registrars to seize control of the illicit domains.

Taking down spoofed domains often requires legal action and law enforcement. In 2018 Microsoft obtained a court order to shut down domains thought to be operated by the Russian-affiliated Fancy Bear group (also known as APT28) and designed to impersonate political groups. This year the US Justice Department says it has closed down hundreds of pandemic-related fraud domains.

“The criminals will effectively never be responsive to legal actions,” says Helming. “Attribution can be very challenging, and these actors know how to cover their tracks. Sometimes legal action (or threats of it) can be more effective against the infrastructure companies that host the nefarious domains.”

Companies can also register lookalike variants of their own domains preemptively, denying them to squatters and redirecting any visitors to the correct URL. “This is typically known as a defensive registration and is a legitimate form of typosquatting,” explains Haworth. “For example, Microsoft owns more than a dozen domains with variations of their brand name to prevent such attacks.”
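
Awareness training and defensive registration cover the variants a company thinks of in advance; the rest have to be caught as they appear. The Python below is an added example for this defense section, not code from Nominet, DomainTools or the article. It reduces each observed domain to an ASCII "skeleton" (punycode decoded, accents stripped, known confusables folded back to Latin letters) and compares the result with a list of protected brands. Assumptions: the final label is treated as the TLD (a real deployment would use the Public Suffix List), the confusables map is a small constructed sample rather than the full Unicode confusables table, and the feed of domains is constructed.

```python
"""Flag lookalike domains in a feed of newly observed registrations.

Added example, not code from the article or from any vendor named in it.
"""
import unicodedata

# Constructed confusables: lookalike -> ASCII. Cyrillic а е о с р х and two
# digits that pass for letters; "rn" and "vv" are folded as pairs.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
               "\u0440": "p", "\u0445": "x", "1": "l", "0": "o"}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(label):
    """Fold one DNS label to the ASCII string a human would read it as."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    decomposed = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for pair, single in MULTI_CONFUSABLES.items():
        label = label.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def edit_distance(a, b):
    """Optimal string alignment distance: an adjacent swap costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _name_and_tld(domain):
    labels = domain.lower().strip(".").split(".")
    # Everything left of the TLD with dots removed, so "cso.online.com" reads "csoonline".
    return "".join(skeleton(l) for l in labels[:-1]), labels[-1]


def classify(domain, protected, max_distance=1):
    """Return (brand, reason) if the domain looks like a protected brand, else None."""
    if domain.lower() in {b.lower() for b in protected}:
        return None
    name, tld = _name_and_tld(domain)
    if not name:
        return None
    for brand in protected:
        b_name, b_tld = _name_and_tld(brand)
        if name == b_name:
            if tld == b_tld:
                return brand, "visually identical name (homoglyph, accent or inserted dot)"
            return brand, "same name, different TLD"
        if edit_distance(name, b_name) <= max_distance:
            return brand, "one edit away (typo or transposition)"
        if len(b_name) >= 5 and b_name in name:
            return brand, "brand embedded in longer name"
    return None


def scan(feed, protected):
    """Return [(domain, brand, reason)] for every flagged entry in the feed."""
    hits = []
    for domain in feed:
        result = classify(domain, protected)
        if result:
            hits.append((domain, *result))
    return hits


PROTECTED = ["csoonline.com", "google.com"]

# Constructed feed standing in for a newly-registered-domains or CT-log export.
FEED = [
    "csoonline.com",                                      # the genuine domain
    "goggle.com",                                         # Haworth's example
    "cs\u043eonline.com",                                 # Cyrillic о for o
    "csoonlin\u00e9.com".encode("idna").decode("ascii"),  # as punycode in a zone file
    "cso.online.com",                                     # inserted dot
    "csoonline.uk",                                       # TLD swap
    "csoonline-support.com",                              # brand plus keyword
    "csoonlien.com",                                      # transposition
    "example.org",                                        # unrelated
]

if __name__ == "__main__":
    for domain, brand, reason in scan(FEED, PROTECTED):
        print(f"{domain:40} -> {brand}: {reason}")
```

Plain Levenshtein distance scores a transposition such as csoonlien.com as two edits, so a threshold of one would miss it; the optimal string alignment variant above counts an adjacent swap as one. Short brand names produce false positives under the embedded-name rule, which is why it is gated on a minimum length, and every hit still needs a human or a registration-date check before a takedown request is filed.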

Typosquatting open-source libraries

A newer form of typosquatting exploits software supply chains through open-source libraries. Attackers create malicious packages whose names closely resemble those of legitimate packages and publish them to public registries such as npm. “Typosquatting is a fairly rare situation, but the impact can be large, making the creation of malicious open-source components a viable attack pattern,” says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.

For example, if there is an open-source component named “set-env” that is used to set the operating environment for an application built for a specific framework, an attacker could create a clone of that project named “setenv” that includes their malicious code. “The attacker is targeting a lack of familiarity with a development framework within a team and creates a component that on the surface solves a valid problem,” Mackey says. “They then embed a malicious aspect into the code and both promote the existence of their component and rely on developers to discover their component.”

If the two projects look otherwise identical, it is easy for a developer to confuse them, so the attack effectively exploits a mistake in how dependencies are declared rather than a flaw in the software itself. It is difficult to detect when a corrupted component is in use, more so because attackers can publish the malicious component to the mainstream package repositories that build tools trust by default.

“Attackers research the most commonly used software packages,” says Ax Sharma, senior security researcher at Sonatype. “They then craft malicious apps and publish them to an open-source software repository under a name that is identical to that of a popular package. Skilled attackers may employ additional evasive tactics, such as obfuscating their malicious code, hiding it in minified JS files, and even making their malicious copycat app pull the legitimate package whose name they are typosquatting as a dependency, so as to remain undetected.”

A recent example was a set of malicious JavaScript packages uploaded to the npm registry that opened shells on the computers of developers who imported them into their projects. Mackey explains that plutov-slack-client purported to provide a JavaScript Slack interface for Node.js applications but in reality opened an external connection, potentially allowing an attacker entry to the server running the application. “While plutov-slack-client was only available for a few weeks, it was downloaded hundreds of times, meaning the attackers potentially had access to the data of hundreds of victims.”

Though the intent can vary, Mackey says threat actors can use this type of attack to execute code for credit card skimming, deliver spam, or run phishing campaigns. In September, malicious packages were discovered that uploaded user details to a GitHub page, and npm has published a number of advisories about malicious packages in recent months, including a Discord-themed package containing a Trojan that collected data. Another example from the past year is the more than 700 typosquatted RubyGems that used names mimicking those of commonly used gems.

Sonatype’s Sharma warns that successful attacks result in a polluted open-source ecosystem that can cause significant damage. A successful attack could cascade a threat actor’s malware downstream to many victims, he says, “as the impact would extend far beyond just developers who download the typosquatting package into their builds. Any customer who then installs the developer’s packages encapsulating the typosquatted copycat is now also impacted.”

Defending against such attacks can be difficult, especially for open-source projects run by small teams or solo developers who lack the resources to track lookalike package names or domains, or to act against them. “Since most open-source software is created by independent developers attempting to solve technical problems,” says Mackey, “they typically have neither the skills nor the time to manage the brand their project is creating until it becomes sufficiently popular as to warrant inclusion in a major foundation.”

“While the open-source community and maintainers of package management repositories do take action when they learn of malicious components,” Mackey says, “attackers rely on the window of opportunity created between the start of their attack and public knowledge of the malicious component to maximize their profit.”

Mackey advises companies to keep a comprehensive inventory of the components used by all software in the organization, to audit against it so that only approved components are in place, and to run the same validation whenever a new component is introduced.
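
An inventory is only useful if something enforces it at the point where dependencies enter a build. The Python below is an added example illustrating the inventory-and-audit advice above and the “set-env” versus “setenv” case earlier in this section; it is not code from Synopsys, Sonatype or the article. It reads a package.json-style manifest, refuses anything not in the approved inventory, and separately reports names that are near-misses of approved packages so a lookalike is surfaced as a suspected typosquat rather than an ordinary unreviewed dependency. The approved inventory, the sample manifest and its dependency names are constructed.

```python
"""Audit a dependency manifest against an approved-component inventory.

Added example, not code from the article or from any vendor named in it.
"""
import difflib
import json
import re

# Constructed inventory of components the organisation has reviewed.
APPROVED = {"set-env", "express", "lodash", "react"}

# Constructed manifest: one genuine dependency, two lookalikes, two unknowns.
SAMPLE_MANIFEST = json.dumps({
    "name": "internal-dashboard",
    "dependencies": {
        "express": "^4.18.0",
        "setenv": "^1.0.0",              # punctuation-only variant of set-env
        "lodahs": "^4.17.21",            # transposed letters in lodash
        "plutov-slack-client": "^1.0.0"  # not a lookalike, simply never reviewed
    },
    "devDependencies": {"jest": "^29.0.0"},
})


def canonical(name):
    """Lower-case, drop an npm scope and all separators: '@x/Set_Env' -> 'setenv'."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return re.sub(r"[-_.]", "", name)


def declared_dependencies(manifest_json):
    """Flatten dependencies and devDependencies into {name: version_spec}."""
    manifest = json.loads(manifest_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    return deps


def audit(manifest_json, approved, cutoff=0.8):
    """Sort each dependency into approved, suspected typosquat, or unreviewed."""
    canon_to_approved = {canonical(n): n for n in approved}
    report = {"approved": [], "suspected_typosquat": [], "unreviewed": []}
    for dep in sorted(declared_dependencies(manifest_json)):
        if dep in approved:
            report["approved"].append(dep)
            continue
        c = canonical(dep)
        if c in canon_to_approved:
            # Differs from an approved name only by case, scope or punctuation.
            report["suspected_typosquat"].append((dep, canon_to_approved[c]))
            continue
        close = difflib.get_close_matches(c, list(canon_to_approved), n=1, cutoff=cutoff)
        if close:
            report["suspected_typosquat"].append((dep, canon_to_approved[close[0]]))
        else:
            report["unreviewed"].append(dep)
    return report


def is_allowed(report):
    """CI gate: only a manifest made entirely of approved components passes."""
    return not report["suspected_typosquat"] and not report["unreviewed"]


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, APPROVED)
    for key, items in result.items():
        print(f"{key}: {items}")
    print("build allowed:", is_allowed(result))
```

The two buckets call for different responses: a suspected typosquat is a likely attack and should be reported to the registry and to whoever owns the genuine package, while an unreviewed dependency is a process gap that blocks the build until someone adds the component to the inventory. Names that slip past the similarity threshold are still caught by the allowlist, which is why the allowlist, not the fuzzy match, is the control that actually enforces the inventory.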