At Cyfirma, our mission is to keep you informed about the latest and most prevalent threats and techniques employed by malicious actors to exploit organizations and individuals. In this report, we delve into the insidious technique known as typosquatting. Although seemingly simple and commonplace, this technique harbours significant risks that can profoundly affect both individuals and organizations. This report provides an in-depth analysis of typosquatting techniques, a deceptive practice used by attackers to exploit users’ typing errors and redirect them to malicious websites.
The consequences for victims of typosquatting attacks can be severe, ranging from financial loss to identity theft. Moreover, organizations targeted by typosquatters may suffer reputational damage, because fraudulent activity becomes associated with their brand. To mitigate the risks associated with typosquatting, the report also recommends several preventive measures.
Typosquatting, also known as URL hijacking or domain mimicry, exploits the typing errors made by internet users when entering website URLs, aiming to redirect them to malicious websites. Attackers register domain names that closely resemble popular or legitimate websites, capitalizing on common misspellings or slight variations. These fraudulent sites deceive users by mimicking the appearance and functionality of legitimate sites, leading them to unknowingly engage in malicious activities.
By luring unsuspecting users to typosquatted websites, threat actors can execute various malicious actions, including phishing scams, malware distribution, and unauthorized data collection. Users may be prompted to disclose sensitive information, such as login credentials or financial details, under the false pretence of interacting with a genuine website. This exposes individuals to identity theft, financial loss, and other security breaches, while organizations targeted by typosquatting attacks face reputational damage as users associate fraudulent activities with their brands.
Typosquatting is a prevalent cybercrime technique, where hackers register misspelled or variation domain names to deceive visitors and redirect them to alternative, often malicious, websites. Users may land on these sites through mistyped URLs or phishing attacks. The impact of typosquatting extends beyond individual users, affecting business owners as well. Every visitor stolen by these malicious sites represents a potential lost customer for legitimate companies.
Purchase of Misspelled or Impersonated Domains: Cybercriminals acquire domain names that are intentionally misspelled versions of popular websites. They may even purchase multiple variations of the misspelled domain to increase the chances of capturing unsuspecting visitors. For instance, instead of purchasing “flipkart.com,” the typosquatter might buy “fllipkart.com” or “fliipkart.com or flipcart.com”.
User Engagement: Typosquatting domains become dangerous when real users visit them. This can occur in two ways:
Mimicking Legitimate Websites: To deceive users further, typosquatted websites are designed to mimic the appearance and functionality of the legitimate counterparts. This includes using the real organization’s logos, design elements, and content. Unsuspecting users may not realize they are on a fake website, making them vulnerable to providing sensitive information.
Data Theft and Account Compromise: Typosquatted sites are frequently used in phishing attacks to trick users into divulging their personal information. Users who enter their personal information, such as usernames, passwords, or financial details, on typosquatted sites unknowingly provide access to cybercriminals. If victims reuse the same credentials across multiple platforms, their other online accounts become vulnerable to compromise.
Other Malicious Activities and Threats:
Typos: Typosquatting capitalizes on common typing errors made by users, often due to rushing or relying heavily on autocorrect. Attackers register domains with common mistyped versions, such as cyfirmaaonline.com instead of Cyfirmaonline.com. These subtle alterations aim to capitalize on users’ typographical errors.
Spelling Errors: Typosquatters are aware that users may not know the correct spelling of a brand name. They register misspelled variants to redirect users to their legitimate homepage, ensuring they capture potential visitors who make spelling errors. For instance, they might use “advertisment.com” instead of “advertisement.com.”
Alternative Spellings: Different spelling conventions between regions or variations in language can confuse internet users. Typosquatters take advantage of this by registering domains with alternative spellings, leading users to unintentionally visit the wrong URL.
For instance, consider the word “counsellor.” In American English, it is spelled “counselor,” while in British English, it is spelled “counsellor.” Typosquatters may register domains with these alternative spellings, aiming to intercept users who unintentionally mistype the URL.
Hyphenated Domains: Adding or omitting hyphens in domain names can create confusion. Typosquatters manipulate domain names by inserting additional hyphens to deceive users. For example, they may use “my-online-shop.com” instead of “my-onlineshop.com” to exploit unsuspecting visitors.
Manipulation of URL Structure: Typosquatters add periods to the URL, altering the structure to deceive users. For instance, they might use online.cyber.security.com instead of online.cybersecurity.com, where the added period misleads users into visiting a fraudulent site.
Combination of Related Words: Cybercriminals create typosquatted domains by combining related words relevant to the target domain. An example could be online-cybersecurity-tutorial.com instead of online-cybersecurity.com, where the combination enhances the likelihood of users falling into the trap.
Similar-Looking Domain Endings: The availability of various domain endings (TLDs) for different countries and organizations provides further opportunities for typosquatting. Typosquatters often target similar-looking TLDs, such as using “.co” instead of “.com,” to trick users into visiting their malicious websites.
Exploiting Different Top-Level Domains: Typosquatters capitalize on the availability of different top-level domains (TLDs) to execute their deceptive tactics. By registering similar domains with different TLDs, they can trick unsuspecting users into visiting their malicious websites.
For example, consider a legitimate website with a “.com” domain like example.com. A typosquatter may register a domain with a similar name but a different TLD, such as example.org. Users who mistakenly type the incorrect TLD or are unaware of the specific TLD associated with the website may unknowingly end up on the typosquatted domain. The similarity in the domain name combined with a different TLD can create a false sense of legitimacy, leading users to believe they are accessing the genuine website.
Similar-Looking Letters: By utilizing characters that closely resemble the original letters, typosquatters create deceptive domains. For instance, they might register onlineаttack.com (with a Cyrillic “а”) instead of onlineattack.com, where the “a” differs between the two domains but the visual similarity masks the false nature of the domain.
Here attackers use non-Latin characters, such as Cyrillic, to replace Latin characters in domain names. For instance, they may substitute the Cyrillic character “а” for the English lowercase “a.” Although the two look alike, computers distinguish between them, so users are led to unintended destinations. This attack is specifically known as a homograph attack.
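The variant categories above can be turned into a defensive classifier for domain-monitoring feeds. The following is an added example, not code from the Cyfirma report: given a protected brand domain and a candidate domain seen in new-registration data or proxy logs, it names the category the candidate falls into. The confusables map, the category labels and the edit-distance threshold are assumptions.

```python
# Assumed homoglyph map: a few Cyrillic letters that look like Latin ones
# (the report's example swaps Cyrillic "а" for Latin "a").
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y"}

def split_domain(domain):
    """Return (name, tld) for a domain such as 'example.com'; the TLD is the last label."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld

def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_lookalike(candidate, brand, max_typo_distance=2):
    """Classify a candidate domain against a protected brand domain.

    Returns one of the categories from the report ('homograph', 'mixed-script',
    'tld-swap', 'separator-manipulation', 'combination', 'typo') or None when
    the candidate is the brand itself or not a lookalike at all.
    """
    cand_name, cand_tld = split_domain(candidate)
    brand_name, brand_tld = split_domain(brand)
    if cand_name == brand_name:
        # Same name: only the domain ending differs (.co for .com, .org for .com, ...)
        return "tld-swap" if cand_tld != brand_tld else None
    # Homograph: mapping confusable non-Latin letters back to Latin yields the brand
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in cand_name)
    if folded != cand_name and folded == brand_name:
        return "homograph"
    if any(ord(ch) > 127 for ch in cand_name):
        return "mixed-script"
    # Hyphen or period manipulation: removing separators yields the brand name
    strip = lambda s: s.replace("-", "").replace(".", "")
    if strip(cand_name) == strip(brand_name):
        return "separator-manipulation"
    # Combination of related words: the brand name is embedded in a longer name
    if brand_name in cand_name:
        return "combination"
    # Typo or spelling error: a couple of character edits away from the brand
    if edit_distance(cand_name, brand_name) <= max_typo_distance:
        return "typo"
    return None
```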
Typosquatting is utilized by cybercriminals to exploit user errors and deceive them for various malicious purposes. The most prevalent uses of typosquatted domains include:
Bait and Switch: Fake websites lure users by offering products or services similar to those found on the authentic site. However, once the purchase is made, users either receive substandard goods or nothing at all, while still being charged.
Affiliate Links: Typosquatted websites redirect visitors back to the genuine brand’s site through affiliate links. In doing so, they earn commissions from any purchases made through the brand’s legitimate affiliate program.
Imitators: Scam websites masquerade as legitimate platforms, mimicking the appearance, logos, color schemes, and page layouts of well-known brands or organizations. These imitator sites aim to conduct phishing scams, tricking users into disclosing their login credentials and personal information.
Malware Installation: Malicious websites take advantage of unsuspecting visitors by infecting their devices with malware or adware. This can lead to data breaches, compromised systems, and unauthorized access to sensitive information.
Traffic Diversion and Financial Gains: Another method employed by typosquatters is the diversion of traffic intended for genuine websites to their own competitors. Through this technique, they redirect users to rival businesses or similar platforms. In doing so, they capitalize on this redirected traffic by charging their competitors on a cost-per-click basis. This unscrupulous approach allows typosquatters to exploit the popularity and reputation of legitimate websites to generate financial gains.
Monetize Traffic: Fraudulent website owners generate revenue by hosting advertisements or pop-ups on their typosquatted pages, profiting from the visitors’ engagement with these ads.
Deceptive Data Collection: In this technique, fraudulent websites pose as platforms conducting customer surveys or presenting enticing giveaways. However, their underlying objective is to deceive users into divulging sensitive information or data, ultimately leading to identity theft. By preying on users’ trust and desire for rewards, these deceptive websites exploit their personal information for nefarious purposes, highlighting the importance of caution and scepticism when engaging with online surveys and giveaways.
The emergence of a new type of typosquatting poses a significant threat to open-source libraries, targeting software supply chains. Malicious actors are creating fake packages that closely resemble legitimate ones and uploading them to popular repositories like NPM.
Exploiting Lack of Familiarity: Attackers capitalize on developers’ lack of familiarity with specific frameworks by creating clones of legitimate open-source components with slight variations in the package names. For instance, a clone named “setenv” can mimic the original “set-env” component used to set the operating environment. By embedding malicious code within these counterfeit packages, attackers exploit software misconfigurations and rely on unsuspecting developers to include their malicious component in their projects.
Crafting Deceptive Packages: To make their malicious packages appear legitimate, attackers meticulously research commonly used software packages. They employ evasive tactics such as obfuscating their code. This strategy helps them remain undetected as they infiltrate mainstream package management repositories.
Popular packages like bitcoinlib, ccxt, cryptocompare, cryptofeed, freqtrade, selenium, solana, vyper, websockets, yfinance, pandas, matplotlib, aiohttp, beautifulsoup, tensorflow, selenium, scrapy, colorama, scikit-learn, pytorch, pygame, and pyinstaller are being targeted in this typosquatting campaign. The threat actors have created numerous variations, ranging from 13 to 38, for each of these packages, aiming to capitalize on potential typing mistakes and trick users into downloading the malicious versions. To avoid detection, the attackers have introduced a new obfuscation technique not seen in the previous wave from November 2022.
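The package-name variant of the technique can be caught before installation with the same kind of check. The following is an added example, not Cyfirma's tool or any package manager's own logic: it normalizes requested names the way Python package indexes do, flags names that differ from a known package only by separators (the report's "setenv" versus "set-env" case) or by a near miss, and audits a constructed requirements file. The allowlist, the similarity cutoff and the sample file are assumptions.

```python
import difflib
import re

# Constructed allowlist built from packages named in the report; a real
# deployment would load the project's own lockfile or an internal registry.
KNOWN_PACKAGES = sorted({"bitcoinlib", "ccxt", "selenium", "pandas", "matplotlib",
                         "aiohttp", "tensorflow", "colorama", "scikit-learn", "set-env"})

def normalize(name):
    """PEP 503 style normalization: lower-case and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def squash(name):
    """Drop separators entirely so 'set-env' and 'setenv' compare equal."""
    return normalize(name).replace("-", "")

def check_package(requested, known=KNOWN_PACKAGES, cutoff=0.8):
    """Return ('ok', name) for a known package, ('suspicious', closest) for a
    separator-only or near-miss variant of one, or ('unknown', None)."""
    req = normalize(requested)
    if req in {normalize(k) for k in known}:
        return ("ok", req)
    for k in known:
        if squash(req) == squash(k):
            return ("suspicious", k)      # e.g. setenv requested, set-env is the real one
    # Near miss on the squashed names (difflib ratio: 1.0 is identical)
    close = difflib.get_close_matches(squash(req), [squash(k) for k in known], n=1, cutoff=cutoff)
    if close:
        return ("suspicious", next(k for k in known if squash(k) == close[0]))
    return ("unknown", None)

def audit_requirements(lines):
    """Check each requirements line; return (requested, closest_known) pairs flagged suspicious."""
    flagged = []
    for line in lines:
        name = re.split(r"[=<>~!\s\[;]", line.strip(), maxsplit=1)[0]
        if not name or name.startswith("#"):
            continue
        verdict, closest = check_package(name)
        if verdict == "suspicious":
            flagged.append((name, closest))
    return flagged

# Constructed sample requirements file with two lookalike names in it
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
pandas==2.0.3
setenv>=1.0
selenuim==4.9.0
numpy==1.25.0
""".splitlines()
```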
From an external threat landscape management perspective, typosquatting poses a significant risk to organizations and individuals. Typosquatting attacks can result in various security breaches, financial losses, and reputational damage.
During our OSINT research, we have discovered numerous instances of typosquatted domains that are specifically aimed at legitimate websites. One notable example is OpenAI’s ChatGPT, which has gained significant popularity worldwide, attracting a large user base. Exploiting this widespread usage, threat actors can capitalize on the opportunity by sending phishing emails containing URLs that closely resemble OpenAI’s legitimate domain.
In our investigation, we have identified approximately 5000 typosquatted domains associated with the legitimate domain “openai.com”. These malicious domains have been crafted in a way that deceives unsuspecting users into believing they are accessing the genuine OpenAI website. Here is the screenshot of such similar or typosquatted domains that we were able to find:
In a similar vein, popular organizations like Amazon, known for its online retail and streaming services, are prime targets for typosquatters.
Our investigation revealed approximately 6000 typosquatted domains resembling “amazon.com”. These deceptive domains exploit common typing errors to trick users into thinking they are on the legitimate Amazon website. Fraudulent online stores hosted on these domains pose risks such as receiving counterfeit products or compromising payment information. Here is the screenshot of typosquatted domains associated with “amazon.com”:
Note: In order to safeguard their brand reputation and to protect users from the risks of typosquatting, major organizations and brands take proactive measures by registering defensive domains that closely resemble their official domains. These defensive registrations act as a crucial preventive measure, mitigating the potential for malicious actors to exploit minor variations or typographical errors, in an attempt to deceive unsuspecting users.
Furthermore, as evidenced below, the typosquatted domain “amazonpime.shop,” designed to mimic the legitimate Amazon Prime Video service, serves as a phishing site. The typosquatted domain “amazonpime.shop” is tagged as a phishing site by OSINT research tools.
This deceptive website bears a striking resemblance to the original platform and poses a threat to unsuspecting users. It can be utilized for nefarious activities such as stealing user credentials or distributing malicious software onto the victim’s system.
Following is the screenshot from a threat actor’s Telegram group, where the actor is selling an Amazon phishing site hosted on such a typosquatted domain on demand, along with a video demonstration of it.
Typosquatted domains, even if currently inactive, still pose a potential threat and can be utilized for future attacks. This technique targets not only specific domains like “openai.com” and “amazon.com” but any reputable website.
Proactive measures, such as monitoring domain registrations and conducting scans, are essential for managing the threat landscape.
Typosquatting is a prevalent technique that exploits users’ typing errors to redirect them to malicious websites, enabling various malicious activities such as phishing scams and identity theft. Our research also reveals the alarming reality of typosquatting in open-source supply chain attacks, emphasizing the need for heightened awareness and proactive measures in the open-source ecosystem.
By impersonating well-known brands, typosquatters deceive unsuspecting users and manipulate their online experiences for illicit gains. The significant number of typosquatted domains associated with popular organizations underscores the widespread nature of this threat.
To mitigate the risks of typosquatting, individuals and businesses must remain vigilant, exercise caution while browsing, and implement measures like domain monitoring and user education.
By utilizing ICANN’s monitoring service, organizations can keep track of how their brand name is being used across different domains. It allows brand owners to receive notifications and alerts when new domain registrations include their trademarked names or similar variations.
Remember, vigilance and awareness are key to protecting yourself from typosquatting attempts.