A slight case of typosquatting

Opinion by Dan Raywood

Ahead of last Christmas, some research appeared from Websense Security Labs which revealed that nearly 2,000 typosquatted domains of major high-street stores had been detected.

In that instance, the pages looked like retailers' sites, but such domains can often host malware for unsuspecting surfers. In a recent presentation by Avast, Jidricj Kebec, head of the Avast anti-virus labs, said that it had detected 8,500 domains that were variants of the US listings website Craigslist.

He said: “We have seen a few domains parking 8,500 domains which are purely mistyped. For example you go to '.cm' instead of '.com' which is registered in Cameroon; in fact this domain is very expensive so they are spending lots of money to register the domains.” He explained that the fake domains usually contained counterfeit goods and often the domain name was a random error.

Milos Korenko, director of marketing at Avast, who was also at the presentation, said Craigslist was searched for 20 times more than some other sites – and that is globally and not just in the US. “If you are a bad speller or that stupid then you could get infected,” he said.

Kebec said: “We also see '.cocom'. I am quite impressed by the logic here because they go to a lot of effort into how they create domains and how they are deciding which of them are worth creating because, as I said, the '.cm' domains are very expensive, so they have to have other options.”

I asked Kebec how easily users can avoid this; he said it was pretty easy, as many people have their favourite sites bookmarked and so would not make a typing error, but those affected were on sites that they did not access frequently, such as those of the high-street stores ahead of Christmas.

Lyle Frink, PR manager at Avast, said: “So many sites do not do a good job of policing the other domains and that should be part of their modus operandi. They do not think that part of protecting their sites is a priority.”

In a recent story by thenextweb.com, two companies running premium-rate phone competitions from typosquatted sites 'Wikapedia.com' and 'Twtter.com' were fined £100,000 by the premium-rate telephone services (PRS) regulator PhonepayPlus. The regulator said: “In both cases, the landing pages for the 'squatted' sites looked like the genuine sites the consumer was searching for – the 'squatted' sites used the same logos, colouring and fonts.

“These 'squatted' sites informed consumers that they had won or could claim a prize, such as an iPad. In both cases, consumers were given the impression that to enter or claim they simply had to enter their contact details and answer some questions.”

Roger Rawlinson, managing director of the assurance division at NCC Group, said: “Customers led to a false website once are likely to avoid the genuine site in the future, and companies that do not review and regulate the internet landscape for cyber squatters are at real risk of losing revenue and reputation. Organisations have their own reputations to uphold and should be fighting this threat at the source, scanning for imitation websites and launching takedown processes. It's about brand protection as much as crime prevention.”

Recent research by Sophos found that 86 per cent of searches for Apple's website resulted in the visitor ending up on a typosquatting website, compared with Google (83 per cent), Facebook (81 per cent) and Twitter (74 per cent). It found that adult and dating sites made up 2.4 per cent of the typosquatted websites of 2,249 unique site names, while the rest were domain parking and domains for sale, related search pages, competitions and surveys and even fellow typosquatting researchers.

I caught up with Spencer Parker, group product manager at Websense, who told me that there are two points to typosquatting: to catch people when they make mistakes in order to deliver malware; or to 'park' domains with adverts.

He cited an example of a website called 'utube' which supplied uPVC windows in the US. Parker said they "parked" the domain and hosted adverts, and caught people who couldn't spell 'YouTube'.

“The owners parked the domain and made the decision to get videos on the website along with adverts, and it was all down to typosquatting. They simply sold extra advertising space,” he said. This led to YouTube filing a legal claim against utube back in 2006; meanwhile, Lego spent more than half a million US dollars pursuing cyber squatters through the Uniform Domain-Name Dispute-Resolution Policy (UDRP) in an effort to protect its brand.

I asked Parker what rights sites have over typosquatters; he said that even if the main site has a legal claim over a domain, it must prove that the domain is infringing on a copyright or delivering malware.

“If the domain is parked then they will have to buy the domain at an inflated price,” he said.

In a guest blog for Get Safe Online, Rik Ferguson, director of security research and communication EMEA at Trend Micro, said typosquatting has been around almost as long as the world-wide web, with US legislation dating back to 1999 – the Anti-Cybersquatting Consumer Protection Act contains a specific clause (Section 3a) aimed at combating this.

He said: “British law enforcement have been doing their best to crack down on dodgy online shopfronts, however efforts to suspend illegitimate domain names can only ever represent a game of whac-a-mole in the fight against evil online traders.

“Criminals can register vast reserves of domain names in advance and, when one gets shut down, simply activate another as required. That is the real issue: far too many DNS domains, including .co.uk and those of many other countries, are operated as 'open' domains.

“Until regulation is tightened and international co-operation is improved then well-intentioned law-enforcement initiatives will only be treating the symptom, not addressing the cause.”

Really, it is difficult for brand owners to manage all variations of their URL if they are forced to monitor the entire web for rogue addresses. Then again, social media surveys will have you believe that your online presence is key.
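Monitoring becomes more tractable when the check is inverted: rather than enumerating every possible typo, compare each domain that turns up (in a new-registration feed or a proxy log) against a short watch list. The sketch below is an added example, not code from the article or from any vendor quoted in it; the watch list, the sample domains and the `classify`/`triage` names are constructed for illustration.

```python
def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "twtiter" for "twitter".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def classify(observed: str, protected: set[str], max_dist: int = 1):
    """Return (watched_domain, reason) if observed looks like a typo, else None."""
    observed = observed.lower().rstrip(".")
    if observed in protected:
        return None  # exact match: the watched domain itself
    o_label, _, o_suffix = observed.partition(".")
    for genuine in sorted(protected):
        g_label, _, g_suffix = genuine.partition(".")
        d_label = osa_distance(o_label, g_label)
        d_suffix = osa_distance(o_suffix, g_suffix)
        # Same name under a near-miss suffix ('.cm', '.cocom' for '.com').
        if d_label == 0 and 0 < d_suffix <= 2:
            return genuine, f"suffix typo .{o_suffix} for .{g_suffix}"
        # Same suffix, name a few keystrokes away ('twtter', 'wikapedia').
        if o_suffix == g_suffix and 0 < d_label <= max_dist:
            return genuine, f"label typo, distance {d_label}"
    return None

def triage(domains, protected, max_dist: int = 1) -> dict:
    """Map each suspicious observed domain to its (watched_domain, reason)."""
    hits = {}
    for d in domains:
        result = classify(d, protected, max_dist)
        if result:
            hits[d] = result
    return hits

# Constructed watch list and constructed sample of observed domains.
WATCH = {"craigslist.com", "twitter.com", "wikipedia.com", "youtube.com"}
OBSERVED = ["craigslist.cm", "craigslist.cocom", "Wikapedia.com", "Twtter.com",
            "utube.com", "twitter.com", "example.org"]

if __name__ == "__main__":
    for domain, (target, reason) in triage(OBSERVED, WATCH).items():
        print(f"{domain:20} -> {target:16} {reason}")
```

At the default threshold `utube.com` is not flagged, because it sits two edits from `youtube.com`; raising `max_dist` to 2 catches it at the cost of more false positives on short names.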

As for users, we have said it before and we'll say it again – be careful what you click for.

