How to Protect Yourself from Typosquatting Attacks

Posted on January 31, 2017


Imagine the following scenario.  You go to your bank’s online website such as to check your account balance and perhaps pay some bills.  In the process you inadvertently type as a spelling error (note the reversed placement of the “k” and the “n”) and do not notice it, because the familiar website that you have come to know over several years of use is displayed.  You click the login link and type in your username and password.  You are then sent to a new page in which you are asked a security question, such as what your father’s name is.  You type in the answer and click the submit button.  You are then directed to a page announcing that an error has occurred and that you must log in once again.  You click the retry button and are redirected to the home page once more, at which point you repeat the process of typing in your username and password.  Fortunately, the login process is successful this time and you are directed to your account as expected.

Two days later you log on again and find that an unauthorized withdrawal of $2,000 has occurred.  Unfortunately, this scenario isn’t far-fetched at all.

The scenario is a classic example of typosquatting, a form of URL hijacking that relies upon typographical mistakes by end users to direct them to a fake website, one that all too often exists for strictly nefarious purposes.

Cybercriminals often target banks or e-commerce sites and purchase domain names that differ from the original by one or two letters.  These URLs then direct customers who have accidentally mistyped the desired domain name to the webserver of the cybercriminal, who hosts a site that, at first glance, nearly replicates the targeted domain.

Upon reading the scenario above, you may wonder how the fake site knew to ask the appropriate security question.  Was it just a guess on the cybercriminal’s part?

The answer is no.  When the customer first entered his or her login credentials, the fake site simultaneously opened a session with and submitted the supplied login credentials.  Since this login attempt came from an unrecognized IP address, the fake site was asked the preselected security question, in this case the one about the father’s name.  The fake website then simply forwarded the question to the customer.  Having captured all of the relevant information, the fake website displayed the error page.  When the customer clicked the link to repeat the login process, he or she was redirected to the actual website of the bank itself, which is why the logon proved successful.  Unfortunately, the cybercriminal also has an open, authenticated session in the naïve user’s name and withdraws the money.

So how can this scenario be prevented?  Actually, it is very easy: it just requires the diligence of the targeted company and the attentiveness of the user.

3 Steps That Can Prevent Typosquatting Attacks from Succeeding

Of course the user should have noticed that he or she typed the domain name incorrectly in the browser, but they also should have noticed that the address was not using SSL.  The fake website would have been presented with the “http” prefix in an untrusted state, as an SSL connection would have failed due to the lack of a trusted certificate.  When the customer was then redirected to the correct website, the proper “https” prefix or a padlock icon would have appeared, indicating a trusted site and a secure connection.  The fact is that everyone must be observant every time they access a website that requires authentication, in order to protect the confidentiality and integrity of their data.  Just as people should guard their wallets in crowded environments, web customers must be conscious of their browser security.

The other two steps of prevention are the responsibility of the company itself.  Every company needs to research its own domain name for possible typosquatting attacks.  This is easily done on the Internet, as there are a number of websites where one can type in a domain name and be shown a list of all possible names that diverge from it by one or two letters.  The list will also show which names are currently available and which have already been purchased.  Many companies, such as Google, simply purchase all available options, since domain names can be obtained for a nominal price.  Companies can also research who has purchased those names that are unavailable.  Should the company suspect that any of the purchased names are being used for disreputable purposes, it can inform its customers of these potential vulnerabilities through news alerts.
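The research step above can be done in-house rather than through a third-party website. The script below is an added example, not code from the original post: it enumerates every name that differs from a domain label by a single keystroke error (adjacent transposition, omission, substitution or insertion) and sorts the results into names already registered and names still available for defensive registration. The `REGISTERED` set is a constructed stand-in for a registrar or DNS lookup so that the script runs offline; `bank.example` is a placeholder domain, not a real bank.

```python
"""Enumerate single-keystroke typo variants of a domain and triage them.

Added example (not from the original post). The registered-name list is
constructed; a real check would consult DNS or WHOIS for each candidate.
"""
import string

# Characters that can legally appear in a DNS label
ALPHABET = string.ascii_lowercase + string.digits + "-"


def typo_variants(label: str) -> set[str]:
    """Return every label that differs from `label` by one keystroke error.

    Covers adjacent transpositions ("bank" -> "bnak"), omissions ("bnk"),
    substitutions ("bamk") and insertions ("baank"). The original label and
    anything that is not a valid DNS label are excluded.
    """
    label = label.lower()
    variants: set[str] = set()
    # Adjacent transpositions (skip positions where the swap is a no-op)
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Omissions
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # Substitutions
    for i in range(len(label)):
        for c in ALPHABET:
            if c != label[i]:
                variants.add(label[:i] + c + label[i + 1:])
    # Insertions (a set absorbs duplicates such as inserting "b" before or after "b")
    for i in range(len(label) + 1):
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i:])
    variants.discard(label)
    # A label may not be empty or start/end with a hyphen
    return {v for v in variants if v and not v.startswith("-") and not v.endswith("-")}


def triage(domain: str, registered: set[str]) -> dict[str, list[str]]:
    """Split the typo variants of `domain` into registered (investigate who
    owns them) and available (candidates for defensive registration)."""
    label, _, tld = domain.lower().partition(".")
    candidates = sorted(f"{v}.{tld}" for v in typo_variants(label))
    return {
        "registered": [d for d in candidates if d in registered],
        "available": [d for d in candidates if d not in registered],
    }


# Constructed registration data: in practice, resolve or WHOIS each candidate.
REGISTERED = {"bank.example", "bnak.example", "bamk.example"}

if __name__ == "__main__":
    report = triage("bank.example", REGISTERED)
    print("already registered (investigate):", report["registered"])
    print("available (consider registering):", len(report["available"]), "names")
```

Only single-character errors are generated here; the two-letter divergences the post also mentions can be obtained by applying `typo_variants` to each result, at the cost of a much longer list.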

The other step that companies can take is to shore up the security of their website against iframe capture, which is an all too simple way for a third party to capture web content and links from another site.  Website developers need to practice secure coding methods in order to deter simple content capture and duplication.
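The framing side of that advice can be enforced with two response headers. The code below is an added example, not code from the original post: a small WSGI middleware that stamps `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` on every response, so browsers refuse to render the site inside another page's iframe, plus an audit function that reports responses which still lack that protection. The `login_page` handler and the way the middleware is wired are assumptions for illustration; the header names and values are the standard ones browsers honour.

```python
"""Block framing of a site's pages with standard response headers.

Added example (not from the original post). The WSGI app below is a
constructed stand-in for a login page; the middleware and audit function
are the reusable parts.
"""
from wsgiref.util import setup_testing_defaults

FRAME_HEADERS = [
    # Legacy header, still honoured by all major browsers
    ("X-Frame-Options", "DENY"),
    # Modern equivalent; 'none' forbids every ancestor, including same-origin
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def deny_framing(app):
    """Wrap a WSGI app so every response carries the anti-framing headers,
    leaving any value the app already set untouched."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in FRAME_HEADERS if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, patched_start)
    return wrapped


def audit_headers(headers) -> list[str]:
    """Return findings for a response's headers; an empty list means framing
    is blocked by both the legacy and the CSP mechanism."""
    h = {name.lower(): value for name, value in headers}
    findings = []
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("CSP lacks frame-ancestors directive")
    return findings


def login_page(environ, start_response):
    """Constructed stand-in for a bank's login handler; sets no framing headers."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'>username / password</form>"]


def run(app, path="/login"):
    """Invoke a WSGI app once in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for name, app in (("unprotected", login_page), ("protected", deny_framing(login_page))):
        _, headers, _ = run(app)
        print(f"{name}: {audit_headers(headers) or ['ok']}")
```

The audit function is the part worth keeping in a deployment checklist: run it against the real login and account pages after each release, since a single handler that bypasses the middleware is enough to reopen the hole.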

Posted in: IT Security