Typosquatters Profit from Common User Errors
The Web has opened plenty of new avenues for criminal behavior. For example, you may have heard of cybersquatting. Someone registers a site’s domain name that includes a trademark and then tries to profit by selling that name to the trademark owner. But are you familiar with typosquatting? You should be because typosquatters profit from common user errors. These schemes can make just about any organization, along with visitors to its website, the victims of fraud.
Fat fingers
Like cybersquatting, typosquatting (also known as URL hijacking) involves the purchase of domain names in bad faith. It takes advantage of an inclination among users known as “fat fingers” — basically, our tendency to hit the wrong keys and enter misspelled trademarks or brands. For example, in a case involving the retailer Lands’ End, a typosquatter registered domains such as landswnd.com and lnadsend.com. Other human errors — for example, typing the wrong URL extension (.com instead of .org) or omitting punctuation marks such as hyphens — can also work to typosquatters’ advantage.
Some fraudsters seek to divert consumers away from competitors or just draw traffic to their own sites (often pornography or dating sites). A recent report from security firm DomainTools LLC says that major media outlets, including USA Today, the New York Times and the Washington Post, are frequently targeted. DomainTools found hundreds of fraudulent domain names related to these publications.
Big money
Other typosquatters go further. For example, the websites they divert to might feature a phishing scheme, whereby a visitor is induced to enter login information or download malware. Such tactics can make big money for fraud perpetrators — particularly if they target the right sites. Earlier this year, an anonymous typosquatter announced that he had stolen 200 bitcoins (then worth an estimated $760,000) from Dark Web sites over the previous four years.
Typosquatting can also be used for corporate espionage. In one case, a law firm sued a programmer who had obtained a domain name similar to its own, except for a minor typo. The law firm alleged that the defendant had used his doppelgänger domain name to create fake email accounts and intercept email sent to the firm.
Best defenses
Because typosquatters profit from common user errors, awareness is probably the best defense. Your company should regularly check various mistyped versions of its URLs and consider purchasing as many similar domain names as possible.
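One way to run that check, as an added example that is not part of the original post: a small Python generator for the error classes the post describes (adjacent-key "fat finger" substitutions, transposed letters, wrong extension, dropped hyphens), compared against a feed of newly seen domains. The brand domain landsend.com, the keyboard map and the sample feed are assumptions constructed for the example.

```python
"""Generate typo variants of a brand domain for defensive monitoring.

Added example, not from the original post. Models the user errors the post
lists: adjacent-key substitutions, swapped letters, wrong TLD, dropped hyphens.
"""

# Adjacent-key neighbours on a US QWERTY layout (letters only; constructed map).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

COMMON_TLDS = ("com", "org", "net", "co")


def typo_variants(domain):
    """Return the set of plausible typo domains for one registrable domain."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    # 1. Fat fingers: one character replaced by a keyboard neighbour.
    for i, ch in enumerate(label):
        for n in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(f"{label[:i]}{n}{label[i + 1:]}.{tld}")
    # 2. Transposition: two adjacent, differing characters swapped.
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    # 3. Wrong extension: same label under another common TLD.
    for alt in COMMON_TLDS:
        if alt != tld:
            out.add(f"{label}.{alt}")
    # 4. Omitted punctuation: hyphens dropped from the label.
    if "-" in label:
        out.add(f"{label.replace('-', '')}.{tld}")
    out.discard(domain.lower())
    return out


def flag_lookalikes(brand_domain, observed_domains):
    """Return observed domains (e.g. from a registration feed) that are typo variants."""
    variants = typo_variants(brand_domain)
    return sorted(d.lower() for d in observed_domains if d.lower() in variants)


if __name__ == "__main__":
    # Constructed feed: the two typo domains named in the post plus unrelated noise.
    feed = ["landswnd.com", "lnadsend.com", "example.com"]
    print(flag_lookalikes("landsend.com", feed))
```

The variant set is a monitoring list: registering the variants that matter most and watching registration feeds for the rest is the practical follow-through.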
(This is Blog Post #649)