It’s all too easy to make a spelling mistake, especially when you’re looking up a website.
Few of us proofread every URL we enter into a browser. Whether it’s adding an extra vowel or transposing a couple of letters, the occasional typo is almost inevitable.
These errors would be no big deal if they led us to a digital dead end. In some cases, however, cybercriminals use a technique known as typosquatting that can expose you and your organization to all kinds of risks.
Understanding Typosquatting
If you haven’t encountered typosquatting before, consider yourself lucky – it’s such a simple attack vector that it’s almost bound to become more common.
Definition and explanation of typosquatting
Typosquatting is a cybercriminal activity whereby bad actors take advantage of people who don’t put the correct website address into a browser and redirect them to an alternative site. Sometimes this is referred to as brandjacking, given that the misspelled URLs are often close to those of a legitimate organization.
How typosquatting works
Imagine you’re keying in the URL for one of your favorite retailers, or even your bank. If you’ve cleared your cache, you’ll have to enter the full website address.
Typosquatters try to think through the many different ways in which that URL could be incorrectly written. They register domains for those erroneous versions of the brand name so that, when you make a typo, you’ll land on a bogus website they control. In some cases, these sites may be designed to look just like the one you intended to visit.
From there, threat actors can attempt to dupe you into entering your personal information in order to steal data, generate revenue through affiliate marketing or spread malware.
Difference between typosquatting and cybersquatting
Sometimes typosquatting is referred to as a form of cybersquatting, though the latter could simply involve hackers buying a legitimate domain relating to a business that hasn’t claimed the URL for itself.
For instance, some small businesses haven’t yet established their digital presence. A cybersquatter could create a site using such a business’s brand name in the URL in order to fool prospective customers who look it up online.
Typosquatters focus more on taking a brand name and registering URLs that prey upon common misspellings or mistakes that online users are likely to make.
Types of Typosquatting
Not only is it simple to fall for typosquatting attacks, but they can come in a variety of forms.
Common types of typosquatting attacks
Typosquatters don’t need you to key in complete gobbledygook to redirect your browsing session.
In some cases, they could register the legitimate spelling of a brand name but add a hyphen, such as “XYZCompany-Inc.com.”
Other approaches include registering the legitimate business name but with an alternate domain ending. Rather than a dot-com domain, for instance, they might have the same words but end the domain with .net, .biz or .org.
It could be enough to add an “s” in a domain, so it pluralizes the brand name instead of the accurate version.
Examples of typosquatting attacks
When you land on a site controlled by typosquatters, they may impersonate the brand. Those posing as a bank or a retailer, for instance, might suggest you enter your username and password to log in to your existing account. By doing so you’re exposing your credentials to those who could then steal your identity, similar to what happens in a phishing scheme.
Typosquatters might also display notifications suggesting you need to update your credit card information to track a purchase, or present fake offers to buy products and services.
Some typosquatting attacks are more subtle: the site simply serves up ads, or gets you to click on a link that infects your system with malware.
Potential dangers and risks associated with typosquatting
Though it might be based on making an innocent mistake, typosquatting can have serious consequences. If you don’t realize you’ve landed on a bogus website, you might wind up installing malware delivered by an exploit kit, passing on information that should stay private or helping cybercriminals commit fraud.
The fallout from typosquatting also extends to the brands being impersonated. Having your customers fall victim to these attacks can damage an organization’s reputation and relationships with current and prospective customers alike.
What Is the Purpose of Typosquatting?
It’s not always clear what typosquatters are trying to accomplish with their attempts to deceive, but generally speaking it falls into one or more of the following categories:
Earning money from affiliate links
Typosquatters may partner with companies that want to drive significant volumes of traffic to their own domains. This could include competitors of the brand being impersonated. Every time you visit one of those partner sites or click on the links on those sites, those behind the typosquatting campaign earn a commission. Affiliate models like this can be big business.
Access to personal information
Besides your login credentials, credit card number or contact information, falling for typosquatting could lead you to pass on employee information that puts your brand at risk.
Typosquatters may not take advantage of this data directly but opt to sell it on the dark web.
Putting malicious content on devices
When you inadvertently land on a bogus site and download malicious content, it means cybercriminals could use ransomware to hold data or entire systems hostage. They could also take a more long-term approach where the malware is part of an advanced persistent threat (APT) that seeks to spread across corporate networks and escalate its privileges to even more restricted systems and data.
Legal Aspects of Typosquatting
While some cyber threats seem to represent a grey area in terms of legal accountability, typosquatters are by no means safe from the authorities.
Overview of United States law on typosquatting
Under the U.S. Anticybersquatting Consumer Protection Act (ACPA), for instance, registering or using trademarked domain names with the intention of profiting from another organization’s reputation is prohibited.
The ACPA specifically calls out those who register domain names that are confusingly similar to a legitimate entity’s trademark.
Those found liable under the ACPA may be forced to hand over their profits to the legitimate domain holder. They may also be subject to statutory damages of between $1,000 and $100,000 for each domain name involved in an incident. This includes re-registering an infringing domain name in bad faith.
WIPO resolution procedure for typosquatting disputes
On a more global level, the World Intellectual Property Organization (WIPO) has a long-established procedure for reclaiming a domain name that has been infringed upon by typosquatters. Its many resources include case filing tools, a searchable database of case law and an online enforcement tool.
Organizations around the world have made good use of WIPO’s resolution procedures. In fact, WIPO reported a record number of domain name cases in 2023.
Laws and regulations surrounding cybersquatting and typosquatting
The most straightforward way to legally protect against cybersquatting and typosquatting is to ensure your brand is properly trademarked according to local laws.
In the event you fall victim anyway, the Internet Corporation for Assigned Names and Numbers (ICANN) has established the Uniform Domain-Name Dispute-Resolution Policy (UDRP), which is what WIPO’s procedures are based upon.
Preventing Typosquatting
Tips and best practices to avoid falling victim to typosquatting
Assuming you’ve already registered your organization’s name with the proper spelling, one way to stay ahead of typosquatters is to register the most common misspellings as well. Some brands will also invest in brand URLs with different domain endings that redirect web users to the proper site.
Make sure to pay attention both to top-level domains (TLDs) and to subdomains such as “blog.yoursite.com,” as these could be targeted by typosquatters too. If you have an in-house legal team, they can monitor for domain registrations that might infringe on your brand. Reporting infringements is also critical to prevent typosquatting attacks from wreaking havoc.
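The variant types listed under “Common types of typosquatting attacks” (hyphen insertion, an alternate domain ending, pluralization) and the everyday typos mentioned at the top (an extra letter, transposed letters) can be enumerated mechanically, which is exactly what a brand owner needs in order to register the most common misspellings or to watch a feed of new registrations for them. The script below is an added example, not code from the original article or from LastPass; the brand name “xyzcompany.com” is borrowed from the article, while the list of alternate TLDs, the hyphenated suffixes and the sample registration feed are constructed for illustration.

```python
from __future__ import annotations

from typing import Callable, Iterable

VOWELS = "aeiou"
# Endings named in the article (.net, .biz, .org) plus two common ones (assumption).
ALT_TLDS = ("net", "biz", "org", "co", "info")
# Suffixes appended with a hyphen; "inc" follows the article's XYZCompany-Inc example,
# "llc" is an added assumption.
HYPHEN_SUFFIXES = ("inc", "llc")


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'xyzcompany.com' into ('xyzcompany', 'com'); case is normalised."""
    label, sep, tld = domain.lower().rpartition(".")
    if not sep:
        raise ValueError(f"no TLD in {domain!r}")
    return label, tld


def transpositions(label: str) -> set[str]:
    """Swap each pair of adjacent letters: 'bank' -> abnk, bnak, bakn."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def omissions(label: str) -> set[str]:
    """Drop one letter (a missed keystroke)."""
    return {label[:i] + label[i + 1:] for i in range(len(label))} if len(label) > 1 else set()


def doubled_letters(label: str) -> set[str]:
    """Repeat one letter: the 'extra vowel' and double-tap typos."""
    return {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}


def vowel_swaps(label: str) -> set[str]:
    """Replace each vowel with each other vowel."""
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS
            for v in VOWELS if v != ch}


def hyphenations(label: str) -> set[str]:
    """Insert a hyphen inside the name, or append a hyphenated suffix."""
    inside = {label[:i] + "-" + label[i:] for i in range(1, len(label))}
    return inside | {f"{label}-{suffix}" for suffix in HYPHEN_SUFFIXES}


def pluralisation(label: str) -> set[str]:
    """Add an 's' so the brand name reads as a plural."""
    return set() if label.endswith("s") else {label + "s"}


RULES: tuple[Callable[[str], set[str]], ...] = (
    transpositions, omissions, doubled_letters, vowel_swaps, hyphenations, pluralisation,
)


def typo_variants(domain: str) -> set[str]:
    """All lookalike domains produced by the rules above plus alternate endings."""
    label, tld = split_domain(domain)
    labels: set[str] = set()
    for rule in RULES:
        labels |= rule(label)
    variants = {f"{lbl}.{tld}" for lbl in labels}
    variants |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    variants.discard(domain.lower())
    return variants


def find_lookalikes(domain: str, observed: Iterable[str]) -> list[str]:
    """Return the observed registrations that match a generated variant.

    'observed' stands in for a feed of newly registered domains (a zone-file diff
    or a commercial monitoring service); here a constructed list is passed in.
    """
    watch = typo_variants(domain)
    seen = {d.lower().strip(".") for d in observed}
    return sorted(seen & watch)


# Constructed sample feed; none of these are real registrations.
SAMPLE_NEW_REGISTRATIONS = [
    "xyzcompnay.com",       # transposed letters
    "xyzcompany-inc.com",   # hyphenated suffix, as in the article
    "xyzcompanys.com",      # pluralised
    "xyzcompany.net",       # alternate ending
    "totally-unrelated.com",
]

if __name__ == "__main__":
    print(len(typo_variants("xyzcompany.com")), "candidate domains to register or monitor")
    for hit in find_lookalikes("xyzcompany.com", SAMPLE_NEW_REGISTRATIONS):
        print("lookalike registered:", hit)
```

Run it against a real registration feed and review the hits with the legal team the article mentions; the candidate list is also the shortlist for defensive registration, ordered by whatever rules you judge most likely for your own brand.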
How to protect personal and business information
An effective IT security plan recognizes potential threats like typosquatting and takes steps to prevent or limit the impact of a successful attack.
For example, think through what might happen if an employee lands on a bogus website. Ensure systems are protected with anti-malware and intrusion prevention tools. Make it possible to remotely lock systems that may be infected or taken over via typosquatting. Enable alerts and notifications for any suspicious activity that might happen on your network as a result of typosquatting.
Importance of secure passwords and password managers
Some of the biggest consequences of typosquatting attacks can be mitigated by having strong credential protection and management in place.
With an effective password manager, for instance, threat actors won’t be able to access or make use of usernames and passwords that would otherwise be exposed through an attack. Educate your team about the importance of these tools as well as creating strong passwords that are difficult to guess.
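The reason a password manager blunts typosquatting is that it fills a credential only on the exact origin it was saved for, so a lookalike host never receives it. The check below is an added illustration of that rule and is not LastPass’s code; the vault contents and the URLs are constructed, and the optional subdomain mode is an assumption about how such a setting might behave.

```python
from urllib.parse import urlsplit

# Constructed vault: saved origin -> stored credential record (not real data).
VAULT = {
    "https://xyzcompany.com": {"username": "alice", "password": "example-only"},
}


def credential_for(url: str, vault: dict = VAULT, allow_subdomains: bool = False):
    """Return the stored record only when the page origin matches a saved origin.

    A typo domain such as https://xyzcompnay.com or a different ending such as
    https://xyzcompany.net has a different host, so nothing is returned and the
    user is never prompted to paste a password by hand.
    """
    page = urlsplit(url)
    if page.scheme != "https":
        return None  # never fill over plaintext HTTP
    host = (page.hostname or "").lower()
    for origin, record in vault.items():
        saved = urlsplit(origin)
        saved_host = (saved.hostname or "").lower()
        if host == saved_host:
            return record
        # Optional: trust real subdomains of the saved host. The leading dot
        # matters: 'xyzcompany.com.example.test' must not match 'xyzcompany.com'.
        if allow_subdomains and host.endswith("." + saved_host):
            return record
    return None


if __name__ == "__main__":
    for test_url in ("https://xyzcompany.com/login",
                     "https://xyzcompnay.com/login",
                     "https://xyzcompany.net/login"):
        print(test_url, "->", "fill" if credential_for(test_url) else "no match")
```

The design choice worth copying is the strict equality on the host: fuzzy or prefix matching would reintroduce precisely the confusion typosquatters rely on.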
Implications and Consequences of Typosquatting
Potential financial and reputational damage
Every visitor who lands on a bogus site due to typosquatting is a potential lost sale for businesses that depend on traffic conversions. Meanwhile, if the details about a successful typosquatting attack become public, online users might deliberately avoid the brand involved and take their business to a competitor instead.
Case studies and real-life examples of typosquatting incidents
There are plenty of high-profile brands that have found themselves caught in typosquatters’ crosshairs. In early 2024 reports surfaced of typosquatting incidents involving VMware, X (formerly Twitter) and others.
Around the same time, security researchers discovered a wave of typosquatting attempts involving IP scanning software sites. Those who fell for them, such as IT professionals, wound up visiting sites loaded with malware and other threats.
Following the worldwide outage involving CrowdStrike, meanwhile, the company reported typosquatting scams attempting to fool people who were looking for a way to deal with malware.
Software developers have also been targets of typosquatting attempts involving Python Package Index (PyPI), one of the largest code repositories. This caused significant disruption: as a result of the increasing threats, PyPI had to temporarily shut down the ability for new users to register on its systems while it addressed the issue.
How LastPass Can Help
The first line of defense against typosquatting is making sure the keys to your most critical business data remain protected. Credentials like passwords, for example, provide access to everything from customer data to financial information and in some cases the ability to directly control business operations.
When employees use weak passwords, however – or inadvertently enter them into sites where they’ve been redirected by typosquatters – that data and those operational controls fall into hackers’ hands.
LastPass has invested in developing technology and products that can avoid those scenarios, which build upon the education about typosquatting you should do across your entire workforce.
Overview of LastPass's password management features
With LastPass you’re providing your employees with a fast and easy way to create, remember and even fill in passwords. The benefits can be applied throughout your organization, no matter how many applications you depend upon to run your business.
Using LastPass to generate and store secure passwords
Rather than using their middle name or their pet’s name as a password, for instance, employees using LastPass can instantly generate a strong password. The use of zero-knowledge encryption, meanwhile, allows data to be kept secure in a password vault that typosquatters can’t access.
LastPass also regularly scans the dark web to monitor for data breaches or other incidents that suggest credentials have been compromised in some way. This is on top of a password strength tool that runs 24/7 to check against security risks.
Protecting against typosquatting with LastPass
Having LastPass in place means that even if employees wind up on a bogus website or page through a typosquatting attack, cybercriminals won’t be able to take the next step and break into their accounts.
Instead, employees should immediately report typosquatting attempts so that organizations can mitigate other negative outcomes, such as reputational damage or affiliate revenue schemes.
It’s time to stop typosquatters in their tracks. Start your LastPass trial today.