Typosquatting and the risks of one wrong keystroke

It’s easy to do – you quickly type a URL you use every day, whether it’s Google or Facebook or Amazon, and in your haste, you accidentally swap, add, or delete a single letter and hit enter. Suddenly you’re not where you wanted to be, and often that new strange piece of the internet isn’t a 404 message, but rather an unexpected, and often sinister, website.
Or even stranger, a spoofed version of the site you wanted to visit in the first place.
Registering common misspellings of popular websites to catch users unaware is known as typosquatting, and it’s exactly what it sounds like – cybercriminals scoop up these frequently mis-spelled domain names, knowing that a some innocent users will end up on their page.
Typosquatting is so common that businesses often register common typos themselves to redirect users to the correct page – Google, for example, owns the dot-com domains for its name spelled with one, two and three Os.
Typosquatting is a huge industry – over 80% of all possible one-character variants of Facebook, Google, and Apple are registered.
It’s easy to make jokes about typosquatting – the human error component can be amusing, and some of the satirical pages users stumble across are occasionally clever – but the risks posed by typosquatting are very real. NBC Nightly News recently highlighted the dangers of these typos and what you can do to avoid these malicious sites in a video featuring Sophos’ James Lyne.
But what really happens when someone makes their way to the wrong page? That depends on the intentions of the typosquatter. Sometimes it’s simply domain parking or domains for sale, or “related search” pages. Others are riskier to encounter, like competitions and surveys asking for personal information, or bait-and-switch sites. Others still truly are benign, like humor or satire sites or sites maintained by typosquatting researchers.
A while back, Naked Security’s Paul Ducklin mis-spelled Apple, Facebook, Google, Microsoft, Twitter, and Sophos in 2,249 ways to see what would happen – basically he let a computer miss-type URLs across the web to see what it uncovered. He found everything from outright fake pages to adult content and contests designed to capture personal information:

The full report goes into greater detail, but it’s worth highlighting a few key takeaways. Most interestingly, typosquatting sites are not rife with malware, despite what one might expect.
The fact that the scammers registering these sites are using popular misspellings, and thus there is a finite number of URLs available for this sort of activity, means, oddly enough, reputation matters. If they’ve registered a common misspelling of Facebook, they can’t just up and move house to a new URL if the page develops a reputation.
In fact, cybercrime made up just under 3% of the findings. Pop-ups and ads were far more common (15%) while IT and hosting – pages offering to sell you interesting domain names – made up 12%.
But while the percentage is relatively low, the tricks used by typosquatters to trick users into giving away personal or financial information can be very effective. Spoofed sites might, for example, offer you a free product if you pay for shipping – capturing the credit card data for unsuspecting users.
Other common goals for typosquatting include a false warning that your computer has been infected, tricking the user into downloading a “fix” that is actually the malicious payload, or convincing the user to click on a link that infects their computer with malware.
Attackers don’t just target everyday users. A devious newer form of typosquatting was recently identified targeting developers installing Python packages from the PyPI (Python Package Index) repository.
Bad code was found hiding in plain sight using filenames that were easily mistaken for legitimate packages. This is an interesting case because the motive was unclear – the code was malicious but relatively benign. It was a warning shot to developers using other peoples’ code in their projects, and demonstrated a variation on a common online scam.
The best antidote to protect yourself against typosquatting is, alongside appropriate security software, awareness. Bookmark your regular sites, check your spelling on a URL before hitting enter and be skeptical when a site doesn’t feel right or asks you for information you need to protect.