Defeating typosquatters: Staying ahead of phishing and digital fraud

It has become a mantra for businesses targeted by hackers to describe the incident as a “sophisticated cyber-attack”. Although true in some instances, the reality is that most cyber-attacks involve the use of easily preventable tactics including phishing, business email compromise, social engineering, and out-of-date software.


Email phishing scams typically rely on diverting unsuspecting people to sites that look legitimate. This requires criminals to set up a domain that impersonates a site that is of interest to the victim. These domains are like the real thing and are often visited by users who have mistyped the genuine domain URL (hence the name: typosquatting).

Unfortunately, criminals are good at finding new ways to trick unsuspecting visitors to your website. One example is address bar spoofing. A mobile browser vulnerability revealed how bad actors can make any domain appear to be genuine by using JavaScript to update what appears in the address bar.

Once the site is set up, visitors can be subjected to scams, potentially unwanted programs, offers of sale of counterfeit goods, or fake marketplace sales (shoppers make payments but never receive their goods). It’s estimated 18% of these sites undertake malicious activities, including credential harvesting and malware distribution.

It’s a world wild web out there

Many domain registration companies now offer value-added services that can help protect against criminals seeking to exploit established domains. Effective features include automatic renewal and additional protection guarantees against unauthorized transfer, which is especially useful after the attack in which targeted cryptocurrency domains, including liquid.com and Nice Hash, were transferred to criminals using social engineering techniques. However, typosquatting is generally not covered by these services and you will need to take protection against it into your own hands.

There are three effective ways you can protect your business from typosquatting. The first is to register all the possible combinations and manage renewals yourself. However, as you can see from the different methods listed above, this is a laborious and costly exercise. Using a third-party partner to manage the process for you will free up your skilled resources, though will also increase the cost.

The second method involves a DIY approach using online tools to spot new domain registrations. These include DN Pedia, which lets you know if any domains have recently been registered that include your brand name, and dnstwister, a useful tool which shows registered domains similar to your brand using the rules based on typosquatting methods. It also shows whether email services, a fundamental part of the phishing mix, have been configured for the domain. Be careful, though: if you’re researching typosquatting domains that are dodgy in nature, you could pick up a malware infection.
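The DIY monitoring described above can be sketched in a few lines of Python. This is an added example, not code from dnstwister or DN Pedia: the typo rules (omission, replacement, insertion, transposition), the brand examplebank.com and the feed of new registrations with an "MX configured" flag are all assumptions constructed for illustration.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"

def typo_variants(label):
    """Single-edit typos of a domain label (assumed rule set)."""
    out = set()
    for i in range(len(label) + 1):
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])            # insertion
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                # omission
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])        # replacement
    for i in range(len(label) - 1):                       # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return out

def review_feed(brand_domain, feed):
    """Return (domain, reason, has_mx) for lookalikes, MX-enabled first.

    feed holds (registered_domain, has_mx) pairs; domains are assumed to be
    registrable names such as 'name.tld', without subdomains.
    """
    brand = brand_domain.split(".")[0]
    variants = typo_variants(brand)
    hits = []
    for domain, has_mx in feed:
        domain = domain.lower()
        label = domain.split(".")[0]
        if domain == brand_domain:
            continue                                      # the genuine site
        if label == brand:
            reason = "tld-swap"
        elif label in variants:
            reason = "typo"
        elif brand in label:
            reason = "contains-brand"
        else:
            continue
        hits.append((domain, reason, has_mx))
    # Domains with mail configured are reviewed first: email is part of the phishing mix.
    return sorted(hits, key=lambda h: (not h[2], h[0]))

# Constructed sample feed of newly registered domains (not real data).
FEED = [("examplbank.com", False), ("weatherreport.org", False),
        ("exampelbank.com", True), ("examplebank-login.net", False),
        ("examplebank.co", True), ("examplebank.com", True)]

if __name__ == "__main__":
    for hit in review_feed("examplebank.com", FEED):
        print(hit)
```

The check works on the domain strings alone, so nothing in it visits or resolves the suspicious domains.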

The third option is to use a dedicated typosquatting service. Such services may rely on skilled analysts to research and resolve issues. Dedicated manpower for this kind of operation is a luxury most businesses cannot afford, but for companies that are regularly targeted, it’s an essential part of doing business. There are additional advantages.

A well-trained analyst will keep a constant eye out for external chatter, making sure you’re made aware of any discussion of potential attacks among bad actors. More recently, cybersecurity companies are making effective use of automation techniques to offer a more cost-effective solution.

Defeating typosquatters

Getting a typosquatting domain taken down is not easy. Gathering intelligence isn’t always straightforward and cases routinely cross international borders. Domain registrars and registrants can now use GDPR to avoid having their details publicly available. The ongoing case “FACEBOOK, INC. et al v. facebook-verify-inc.com et al” highlights these difficulties.

To remove 12 domains that mimic its Facebook, Instagram and WhatsApp brands, the plaintiff had to file suit in the State of Georgia, where Verisign, the business controlling the top-level domain (TLD) registry for the sites, is based, because the hosting company would not identify the owners and so the location of the defendants could not be determined. If they win the case by default, as expected, this will have been a relatively quick process even at more than half a year.

Fortunately, there are organizations that can help.

Cifas, the UK’s not-for-profit fraud sharing organization, helps brands understand the latest attack methods to stay one step ahead of cyber criminals. As part of their arsenal, they use digital risk protection to produce cyber threat intelligence which is relevant to their members.

The National Cyber Security Centre (NCSC) provides a site for reporting incidents along with its Cyber Aware campaign to help shoppers stay safer while shopping online.

In an ideal world, domain registration and hosting businesses would be more proactive in their approach to prevent typosquatting. Measures could include:

  • Mandatory verified contact details for anyone registering domains
  • Use of traceable payment methods
  • A cooling-off period between request and use of a domain
  • Disclosure of registration details to any parties which have a valid typosquatting domain request

The reality is, however, the number of sites registered is so large and the margin on these services is so low, proactive checks simply aren’t sustainable. Therefore, it is vital that businesses take action to protect themselves and their customers against this kind of threat.
