Typosquatting is a simple, effective trick: an attacker registers a domain that resembles the target domain, usually that of a popular website, either visually, through a likely keyboard typo, or with a swapped TLD. Victims believe they are on the legitimate site but are instead exposed to a malicious attack. It is a classic, yet often overlooked, spearphishing vector.

Take LinkedIn, for example: someone might inadvertently type "linkdin[.]com" (missing "e") into their browser, or click a link to "Iinkedin[.]com" (capital "i" in place of the lowercase "l"). On the typosquatted domain a malicious site is waiting for these victims, usually a phishing page built to steal their credentials or banking details. In some cases, simply reaching such a domain downloads ransomware or other malware onto the victim's computer.

Another form of domain squatting is combosquatting: appending an extra word to the domain name so that it looks like a legitimate site related to the intended service. IBM's threat intelligence sharing platform, X-Force, posts early warnings about squatting campaigns against popular companies and services. Recently they posted about a new Google squatting campaign with global scope, used by attackers to target the media sector and steal login credentials. The domains show a mix of typosquatting and combosquatting:

  • googl-service[.]com
  • google-activate[.]com
  • google-activated[.]com

Now imagine a spearphishing campaign targeting customers of a specific bank, such as Wells Fargo. The attackers may spoof a legitimate email sent by the bank that includes the basic Wells Fargo homepage link (www[.]wellsfargo[.]com), replacing the legitimate link with a similar, malicious one. Typosquat options for a domain are endless: wellsfarg0[.]com, wellsfargo[.]co, wellesfargo[.]com and welsfargo[.]com, just to list a few.

Enterprises are well aware of the problem and may register a few typosquat variants of their own domain to "buy out" would-be predator sites looking to steal from their users, redirecting that risky traffic back to the real site. But they will always miss some variations; the attack surface is simply too large. For smaller businesses, even this pre-emptive step is often not an option. It is easy to send text messages or emails purporting to come from an online organic produce or dog food supplier, asking customers to "just re-enter" the credit card details that didn't go through "because of a processing error". In some cases threat actors don't even go that far: they simply bait users into "visiting the business's website", which then pops up a screen demanding that the user first re-enter their Gmail credentials.

At ThreatSTOP, users can create their own custom user-defined blocklists (UDLs). These lists are propagated instantly to their ThreatSTOP IP or DNS firewall product, in addition to the ThreatSTOP blocklists built from 800+ threat intelligence sources, defending customers both from the industry's most urgent concerns and from threats unique to their own enterprise. We're investigating a new feature to protect against typosquatted domains, and we'd like to know what you think.

ThreatSTOP supports highly customizable DNS Response Policy Zone (RPZ) responses, and with RPZ we can rewrite any FQDN to any other FQDN. With the proposed Typosquat Protection Feature, ThreatSTOP customers will be able to create custom UDLs containing the typosquat permutations of their most commonly used domains, including their own business domain. Users can generate the candidate domains from their legitimate input domains with the dnstwist phishing-domain scanner, which can also report which of those candidates have actually been registered. Once the customer UDL is in place, ThreatSTOP maps all traffic destined for the permutations back to the single legitimate domain, keeping would-be victims away from typosquats that serve phishing pages and malware.
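The following is an added example, not ThreatSTOP's or dnstwist's code, showing the two pieces described above: generating the permutation families dnstwist reports (omission, repetition, transposition, insertion, homoglyph, vowel swap, TLD swap, combosquat) for domains like the Wells Fargo and LinkedIn examples, and rendering them as an RPZ zone whose Local Data action rewrites each candidate, and any subdomain of it, to the one legitimate FQDN. The homoglyph table, the alternate TLD list, the combosquat word list and the zone origin typosquat.rpz.example are illustrative assumptions; whether a candidate is actually registered is not checked here (dnstwist's --registered option does that with live DNS lookups).

```python
"""Typosquat candidate generator and RPZ rewrite-zone emitter.
Added example, not ThreatSTOP's or dnstwist's code. HOMOGLYPHS, ALT_TLDS,
COMBO_WORDS and the zone origin 'typosquat.rpz.example' are assumptions.
"""
import re

HOMOGLYPHS = {  # visually confusable substitutions (assumed subset)
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "g": ["q", "9"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
VOWELS = "aeiou"
LETTERS = "abcdefghijklmnopqrstuvwxyz"
ALT_TLDS = ["co", "cm", "om", "net", "org", "info"]                  # assumed
COMBO_WORDS = ["login", "secure", "service", "activate", "support"]  # assumed
# Valid DNS label: 1-63 of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def split_domain(domain):
    """'www.wellsfargo.com' -> ('wellsfargo', 'com'). No public-suffix
    list, so 'example.co.uk' would wrongly give ('co', 'uk')."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError("expected at least label.tld")
    return parts[-2], parts[-1]

def omission(label):        # linkedin -> linkdin
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def repetition(label):      # google -> gooogle
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def transposition(label):   # google -> googel
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def insertion(label):       # wellsfargo -> wellesfargo
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in LETTERS}

def homoglyph(label):       # wellsfargo -> wellsfarg0, linkedin -> 1inkedin
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}

def vowel_swap(label):      # google -> gaogle
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS
            for v in VOWELS if v != ch}

def combosquat(label):      # google -> google-activate
    return ({f"{label}-{w}" for w in COMBO_WORDS}
            | {f"{w}-{label}" for w in COMBO_WORDS})

FAMILIES = [("omission", omission), ("repetition", repetition),
            ("transposition", transposition), ("insertion", insertion),
            ("homoglyph", homoglyph), ("vowel-swap", vowel_swap),
            ("combosquat", combosquat)]

def permutations(domain):
    """Map each candidate FQDN to the family that first produced it.
    The original domain and invalid labels are dropped. Registration is
    not checked here; dnstwist's --registered mode does that via DNS."""
    label, tld = split_domain(domain)
    found = {}
    for family, make in FAMILIES:
        for cand in sorted(make(label)):
            if cand != label and LABEL_RE.match(cand):
                found.setdefault(f"{cand}.{tld}", family)
    for alt in ALT_TLDS:
        if alt != tld:
            found.setdefault(f"{label}.{alt}", "tld-swap")
    return found

def rpz_zone(legit_fqdn, candidates, origin="typosquat.rpz.example"):
    """BIND-style RPZ zone: the Local Data action answers each candidate
    (and any subdomain of it) with a CNAME to the legitimate FQDN."""
    target = legit_fqdn.rstrip(".") + "."
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 600 86400 300",
             "@ IN NS localhost."]
    for fqdn, family in sorted(candidates.items()):
        lines.append(f"; {family}")
        lines.append(f"{fqdn} IN CNAME {target}")    # exact QNAME trigger
        lines.append(f"*.{fqdn} IN CNAME {target}")  # any subdomain
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    cands = permutations("www.wellsfargo.com")
    print(f"; {len(cands)} candidate domains")
    print(rpz_zone("www.wellsfargo.com", cands))
```

Load the emitted file as a response-policy zone on the resolver. Two caveats worth knowing before relying on it: an RPZ CNAME only changes what the client resolves, so the browser still sends the typo hostname in the TLS SNI and HTTP Host header and will show a certificate error over HTTPS unless the legitimate site also serves that name; and a hand-rolled generator like this one misses classes dnstwist covers (keyboard-adjacent replacements, IDN homoglyphs, bit-flips), so treat its output as a starting list rather than a complete one.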

Tell us what you think - would a feature like this make a difference for you?

Let us know by commenting below.