Imagine the following scenario. You go to your bank’s online website such as www.safebank.com to check your account balance and perhaps pay some bills. In the process you inadvertently type www.safebakn.com as a spelling error (note the backwards placement of the “k” and the “n”) and not notice it because the usual website is displayed that you’ve come to know for several years of use. You click the login link and type in your username and password. You are then sent to a new page in which you are asked a security question such as what your father’s name is. You type in the answer and click the submit button.
You are then directed to a page that pronounces that an error has occurred and you must login once again. You click the retry button and are redirected to the home once more at which point you repeat the process of typing in your username/password. Fortunately, the login process is successful this time and you are appropriately directed to your account.
Two days later you log on again and find that an unauthorized withdrawal of $2,000 has occurred. Unfortunately, this scenario isn’t farfetched at all.
The scenario is a classic example of typosquatting, a form of URL hijacking that relies upon typographical mistakes by end users that directs users to a fake website that all too often exists for strictly unlawful purposes.
Cybercriminals often target banks or e-commerce sites and purchase domain names that are comprised of one or two incorrect letters from the original. These URL’s then direct customers who have accidently mistyped the desired domain name to the webserver of the cybercriminal who hosts a site which nearly replicates the targeted domain at first glance.
How typosquatting works step by step
Typosquatting is a method phishers use to capitalize on commonly misspelled domain names, often creating malicious duplicate domains of legitimate brands. Upon reading the scenario above, you may wonder how the fake site knew to ask the appropriate security question? Was it just a guess on the cybercriminal’s part? The answer is no. When the customer first inputted his or her login credentials, the fake site simultaneously opened up a session with www.safebank.com and submitted the supplied login credentials.
Since this login attempt was implemented from an unrecognized IP address, the fake site was asked the preselected security question, in this circumstance pertaining to the father’s name. The fake website then simply forwarded the question to the customer. Having captured all of the relevant information, the fake website displayed the error page. When the customer clicked the link to repeat the login process, the customer was then redirected to the actual website of the bank itself which is why the logon proved successful. Unfortunately, the cybercriminal also has an open session and withdraws the money.
Sales of .om domains steadily increasing
Many of the most popular top-level domains such as .com and .net are declining in proportion to the domains used globally. But the .om domain is increasing steadily. Unsurprisingly the majority of these purchases did not come from citizens of the middle eastern country of Oman which has the country code top-level domain “.om.” One possible reason: “typosquatting.”
So how can this scenario are prevented? Actually it’s very easy; it just requires the diligence of the targeted company and the attentiveness of the user.
3 Steps that can Prevent Typosquatting Attacks from Succeeding
Of course the user should have noticed that he or she typed the domain name incorrectly within the browser, but they also should have noticed that the address was not utilizing SSL. The fake website would have been presented with the “http” prefix in an untrusted state as an SSL connection would have failed due to the lack of a trusted certificate.
When the customer was then redirected to the correct website, the proper prefix of “https” or a padlock icon would have correctly appeared indicating a trusted site and secure connection. The fact is that we all need to be more observant when accessing websites that require authentication in order to protect the confidentiality and integrity of data. Just as people should be guarded of their wallets in crowded environments, web customers must be conscious of their browser security.
Get a comprehensive internet security suite to protect you from phishing attempts, viruses, spyware and other types of malware. WebTitan's internet security solutions block malware and prevent it from compromising your systems and stealing your data.
Securing your website from iframe capture
The other step that companies can take is to shore up the security of their website from iframe capture which an all too simplistic way for a third party to capture web content and links from another site. Website developers need to practice secure coding methods in order to deter simple content capture and duplication.
Stay Protected! Learn more about our suite of security solutions. Get a free trial or no-obligation quote to evaluate whether our solutions are right for your organization.