How do typosquatting scams work? Where are typosquat hosts found? Which countries the typos are coming? Where is the scam infrastructure located? This feature will answer all such question and more so that this Christmas can be a bit safer. It will take you through a typosquatting campaign that abuses tenth of known brands and includes thousands of registered typosquat hosts (a typosquat hive).
It will also offer a list that includes hundreds of typosquatting hosts from that hive, all of which can be found in the wild. The list is free to download so this Xmas can be a bit safer.
If you make the wrong typo, where does it take you?
Usually, in the case of typosquatting-based cyber crimes, the victim that mistakenly made the typo is redirected to a scam site that tries to take advantage of the victim's state of mind. For example, victims who thought they typed in the right Web address might not notice if they see a scam site with the look and behaviour that they expect, and that can profit the scammer. Victims might see a site with the same color scheme and theme as the brand or site they intended to go to, hand-in-hand with false congratulations on being a random winner who will receive a prize for completing a short survey.
A "typosquat hive" from the wild: How does it work?
Typosquatting is illegal in the US. Nonetheless, a lot of typosquatting sites are hosted in the US. As an example, at the bottom of this write-up, you'll find a list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.
How does this specific scam work?
The typosquat hive (Please refer to the image below) consists of many hostnames registered by the cybercriminals. The list below consists of a lot of names that target very well known brands. The cybercriminals are interested in breadth -- they want to target as many well-known brands as possible. This gives their scam good exposure. The cybercriminals that are in control of the hive (the registered typosquat domains) have a few options for how to use the sites. They can set up their own scam infrastructure. Usually, the cybercriminals that own the hive partner with other cybercriminals that already have the scam infrastructure established (marked 2). The scam infrastructure is where the victim (marked 3) is ultimately led to separate from his or her money after making a typo in the browser. The scam infrastructure consists of Web servers, changing domain names, and the enticing scam content that victims see.
The agreement between the cybercriminals that own the hive and the ones that own the network could be either fixed cost for the time the typosquat hive is used, or, more often, a "per traffic" agreement. The latter means the owner of the hive gets a cut based on the actual number of victims that fall for the scam. For example, a percentage from the victims that registered for a premium number text service that costs £3 a message. Once the agreement is set up, the owners of the hive can point the hosts they own to the name servers that are part of the infrastructure built by their "partner in scam" (marked 4) for as long as the agreement is on.
The typosquat hive in our example targets mainly UK brands. Here are just a few examples from that list of registered typosquatting domains in the hive, including the brands they're targeting:
johnlwis.com (targets the legitimate Web site johnlewis.com)
arrgos.co.uk (targets the legitimate Web site argos.co.uk)
debnhams.co.uk (targets the legitimate Web site debenhams.com)
As UK Web sites and brands are the main target, most of the requests coming to this typosquat hive originate from the UK (victims making easy typos). Please refer to the pie chart below to see the location distribution of users that end up at a typosquat host in this hive, as observed in the Threatseeker Network over one week. It's natural to see multiple countries, as UK residents roam and brands offer services and products that are available globally.
Scam infrastructure hosted in the US
Typos that go to a host in the hive lead to a scam site. For example, when typing in johnlews.com, it redirected any victim to the scam site surveystartweb.com as seen in the diagram below. Victims are informed that they won a desirable product, and are asked to register to a premium rate number service
In this example, surveystartweb.com is part of the scam infrastructure and ultimately redirects to promotions.djummer.com, where victims are likely to be separated from their money. The scam infrastructure consists of many hosts that hold basically the same information. In essence, different typos lead to different scam hosts and URLs that usually follow the same principal, as in this case where victims are led to a premium rate number service.
Using the Threatseeker Network, it is possible to check how many unique scam URLs are identified as part of the same scam infrastructure. If you check the graph below, you can see that observing live data for a week yielded an average of 121 unique URLs per day.
The GeoIP location of the URLs within the scam infrastructure is mainly in the US, a fact we found astounding. Check out the pie chart below to see the GeoIP location distribution of all the hosts known to be part of the scam infrastructure, as observed by the Threatseeker Network over one week.
It's important to note that good typosquat hosts are very valuable to their cybercriminal owners. There are two main reason for this:
- A good combination of keys both likely to be a common typo and very similar to the legitimate, targeted site is rare. There are a limited number of proximate keyboard buttons that are likely to create a typo: for example, instead of the letter "P," it is easy to type nearby letters like "O."
- Once a typosquat domain is spotted, it's blacklisted and lost forever.
For these reasons, it's not a surprise to see typosquat hosts that don't serve scams lying low for a time, coming to life and serving scams for a short while, and then going back to covert mode. Also, it's common for typosquat hosts to employ evasion tactics while they lie low; one method is to redirect any users or nosy researchers to the legitimate Website to avoid any suspicion. Other tactics could involve blacklisting methods against probing users or researchers that try to poke around the hive.
It's important to remember that legitimate Websites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site's name. This is a good strategy for successful Websites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused.
Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon.com, amaxzon.com, amzon.com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon.
Other means can also be used to redirect or lure victims to the scam infrastructure. For example, not long ago we also noticed that a spammy Facebook campaign titled "In Memory of Steve Giving Away 1000 iPad 2s" that propagated throughout Facebook and ultimately led victims to the same infrastructure.
A list of hundreds of hosts used for typosquatting found in the wild and free
Download the full list from here 3324.typo_list_.txt . Please exercise caution as these domains are not safe. We strongly advise that you not load them in a browser.
Courtesy: Websense Security Labs
Your guide to the latest cricket World Cup stories, analysis, reports, opinions, live updates and scores on https://www.firstpost.com/firstcricket/series/icc-cricket-world-cup-2019.html. Follow us on Twitter and Instagram or like our Facebook page for updates throughout the ongoing event in England and Wales.
Updated Date: Feb 02, 2017 23:20:58 IST