What Cybersecurity Risks Does Typosquatting Pose, and How Can You Beat Them?
Typosquatting represents a significant threat to cybersecurity. But what exactly is it? How does it work? What threats does it pose to your cybersecurity? How can you prevent these threats and how can you deploy application security against them?
What is typosquatting and how does it work?
In traditional typosquatting cyberattacks, malicious actors register domain names that closely resemble popular websites or applications. These domain names are intentionally crafted to exploit common typing errors made by users when entering a web address into their browsers. Then, users are redirected to malicious websites where attackers can gain unauthorized access to sensitive information. This is used as a platform for a range of damaging activities, such as data theft, fraud, and extortion. Research indicates that over one-fifth of all .com domain registrations are typo domains, and their number is increasing.
Typosquatting attacks have more recently expanded to open source software repositories. Rather than redirecting browsers to fake websites, attackers upload malware-infected packages with a similar name to a legitimate open source package. The hope is that a developer will mistype and download the malicious version rather than the valid package.
Different types of typosquatting attacks
- URL hijacking. Attackers register domain names that closely resemble legitimate URLs. For example, replacing a single letter, adding a common typo in the domain name, swapping letters, or adding hyphens, numbers, or additional words.
- Extension-based attacks. Malicious actors register domain names with different extensions, such as .com instead of .net or .org.
- Homograph attacks. Attackers use non-ASCII characters that visually resemble ASCII characters to create domain names that appear identical to legitimate ones. For example, using the Cyrillic letter “а” instead of the ASCII letter “a.”
- Subdomain attacks. Attackers create subdomains similar to legitimate ones, exploiting common mistakes in entering URLs.
- Open-source repository attacks. Attackers upload malicious versions of popular packages with slightly different names. Developers that misspell the package name will download the malicious version.
What threats does typosquatting pose?
Typosquatting poses the following threats to software and application security:
- Data exfiltration. Fake websites or open source malicious packages can be used to gather sensitive information, like login credentials, credit card details, or personal data.
- Malware distribution. Typosquatting websites or open source packages may host malicious files or distribute malware, infecting users’ devices. This malware can infiltrate organizations when users access their companies’ servers and shared drives with their infected devices.
- Financial loss. Typosquatting attacks can result in financial losses for businesses and users through fraudulent transactions, stolen funds, or unauthorized access to accounts.
- Reputational damage. Legitimate businesses whose brands are targeted by typosquatting attacks can suffer reputational damage if users associate the fraudulent websites with their brand. If customers become wary of using their websites, software, or applications, this could further damage their business.
Examples of significant typosquatting attacks
Significant typosquatting victims have tended to be major brands that attract high user numbers and high traffic. The threat from typosquatting derives from the large number of users that it deceives into exposing their sensitive data, so naturally attackers target companies with many users who return frequently.
Google is a major example. Attackers have registered misspelled domains such as Gooogle.com and Googkle.com and used them to display advertisements, potentially generating revenue from unsuspecting users, or redirecting them to fake websites that looked similar to Google’s homepage but contained advertisements and potentially harmful content. Twitter has also been targeted. When attackers registered the domain “Twtter.com” the site displayed malicious ads and potentially distributed malware to unsuspecting visitors.
Several attackers have hit Bank of America over the years by registering misspelled domains that closely resembled the bank’s legitimate website. The aim: to steal users’ login credentials and personal information. Similarly, fraudsters have registered false domains that resemble PayPal to capture users’ account credentials and gain access to their accounts. Misspelled domains resembling LinkedIn have also been used to harvest user login details and credentials.
Typosquatting domains related to Airbnb have been used to trick users into booking accommodation on fraudulent websites, leading to financial losses and compromised personal data. Moreover, typosquatters have used domains such as “micorsoft.com,” to distribute malware by tricking Microsoft users into downloading infected files. In October 2022, a large malicious campaign was identified, using over 200 typosquatting domains that impersonated twenty-seven brands to trick visitors into downloading various Windows and Android malware. The brands included Google Play, Google Wallet, Microsoft Visual Studio, PayPal, Snapchat, and TikTok.
In the open source software development arena, Mend.io researchers identified a new typosquatting attack on the ’colors’ npm package in spring 2022. In the summer, they discovered typosquatting malware in the composer repository. Others found a significant typosquatting npm software supply chain attack in the fall of 2022. And at the end of the year, the Mend team identified further npm attacks, including ‘cors’ typosquatting. Other researchers found that Python and JavaScript developers were targeted with fake packages delivering ransomware, in another software supply chain attack relying on typosquatting.
How to prevent typosquatting attacks
There are some key procedures you can implement to prevent typosquatting attacks:
- Regularly monitor domain registrations that resemble your brand to identify potential typosquatting attempts.
- Defensively register domains and common variations to prevent attackers from using them.
- Educate users about typosquatting risks and encourage them to double-check URLs before entering sensitive information.
- Implement secure sockets layer (SSL) certificates to ensure secure connections between users and your application, providing an additional layer of trust. An SSL certificate is a good indicator that you are on a legitimate site and not a typosquat.
- Use two-factor authentication methods, such as SMS verification or authentication apps, to reduce the risk of unauthorized access.
- Conduct continuous security testing, assessments, and penetration tests to identify vulnerabilities that could be exploited by typosquatting attacks.
- Automated code reviews and audits. This helps identify suspicious or potentially vulnerable code snippets that could indicate potential typosquatting attack vectors.
What tools typically prevent typosquatting attacks?
Typically, you can use DNS monitoring tools that alert you to domain registrations that resemble your brand. You can also perform WHOIS lookups to gather information about domain registrations and identify potential typosquatting domains, and you can deploy DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent email spoofing and protect users from phishing attempts that leverage typosquatting.
You can also put your application security tools to work to stop typosquatting.
How can you use AppSec tools to fight typosquatting?
Although application security tools like software composition analysis (SCA), static application security testing (SAST), and software bills of materials (SBOMs) do not directly address the issue of domain typosquatting, they can help you defend against it. SCA and SAST tools analyze source code to identify security vulnerabilities in software applications that may be exploited by attackers, including those attempting typosquatting attacks. SBOMs can indirectly contribute to mitigating such attacks by enhancing transparency in the software supply chain. Moreover, some modern SCA tools protect against open source malicious packages. These tools reinforce your security with the following functions:
- Input validation: As typosquatting attacks often involve manipulating user inputs, such as URLs, filenames, or usernames, SCA and SAST can analyze the application’s code and identify areas where input validation is insufficient or missing, thereby minimizing the chances of malicious inputs leading to typosquatting attacks.
- Verification of software sources: SBOMs provide information about the origins of software components, so you can verify if sources are legitimate. They enable you to compare names, versions, and sources of components with known trusted sources. If any discrepancies or inconsistencies are found, it could indicate a typosquatting attempt.
- Sanitization and encoding: SCA and SAST tools help developers ensure that user inputs are properly sanitized and encoded, reducing the risk of typosquatting attacks that seek to exploit unvalidated inputs to inject malicious code or execute unintended actions.
- Enhanced visibility: SBOMs provide a comprehensive list of all the software components and dependencies used in an application, including their versions and sources. This allows you to identify potential vulnerabilities and assess the security posture of the software. It also helps identify unintended or malicious components, including those introduced through typosquatting.
- Supply chain security: SBOMs promote transparency and accountability in the software supply chain. By having a clear record of the components used, organizations can better assess if their suppliers’ security is sound and up-to-date, and therefore if they’re using safe and reliable components from them. This helps reduce the risk of incorporating typosquatting-prone components.
- Malicious package protection. Some SCA tools detect and block malicious open source packages before your developer can download them.
Fight typosquatting with a multi-layered approach
AppSec tools like SCA, SAST, and SBOM can aid in identifying vulnerabilities and strengthening the overall security posture of software and applications, which in turn can better alert you to typosquatting attempts, so you can prevent them. They’re not a complete solution to these attacks, because preventing typosquatting requires a multi-layered approach that involves a combination of techniques, including domain monitoring, user education, SSL certificates, and two-factor authentication, alongside secure coding practices, vulnerability scanning, and software analysis. Together, these measures can significantly reduce the likelihood and impact of typosquatting attacks. By staying vigilant and employing the right tools and procedures, you can beat the risks posed by typosquatting and enhance your security.
