Analysis: the Typosquatting trade

Type “goggle” instead of “google” and you still end up at Google. But type “twiter” instead of “twitter” and you end up at a deceptively similar scam site designed to collect personal user information

At best, typosquatting causes inconvience.  At worst, it causes data theft and exposes the victim to exploits, malware, and phishing scams.

Websense Security Labs recently analysed common typos that occur when trying to reach Facebook. The typosquatting pages rely on typo errors based on keyboard character distance, common repeats, and omissions.

The Labs also studied objectionable links generated by these typos. They found that over 62 per cent of the links lead to bot networks, phishing, or malicious websites.

Twitter, for example, is the subject of numerous false sites including: 

·   ttwitter.com 
·   twwitter.com 
·   twiitter.com 
·   twittter.com 
·   twitterr.com 
·   twutter.com 
·   twiter.com 

Many of the most popular websites (including Amazon and Google) have registered web sites with such typos and spelling errors to safeguard users.

Others that don't take such steps can find their users falling prey to typosquatting. And if the typo site has already been registered, the legitimate company can face a long legal battle.

Many months after Twitter won its dispute against twiter.com, the site is still redirecting to a scam survey.

Given the millions of users trying to reach the world's most popular websites, the value to a criminal of a good typosquatting address is high. It's just a matter of finding a way of using the visitor numbers to generate dollars. 

The high premium phone numbers scam

One way of making money is to present cost per action scams or registering to high premium phone number services. The attacker registers or leases from other cybercriminals several typosquatting sites for the one leading web address. They then redirect the typosquat sites to another site.

This occurs globally with some of the twitter.com variants. Visitors are redirected to a site where they are presented with a screen that tells them they have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. After they complete the survey, the visitor is asked to enter their phone number which quietly subscribes them to a service that costs more than $2 per message or  $6 per week. 

One of the spam sites used in this campaign is video-rewardz.com, which at its peak in late 2011, achieved a top-250 ranking in the global Alexa web analytics listings. Related spam sites include:

·   videorewardcentral.com 
·   videorewardsonline.com 
·   socialupdatepanel.com 
·   videorewardstoday.com 
·   videorewardsnow.com 
·   giveaway-winner.com 
·   videorewardspace.com 
·   video-reward.com 
·   videorewardspot.com 

The campaign is widespread and includes frequently visited registered typosquatting domains in all areas ranging from Google to Victoria's Secret, and Wikipedia to Craigslist. The Websense ThreatSeeker Network has discovered over 7000 typosquatting sites within this single network.

What's it worth?

Websense estimates the total number of daily visits for just one spam site – video-rewardz.com – at871,915. Daily page views are around 4,010,808. Based on online website valuation tools such as worthofweb.com this puts a value of $20,545,371 on the video-rewardz.com website. It's a substantial sum. 

Currently, the spam advertisements used in the campaign are not installing malware on user’s computers. But what if these networks are resold to underground groups with that intent?

If the downloads were changed to contain data-stealing malware (a fairly easy process), the outcome could be devastating for people trying to protect corporate and personal data. 

Careful typing helps, but will never be enough, so it's highly recommended that companies install security that protects email and web browsing, and protects against data theft.

Copyright © SC Magazine, Australia