Typosquat domains can damage not only an organization’s finances, but also their reputation with customers, prospects, and the market. Monitoring for and quickly remediating typosquat domains (where possible, more on that to come) is critical for maintaining business operations and preventing hackers from accessing your sensitive data.
Given the tightening budgets and market instability, not only for cybersecurity teams, but across the board, it’s more important now than ever to ensure you have a secure, cost-effective plan in place to manage typosquatting.
What is Typosquatting
Let’s start with a quick explanation of typosquatting, including examples of what to look for. Typosquatting, also interchangeably referred to as “domain squatting,” “cybersquatting,” and variations thereof, is essentially registering a variation of a legitimate domain in an attempt to trick consumers, employees, or anyone interacting with the legitimate domain. This is often done for financial gain, or to obtain sensitive data or company information.
A typosquat domain would be something like “walnart[.]com”, where hackers have substituted an N for the M so that it resembles Wal-Mart’s official domain “walmart.com”. The more similar a domain is to the original, the less likely a victim is to notice.
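The N-for-M swap in the walnart example is one of several systematic ways a look-alike name can be derived from a legitimate domain. The script below is an added example (not code from the original post or from Bolster) that generates the common variation classes a defender would register proactively or put on a monitoring watchlist: single-character omission, adjacent-character transposition, keyboard-neighbour substitution, repeated characters, visually similar sequences (homoglyphs) and hyphenation. The keyboard-adjacency and homoglyph tables are partial, illustrative assumptions; production tooling uses far larger tables and also permutes the TLD.

```python
"""Generate look-alike domain candidates for a brand domain so they can be
registered defensively or added to a monitoring watchlist.

Added example; not code from the original post or from Bolster. The
adjacency and homoglyph tables below are deliberately partial assumptions.
"""

# Partial QWERTY adjacency map (assumption: letters only, no digits/symbols).
KEYBOARD_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Partial homoglyph map: sequences that look alike in common fonts.
HOMOGLYPHS = {
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"], "cl": ["d"], "d": ["cl"],
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
}


def _omission(label):
    """Drop one character: walmart -> wamart."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def _transposition(label):
    """Swap two adjacent characters: walmart -> walmrat."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def _repetition(label):
    """Double one character: walmart -> wallmart."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def _substitution(label):
    """Replace one character with a keyboard neighbour: walmart -> walnart."""
    out = set()
    for i, ch in enumerate(label):
        for neighbour in KEYBOARD_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + neighbour + label[i + 1:])
    return out


def _homoglyph(label):
    """Replace one visually similar sequence: walmart -> walrnart."""
    out = set()
    for seq, replacements in HOMOGLYPHS.items():
        start = label.find(seq)
        while start != -1:
            for rep in replacements:
                out.add(label[:start] + rep + label[start + len(seq):])
            start = label.find(seq, start + 1)
    return out


def _hyphenation(label):
    """Insert a hyphen: walmart -> wal-mart."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


GENERATORS = {
    "omission": _omission,
    "transposition": _transposition,
    "repetition": _repetition,
    "substitution": _substitution,
    "homoglyph": _homoglyph,
    "hyphenation": _hyphenation,
}


def typosquat_candidates(label, tld):
    """Return {category: sorted candidate domains} for label.tld.

    `label` is the registrable part ("walmart"); `tld` is everything after
    it ("com" or "co.uk"), so second-level TLDs are handled by the caller.
    """
    label = label.lower()
    result = {}
    for name, generate in GENERATORS.items():
        variants = {v for v in generate(label) if v and v != label}
        result[name] = sorted(f"{v}.{tld}" for v in variants)
    return result


def all_candidates(label, tld):
    """Flat set of every candidate across categories (for a watchlist)."""
    return set().union(*typosquat_candidates(label, tld).values())


if __name__ == "__main__":
    for category, names in typosquat_candidates("walmart", "com").items():
        print(f"{category:14s} {len(names):4d}  e.g. {names[:3]}")
    print("total unique:", len(all_candidates("walmart", "com")))
```

Run it with the brand label and TLD separated (`typosquat_candidates("walmart", "com")`); the flat set from `all_candidates` is what you would diff against daily new-registration feeds or check against your own registrar account to confirm which look-alikes you already hold.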
Why Do Hackers Utilize Typosquatting?
Typosquatting is immensely popular because it is a relatively easy attack technique compared to other methods, and isn’t illegal on the surface. Any average Joe can register a domain for any reason they want, and doesn’t have to prove ownership of, or any relation to, a brand even when registering a domain structured similarly to one that already exists. There is nothing illegal about the domain registration itself.
This type of cyber attack is also fairly cheap and effective. Victims can originate from a simple internet search that includes a typo, or from clicking on a top-ranked website or ad without looking closely at the domain (some free WordPress sites even include free AdWords ads!).
What Happens During a Typosquat Attack
Once a typosquat domain is registered, here are some (but certainly not all) of the things that may happen next in the domain lifecycle:
1) The domain will sit “parked”.
This is where it is owned/registered but otherwise inactive. It sits inactive until the registration expires, and the cycle repeats when/if someone else renews it (domain registrations are often set up to auto-renew against the initial payment method). Registration lengths are up to the registrant and typically range from 1 to 10 years, depending on how much they want to pay up front.
Important to Note: Companies often hire services and/or task employees with purchasing typosquat domains proactively so they cannot be used by would-be phishers. Depending on the company, this practice may not be communicated effectively across the relevant departments. Translation: not all typosquat registrations are malicious; some might even belong to your own company! It is always good to know which service or registrant information your company may use, and what your company’s strategy is against typosquat domains.
2) Domain owners can attempt to “flip” the domain.
This is when registrants post the parked domain for sale and sell it to the highest bidder. In the case above, the registrant would perhaps be hoping that Wal-Mart itself would come to them offering thousands of dollars.
3) They can host a phishing site on the typosquat domain.
This will typically make the domain immediately eligible for suspension, as it breaks the Registrar’s terms and conditions by using the domain maliciously.
However, there is an important caveat here: there is a difference between whether that phishing site is hosted at “http://walnart[.]com” vs something like “http://walnart[.]com/phishingsite.html” or “http://phishingsite[.]walnart[.]com”. Subdomains and extended URL paths are essentially not a Registrar issue; they are the problem of the hosting provider where the phishing content is located, as the root domain itself is not technically being used for malicious activity.
This concept also includes redirects. If “walnart[.]com” redirects to another phishing site, then the Registrar will typically decline to act on walnart[.]com, and instead will point you to action on the redirected domain.
Another caveat to remember is that all Registrars are different, depending on the country they reside in. So while we can have typical expectations around their remediation response, nothing is guaranteed.
4) Hackers can configure the domain to send/receive emails.
The emails could appear under addresses like “[email protected][.]com” or [email protected][.]com. Hackers aim to trick the recipient into believing they are communicating with the real Wal-Mart by injecting content clearly impersonating the brand (logos, language, employee titles etc).
This practice is referred to as BEC (Business Email Compromise), and can achieve a variety of malicious goals, most notably re-routing large payment transactions to a different bank account number. BEC can target both consumers and employees, and is particularly hard to defend against because it can be very difficult to know when and where it might be happening. It’s hard to know for a fact that a domain is engaging in phishing email activity until it actually happens. The existence of an MX record (Mail Exchange record) alone is not evidence that it has occurred: it’s entirely possible, despite the domain being configured for email, that an email is never once sent from that domain.
Points of Legality
So, you’ve detected a typosquat domain and have determined it’s threatening to your business. Taking down the malicious domain might not be as easy as you think.
Why can’t we take action on this typosquat domain that is clearly targeting us?
Well, technically you can, it’s just not always that easy. According to a law called the Anticybersquatting Consumer Protection Act (ACPA), passed in 1999, “a trademark owner may bring a cause of action against a domain name registrant who 1) has a bad faith intent to profit from the mark or 2) registers, traffics in, or uses a domain name that is a) identical or confusingly similar to a distinctive mark, or b) identical or confusingly similar to or dilutive of a famous mark.”
Here is where the grey area begins. Registrars make money keeping domains active, which means they have a financial incentive to leave domains in an active state until it is explicitly proven that the domain is being used in bad faith or violating a given trademark. There is a lot of subjectivity involved in determining what qualifies as “bad faith intent” or “confusingly similar” to another domain.
Registrars have essentially been left to police themselves on this issue, leaving it up to the victims/consumers to prove with hard evidence that a domain is violating a trademark or committing abuse before they will act on suspending a domain. A simple misspelling is not usually enough.
The Role of UDRP in Domain Takedowns
The concept of the Uniform Domain-Name Dispute-Resolution Policy (UDRP) was created around the same time as the ACPA to provide victims of typosquat domains with a legal path where they feel a violation is occurring.
If Wal-Mart wanted to acquire the above domain on the basis that it is violating the Wal-Mart trademark, they *may* have a case in court. However, as you can imagine, this is a legal process and takes a significant amount of time and money. A company like Wal-Mart may have the resources to commit to this process, but the average victim/company does not. UDRP costs range from a minimum of $1,500 per domain up to $10k.
It should also be noted that to acquire a domain that has already been registered but has not reached its expiration date, a UDRP is required if you want to own that domain before that date. The other option is to wait for the domain to expire and register it the moment it does (there are services like DropCatch out there that can help you time this).
What Can My Organization Do When We Are the Target of Typosquat Domain Attacks?
So, what do companies need to get a malicious domain suspended? The Registrar will not take action until hard evidence of malicious abuse is provided.
Examples of this are typically one of two things:
1) The domain resolves to an active phishing site: Any active phishing content on a domain will typically provide a path for a registrar to suspend the account. There is then potentially an arbitration period during which the owner can argue their account was compromised and re-activate the domain later.
2) The email header (the .eml file in the desktop versions of Outlook/Apple Mail) proves that a phishing email came from that domain as a sender. Important note: forwarded emails and screenshots will not suffice, as the sender address can often appear as a different address to the recipient via spoofing. The Registrar will reject any attachments in a takedown request that aren’t the actual email headers of the original phishing email.
Utilizing a Typosquat Solution
How can your organization stay up to date with potential typosquat domain threats? As you can imagine, there are quite a few new domain registrations every day (nearly 400 million per day for just the .com TLD for example)!
This makes it impossible for any human or security team to manually analyze the amount of data needed to pluck out which ones are malicious. Services like Bolster combine millions of new domain records from 1270+ possible TLDs daily, and automate the process of analyzing what might be targeting you. With Bolster, security teams can upload lists of domains they already own, and rely on Bolster’s continuous monitoring technology to scan for potentially malicious domains. Users can set up Bolster to automatically take down malicious domains, or be notified when threats are detected so their team can act.
How to Gather Email Headers
How can security teams gather the header content of an email to use as evidence in a domain takedown request?
Though some platforms are a little more straightforward than others, we recommend using desktop email software (Outlook or Apple Mail, for example) rather than webmail. It’s super easy to drag and drop the email file right from your column view directly onto your desktop, and then, just like that, you are ready to submit the attachment to the registrar. Other resources for gathering email headers we like are:
- Outlook (Desktop and Web; drag and drop works with the Desktop version): https://support.microsoft.com/en-us/office/view-internet-message-headers-in-outlook-cd039382-dc6e-4264-ac74-c048563d212c#tab=Web
- Apple Mail (Desktop; drag and drop works with the Desktop version): https://support.apple.com/guide/mail/show-detailed-email-headers-mlhlp1089/mac
- Gmail (Web): https://it.umn.edu/services-technologies/how-tos/gmail-view-email-headers
- Yahoo (Web): https://help.yahoo.com/kb/SLN28478.html
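Once you have the raw .eml file, the fields a registrar actually cares about are the envelope sender (Return-Path), the originating host in the Received chain, and the Authentication-Results line, not the display name a screenshot would show. The script below is an added example (not code from the original post or from Bolster) that pulls those fields from raw message source and checks whether the visible From: domain agrees with the envelope and first hop. Both messages are constructed samples; the hosts, IP addresses, IDs and the example-victim.net recipient domain are placeholders.

```python
"""Extract the sender evidence a registrar asks for from a raw .eml file.

Added example; not code from the original post or from Bolster. The two
messages below are constructed samples, and the domains, hosts, IP
addresses and IDs in them are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: mail genuinely sent from the typosquat domain.
TYPOSQUAT_EML = """\
Return-Path: <accounts@walnart.com>
Received: from mail.walnart.com (mail.walnart.com [203.0.113.5])
    by mx.example-victim.net with ESMTPS id k7Q2xW
    for <ap@example-victim.net>; Tue, 3 Oct 2023 09:14:02 +0000
Authentication-Results: mx.example-victim.net; spf=pass smtp.mailfrom=walnart.com; dmarc=none header.from=walnart.com
From: "Wal-Mart Accounts Payable" <accounts@walnart.com>
To: ap@example-victim.net
Subject: Updated remittance details for invoice 4471
Message-ID: <20231003091401.1234@mail.walnart.com>
Date: Tue, 3 Oct 2023 09:14:01 +0000

Please update our bank details before paying the attached invoice.
"""

# Constructed sample: the From: header claims the real brand domain, but the
# envelope sender and originating host still point at the typosquat domain.
SPOOFED_EML = """\
Return-Path: <accounts@walnart.com>
Received: from mail.walnart.com (mail.walnart.com [203.0.113.5])
    by mx.example-victim.net with ESMTPS id p3Zr8L
    for <ap@example-victim.net>; Tue, 3 Oct 2023 10:02:17 +0000
Authentication-Results: mx.example-victim.net; spf=pass smtp.mailfrom=walnart.com; dmarc=fail header.from=walmart.com
From: "Wal-Mart Accounts Payable" <accounts@walmart.com>
To: ap@example-victim.net
Subject: Updated remittance details for invoice 4471
Date: Tue, 3 Oct 2023 10:02:16 +0000

Please update our bank details before paying the attached invoice.
"""


def _domain(address):
    """Domain part of an e-mail address, lower-cased ('' if none)."""
    return address.rpartition("@")[2].lower()


def header_evidence(eml_text):
    """Pull the fields a takedown request needs from raw message source."""
    msg = message_from_string(eml_text, policy=default)
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    return_path_domain = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    # Each MTA prepends its own Received: line, so the originating hop is last.
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    hops = [m.group(1) for m in (re.match(r"from\s+(\S+)", r) for r in received) if m]
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "first_hop": hops[-1] if hops else "",
        "received_count": len(received),
        "authentication_results": auth,
    }


def sender_consistent(evidence):
    """True when the visible From: domain matches the envelope sender and the
    originating host; False means a screenshot of From: would mislead."""
    d = evidence["from_domain"]
    hop = evidence["first_hop"]
    return bool(d) and d == evidence["return_path_domain"] and (
        hop == d or hop.endswith("." + d))


if __name__ == "__main__":
    for name, raw in (("typosquat", TYPOSQUAT_EML), ("spoofed", SPOOFED_EML)):
        ev = header_evidence(raw)
        print(name, ev, "consistent:", sender_consistent(ev))
```

Feed it the saved .eml rather than a forwarded copy: forwarding rewrites Return-Path and the Received chain, which is exactly why registrars reject forwards and screenshots. In the spoofed sample the From: domain is walmart.com, so a screenshot would implicate the wrong domain, while Return-Path, the first hop and the dmarc=fail result all point at walnart.com.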
Learn more about Bolster
If your team is interested in a typosquat monitoring and automated takedown solution, request a demo with Bolster to learn more today!
About the Author – Daniel Katz is a Cyber Security Solutions Engineer who has over 10 years’ experience demonstrating, installing and maintaining a wide variety of cyber security related technologies spanning computer networking, threat intelligence, log management, SDLC, Vulnerability Management, and Digital Risk solutions.