How Attackers Use Typosquatting Domains for BEC and Ransomware Attacks

BOLSTER has also paired this article with a FREE resource, 'Leveraging AI to Stop Typosquatting Attacks.'

People tend to associate typosquatting domains with only phishing related activities but in reality, these domains are used in a wide variety of attacks. Attackers use these domains in attacks such as brand impersonation, BEC scams, and ransomware campaigns.

Typosquatting Domains in BEC Scams

  • Business Email Compromise scams primarily target company employees or individuals who are responsible for transferring funds.
  • For these scams, attackers use spoofed emails, emails with typosquatting domains, or compromised email accounts of executives, employees, or business partners to make fraudulent payment requests.
BEC Attack Process
  • BEC scams are carried out by financially motivated attackers. In 2020 alone, FBI Internet Crime Complaint Center IC3 received 19,369 complaints of BEC scams resulting in over 1.86 billion dollars in losses to businesses and individuals. The total loss due to these scams has been rising every year.

Attackers use email addresses with typosquatting/look-alike domains to take advantage of employees in a hurry who might skim over an email address and not notice a difference in one or two characters.

Since a majority of BEC scam emails do not contain any links or malicious attachments, such emails can easily slide by email spam and malware filters.

Attack Scenario:

Attackers acquire a domain name similar to that of their target company’s name and use the emails addresses from the acquired domain to send BEC scam emails.

For example, if a company employee’s legitimate email address is [email protected], the attacker may acquire and use the email address [email protected] in scam campaigns.

A typosquatting domain email address being used for BEC scam 

The email address looks very similar to the employee’s email address, but when you look carefully the letter “o” in the company domain name has been replaced with zero “0”.

TIP: Protect your employees and customers with a proactive monitoring and takedown service.

FREE DOMAIN RISK REPORT: Click here for a free report assessing your company’s typosquatting threat landscape.

Typosquatting Domains in Ransomware Attacks

  • Ransomware is a type of malware that encrypts data on a victim’s computer and demands payment in return for the decryption key. Some ransomware variants also exfiltrate sensitive data from systems before encrypting important documents and files, then threaten to make the data public if the ransom isn’t paid.
  • Global ransomware costs are predicted to go above $265 billion by the year 2031. The average ransom paid by companies infected in 2021 was $570,000. Meanwhile, the actual loss is higher since ransom payout doesn’t include downtime, lost data, mitigation costs, and reputation loss because of ransomware.

One of the most common Ransomware distribution tactics is emails with malicious attachments or with malicious URLs in the email body. In highly targeted campaigns, attackers utilize email addresses using the typosquatting/look-alike domains of the company to appear more legitimate & trustworthy to the eyes of unsuspecting employees.

Ransomware Attack Process using email as the method of distribution

Attack Scenario

An attacker uses a look-alike/typosquatting domain’s email address for sending the email with a malicious attachment to target company employees.

The attacker can send malicious executables disguised as documents, legitimate office documents laced with malicious macros, or malware stored inside an archive in hopes of somebody opening them.

Instead of attachments, the attacker can also try to send emails that have a link to the malicious executables hosted at the typosquatting/look-alike domain of the company.

If the spam or rule-based filter fails to detect these incoming emails as suspicious, the employee may end up opening the email & executing the attachment.

In case of successful execution, the employee’s machine will get infected, and all the important files & documents will be encrypted. Or in the other case attacker can use that infected machine to gain a foothold into the company’s network and try to infect important servers and other machines on the network.

If attackers are successful, then it can lead to interruption of the entire company’s operations until the decryption key is acquired by paying the ransom or until the backups are restored.

TIP: Protect your employees and customers with a proactive monitoring and takedown service.

FREE DOMAIN RISK REPORT: Click here for a free report assessing your company’s typosquatting threat landscape.

Steps to Protect from such attacks

For Users

  1. Be skeptical, vigilant, and only open emails from trusted senders.
  2. Do not download and open attachments from untrusted emails.
  3. Carefully examine the email address for typosquatting in the email domain name and URLs in the email content.

For Companies

  1. Employees should be given periodic security awareness training for identifying & dealing with different types of scams, attacks, and their consequences.
  2. Report malicious typosquats to global blocklists and then to your SIEM/SOAR platforms; acquire high-risk typosquatting domains.
  3. Notify your partners and suppliers of high-risk typosquatting domains and active MX records.
  4. Monitor new and active typosquatting MX servers on a continuous basis. Bolster’s typosquatting monitoring solution can help with that. Click here for a demo.

About Us

This blog is published by Bolster Research Labs. We are also creators of – a free URL scanner to detect phishing and scams sites in real time.

If you are interested in advanced research and uncovering of new scams or working with cutting edge AI, come work with us at the Bolster Research Labs. Check out open positions here