Security risks from domain typo squatters

One of the ways that hackers get users to click on malicious links or believe false emails is to use domains that look like, but are not actually, legitimate domains. This can be done in many ways, such as subtle misspellings, character substitutions, or use of foreign language characters. This practice is called typosquatting, and it gives attackers cheap, readily available material for social engineering attacks on your users.

Knowing whether someone has registered a typosquatting domain can provide early warning of potential attacks against your users or customers.

One easy way to find potential typosquatting domains is to run your primary domain through the NCC Group’s TypoFinder website. TypoFinder applies the tricks used by bad guys to create domains which could be used to impersonate you and lets you know if they have been registered.

For example, here is a very small part of a list of potentially typosquatted domains for Microsoft generated by the tool:

There are some pretty shady-looking domains here – m1crosoft[.]com, m.crosoft[.]com, kicrosoft[.]com – and the list continues.

Looking at the list for your domain can be an eye-opener. But what can you do with that information?

When you find domains which appear to be specifically targeted at fraud, have your company’s legal team send the domain registrar a strongly worded letter requesting that the domains be de-registered. If you have a trademark associated with your domain, you may have an even stronger case.

You may also want to block outgoing web and email traffic to the typosquatted domains. This way, if someone does click on a link using the bad domain, or answers a fraudulent email from within your organization, they will be blocked.
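As an added example (not TypoFinder's code and not from the original post), the sketch below shows one way to turn that idea into a check: generate single-edit lookalikes of your own domain and flag any destination in outbound proxy or mail logs that matches one. The variant rules, the partial keyboard map, and the sample log entries are simplified assumptions constructed for illustration.

```python
# Added example: flag outbound destinations that look like typos of your domain.
# The variant rules are a simplified assumption, not TypoFinder's algorithm.

# Keys adjacent on a QWERTY keyboard (partial map, enough for the demo).
ADJACENT = {
    "m": "nk", "i": "uo", "c": "xv", "r": "et",
    "o": "ip", "s": "ad", "f": "dg", "t": "ry",
}
# Characters commonly swapped for visually similar ones.
LOOKALIKE = {"i": "1l", "l": "1i", "o": "0", "s": "5", "e": "3"}


def variants(label):
    """Return single-edit lookalikes of a domain label (without the TLD)."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])               # omitted character
        out.add(label[:i] + ch + label[i:])              # doubled character
        if i + 1 < len(label):                           # swapped neighbours
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in ADJACENT.get(ch, "") + LOOKALIKE.get(ch, ""):
            out.add(label[:i] + sub + label[i + 1:])     # substitution
    out.discard(label)  # never report the legitimate label itself
    return out


def flag_lookalikes(own_domain, seen_domains):
    """Return seen domains whose registrable label is a variant of ours."""
    candidates = variants(own_domain.lower().split(".")[0])
    hits = []
    for d in seen_domains:
        parts = d.lower().rstrip(".").split(".")
        # Naive pick of the registrable label: assumes a one-part TLD.
        label = parts[-2] if len(parts) >= 2 else parts[0]
        if label in candidates:
            hits.append(d)
    return hits


# Constructed sample of destinations pulled from a proxy or mail log.
SEEN = ["www.microsoft.com", "login.m1crosoft.com", "kicrosoft.com",
        "mircosoft.com", "example.org"]

if __name__ == "__main__":
    for d in flag_lookalikes("microsoft.com", SEEN):
        print("block/review:", d)
```

Matches are candidates for review before blocking, since a single-edit neighbour of your name can also be an unrelated legitimate domain.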

Typosquatting is just another example of how attackers use psychology mixed with technology to social engineer people into aiding their attacks. Your response needs to be similarly hybrid, using technology and awareness to protect your organization.
