Typosquatting – A harmless typo with serious consequences


Have you ever heard of mikerowesoft.com? Or does the website deutschebnak.com ring a bell? Attentive readers will have noticed that a few errors snuck in there. Exploiting this kind of error is called typosquatting, or URL hijacking, and is a form of cybersquatting. It describes a social engineering attack in which misspelled versions of popular web addresses are registered in order to redirect people to illegitimate websites. These websites usually contain advertising from competitors of the genuine site, malware or even pornographic content.

Cybersquatting and the like

Cybersquatting is an umbrella term for a range of social engineering attacks. Cybersquatting, or domain squatting, involves registering domain names that the applicant is not entitled to. These can be brand names (brandjacking), public figures (namejacking) or company names. This also includes registering typo domains or so-called typosquatting.

Deep dive: Typosquatting

At one point or another, everyone’s ended up on a typo domain. In fact, the whole thing is pretty easy to pull off: cybercriminals register domains that strongly resemble those of well-known websites, usually by changing only a few letters. A simple typo then sends people to a third-party site and, in the worst case, they interact with it as well. These interactions can include entering personal data, clicking on malicious links or downloading malware. Typosquatting does not only affect private individuals, however. Many companies register domain names, numbering in the four-digit range, in advance in order to counter the loss of customers or traffic due to typosquatting.

Typosquatting allows attackers to capitalise on simple human mistakes:

  • Spelling and typing errors
  • Outdated or alternative spellings
  • Domains with hyphens
  • Incorrect punctuation marks
  • Wrong top-level domains (e.g. .net, .org, .com etc.)


There are also different types:

  • Impersonators – A fake website that imitates the look and feel of a pre-existing website. Victims are tricked into providing sensitive information.
  • Listing related search results – A fake website that redirects traffic intended for the real website to its own and demands payment per click.
  • Traffic monetisation – A fake website that places ads or pop-ups to generate revenue.
  • Surveys & giveaways – A fake website that pretends to collect customer feedback in order to harvest personal data.
  • Installing malware – A fake website that installs malware on the affected hardware.

What does the law say?

Registering a domain is easy and, in most cases, only costs a few euros. Because domains are allocated according to the principle of priority, “first come, first served”, there is no guarantee that the person applying for a domain is also the person legally entitled to use it. In these cases, naming rights, trademark law or even competition law come into play. Whether or not the domain in question was lawfully registered has to be assessed on a case-by-case basis.

In a case from 2001, the BGH (Germany’s Federal Supreme Court) decided in the so-called “Shell ruling” that the principle of priority is no longer valid if the plaintiff’s name recognition is significantly higher than that of the defendant. In this case, the plaintiff invoked the right to its own name.

“The very registration, not the first use of another company name as a domain name in non-business dealings, constitutes an unauthorised use of a name under §12 of the German Civil Code.” – As stated in the 2001 judgement [1]

Mike Rowe recounts another case that is more likely to make you smile. The then 17-year-old secured the domain MikeRoweSoft.com for his private website. The world-famous software company, Microsoft, didn’t like the web designer’s creative work at all and threatened the young entrepreneur with a lawsuit.

“I didn’t expect them to send all their highly paid lawyers after me right away”, Mike Rowe explains.

In the end, however, both parties were able to reach an out-of-court settlement. After all the drama, Mike Rowe sold the documents of his case as “a piece of internet history” on eBay for $1,037 USD. [2]

Because of the ever-increasing amount of squatting and the need for the individual review of such cases, proceedings of this nature can drag on for years. The dubious key figures who are often behind domain squatting also hide behind shell companies or in foreign countries. This approach makes a conviction virtually impossible.

Prevention & measures to prevent typosquatting

The following tips will help you protect yourself against attacks that rely on typosquatting domains:

Individuals

  • Avoid clicking on suspicious links. These links can come to you via emails, text messages, chat messages or social media channels.
  • Avoid opening email attachments from unfamiliar senders.
  • Install an antivirus program and keep it up to date.
  • Check the correct spelling of URLs carefully.
  • Save your most visited links in your bookmarks to avoid typing errors.
  • Use speech recognition software for familiar URLs.
  • Use a search engine to get to specific websites.

Companies

  • Secure as many domain variations of your name as possible and link them to your website. This can include different spellings, punctuation, and country extensions of the top-level domain.
  • Let ICANN’s Trademark Clearinghouse help you monitor your brand name and notify you if your name is used in other people’s domains. [3]
  • SSL certificates allow you to protect your visitors’ data during transmission, providing a sense of security. Those looking to hijack your domain wouldn’t use this method.
  • As soon as you suspect someone might be impersonating your company, inform clientele, colleagues, and other stakeholders about possible social engineering attacks through phishing emails or phishing websites.
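
One way to support the monitoring described above is to compare domains seen in DNS or proxy logs against your own domains and flag near-misses by the error classes listed earlier (typing errors, hyphens, wrong top-level domain). This is an added example, not code from the original article or from MetaCompliance; all domain names, function names and the distance threshold are assumptions chosen for illustration.

```python
# Added example. All domain names are constructed sample data.
PROTECTED = ["examplebank.com", "example-shop.com"]  # hypothetical brand domains

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def split_domain(domain: str):
    """Split 'name.tld' at the last dot. Assumes a registrable domain with a
    single-label suffix; subdomains and suffixes like co.uk are not handled."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(observed: str, protected=PROTECTED, max_dist: int = 1):
    """Return (protected_domain, reason) for a look-alike, else None."""
    o_name, o_tld = split_domain(observed)
    pairs = [split_domain(p) for p in protected]
    if (o_name, o_tld) in pairs:
        return None  # exactly one of our own domains
    for p, (p_name, _) in zip(protected, pairs):
        if o_name == p_name:
            return p, "wrong top-level domain"
        if o_name.replace("-", "") == p_name.replace("-", ""):
            return p, "hyphen variant"
        if osa_distance(o_name, p_name) <= max_dist:
            return p, "spelling or typing error"
    return None

def scan(observed_domains):
    """Map each flagged domain to the protected domain it imitates and why."""
    hits = {d: classify(d) for d in observed_domains}
    return {d: hit for d, hit in hits.items() if hit}

# Constructed sample, e.g. domains pulled from DNS or proxy logs.
SAMPLE = ["examplebnak.com", "examplebank.net", "exampleshop.com",
          "examplebank.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, (target, reason) in scan(SAMPLE).items():
        print(f"{domain}: resembles {target} ({reason})")
```

The swapped letters in `examplebnak.com` mirror the deutschebnak.com typo from the introduction; counting an adjacent swap as a single edit is what lets a threshold of 1 catch it.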

In conclusion, typosquatting is a serious issue. Small, careless mistakes make it possible to inadvertently access a typosquatting domain, even for experienced users. What seems like a trivial oversight can still cause a lot of damage.

[1] http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&nr=23718&pos=0&anz=1
[2] https://en.wikipedia.org/wiki/Microsoft_v._MikeRoweSoft#Further_developments
[3] https://www.trademark-clearinghouse.com/content/what-trademark-clearinghouse
