Typosquatting in the Anti-virus Marketplace

New research demonstrates just how widespread, and dangerous, the use of typosquats can be

Two days ago, Infosecurity's UK-based news editor received a phishing scam purporting to come from Apple Support. It said, "Dear iTunes Customer, This is an automatic message sent by our security system to let you know that you have 48 hours to confirm your account information." It was followed by the inevitable link, and was obviously a scam.

The interesting part, however, was the domain name: applie.com – close enough to apple.com to be easily mistaken. It's an example of what is known as 'typosquatting': the registration and use of a domain name that is easily mistaken, visually or via the keyboard, for a legitimate domain used by major companies. Typosquatting is the subject of new research published by High Tech Bridge (HTB) today.

It's a huge problem. To make analysis manageable, HTB examined just 385 suspect domain names, all similar to ten of the most popular anti-virus brands. Examples (don't ever go to a misspelled domain, just in case) include: kasperski.com ('i' instead of 'y'); mcaffee.com ('ff' instead of 'f'); and symanrec.com ('r' instead of 't').
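As an added example, not code from the article or from HTB's report, the following Python enumerates the three kinds of typo illustrated above (adjacent key, doubled letter, sound-alike letter) for a brand domain and lists the variants the brand owner does not already hold, which is the gap a company would register or put under monitoring. The `ADJACENT` table, the sound-alike pairs and the sample `held` set are assumptions.

```python
# Added example, not from the article or HTB's report: enumerate the typo
# classes the article names (adjacent-key substitution, doubled letters,
# sound-alike letters) for a brand domain so a brand owner can see which
# variants it already holds and which remain unprotected.

# Assumed: physically adjacent keys on a QWERTY layout, letters only.
ADJACENT = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "iplk", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfxc", "f": "drtgcv",
    "g": "ftyhvb", "h": "gyujbn", "j": "huikmn", "k": "jiolm",
    "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# Assumed: letters that sound alike and get confused when typed from memory.
SOUND_ALIKE = [("y", "i"), ("c", "k"), ("s", "z")]

def adjacent_key_typos(label):
    """Replace one character with a neighbouring key: symantec -> symanrec."""
    return {label[:i] + alt + label[i + 1:]
            for i, ch in enumerate(label) for alt in ADJACENT.get(ch, "")}

def doubled_letter_typos(label):
    """Repeat one character: mcafee -> mcaffee."""
    return {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}

def sound_alike_typos(label):
    """Swap one sound-alike letter in either direction: kaspersky -> kasperski."""
    out = set()
    for a, b in SOUND_ALIKE:
        for x, y in ((a, b), (b, a)):
            for i, ch in enumerate(label):
                if ch == x:
                    out.add(label[:i] + y + label[i + 1:])
    return out

def typosquat_candidates(domain):
    """All single-error variants of the registrable label, keeping the TLD."""
    label, _, tld = domain.lower().partition(".")
    variants = adjacent_key_typos(label) | doubled_letter_typos(label) | sound_alike_typos(label)
    variants.discard(label)  # never report the genuine domain itself
    return sorted(f"{v}.{tld}" for v in variants)

def unprotected(domain, owned):
    """Candidates the brand owner does not already hold: the set to register or watch."""
    held = {o.lower() for o in owned}
    return [c for c in typosquat_candidates(domain) if c not in held]

if __name__ == "__main__":
    held = {"mcaffee.com"}  # constructed sample: one variant already owned
    for d in unprotected("mcafee.com", held)[:10]:
        print(d)
```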

Not all are dangerous. Of them, 107 are actually owned by the anti-virus companies, some of whom go to great lengths to protect their customers by buying up potentially fraudulent names. Kaspersky (46) and McAfee (40) stand out, between them owning 86 of the 107 potentially fraudulent company-owned domain names analyzed by HTB.

A further 41 domains were found to belong to companies with a legitimate reason to register them; that is, companies with a similar company name or trademark, and no attempt at fraudulent use.

However, 164 domains were classified as fraudulent typosquats, while a further 73 were classified as cybersquats. Typosquats, says the report, are "Domains registered by third-parties to make money on users erroneously visiting websites hosted on these domains (due to a typo in URL or a phishing campaign) by displaying ads, redirecting users to questionable websites selling illegal or semi-legal products and services." 

Cybersquats are "Domains registered... in the hope that the antivirus companies or third-parties will buy the domains at some point in the future. Websites on these domains are not active." This activity is neither illegal nor dangerous (unless the buyer turns out to be a criminal), but it is dubious.

The real danger comes from the typosquats. For example, explains Marsel Nizamutdinov, chief research officer at HTB, typosquats are "used to display annoying ads, redirect users to pornographic or underground pharmaceutical websites, or even to infect with malware the machines of users who accidentally made a typo in the URL or clicked a phishing URL. The last scenario is the most dangerous, for example a consumer wanting to purchase an antivirus for a new PC who accidentally mistypes the domain name in his browser could find that his machine will be infected by malware turning it into a zombie to perform DDoS attacks or send spam."

Infosecurity does not believe that this research can be seen as 'scientific research.' Since the selection of the domains to be analyzed is purely subjective, it cannot realistically be claimed that any one anti-virus company is better at safeguarding users from typosquatters than any other company. What it absolutely does show, however, is how serious and widespread the problem really is.

For their part, the anti-virus companies tend to protect their actual users rather than the public in general. "Our approach," Luis Corrons, technical director at PandaLabs, told Infosecurity, "is that if a website is distributing malware, hosting phishing, etc. we block it. Registering a few domains can help, but it is like trying to stop bullets by blowing them aside." This in turn means that users who already have a reputable anti-virus product will be pretty well protected from typosquatters. Users who don't have AV installed should do so immediately – but should be very careful where they go to get it.
