January 30, 2013

Can't Sleep? Let's Count a Typosquat Hive

Carl Leonard Principal Security Analyst

The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?

Upon further analysis we discovered a connection between those hosts:

  1. Most of them are hosted on the same IP address.
  2. They lead to scam survey websites and spam websites.
  3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.

Let us take one host from the hive to illustrate how a victim is led from a typosquat to a scam site. Typing in hxxp://youtibe.com/ redirects the user to the scam site hxxp://socialsurvey.chattycatty.com/.
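The two traits above, look-alike names and a shared IP address, can be checked without fetching page content, which matters because the hive rotates between threats and parking pages. The following is an added example, not Websense code: it flags hosts within one edit (including an adjacent-letter swap) of a watched brand and groups them by resolved IP. The brand watchlist, every hostname except youtibe.com, and all IP addresses (documentation ranges) are constructed for illustration.

```python
from collections import defaultdict

# Assumption: a defender-maintained watchlist of legitimate brand domains.
BRANDS = ["youtube.com", "example.com"]

# Constructed passive-DNS style observations: (hostname, resolved IP).
# Only youtibe.com comes from the article; the rest is made-up sample data.
OBSERVED = [
    ("youtibe.com", "203.0.113.10"),    # substitution (u -> i)
    ("exampel.com", "203.0.113.10"),    # adjacent swap (le -> el)
    ("exmple.com", "203.0.113.10"),     # dropped letter
    ("unrelated.net", "203.0.113.10"),  # same IP, but not a look-alike
    ("yuotube.com", "192.0.2.77"),      # look-alike on its own IP
    ("youtube.com", "198.51.100.5"),    # the real brand, distance 0
]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def typosquat_of(host, brands=BRANDS, max_dist=1):
    """Return the brand a host imitates, or None (an exact match is not a typo)."""
    for brand in brands:
        if 0 < osa_distance(host.lower(), brand) <= max_dist:
            return brand
    return None

def find_hives(observed, min_hosts=2):
    """Group look-alike hosts by IP; an IP serving several is a hive candidate."""
    by_ip = defaultdict(dict)
    for host, ip in observed:
        brand = typosquat_of(host)
        if brand:
            by_ip[ip][host] = brand
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    print(find_hives(OBSERVED))
```

A distance threshold of 1 keeps false positives low for short domain names; candidates it surfaces still need review before blocking.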

Multiple requests to the same host result in different landing pages, including scam surveys, form filling, and spam sites. In one example (see the screenshots below), users are lured and redirected to a "YouTube"-themed website to complete a survey which claims that, upon completion, they will have the opportunity to receive one of the listed gifts:


After completing the "survey", the user is offered the option to sign up for a paid, automatically renewed monthly subscription service with an additional enticing gift at a low price. The user is then asked to enter their credit card details. The catch is in the "terms and conditions" section, where it is claimed that the gift is the responsibility of a third party and that no subscription refunds are allowed.

Fortunately, Websense protects its users against such threats with Websense ACE (Advanced Classification Engine). If you have seen other typosquats, let us know in the comments.


Author: Samana Haider
