December 8, 2011

A typosquat hostname list for Xmas

Elad Sharf Security Researcher

A few weeks ago, we published a blog about typosquatting. This time, we're going to give an actual example of typosquat hosts found in the wild and show how typosquatting scams work. We'll take you through a typosquatting campaign that abuses tens of known brands and includes thousands of registered typosquat hosts (a typosquat hive). After that, we'll offer a list that includes hundreds of typosquatting hosts from that hive, all of which can be found in the wild. The list is free to download for any of you who are into IT security -- so this Xmas can be a bit safer.


In this blog we'll cover:

- A typosquatting example: If you make the wrong typo, where will it take you, and how does it work?

- A typosquat hive example from the wild - how does it work, which brands are targeted, and where will the typosquat take you?

- Which countries the typos are coming from with this campaign.

- Where the scam infrastructure is located. 

- A list of hundreds of hosts used for typosquatting found in the wild. The list is free to download.


A typosquatting example: If you make the wrong typo, where does it take you?

We've all made typing mistakes when typing a Web address in our browser. In better cases, we get nothing more than a 404 not found error. In worse cases, we might be redirected to a scam site or a malware/exploit site.

Usually, in the case of typosquatting-based cyber crimes, the victim that mistakenly made the typo is redirected to a scam site that tries to take advantage of the victim's state of mind. For example, victims who thought they typed in the right Web address might not notice if they see a scam site with the look and behavior that they expect, and that can profit the scammer. Victims might see a site with the same color scheme and theme as the brand or site they intended to go to, hand-in-hand with false congratulations on being a random winner who will receive a prize for completing a short survey. The following video shows how it works:


A "typosquat hive" example from the wild: How does it work?

Typosquatting is illegal in the US. Nonetheless, a lot of typosquatting sites are hosted in the US. As an example, at the bottom of this blog, you'll find a list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.

How does this specific scam work? Please refer to the image below, and we'll take you step-by-step right through it. The typosquat hive (marked 1 in the diagram) consists of many hostnames registered by the cybercriminals. (If you have a look through the list linked at the bottom of the blog, you'll find those names there.) The list consists of a lot of names that target very well known brands. The cybercriminals are interested in breadth -- they want to target as many well-known brands as possible. This gives their scam good exposure. The cybercriminals that are in control of the hive (the registered typosquat domains) have a few options for how to use the sites. They can set up their own scam infrastructure, like the premium rate phone numbers system we saw in the video above. Usually, the cybercriminals that own the hive partner with other cybercriminals that already have the scam infrastructure established (marked 2). The scam infrastructure is where the victim (marked 3) is ultimately led, and separated from his or her money, after making a typo in the browser. The scam infrastructure consists of Web servers, changing domain names, and the enticing scam content that victims see.

The agreement between the cybercriminals that own the hive and the ones that own the network could be either a fixed cost for the time the typosquat hive is used, or, more often, a "per traffic" agreement. The latter means the owner of the hive gets a cut based on the actual number of victims that fall for the scam: for example, a percentage from the victims that registered for a premium number text service that costs £3 a message. Once the agreement is set up, the owners of the hive can point the hosts they own to the name servers that are part of the infrastructure built by their "partner in scam" (marked 4) for as long as the agreement is on.

The typosquat hive in our example targets mainly UK brands (list available for download at the end of the blog). Here are just a few examples from that list of registered typosquatting domains in the hive, including the brands they're targeting:


johnlwis.com (targets the legitimate Web site johnlewis.com)

arrgos.co.uk (targets the legitimate Web site argos.co.uk)

debnhams.co.uk (targets the legitimate Web site debenhams.com)


As UK Web sites and brands are the main target, most of the requests coming to this typosquat hive originate from the UK (victims making easy typos). Please refer to the pie chart below to see the location distribution of users that end up at a typosquat host in this hive, as observed in the Threatseeker™ Network over one week. It's natural to see multiple countries, as UK residents roam and brands offer services and products that are available globally.



The scam infrastructure is hosted in the US

Typos that go to a host in the hive lead to a scam site. For example, when this blog post was created, typing in johnlews.com redirected any victim to the scam site surveystartweb.com, as seen in the diagram below. Much as in the scam featured in the video, victims are informed that they won a desirable product, and are asked to register for a premium rate number service.


[Animated GIF: the redirection to the scam site after making the typo]


In this example, surveystartweb.com is part of the scam infrastructure and ultimately redirects to promotions.djummer.com, where victims are likely to be separated from their money. The scam infrastructure consists of many hosts that hold basically the same information. In essence, different typos lead to different scam hosts and URLs that usually follow the same principle, as in this case where victims are led to a premium rate number service. Using the Threatseeker Network, it is possible to check how many unique scam URLs are identified as part of the same scam infrastructure. If you check the graph below, you can see that observing live data for a week yielded an average of 121 unique URLs per day.


The GeoIP location of the URLs within the scam infrastructure is mainly in the US, a fact we found astounding. Check out the pie chart below to see the GeoIP location distribution of all the hosts known to be part of the scam infrastructure, as observed by the Threatseeker Network over one week.



Some final words

It's important to note that good typosquat hosts are very valuable to their cybercriminal owners. There are two main reasons for this:


1. A good combination of keys that is both likely to be a common typo and very similar to the legitimate, targeted site is rare. There are a limited number of proximate keyboard buttons that are likely to create a typo: for example, instead of the letter "P," it is easy to type nearby letters like "O."

2. Once a typosquat domain is spotted, it's blacklisted and lost forever.

For these reasons, it's not a surprise to see typosquat hosts that don't serve scams lying low for a time, coming to life and serving scams for a short while, and then going back to covert mode. Also, it's common for typosquat hosts to employ evasion tactics while they lie low; one method is to redirect any users or nosy researchers to the legitimate Web site to avoid any suspicion. Other tactics could involve blacklisting methods against probing users or researchers that try to poke around the hive.

It's important to remember that legitimate Web sites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site's name. This is a good strategy for successful Web sites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused. Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon.com, amaxzon.com, amzon.com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon. 
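The typo patterns visible in the hostnames quoted in this post (a dropped letter, a doubled letter, a stray neighbouring key) can be checked for mechanically when reviewing proxy or DNS logs. The following Python is an added example, not part of the original post; the brand list, the grid approximation of QWERTY adjacency, the typo category names and the comparison of first labels only are assumptions.

```python
# Added example; the QWERTY grid model and the category names are assumptions.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ADJACENT = {
    ch: {ROWS[rr][cc]
         for rr in (r - 1, r, r + 1) if 0 <= rr < len(ROWS)
         for cc in (c - 1, c, c + 1) if 0 <= cc < len(ROWS[rr])
         if (rr, cc) != (r, c)}
    for r, row in enumerate(ROWS) for c, ch in enumerate(row)
}

def classify(observed, brand):
    """Return the typo kind if `observed` is one keystroke slip from `brand`, else None."""
    if observed == brand:
        return None
    i = 0  # index of the first differing character
    while i < min(len(observed), len(brand)) and observed[i] == brand[i]:
        i += 1
    diff = len(observed) - len(brand)
    if diff == -1 and observed[i:] == brand[i + 1:]:
        return "omission"
    if diff == 1 and observed[i + 1:] == brand[i:]:
        prev = observed[i - 1] if i else ""
        if observed[i] == prev:
            return "duplication"
        near = ADJACENT.get(prev, set()) | ADJACENT.get(brand[i:i + 1], set())
        return "adjacent-key insertion" if observed[i] in near else "insertion"
    if diff == 0 and observed[i + 1:] == brand[i + 1:]:
        hit = observed[i] in ADJACENT.get(brand[i], set())
        return "adjacent-key substitution" if hit else "substitution"
    if diff == 0 and observed[i:] == brand[i + 1] + brand[i] + brand[i + 2:]:
        return "transposition"
    return None

def flag_hosts(hosts, brands):
    """Map each lookalike host to (brand, typo kind), comparing first labels only."""
    hits = {}
    for host in hosts:
        label = host.lower().rstrip(".").split(".")[0]
        for brand in brands:
            kind = classify(label, brand)
            if kind:
                hits.setdefault(host, (brand, kind))  # keep the first brand matched
    return hits

# Hostnames quoted in the post, plus two constructed non-matches at the end.
BRANDS = ["johnlewis", "argos", "debenhams", "amazon"]
SEEN = ["johnlwis.com", "arrgos.co.uk", "debnhams.co.uk", "aqmazon.com",
        "amaxzon.com", "amzon.com", "argos.co.uk", "example.org"]
if __name__ == "__main__":
    print(flag_hosts(SEEN, BRANDS))
```

A match only says that a name is a lookalike: the Amazon-registered hosts named above match as well, so registration ownership still has to be checked before a host is treated as hostile.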

We'd also like to add that other means can be used to redirect or lure victims to the scam infrastructure. For example, not long ago we also noticed a spammy Facebook campaign titled "In Memory of Steve Giving Away 1000 iPad 2s" that propagated throughout Facebook and ultimately led victims to the same infrastructure.


A list of hundreds of hosts used for typosquatting found in the wild and free to download.

Download the full list from here 3324.typo_list_.txt. Please exercise CAUTION as these domains aren't safe. We strongly advise that you not load them in a browser.
