January 10, 2012

Typosquatting social web gains top Alexa ranking

Ulysses Wang

Websense® ThreatSeeker® Network has detected fraudulent Web sites that have made it into the global top 250 of the Alexa ranking list. These are amazing results for fraudulent Web sites, as some of them rank even better than genuine big-name portals. In this campaign, the fraudulent sites pretend to be from YouTube, and they try to lure you in by saying you have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. Survey scams were very common in the past year, and were usually spread within social networks like Facebook or Twitter. They often used hot topics to lure visitors. We have already blogged about these incidents, and customers are encouraged to educate themselves about these attacks so they do not fall for this kind of technique.


An interesting thing we found is that survey campaigns that spread in social networks are usually localized by area or language. This means that traffic for the spam sites used in those campaigns is limited to the related countries or regions. However, video rewards survey campaigns can spread globally, as they have a high Alexa rank in almost every country and they have no language barrier. Additionally, the spam site server checks the IP addresses of visitors and shows the location information on the page to appear more authentic. One of the spam sites used in this campaign is video-rewardz.com, which at its peak reached Alexa’s top 250 list. The spam site has had a high Alexa rank since Dec 19th 2011. It is still available now and has a lot of traffic.


How is it possible for spam sites to have so much traffic? After conducting some research, we found that the major source is people mistyping the address of the twitter.com Web site. This type of attack is called typosquatting, and it is not new. We have blogged about this in the past, yet the technique remains popular because attackers get good results from it. The attacker needs to register several typosquatting sites for Twitter and redirect each typosquat site to another site such as video-rewardz.com. This explains why it is a global spam campaign, and why it can generate so much traffic. Twitter is a very popular site and it’s easy for people to mistype this URL.

To prevent such attacks, some big names like Google or Facebook have registered some names that can be easily mistyped for their portal. However, Twitter has not done this, which makes it susceptible to such attacks and gives the spam sites an extremely high Alexa rank.


Listed below are typosquatting sites registered by attackers:

  • ttwitter.com
  • twwitter.com
  • twiitter.com
  • twittter.com
  • twitterr.com
  • twutter.com
  • twiter.com
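
The names above are each a single keystroke slip away from "twitter". As an added example (not part of the original post or any Websense tooling), the following sketch flags such lookalikes among hostnames seen in proxy or DNS logs; the function names, the QWERTY adjacency rule and the sample hostname list are assumptions made for illustration.

```python
"""Flag hostnames whose registrable label is one typo away from a protected brand."""
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def adjacent_keys(a, b):
    """True when a and b sit side by side on the same QWERTY row."""
    return any(a in r and b in r and abs(r.index(a) - r.index(b)) == 1
               for r in QWERTY_ROWS)

def classify(label, brand):
    """Return the kind of single-edit typo turning brand into label, else None."""
    if len(label) == len(brand) + 1:            # one extra character
        for i in range(len(label)):
            if label[:i] + label[i + 1:] == brand:
                near = label[max(i - 1, 0):i] + label[i + 1:i + 2]
                return "repeated-letter" if label[i] in near else "inserted-letter"
    elif len(label) == len(brand) - 1:          # one character missing
        if any(brand[:i] + brand[i + 1:] == label for i in range(len(brand))):
            return "omitted-letter"
    elif len(label) == len(brand):              # same length: look for one swap-in
        diff = [i for i in range(len(brand)) if label[i] != brand[i]]
        if len(diff) == 1:
            i = diff[0]
            return ("adjacent-key" if adjacent_keys(label[i], brand[i])
                    else "substituted-letter")
    return None

def scan(hostnames, brand_domain):
    """Map each lookalike registrable domain seen in hostnames to its typo kind."""
    brand, tld = brand_domain.lower().split(".")   # assumes name + single-label TLD
    hits = {}
    for host in hostnames:
        parts = host.lower().rstrip(".").split(".")
        if len(parts) < 2 or parts[-1] != tld:
            continue
        kind = classify(parts[-2], brand)
        if kind:
            hits[".".join(parts[-2:])] = kind
    return hits

# Constructed sample of hostnames as they might appear in proxy or DNS logs;
# the lookalike names are the ones listed in the article.
SAMPLE_HOSTS = ["twitter.com", "www.ttwitter.com", "twwitter.com", "twiitter.com",
                "twittter.com", "twitterr.com", "twutter.com", "TWITER.com",
                "video-rewardz.com", "api.twitter.com"]

if __name__ == "__main__":
    for domain, kind in scan(SAMPLE_HOSTS, "twitter.com").items():
        print(f"{domain:15} {kind}")
```

Run against the sample, five of the seven listed names are classified as a repeated letter, one as an adjacent-key slip and one as an omitted letter, while the genuine domain and the unrelated redirect target are not flagged.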


We also found other spam sites related to this campaign. Some of them have already been used in the campaign and have a high Alexa rank, whilst others may be used in the future.

  • videorewardcentral.com
  • videorewardsonline.com
  • socialupdatepanel.com
  • videorewardstoday.com
  • videorewardsnow.com
  • giveaway-winner.com
  • videorewardspace.com
  • video-reward.com
  • videorewardspot.com
  • video-rewardz.com


Websense customers are protected from these threats by ACE, our Advanced Classification Engine.
