Scammers are counting on your typos — and are ready to pounce if you slip up when entering a web address into your browser. Just one wrong keystroke could send you to a typosquatter's look-alike site that can install malware, steal sensitive personal and financial information, or even lock up your computer.
And don't assume that an incorrect URL will result in an error message — because that's the evil genius of typosquatting. Since these malicious sites are registered, your browser doesn't see the typo as an error, so it makes the connection.
Although we rarely hear about it, typosquatting has been around for years. The scam is "definitely getting worse," according to John Breyault, who runs the National Consumers League's Fraud.org website, which recently issued a fraud alert about the scam.
"You may go to a site that looks totally legitimate, but when you enter your Social Security number, bank account number or passwords, you're giving scammers access to those websites where they can transfer funds, set up lines of credit or access your email and start using it for phishing attacks," Breyault told NBC News.
Researchers recently documented a "vast network of potentially malicious websites … that mimic some of the world's most popular destinations," according to the website KrebsOnSecurity.com, which investigates cybercrime. Many of these domains — about 1,500 — appear to be tied to a Colorado-based marketing company whose CEO is a convicted felon, Krebs reports.
"I bet there are a dozen or more operators like this out there bringing millions of people into their typosquatting domains," Brian Krebs told NBC News.
Matthew Chambers, a security expert in Atlanta, discovered and documented a typosquatting network, estimating that these sites were visited nearly 12 million times during the first three months of 2018. That would be almost 50 million hits for the entire year.
And while everyone who lands on such sites won't have a problem, many visitors do get burned by getting lured into a tech support scam, Chambers told NBC News.
"In my testing, a good amount of the time you're redirected to web pages that lock up your computer, display messages that say there's a problem with your computer, and then lead you into this cycle of fraud," he said.
Don't forget the 'o' in .com
Chambers started his investigation when some of his clients had problems — endless pop-up ads, including bogus security alerts about malware — after they went to various well-known websites. It turns out that they had forgotten the "o" in .com and had typed .cm, landing on sites such as espn.cm, chase.cm, turbotax.cm, and Walmart.cm. The .cm domain is actually for Cameroon.
"This is just hiding in plain sight," Chambers said. "I don't think anybody would care much if they were just asking you to take an innocuous survey. But what I've seen is a pattern of malicious websites being served up this way."
Chambers was able to determine who visited these .cm sites in the first three months of 2018 and he found various government agencies, including NASA, the Department of Justice, and the Central Intelligence Agency. In many cases, a mistyped domain address took these users to porn sites, Chambers noted.
All URL typos can be dangerous
Typosquatting is not limited to omitting the "o" in .com. All sorts of mistakes can send you in the wrong direction. Forgetting the "c" in .com and typing .om can take you to typosquatting sites that use the domain for Oman.
A recent blog post by MacAfee warning about the dangers of typosquatting explained how scammers used the .om domain several years ago to hijack Netflix users. Those who typed in Netflix.om instead of Netflix.com were infected with malware.
"People suck at typing," said Nicolas Christin, associate research professor at Carnegie Mellon University's School of Computer Science. "You don't pay attention to what you're doing, and you wind up on one of these websites that's impersonating the website you really wanted to go to."
It's very easy to create a domain name that resembles a legitimate one, but is just one letter or digit off, such as Gmal instead of Gmail.
"It's low cost and high reward. And it does not require any technical expertise whatsoever," Christin told NBC News. "All you need to do is register the domain name that you're targeting. For any given domain name there are a number of typos that are easy to derive from it."
For example: Paypak for Paypal because the k and l are next to each other on the keyboard. Or Paypa1 (a former phishing website) because the l and a 1 look so much alike.
Typosquatting is a devious practice because security software cannot prevent you from misspelling a web address and browsers will not always provide a warning about dangerous sites. Also, it's not always easy to spot a look-alike site should you accidentally land on one.
"At the end of the day, you need to be careful about what you type and take some simple steps to protect yourself," Fraud.org's Breyault said.
- Always double-check the address: Before hitting enter, make sure you did not make a mistake. Taking the time to do so can save you the heartache of having your identity stolen or prevent you from purchasing counterfeit products at inflated prices.
- Bookmark your favorite websites: Once you are positive that the address you entered is correct, bookmark it. Doing this will save you the time of proofreading each web address and is particularly worthwhile for websites that have access to your financial information.
- Use a search engine: When in doubt, use a search engine rather than guessing the web address. Even then, be careful.
- Be wary of links found in social media posts: They can often lead to typosquatters.
If you discover that you have visited a typosquatter's site and you entered passwords on that site, change them right away.