There are cases when websites are compromised in order to serve as hosts that spread malware. We have seen various methods used to lead users to malicious sites, one of which is known as “typosquatting”.
It’s not unusual for us to make errors when we try to type a web address into a web browser. Cybercriminals often take advantage of this and lead users to malicious websites instead of the actual site the user intended to visit. This is called “typosquatting” – a blend of “typo” and “squat”. It is also known as “URL hijacking”. Cybercriminals register domain names that resemble popular domains, and then wait for victims who mistakenly type them. It’s a nuisance for businesses, and there have even been court cases between companies whose names were abused by typosquatters.
Of course, typosquatting is a threat for consumers. When unintentionally accessed, users may find themselves looking at unwanted spam sites, or worse, they might be infected by malware. Let’s look into this using a real-world example.
A typical case of Gmail abuse
Let me first explain our effort to reduce the number of victims of malware infection. When we find a compromised website, we try to reach out to its administrator to issue an alert. Below is a real example we encountered. It’s the WHOIS information of a website which unintentionally hosts malware. In the “Administrative Contact” field, you will see the string “A***3JP”. This is a JPNIC Handle managed by Japan Registry Service (JPRS), which is the key to figuring out who administers the site. (In other cases, email addresses are registered in this field.)
We looked up the JPNIC Handle “A***3JP” to see who the administrator is:
The email address in the “E-Mail” field is the contact information for the person who should be made aware of the malware infection on his/her website. Alerting administrators who are unaware of infections is one of the important steps in the process of preventing malware from spreading further.
Taking a closer look, however, we found a flaw in this email address: it looks like a Gmail address (firstname.lastname@example.org), but actually it is not. A letter is missing.
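The near-miss check described above can be automated when auditing contact addresses in bulk. The following is an added example, not code from the original post: it measures how many keystrokes separate a contact address’s domain from a small, constructed list of well-known mail domains and names the kind of typo (a missing letter, as in this case, or a transposed, inserted, or substituted one). All sample addresses are constructed and none are real.

```python
"""Flag e-mail domains that are one keystroke away from a well-known domain,
the way the missing-letter "Gmail" address in this post was caught.
Added example, not code from the original post; the protected-domain list
and the sample contact addresses are constructed for illustration."""
import re

# Domains we want to protect (assumption: a small constructed list).
PROTECTED_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample WHOIS contact addresses; none of them are real.
SAMPLE_CONTACTS = [
    "admin@gmail.com",        # exact match: nothing to flag
    "webmaster@gmal.com",     # one letter missing, like the case in the post
    "info@gmial.com",         # two adjacent letters transposed
    "contact@gmail.co",       # letter missing from the TLD
    "owner@example.org",      # unrelated domain
]


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: an insertion, deletion,
    substitution, or swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_typo(candidate, target):
    """Name the single edit that turns target into candidate.
    Only meaningful when the two strings are at distance 1."""
    if candidate == target:
        return None
    if len(candidate) == len(target) - 1:
        return "omission"
    if len(candidate) == len(target) + 1:
        return "insertion"
    diffs = [i for i, (x, y) in enumerate(zip(candidate, target)) if x != y]
    if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and candidate[diffs[0]] == target[diffs[1]]
            and candidate[diffs[1]] == target[diffs[0]]):
        return "transposition"
    return "substitution"


def lookalike_domain(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (protected_domain, typo_kind) when domain is a near miss of a
    protected domain; None when it is an exact match or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in protected:
        return None
    best = None
    for target in sorted(protected):
        dist = damerau_levenshtein(domain, target)
        if 0 < dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, target)
    if best is None:
        return None
    return best[1], classify_typo(domain, best[1])


def audit_contacts(addresses):
    """Run the check over contact addresses; return the flagged entries as
    (address, protected_domain, typo_kind) tuples."""
    flagged = []
    for addr in addresses:
        m = re.fullmatch(r"[^@\s]+@([^@\s]+)", addr)
        if not m:
            continue  # not a syntactically usable address; skip it
        hit = lookalike_domain(m.group(1))
        if hit:
            flagged.append((addr, hit[0], hit[1]))
    return flagged


if __name__ == "__main__":
    for addr, target, kind in audit_contacts(SAMPLE_CONTACTS):
        print(f"{addr}: one keystroke from {target} ({kind})")
```

A distance threshold of 1 keeps the check tight enough to avoid flagging unrelated domains; raising `max_distance` widens the net but needs a manual review step behind it, since legitimate short domains start to collide at distance 2.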
In some countries, correct registration of domain information is a legal requirement. In Japan, however, registered information is sometimes incorrect, and what’s worse, incorrect information may be registered intentionally. If a registered email address is not correct, we are unable to alert the web administrator, who then cannot be made aware that his/her site has become a source of infection for an unspecified number of visitors.
In this case, however, the intention of the Gmail-like domain was clear: it was a trap created from typosquatting, meant to lead users to download a malicious fake installer.
It turned out that the website with the Gmail-looking address could be displayed in various languages according to its visitor’s language environment, including Japanese, German, Spanish, Italian, Dutch, Polish, Portuguese, Russian, Swedish, and Turkish. For unknown reasons, there was no English option. Take a look at the sample screenshots of the website below. Its legitimate look would easily lead visitors who accidentally accessed the site to download and install the fake installer without any doubt.
In this post, I explained the importance of correct registration of domain information, as well as how typosquatting works, using a real example, which we came across in our research. Typosquatting is not new: it’s a classic method used to mislead users. It’s been known about for several years, but the number of its victims continues to increase worldwide. It has a passive nature of waiting for users’ mistypes, and we are all prone to make mistakes now and then. To avoid being a victim of typosquatting-driven malware, regularly update your OS and security software.