There are many cases of redirects caused by users' typing mistakes (typos), which expose them
to cryptomining malware, fake malware alerts, misleading messages, spam, and similar threats.

Exploiting this kind of human typing error is called typosquatting. Typosquatting, also called URL
hijacking, a sting site, or a fake URL, is a form of cybersquatting (and possibly brandjacking)
which relies on mistakes such as typos made by Internet users when entering a website
address into a web browser. Should a user accidentally enter an incorrect website address, they
may be led to any URL, including an alternative website owned by a cybersquatter.

The typosquatter’s URL will usually be one of five kinds, all similar to the victim site address
(e.g. example.com):

1. A common misspelling, or foreign language spelling, of the intended site:
(exemple.com).
2. A misspelling based on typos: (examlpe.com).
3. A differently phrased domain name: (examples.com).
4. A different top-level domain: (example.org).
5. An abuse of the Country Code Top-Level Domain (ccTLD): example.cm by using .cm,
example.co by using .co, or example.om by using .om.

A person leaving out a letter in .com in error could arrive at the fake URL’s website. Once in the
typosquatter’s site, the user may also be tricked into thinking that they are in fact in the real
site, through the use of copied or similar logos, website layouts or content.
Spam emails sometimes make use of typosquatting URLs to trick users into visiting malicious
sites that look like a given bank’s site, for instance.

There are several different reasons why typosquatters buy a typo domain:

1. In order to try to sell the typo domain back to the brand owner.
2. To monetize the domain through advertising revenues from direct navigation
misspellings of the intended domain.
3. To redirect the typo-traffic to a competitor.
4. To redirect the typo-traffic back to the brand itself, but through an affiliate link, thus
earning commissions from the brand owner’s affiliate program.
5. As a phishing scheme to mimic the brand’s site, while intercepting passwords which the
visitor enters unsuspectingly.
6. To install drive-by malware or revenue generating adware onto the visitors’ devices.
7. To harvest misaddressed e-mail messages mistakenly sent to the typo domain.
8. To block malevolent use of the typo domain by others.
9. To express an opinion that is different from the intended website’s opinion.

Many of these typo domains mimic sites ending in .com, using endings such as .ne, .cm and .om
that are easy to type by mistake.

Espn[.]cm is one of more than a thousand so-called "typosquatting" domains hosted on the
same Internet address, 85[.]25[.]199[.]30. In total, 1,170 domains resolve to the IP address
85[.]25[.]199[.]30. A list of the most popular typosquatting domains that share this address
with Espn[.]cm is given below:

All of the domains currently redirect visitors to just one of two landing pages — either antistrophebail[.]com or chillcardiac[.]com

For the moment, if one visits either of these domains directly via a desktop Web browser chances are the site will display a message saying, “Sorry, we currently have no promotions available right now”. Browsing some of them with a mobile device sometimes leads to a page urging the visitor to complete a “short survey” in exchange for “a chance to get a gift cards, coupons and other amazing deals!”

Recommendations:

1. Everyone makes typos from time to time, which is why it's a good idea to avoid navigating
to the Web sites you frequently visit by typing their address directly.
2. Bookmark the sites you visit most, particularly those that store your personal and
financial information, or that require a login for access.
3. Block all Web sites in a given top-level domain; blocking dot-cm, for instance, will stop
anything coming out of that TLD.
4. Varutra recommends blocking the following 50 TLDs and the above-mentioned IP address
/URLs, which are associated primarily with this kind of activity.
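As an added example (not part of the original advisory, and not Varutra's tooling), the following Python script turns the five kinds of typo domain listed earlier and the blocking recommendations above into a SOC-side check: it classifies hostnames from a constructed proxy log against a list of monitored brand domains, flagging one-keystroke label typos, ccTLD abuse such as .cm/.om/.co, other TLD variants, and requests served from the hosting address named in the text. The brand list, the log excerpt and the risky-ccTLD set are assumptions made for the example.

```python
# Brand domains the SOC protects (constructed list for this example).
MONITORED = {"example.com", "espn.com"}
# ccTLDs one keystroke away from .com, as discussed in the text (.cm, .om, .co, .ne).
RISKY_CCTLDS = {"cm", "om", "co", "ne"}
# Hosting address named in the text; matched against the resolved server IP in the log.
KNOWN_TYPOSQUAT_IPS = {"85.25.199.30"}

def edit_distance1(a, b):
    """True if a and b differ by one substitution, adjacent swap, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                                and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long = sorted((a, b), key=len)
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))

def classify(host, server_ip=None):
    """Label a hostname against the monitored brands; the IP match is a fallback signal."""
    host = host.lower().rstrip(".")
    if host in MONITORED:
        return "ok"
    label, _, tld = host.rpartition(".")
    for brand in MONITORED:
        blabel, _, btld = brand.rpartition(".")
        if label == blabel and tld != btld:  # kinds 4 and 5: other TLD / ccTLD abuse
            return "cctld-abuse" if tld in RISKY_CCTLDS else "tld-variant"
        if tld == btld and edit_distance1(label, blabel):  # kinds 1-3: typo in the label
            return "typo"
    return "known-typosquat-ip" if server_ip in KNOWN_TYPOSQUAT_IPS else "unknown"

# Constructed proxy log excerpt (not real traffic): epoch client method url server_ip
SAMPLE_LOG = """\
1520000001 192.0.2.10 GET http://espn.com/ 203.0.113.5
1520000002 192.0.2.11 GET http://espn.cm/ 85.25.199.30
1520000003 192.0.2.12 GET http://examlpe.com/login 198.51.100.7
1520000004 192.0.2.13 GET http://example.org/ 198.51.100.8
"""

def scan_log(text):
    """Return (client, host, verdict) for each request that is not a clean hit on a brand."""
    hits = []
    for line in text.splitlines():
        _, client, _, url, server_ip = line.split()
        host = url.split("//", 1)[-1].split("/", 1)[0]
        verdict = classify(host, server_ip)
        if verdict != "ok":
            hits.append((client, host, verdict))
    return hits
```

The comparison uses only the last label before the TLD, so strip subdomains such as www. before calling classify() if your logs carry them.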

Author,

Umang G. Waghmare
SOC Team

Varutra Consulting