By John Leyden, 13th December 2011 08:32

Typosquatters set up booby-trapped High Street names

Xmas shoppers who carnt spel targeted

Fraudsters have established thousands of typosquatting sites designed to hoodwink customers of popular shopping sites into handing over personal information to fraudulent doppelgangers.

Using slightly misspelled domain names, the fraudsters steer prospective marks to mirror sites designed either to harvest personal data or to expose victims to malware. Websense has discovered nearly 2,000 examples of these fraudulent typosquatting websites.

Brands impersonated include Argos, Debenhams, John Lewis and many others. Some of the sites are convincing enough to lead people to enter their credit card information while others are simply loaded with exploits or packed with bogus special offers designed to trick victims into handing over personal information, as Websense explains.

Fake sites look like legitimate company websites, luring unsuspecting consumers to enter information, such as when a customer tries to claim online vouchers for high-street retailers. The user is then asked to select another offer shown in a pop-up window. These pop-ups usually host fake competitions offering high value, desirable prizes like the latest iPhone. Users filling in the form inadvertently provide cybercriminals access to their personal information, leading to identity theft, phishing scams, and malware.

Examples of the fraudulent domains include “debenahams”, “johlewis” and “argues”. In other cases, cybercrooks have registered a correctly spelled variant of a legitimate site name under “.org” or “.net”, for example, instead of the .com of the real site. Fraudsters began registering these sites in October in anticipation of the Christmas holiday shopping season.
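The variant kinds just described (a dropped letter such as “johlewis”, an inserted letter such as “debenahams”, and the real spelling under a different TLD) are mechanical enough to enumerate for a brand you are responsible for and match against hostnames seen in DNS or proxy logs. The following is an added example of that defensive check, not code from the article or from Websense; the brand list, their TLDs, the watched TLDs and the sample hostnames are constructed assumptions, and sound-alike spellings such as “argues” are outside what this simple enumeration catches.

```python
# Added example (not from the article or Websense). Flags hostnames that match
# the typosquat kinds the article describes: a dropped letter ("johlewis"), an
# extra letter ("debenahams"), and the real spelling under another TLD.
from itertools import chain
from string import ascii_lowercase

WATCHED_TLDS = ("com", "co.uk", "org", "net")  # assumption: TLDs worth watching

def omissions(name):
    """Labels obtained by dropping one character of name."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}

def insertions(name):
    """Labels obtained by inserting one lowercase letter anywhere in name."""
    return {name[:i] + c + name[i:] for i in range(len(name) + 1) for c in ascii_lowercase}

def transpositions(name):
    """Labels obtained by swapping two adjacent characters of name (common typo)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}

def typosquat_candidates(brand, real_tld):
    """Map candidate domain -> reason for one brand label and its genuine TLD."""
    cands = {}
    for label in chain(omissions(brand), insertions(brand), transpositions(brand)):
        if label != brand:  # swapping a doubled letter reproduces the real name
            for tld in WATCHED_TLDS:
                cands[f"{label}.{tld}"] = "misspelling"
    for tld in WATCHED_TLDS:
        if tld != real_tld:
            cands[f"{brand}.{tld}"] = "tld-swap"
    return cands

def classify(hostnames, brands):
    """Return {hostname: (brand, reason)} for hosts that match a candidate."""
    table = {}
    for brand, tld in brands.items():
        for dom, reason in typosquat_candidates(brand, tld).items():
            table.setdefault(dom, (brand, reason))
    hits = {}
    for host in hostnames:
        dom = host.lower().rstrip(".")
        dom = dom[4:] if dom.startswith("www.") else dom  # keep the registrable part
        if dom in table:
            hits[host] = table[dom]
    return hits

# Constructed sample: brands with their genuine TLD, and hostnames as they might
# appear in a DNS or proxy log. None of these are claimed to be real registrations.
BRANDS = {"debenhams": "com", "johnlewis": "com", "argos": "co.uk"}
SAMPLE_HOSTS = ["www.debenahams.com", "johlewis.net", "argos.org", "debenhams.com", "example.org"]
```

Calling `classify(SAMPLE_HOSTS, BRANDS)` flags the first three sample hosts and leaves the genuine `debenhams.com` and the unrelated `example.org` alone.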

A typosquatting campaign can include thousands of registered typosquat hosts (a typosquat hive). In many cases these fraudulent domains are hosted in the US, even though typosquatting is illegal in that country. The scam infrastructure consists of web servers, changing domain names, and the enticing scam content that victims are presented with. Corrupt hosting partners team up with cybercrooks to run the scam, getting a percentage of premium SMS sign-ups or an inflated rental fee in return for keeping scam sites live for as long as possible.

Once a typosquat domain is spotted, it gets blacklisted and lost forever. Because of this, many typosquat hosts lie low for a time, coming to life and serving scams for a short while before going back to covert mode. It's common for typosquat hosts to employ evasion tactics while they lie low; one common method involves redirecting users or security researchers to the legitimate website to avoid any suspicion. In other cases, users or security researchers that try to poke around the hive are blacklisted.

Websense has published an advisory explaining the mechanism of typosquatting scams in much greater depth, alongside a list of compromised domains, here. ®
