Fraudsters have established thousands of typosquatting sites designed to hoodwink customers of popular shopping sites into handing over personal information to fraudulent doppelgangers.
Slightly misspelled domain names take prospective marks to mirror sites designed either to harvest personal data or to serve them malware. Websense has discovered nearly 2,000 examples of these fraudulent typosquatting websites.
Brands impersonated include Argos, Debenhams and John Lewis, among many others. Some of the sites are convincing enough to get people to enter their credit card details; others are simply loaded with exploits or packed with bogus special offers designed to trick victims into handing over personal information, according to Websense.
The fake sites look like the legitimate company websites, luring unsuspecting consumers into entering information, for example when a customer tries to claim online vouchers for high-street retailers. The user is then asked to select another offer shown in a pop-up window. These pop-ups usually host fake competitions offering high-value, desirable prizes such as the latest iPhone. Users who fill in the form hand cybercriminals their personal information, which is then used for identity theft, phishing scams and malware distribution.
Examples of the fraudulent domains include "debenahams", "johlewis" and "argues". In other cases, cybercrooks have registered the correctly spelled name of a legitimate site under a different top-level domain, such as .org or .net instead of the real site's .com. Fraudsters began registering these sites in October in anticipation of the Christmas holiday shopping season.
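As an added illustration (not Websense's tooling, and not taken from its advisory), the following Python generates the kinds of look-alike domains described above for a watched brand, and in the other direction maps an observed domain back to the brand it most likely imitates. The brand domains, the TLD list and the two-edit threshold are assumptions made for the example.

```python
"""Typosquat candidate generator and matcher (illustrative, added example).

Produces the look-alikes the article describes: a dropped letter
("johlewis"), an inserted letter ("debenahams"), a swapped or replaced
letter, and the correct spelling under a different TLD. It also maps an
observed domain back to the brand it imitates using edit distance.
"""
from __future__ import annotations

import string

# Assumed legitimate domains for the brands the article names (for the example).
BRANDS = ["argos.co.uk", "debenhams.com", "johnlewis.com"]
# Assumed suffixes a squatter might register the correct spelling under.
TLDS = ["com", "net", "org", "co.uk"]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'johnlewis.com' into ('johnlewis', 'com'); handles 'co.uk' too."""
    for suffix in sorted(TLDS, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    name, _, tld = domain.rpartition(".")
    return name, tld


def name_variants(name: str) -> set[str]:
    """Single-edit misspellings of the registrable name."""
    n, letters = len(name), string.ascii_lowercase
    variants: set[str] = set()
    # Dropped letter: johnlewis -> johlewis
    variants.update(name[:i] + name[i + 1:] for i in range(n))
    # Inserted letter: debenhams -> debenahams
    variants.update(name[:i] + c + name[i:] for i in range(n + 1) for c in letters)
    # Swapped neighbours: argos -> agros
    variants.update(name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(n - 1))
    # Replaced letter: argos -> argoz
    variants.update(name[:i] + c + name[i + 1:] for i in range(n) for c in letters)
    variants.discard(name)
    return variants


def candidates(domain: str) -> set[str]:
    """Misspellings under the real TLD plus the real name under other TLDs."""
    name, tld = split_domain(domain)
    out = {f"{v}.{tld}" for v in name_variants(name)}
    out.update(f"{name}.{t}" for t in TLDS if t != tld)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming row sweep."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_brand(observed: str, brands=BRANDS, max_edits: int = 2):
    """Return (brand, reason) for the brand an observed domain imitates, or
    None if it is the genuine site or not within max_edits of any brand."""
    name, tld = split_domain(observed)
    best = None
    for brand in brands:
        bname, btld = split_domain(brand)
        if name == bname:
            return None if tld == btld else (brand, "wrong TLD")
        d = edit_distance(name, bname)
        if d <= max_edits and (best is None or d < best[1]):
            best = (brand, d)
    return None if best is None else (best[0], f"{best[1]} edit(s) from name")


if __name__ == "__main__":
    for seen in ["debenahams.com", "johlewis.com", "debenhams.net", "argues.com"]:
        print(seen, "->", imitated_brand(seen))
```

The generator covers single-character edits and TLD swaps, which is enough to reproduce "debenahams" and "johlewis"; the matcher also catches "argues" because it sits two edits from "argos". Phonetic spellings and homoglyph substitutions are not generated here. In practice the candidate set would be fed to zone-file or passive-DNS lookups to find which look-alikes are actually registered.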
A typosquatting campaign can include thousands of registered typosquat hosts (a "typosquat hive"). In many cases these fraudulent domains are hosted in the US, even though typosquatting is illegal there. The scam infrastructure consists of web servers, changing domain names, and the enticing scam content that victims are presented with. Corrupt hosting providers partner with cybercrooks to run the scam, getting a percentage of premium SMS sign-ups or an inflated rental fee in return for keeping scam sites live for as long as possible.
Once a typosquat domain is spotted, it gets blacklisted and is lost to the fraudsters for good. Because of this, many typosquat hosts lie low for a time, coming to life to serve scams for a short while before going back into covert mode. It is common for typosquat hosts to employ evasion tactics while they lie low; one common method is to redirect users or security researchers to the legitimate website to avoid arousing suspicion. In other cases, users or security researchers who try to poke around the hive are themselves blacklisted.
Websense has published an advisory explaining the mechanism of typosquatting scams in much greater depth, alongside a list of the fraudulent domains. ®