We recently have seen an increase in “typosquatting” activity targeting financial institutions. Typosquatting is when someone registers a domain with a name that is very similar to the legitimate domain of a company, then sets up DNS records for that domain to lead unsuspecting customers to the fake site.
The fake domain name will sometimes be missing a letter in the domain name, have an extra letter added, be a misspelled version of the legitimate domain, or will substitute a number for a letter. There are a few different variations of typosquatting attacks that can use the fake site. Today, we will look at some of these attacks and look at ways your institution can lower the risk these sites can represent.
Many times, a typosquatting site will be set up in the hopes that legitimate customers of the institution will mistype the domain name, ending up at the wrong site. Attackers will place material on the fake site designed to get the customer to attempt to sign on using their credentials, sometimes going as far as replicating the content of the institution’s legitimate website.
When the customer signs on, the site collects the credentials and sometimes repeats the credentials in real time back to the legitimate site, including any MFA prompt. The attacker is able to use this attack to gain full access to the customer’s account.
More sophisticated criminals will take a typosquatting attack to the next level, creating ways to lead unsuspecting customers to the fake site. They often do this by sending emails to people who live in the area served by the institution, or by placing ads or posts on social media sites guiding traffic to the site. They rely on potential victims not paying close attention to the URL that they are connecting to. By doing this, the attackers are able to gain access to more accounts, leading to more profit from their crime.
In very advanced typosquatting attacks, the criminal has a very targeted list of customers that has been gleaned from an earlier email takeover attack on an employee or vendor of the institution. In these cases, the attacker is able to impersonate an employee of the institution and trick a customer or vendor into going to the fake site.
While there is no way to completely protect an institution from typosquatting, there are a few things you can do to make it harder for criminals to launch a successful attack. First, monitor the Internet for sites that are similar to yours. There are free sites (dnstwister.report is one) which can be used to find existing sites which are suspiciously close to yours, or to identify site names that might be used in the future by a criminal.
There are also paid services which will perform this monitoring, and many of these services are able to determine whether a site has actually had traffic diverted to it because the services have relationships with major DNS providers that direct the traffic.
An institution should also consider being proactive and purchasing domain names which are most likely to be used by a criminal. Once you own these sites, you should point them to a domain that tells the user they entered the wrong URL, as if you point these to the primary site you run the risk of customers receiving certificate errors because of the name mismatch. You can use dnstwister or other free tools to help generate a list of potential dangerous sites.
Finally, be sure to train employees and customers that they should always pay attention to the URLs that they navigate to, and that they should never provide information or click on links on sites that seem to be impersonating legitimate sites.
Bedel Security works with banks and credit unions every day to help identify and mitigate threats such as typosquatting. Email us at firstname.lastname@example.org with your questions on how typosquatting could impact your institution and we'll talk with you about how you can prevent it.
The Virtual CISO Whitepaper
Essential Employee Training
To Click or Not to Click? The 5 Laws of Links