Holidays are near and we don’t have time to buy gifts. What do we do? Shop online. Unfortunately, as online shopping continues to grow, so does typosquatting/URL Hijacking and targeting users through malicious fake domains. Venafi, a cybersecurity software that secures and protects cryptographic keys and digital certificates, says it has uncovered nearly 100,000 typosquatted/fake domains with valid TLS certificates impersonating as major retailers.
What is Typosquatting/URL Hijacking?
Typosquatting/URL Hijacking is a phenomenon where an attacker creates another domain name that is spelled like the targeted domain name. For better understanding, consider a scenario where instead of entering the URL “www.yahoo.com”, you mistakenly entered “www.tahoo.com” or “www.yahooo.com”. It’s a common mistake that sometimes we enter a similar wrong URL having just one or two additional or mismatched letters. When such typographical errors are made by Internet users, they may be redirected to an alternate malicious website that is better known as a hijacked website.
Venafi’s Analysis
Venafi that 109,045 fake domains using valid TLS certificates were discovered which are targeting top 20 online retailers. Of the 109,000 typosquatted domains, nearly 84,000 target retailers in the U.S., including almost 50,000 domains that imitate one of the country’s top retailers. Similarly, in the U.K., nearly 14,000 certificates have been issued for targeting fake retailer domains, 7,000 certificates targeting retailers in Germany, 3,500 for domains targeting Australian retailers, and 1,500 targeting French retailers.
Jing Xie, senior threat intelligence researcher at Venafi, told SecurityWeek, “Some of these URLs probably serve a legitimate purpose, but many may be used by attackers for fraudulent purposes. We think the sheer volume of these sites is a strong indication that many of them are being used for malicious purposes, especially since we are so close to the holiday shopping season”.
Venafi, also found that an overall 60 percent of the hijacked domains had a valid TLS certificate obtained for free from Let’s Encrypt. Let’s encrypt is a free online TLS certificate provider whose services are often abused by hackers.
Causes of URL Hijacking
- Typing a misspelled domain name into the browser.
- Specifying a wrong domain extension (such as .com instead of .org).
- Forgetting to include a hyphen in the domain name.
- Spelling differently due to Language differences, such as colour (U.K. English) instead of color (U.S. English).
Threats of URL Hijacking
- Leads to phishing.
- Installation of a malware/ransomware.
- Identity theft, etc.
Mitigation Steps
- Most importantly, be very careful while typing the domain name of a website.
- Instead of entering the domain name every time in the URL field, bookmark the websites that are frequently visited.
- Perform web searches and then click on the intended site from the web search results.
- Do not click on links from unknown senders.
- Domain owners should try and register typo versions of their original domain name to avoid URL hijacking.
