What the heck is typosquatting?
And why should you care?
The other day I was attempting to connect to the Wells Fargo website and while typing in wellsfargo.com, I accidentally typed in wellsfargp.com. Yes, I typed a P where I should have typed the letter O. So how did this happen? It was an easy enough mistake to make. I generally type very quickly and, after all, the P is right next to the O on the keyboard. Unfortunately, by the time I realized my mistake, I had already completed the rest of the URL and hit Enter.
Here’s where things got interesting, instead of receiving an error message saying that the web page didn’t exist, I was actually automatically redirected to the real wellsfargo.com domain. Of course, my first assumption was that maybe this was some sort of look-alike website that was trying to steal my personal information, but after a thorough review, I was able to confirm that yes, indeed Wells Fargo did own this other mistyped domain name.
That got me thinking, I wonder if they own other mistyped domains. So I tried wellsfarfo.com and sure enough, I ended up at the real Wells Fargo! As I spent the next few minutes playing around, I came to a couple conclusions. First, Wells Fargo owns a number of domains that are mistyped by just one character. Second, the mistyped domains that they didn’t own were already owned by other people. In fact, during my quick check, I was unable to find a mistyped domain for the bank that had not been purchased by either them or someone else.
On a whim, I tried the same thing with Bank of America, this time typing in bankifamerica.com, which replaced the letter O with the letter I. Sure enough, I was taken to the real Bank of America’s website. It seems that Wells Fargo was not the only big bank that owned mistyped domain names.
The next big question I had to ask was why? What reason would these big banks have in purchasing domains that are literally nothing more than typos? I figured it had something to do with cybersecurity, so naturally I called my good friend Jim Stickley. You may have seen him on the Today Show or pitching LifeLock in the wee hours.
Jim quickly confirmed my suspicions. According to Jim, criminals spend a large amount of time and money buying up domains that are similar to real financial institution domain names. This trend is called typosquatting and the goal is to either trick unsuspecting victims into providing personal/confidential information or to simply install malware on these victims’ computers. Basically, somebody mistypes the URL for their financial institution and without even realizing it, they’ve made themselves prey for these nasty criminals.
But it gets worse. Jim brought up something I hadn’t even thought about. Criminals are also using these similar domain names for spear phishing attacks. In these cases, thousands of emails are sent out to potential victims claiming to be from the financial institution with a link that looks so close to the real financial institution’s domain, people don’t notice the minor difference.
By buying and deploying all these extra domain names, the two big banks I checked in this unscientific experiment were simply trying to head off cybercrime before it could happen. I imagine a lot of people mistype these domains names and never even realize it because of the extra measures taken by these big banks.
Unfortunately, what I found next was a little more disappointing. I started testing credit unions and regional banks, typing in domain names with a mistyped character. Time and again, either the web page did not exist, a random person owned it or in some cases, I was actually directed to a malicious website that tried to install malware on my computer.
Then Jim suggested I try Numerica Credit Union based out of Spokane, Wash. I know some folks there and their tech IQ is pretty high, so I figured I’d find out just how high. I tried their website with a mistyped domain and it went to their website. I tried another and again, it went to their website. I tried at least ten more variations and in every attempt, I was directed back to Numerica’s real website.
I had to know more so I spoke with Kelly Ferguson, Numerica CU’s CIO. He told me, “Keeping our members secure is paramount to Numerica and that means staying on the cutting edge of technology. We realized trying to figure out every possible domain to secure and then trying to purchase and manage all of those domains would require an incredible amount of work and resources, but we knew it had to be done. Fortunately, we found a service called Domain Assure, from Stickley on Security. This service allowed us to simply provide our domain name and they did the rest.” And suddenly it made sense how Jim had known that Numerica CU was secure; his company had provided Numerica with the solution.
After speaking with Kelly, I tested out a few more community financial institutions, optimistic that others might be taking similar measures. Alas, in my simple unscientific experiment, I was unable to locate any other community FIs that had taken the steps to fully secure their domain.
I talked to Jim again and he assured me that the typosquatting problem isn’t limited to just financial institutions. While they’re popular targets for obvious reasons, typosquatters can go after any business with a popular website. However, he also assured me that giving typosquatters a proverbial kick in the crotch is easy and not very expensive. Bottom line: If your business has a heavily used website, you should be taking defensive measures around typosquatting.
In the never-ending battle between big banks and community FIs, technology has long been called the great equalizer. But that only works if the community FIs use technology as well as (or even better than) the big banks. This is a good example of attention to detail. All financial institution websites may look the same, but are all consumers protected equally? Unfortunately, in this case, the answer is no. And until community FIs shore up details like these, their consumers will remain vulnerable to attacks from cybercriminals and they’ll remain vulnerable to attacks from big banks.
