Phishing domain lawsuits and the Computer Fraud and Abuse Act
Introduction
The worlds of trademark law and marketing seem to be constantly at odds with each other, occasionally collapsing into a court of law where they battle for not-insignificant amounts of money. When gray-market sources, guerilla marketing and potential malicious actions enter the mix, it can muddy the waters to the point where no one is quite certain if what is happening is legally correct.
Case in point: Microsoft's recently unsealed legislative actions against an entity charged with malicious actions, as shown here at Law360. According to the charges, there were violations of the Computer Fraud and Abuse Act, as well as a number of issues that lead users to this location in the first place such as typosquatting.
This isn't a word you hear every day, so let's break this down and then see how it can affect us on a day to day basis.
See Infosec IQ in action
What is typosquatting?
To understand typosquatting, we first have to break down “typo” — or a mistake made when typing in a word. If you ever are going along in a conversation with someone and you put in “Facbook” instead of “Facebook,” for example, that is a typo — a mistake made when typing something.
Many times now in programs like Messenger, an autocorrect function will change it to the word that it thinks that you mean, but web browsers (for example) don’t have this luxury. If you type in facbook.something instead of facebook.something, it will take you to a completely different website.
Typosquatting is the practice of deliberately purchasing a domain that is extremely similar to a known good site for financial gain. Say, for instance, that you had a rival social networking site that you wanted people to go to but were having a hard time making headway. You could then purchase something like the domains mentioned above and drive traffic to them via people typing in the wrong address.
Alternatively, you could just hold onto the domain itself and then try to sell it to the organization that the address is similar to for a profit. However, falsifying representation like this can go beyond just URLs into full cybersquatting.
What is an example of cybersquatting?
Let's say for a moment that someone created a social media profile of a person or organization with enough details to be considered them at first glance. Once this was made, they started painting this person or organization in a very bad light — embarrassing details, insulting remarks, etc. This could potentially destroy the reputation of this person or organization without them ever being aware of what is happening.
Depending on who runs the social media site in question, there may be methods in place to reclaim the profile, but the damage is done. As a result, it's usually best to try to take control of the possibilities at the outset, rather than do damage control afterwards.
How to prevent cybersquatting
Being proactive is really the best defense against cybersquatting, and that means being very aware when new Top-Level Domains (TLDs) become available, social networks start to become popular and new products are being deployed from your organization.
Most large organizations are able to easily dispute cybersquatting with time and energy, but this can be significantly more difficult for smaller organizations or individuals. Even for larger organizations, though, it isn't a sure thing, as depending on the phrase it may be considered generic and as a result, not be granted. Most registrars are aware of this possibility, though, and will show a listing of possible variants on any domain you plan to purchase. While this may cost a significant amount of money up front, it may very well be worth it to not fight issues down the line.
How to prevent typosquatting (typosquatting protection)
Typosquatting, like cybersquatting, is best dealt with by being proactive and registering as many domains as possible along certain lines. For instance registering “gogle”, “oogle” or “gool” or other variants on a theme if you were Google.
It is also possible to use dedicated tools such as DNS Twist to see if typosquatting may already be active against your domain. On the user-side, a common defense for trying to avoid navigating to a site you do not intend to go to is to use a web search. The higher a particular site's reputation (when the search result isn't an ad), the more likely it is to be the legitimate site.
But it doesn't always work that way. Enter URL hijacking.
URL hijacking versus typosquatting
While typosquatting and URL hijacking can sometimes be used interchangeably, there are a few instances where URL hijacking does more than just navigate to a different domain. For example, all services for domain name registrations expire after a certain amount of time. If a domain expires, it is then available for anyone to purchase, as it becomes freed up. So if google.com expired tomorrow and the organization did either renew it ahead of time or go through the registration process quick enough, someone else could purchase the domain through standard means.
In other cases, a domain is able to be transferred off of the original registrar if security has not been configured properly and onto a different host. Still other times, user PCs can individually be forcibly redirected to go to a different IP address when entering a particular domain through any number of means.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Conclusion
Typosquatting, cybersquatting and URL hijacking are all serious issues that need to be dealt with proactively by both organizations and individuals. Without diligent defenses, it is very possible to lose control of an online identity in the blink of an eye.
This means more than just losing what page comes up first in a web search — this could mean disruption of communications, services and unintended receipt of sensitive information. It is extremely important therefore to be aware of what could possibly happen in the future, for whatever that reason would be. This is only one possible action that organizations can take to be proactive when it comes to information security.
Sources
What is Typosquatting?, McAfee
Domain Name Hijacking: Incidents, Threats, Risks and Remediation [SAC007], ICANN
Typosquatting – what happens when you mistype a website name?, Naked Security by Sophos
What is typosquatting? How misspelling that domain name can cost you, Norton
What is Domain Typosquatting and how to protect your business from it?, namify.medium.com
Fakebook: Misspelled domain squatters must pay Facebook nearly $2.8 million, The Verge
Facebook Typosquatting Campaign Harvests User Info, Infosecurity Magazine
How to protect your online brand against cybersquatters, BBC News
What is Cybersquatting and What You Can do to Prevent It, Creately
How to stop typosquatting attacks, opensource.com
elceef/dnstwist, GitHub
In this Series
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
