Scammers most often imitate PayPal, Microsoft and Facebook domains

Tomcat



Typosquatting is one of the common methods cybercriminals use to create websites that imitate famous brands. The technique consists of registering domain names that are similar in spelling to the addresses of popular sites. As specialists from Palo Alto Networks found, cybercriminals most often imitate the sites of Microsoft, Facebook, Netflix, PayPal, Apple, Royal Bank of Canada, LinkedIn, Google, Apple iCloud, Bank of America, Dropbox, Amazon and Instagram.

Malicious domains are mostly used to distribute malware, scams, phishing campaigns, or fraudulent support services. According to the researchers, of 13,857 such domains registered in December 2020, 18.5% were used for malicious purposes.

According to the study, cybercriminals are interested in social media sites, financial and banking organizations, as well as trading platforms - that is, resources on which visitors can make money.

In particular, experts have found several such campaigns. In one of them, the cybercriminals created a fraudulent resource (secure-wellsfargo [.] org) that imitated the official website of Wells Fargo Bank and stole visitors' PIN codes and e-mail credentials. In the second case, the researchers found the domain samsungeblyaiphone [.] com, which distributed the Azorult infostealer, capable of stealing credentials and billing information.

The most popular among the "typosquatters" were the Cloudflare and cPanel CAs. Although sites created using typosquatting are quite common, many security vendors do not provide adequate protection against this threat.

The study showed that the vendors showing good results detect only about 25% of domains regarded as malicious or high risk, while 55% of such domains were not detected by any of the vendors.
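A defender-side check for the lookalike registrations described in this post, as an added example that is not part of the original post or of the Palo Alto Networks study. It goes slightly beyond spelling similarity by also flagging names that embed a brand among other words, which is the shape of the two domains the post names; the brand allowlist, the distance threshold and the extra sample domains are assumptions constructed for the example.

```python
import re

# Brand label -> legitimate registrable domain. Brand names are from the post;
# the allowlist and the distance threshold are assumptions for this example.
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com",
          "facebook": "facebook.com", "wellsfargo": "wellsfargo.com",
          "samsung": "samsung.com"}
MAX_TYPO_DISTANCE = 1

# Two domains named in the post, plus constructed samples.
SAMPLES = ["secure-wellsfargo [.] org", "samsungeblyaiphone [.] com",
           "paypa1.com", "micorsoft.com", "www.paypal.com", "example.org"]

def refang(domain):
    """Normalise a defanged name: 'a [.] org' -> 'a.org'."""
    return re.sub(r"\s*\[\.\]\s*", ".", domain.strip().lower())

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    # First row and column hold the cost of building a prefix from nothing.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify(domain):
    """Return (verdict, brand): legitimate, typo, brand-keyword or unrelated."""
    domain = refang(domain)
    # Simplification: label left of the TLD; real use needs the Public Suffix List.
    label = domain.split(".")[-2] if "." in domain else domain
    for brand, legit in BRANDS.items():
        if domain == legit or domain.endswith("." + legit):
            return ("legitimate", brand)
    for brand in BRANDS:
        if 0 < osa_distance(label, brand) <= MAX_TYPO_DISTANCE:
            return ("typo", brand)
    for brand in BRANDS:
        if brand in label:  # brand embedded among other words
            return ("brand-keyword", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
```

Substring matching on short brand names produces false positives, so a production list would pair each hit with registration age or certificate data before alerting.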
 